Windows 2012 can’t validate forwarders without a root zone

binddomain-name-systemwindows-dnswindows-server-2012

(Disclaimer: I am not a Windows DNS admin. I do have a decent amount of DNS experience under my belt though, and this is not making any sense. I am working closely with the admins responsible for these devices and can get tests performed as needed.)

We have run into an issue where we cannot add conditional forwarders that point to BIND nameservers under Windows Server 2012. Adding the IP address of the server results in a validation error: An unknown error occurred while validating the server.

forwarder fail. :(

Looking at the query log on the BIND server, we found something rather interesting: the Windows DNS server was querying for . IN SOA, i.e. the SOA record for the root nameservers. No query for example.com. IN SOA at all. It attempts to query for root authority and doesn't continue when it receives a response of REFUSED.

client 192.168.203.20#59067 (.): query: . IN SOA - (192.168.208.201)
client 192.168.203.20#50553 (.): query: . IN SOA - (192.168.208.201)
client 192.168.203.20#55468 (.): query: . IN SOA - (192.168.208.201)

Madness. To humor it, we reproduced this problem in the lab. I downloaded a copy of the root zone and configured a . zone (commenting out my root hints), and lo and behold, this error no longer occurs.

I really don't get this. I'm providing an authoritative nameserver that shouldn't have to provide answers to . SOA, and as matters stand I'm going to have to add this zone to all of our production servers just to play nicely with Windows 2012. In my experience, a forwarder should only be concerned with whether or not the target nameserver is authoritative for the zone in question.

Why is this happening?

If we try to ignore the error (click on OK anyway), we get the following error dialog:

more forwarder fail. :(

The query log still shows that the upstream server is only asking for . IN SOA. There is never an attempt to see if the server is authoritative for example.com..

Best Answer

I tried to reproduce this on both Windows 2012 and Windows 2012 R2 but couldn't get the same end result.

I can confirm the initial validation error (An unknown error occurred while validating the server.), and I can see the strange query for . IN SOA, but clicking "OK" at that point appears to work (no further errors are shown and the forwarding zone is added).

It appears that the second error message that you encountered (A problem occurred while trying to add the conditional forwarder. A zone configuration problem occurred.) may be unrelated to the strange validation behavior.

I can't really tell why it is doing its validation based on a query for . IN SOA but it appears to be mostly a cosmetic problem as you're not prevented from proceeding despite the validation failure.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

BIND – Forward DNS Query for Specific Domain to Specific Nameserver

Have a look at this page. You can use the forward and forwarders statements inside your zone block.

forward ( only | first )
forwarders { ipv4_addr }

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

BIND – Forward DNS Query for Specific Domain to Specific Nameserver

Related Topic