DNS – Secondary DNS Not Responding to Dig

Tags: bind, domain-name-system

We are new to DNS. We are trying to configure a secondary DNS server using BIND on CentOS for an existing primary server (e.g. 142.250.192.110).

Our secondary server configuration is as follows:

    // options block: the listen/allow-query settings as posted (wrapper added so the
    // fragment parses as valid named.conf)
    options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
    };

    // forward zone, transferred from the primary
    zone "example.com" IN {
        type slave;
        masters { 142.250.192.110; };
        file "slaves/example.forward";
    };

    // reverse zone for 142.250.192.0/24, transferred from the primary
    zone "192.250.142.in-addr.arpa" IN {
        type slave;
        masters { 142.250.192.110; };
        file "slaves/example.reverse";
    };

When we executed dig @127.0.0.1 host1.example.com, we got a proper reply.
When we executed it with the local IP of the secondary server, dig @192.168.1.10 host1.example.com, we got a proper reply.

But when we execute the command with the public IP / hostname of the secondary server, e.g. dig @dns2.example.com host1.example.com, we get an error like ;; connection timed out; no servers could be reached

Please suggest some help to solve this issue. Thanks in advance for your valuable time and help.

Some information and troubleshooting details (IPs and hostnames are not the original ones):

Primary DNS: 142.250.192.110 (dns1.example.com)

Secondary DNS: 192.168.1.10 (local IP), 142.250.192.220 (dns2.example.com)

    nslookup dns2.example.com

    Server:     8.8.8.8
    Address:    8.8.8.8#53

    Non-authoritative answer:
    Name:   dns2.example.com
    Address: 142.250.192.220

dig @127.0.0.1 host1.example.com – Success

dig @192.168.1.10 host1.example.com – Success

dig @142.250.192.220 host1.example.com – Failed.

dig @dns2.example.com host1.example.com – Failed.

tcpdump shows packet transfer with dig @127.0.0.1 and dig @192.168.1.10,
but shows NO packet transfer with dig @142.250.192.220 and dig @dns2.example.com.

To check whether the firewall is blocking port 53, we tested the port with tcpdump, and tcpdump shows packet transfer when we did telnet 142.250.192.220 53.

Note: We have a firewall that NATs the local IP to the public IP. We are waiting for a reply from the network team on whether the firewall is blocking this dig request.

Best Answer

Always check the logs on both servers. Verify that the slave has been able to fetch the zone. One step is to do the transfer manually using dig @192.168.1.10 axfr example.com from the slave, where @192.168.1.10 is the master in the slave config.

allow-transfer { }; might be needed on the master to allow the slave to fetch the zone. Again, all this is in the logs.

Always check local access first. Check with netstat -anp whether the server is listening properly, and again check the logs. As a last resort, try tcpdump to see which packets go where and whether there is any reply.
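The probe described above (dig against the loopback, LAN and public addresses, plus checking whether the answer is authoritative) as an added example that is not part of the question or the answer: it sends a minimal DNS A query over UDP with a short timeout and reads the response header, so a secondary that answers from cache instead of from a transferred zone (AA flag clear) is visible at once. The server list and query name are constructed to match the question.

```python
import socket
import struct

# Constructed inputs mirroring the question (not real infrastructure): the
# secondary answers on 127.0.0.1 and 192.168.1.10 but not on 142.250.192.220.
QNAME = "host1.example.com"
SERVERS = ["127.0.0.1", "192.168.1.10", "142.250.192.220"]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard DNS query: fixed id, RD set, QTYPE 1 (A), QCLASS 1 (IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp, txid=0x1234):
    """Return rcode name, AA flag and answer count, or None if this is not our reply."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:     # wrong id, or QR bit clear (a query)
        return None
    return {"rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "aa": bool(flags & 0x0400),       # AA: answered from the server's own zone
            "answers": ancount}

def probe(server, qname=QNAME, timeout=2.0):
    """Send one UDP query to server:53 and classify the outcome the way dig reports it."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: no servers could be reached"
        except OSError as e:             # e.g. ICMP port unreachable on loopback
            return f"error: {e}"
    hdr = parse_header(data)
    if hdr is None:
        return "unexpected packet"
    # aa=False on a name in the slave zone means the zone was never transferred
    # and the server answered via recursion or cache instead.
    return f"{hdr['rcode']} aa={hdr['aa']} answers={hdr['answers']}"

if __name__ == "__main__":
    for srv in SERVERS:
        print(f"dig @{srv} {QNAME}: {probe(srv)}")
```

A timeout on the public address while the loopback and LAN addresses answer points at the NAT/firewall path rather than at named, exactly as the tcpdump observation in the question suggests.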