DDNS – Unable to Add Forward Map SERVFAIL/REFUSED

bindddnsdhcp-serverdomain-name-systemisc-dhcp

I am using bind9 on a primary dns server with two secondary dns servers in a master/slave relationship. I am attempting to implement DDNS but seem to be running into a problem when it comes to adding a forward map, I get the error

Unable to add forward map from DESKTOP-9MFAP8Q.student.co.uk to 192.168.80.51: SERVFAIL

I originally got a REFUSED error until I added the address of the DHCP server into the allow-query and allow-transfer options in named.conf.local on the primary dns. I am not sure if this is needed, it is just something I tried in order to get this to work.

I have attempted changing the permissions on the zone files using

sudo chown bind:bind /etc/bind/*.db

sudo chmod 664 /etc/bind/*.db

but that had no change on the outcome.

I will post the config files below, any help is appreciated.

Router – 192.168.80.2

DHCP – 192.168.80.3

Primary DNS – 192.168.80.4

Secondary DNS – 192.168.80.5, 192.168.80.6

————————-Primary DNS————————-

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

key "rndc-key" {
        algorithm hmac-sha256;
        secret "ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==";
};

zone "student.co.uk" {
        type master;
        file "/etc/bind/db.student.co.uk";
        notify no;
        allow-query {
                127.0.0.1;
                192.168.80.5;
                192.168.80.6;
                192.168.80.3;
        };
        allow-transfer {
                192.168.80.5;
                192.168.80.6;
                192.168.80.3;
        };
        allow-update {
                { key rndc-key; };
        };
};

zone "80.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.80.168.192.in-addr.arpa";
        notify no;
        allow-query {
                127.0.0.1;
                192.168.80.5;
                192.168.80.6;
        };
        allow-transfer {
                192.168.80.5;
                192.168.80.6;
        };
        allow-update {
                { key rndc-key; };
        };
};

named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

         forwarders {
                8.8.8.8;
                8.8.4.4;
         };
         allow-query {
                192.168.80.5;
                192.168.80.6;
                127.0.0.1;
         };
         allow-transfer {
                192.168.80.5;
                192.168.80.6;
                127.0.0.1;
         };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};

db.80.168.192.in-addr.arpa


; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                     2021020902         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.student.co.uk.
@       IN      NS      ns2.student.co.uk.
150     IN      PTR     www.student.co.uk.
151     IN      PTR     www.student.co.uk.

db.student.co.uk


; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                     2021021902         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.student.co.uk.
@       IN      NS      ns2.student.co.uk.
ns1     IN      A       192.168.80.5
ns2     IN      A       192.168.80.6
www     IN      A       192.168.80.150
www     IN      A       192.168.80.151

————————-DHCP————————-

dhcpd.conf

# option definitions common to all supported networks...
option domain-name "student.co.uk";
option domain-name-servers 192.168.80.5, 192.168.80.6;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-updates on;
ddns-update-style standard;
update-static-leases on;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

allow unknown-clients;
use-host-decl-names on;

key rndc-key {
        algorithm hmac-sha256;
        secret ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==;
};

zone student.co.uk. {
    primary 192.168.80.4;
    key rndc-key;
}

zone 80.168.192.in-addr.arpa. {
    primary 192.168.80.4;
    key rndc-key;
}

subnet 192.168.80.0 netmask 255.255.255.0 {
  range 192.168.80.50 192.168.80.100;
  option domain-name-servers 192.168.80.5, 192.168.80.6;
  option domain-name "student.co.uk";
  ddns-domainname "student.co.uk.";
   ddns-rev-domainname "in-addr.arpa.";
  option subnet-mask 255.255.255.0;
  option routers 192.168.80.2;
  option broadcast-address 192.168.80.255;
  default-lease-time 600;
  max-lease-time 7200;

  host DOMAIN1 {
    hardware ethernet 00:0c:29:20:87:b0;
    fixed-address 192.168.80.99;
    ddns-hostname "test";
  }
}

Best Answer

General recommendation

Check the logs for BIND (as that is where the error occurred from the looks of it), you should find relevant error messages from the update attempts there.

My hunch (educated guess, if you will)

BIND is probably unable to create/modify files.

Either the directory and/or files are not writable as per the filesystem permissions or some additional layer like Selinux/Apparmor disallows writing outside of the expected directories for the particular service.

Root cause theory (assuming my hunch is correct)

You are placing these writable files in rather unconventional places, this likely goes right against what the package maintainer has prepared for (both in terms of filesystem permissions and any Selinux/Apparmor profiles).

Normally you would use something like /var/lib/bind for writable files (or /var/cache/bind for "cache" files), not /etc/bind as that is normally read-only configuration.

I would suggest confirming the appropriate directory and use that rather making additional system changes unless there is an important reason to use a different directory.

Sidenote: I would suggest using a specific key for these dhcpd-sourced updates rather than repurposing a key named such that it appears to be intended for rndc usage (and presumably also valid for this?).

Related Solutions

Hidden DNS master only sending notify to one slave

Have you tried setting this?

notify-to-soa yes;

From the BIND 9 Configuration Reference:

notify-to-soa

If yes do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME (SOA ORIGIN) as it is supposed to contain the name of the ultimate master. Sometimes, however, a slave is listed as the SOA MNAME in hidden master configurations and in that case you would want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset.

Global Reverse DNS look-ups not working

You've set it up correctly on your server, but your server is not marked as authoritative for 123.5.253.159.in-addr.arpa. Your reverse DNS is managed by your ISP (the whole 5.253.159.in-addr.arpa zone):

; <<>> DiG 9.7.3-P3 <<>> ns 5.253.159.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43579
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;5.253.159.in-addr.arpa.        IN  NS

;; ANSWER SECTION:
5.253.159.in-addr.arpa. 86010   IN  NS  ns3.uxw.nl.
5.253.159.in-addr.arpa. 86010   IN  NS  ns4.uxw.nl.

You have 2 solutions to solve that:

ask your ISP to define the 123.5.253.159.in-addr.arpa record for you on their DNS (ns3.uxw.nl and ns4.uxw.nl),
ask your ISP to delegate the 123.5.253.159.in-addr.arpa record to your server, as per the RFC 2317, this is just a matter of defining a CNAME pointing to a new record on a new zone on your DNS (you then have to define this special zone on your DNS, your ISP will tell you how to name this new zone).

First solution is probably the quickest, but if you change your server's name in the future, you've got to ask them to change it again. Second solution is the most flexible, if your ISP is willing to support RFC 2317. If your ISP is providing you with more than a single address, reverse DNS can be delegated for all of them (the whole range) so you can be in charge. I'd recommend you to ask for that.

This similar question is worth reading.

Trivia: a few years ago (5, or 10 years back), some people were advocating against RFC-2317, because some DNS clients couldn't handle the reverse queries well. However, I don't think that is relevant anymore, RFC-2317 exists for about 15 years now.