Old 01-02-2006, 09:41 PM   #1
GD_19
LQ Newbie
 
Registered: Aug 2003
Distribution: Gentoo
Posts: 28

Rep: Reputation: 15
BIND doesn't resolve hostnames whose information is stored on other DNS servers


Hello,

I've been trying to solve the following issue for the past week but I've been unable to:

I have set up a DNS server on my home network server to resolve hostnames. Internet resolving works fine, as does resolving hostnames for my domain, gdnet.awmn.

I also participate in a community wireless metropolitan network (AWMN) which also uses DNS extensively. Thus, I set up BIND to request DNS info from the master servers. I added a slave section in named.conf and zone transfer works fine. However, not all info is included in the zone file that ends up on my HD. It includes info on which name servers are authoritative for some subdomains, and my server is expected to query them should a request be made. However, this doesn't work for some reason:


Code:
irouter bind # dig www.awmn 
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.2.5 <<>> www.awmn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42324
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 228, ADDITIONAL: 228

;; QUESTION SECTION:
;www.awmn.                      IN      A

;; ANSWER SECTION:
www.awmn.               3600    IN      A       10.19.143.13

;; AUTHORITY SECTION:
awmn.                   3600    IN      NS      ns0.andreas.ns.awmn.
awmn.                   3600    IN      NS      ns0.apoikos.ns.awmn.
[...]
;; ADDITIONAL SECTION:
ns0.ee.ns.awmn.         3600    IN      A       10.31.176.1
ns0.gd.ns.awmn.         3600    IN      A       10.2.24.253
[...]
;; Query time: 32 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  3 06:36:42 2006
;; MSG SIZE  rcvd: 9326
This works fine. However:

Code:
irouter bind # dig winner.awmn

; <<>> DiG 9.2.5 <<>> winner.awmn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58672
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;winner.awmn.                   IN      A

;; AUTHORITY SECTION:
winner.awmn.            3600    IN      NS      ns0.winner.ns.awmn.
winner.awmn.            3600    IN      NS      ns0.bliz.ns.awmn.

;; ADDITIONAL SECTION:
ns0.bliz.ns.awmn.       3600    IN      A       10.2.13.131
ns0.winner.ns.awmn.     3600    IN      A       10.2.12.70

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  3 06:39:29 2006
;; MSG SIZE  rcvd: 112
The answer section is void!

I suppose this is what I should get:

Code:
irouter bind # dig winner.awmn @10.2.12.70

; <<>> DiG 9.2.5 <<>> winner.awmn @10.2.12.70
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;winner.awmn.                   IN      A

;; ANSWER SECTION:
winner.awmn.            3600    IN      A       10.2.12.72

;; Query time: 97 msec
;; SERVER: 10.2.12.70#53(10.2.12.70)
;; WHEN: Tue Jan  3 06:40:15 2006
;; MSG SIZE  rcvd: 45
Why doesn't BIND contact winner's DNS server, which is authoritative for the winner.awmn domain, to get an answer? Any ideas? This is my named.conf (largely based on gentoo-wiki's how-to):

Code:
irouter bind # cat /etc/bind/named.conf
options {
        directory "/var/bind";
        statistics-file "/var/bind/named.stats";
        dump-file "/var/bind/named.dump";
        zone-statistics yes;
        allow-recursion { 10.0.0.0/8; };
        allow-transfer { 10.0.0.0/8; };
        transfer-format many-answers;

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        forward first;
        forwarders {
                194.219.227.2;
                193.92.150.3;
        };

        listen-on-v6 { none; };
        listen-on { 10.2.24.30; 10.2.24.189; 127.0.0.1; };

        // to allow only specific hosts to use the DNS server:
        //allow-query {
        //      127.0.0.1;
        //};

        // if you have problems and are behind a firewall:
        //query-source address * port 53;
        pid-file "/var/run/named/named.pid";
};

// Includes
include "/var/bind/conf/logging.conf";
include "/var/bind/conf/acls.conf";

zone "." IN { type hint; file "named.ca"; };

zone "localhost" IN { type master; file "pri/localhost.zone"; allow-update { none; }; notify no; };
zone "127.in-addr.arpa" IN { type master; file "pri/127.zone"; allow-update { none; }; notify no; };

zone "gdnet.awmn" IN { type master; file "pri/gdnet.zone"; allow-query { our-networks; }; notify yes; };
zone "24.2.10.in-addr.arpa" IN { type master; file "reverse/24.2.10.zone"; allow-query { our-networks; }; notify yes; };

zone "awmn" IN { type slave; file "sec/awmn.zone"; masters { 10.19.143.12; }; };
zone "10.in-addr.arpa" IN { type slave; file "sec/10.zone"; masters { 10.19.143.12; }; };
Sorry for the long post... And thanks in advance. Any help would be greatly appreciated...
George
 
Old 01-03-2006, 07:25 AM   #2
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
I agree, it looks like you have the proper delegation records
(NS) in the awmn zone. Your "dig winner.awmn" query seems to
verify this.

Is recursion enabled on the DNS server you are querying?

Also, try: dig +trace winner.awmn

This should point out where recursion is broken.
 
Old 01-03-2006, 08:37 AM   #3
kbuk
LQ Newbie
 
Registered: Nov 2005
Location: London
Distribution: Debian
Posts: 17

Rep: Reputation: 0
I know this may seem a little silly, but have you done the following: restarted bind, set resolv.conf to use the local nameserver, set any other PCs on the domain to use the nameserver?
 
Old 01-03-2006, 01:54 PM   #4
GD_19
LQ Newbie
 
Registered: Aug 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks for replying...

Recursive queries are enabled on my server. I have both the allow-recursion and recursion options enabled in named.conf...

Yes I have restarted named, resolv.conf is fine and I have even flushed the DNS cache to no avail...

However the output of +trace seems really weird:

For some reason the ROOT servers are involved, which I can provide no explanation for:

Code:
irouter ~ # dig +trace winner.awmn

; <<>> DiG 9.2.5 <<>> +trace winner.awmn
;; global options:  printcmd
.                       458486  IN      NS      C.ROOT-SERVERS.NET.
.                       458486  IN      NS      D.ROOT-SERVERS.NET.
.                       458486  IN      NS      E.ROOT-SERVERS.NET.
.                       458486  IN      NS      F.ROOT-SERVERS.NET.
.                       458486  IN      NS      G.ROOT-SERVERS.NET.
.                       458486  IN      NS      H.ROOT-SERVERS.NET.
.                       458486  IN      NS      I.ROOT-SERVERS.NET.
.                       458486  IN      NS      J.ROOT-SERVERS.NET.
.                       458486  IN      NS      K.ROOT-SERVERS.NET.
.                       458486  IN      NS      L.ROOT-SERVERS.NET.
.                       458486  IN      NS      M.ROOT-SERVERS.NET.
.                       458486  IN      NS      A.ROOT-SERVERS.NET.
.                       458486  IN      NS      B.ROOT-SERVERS.NET.
;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 4 ms

.                       86400   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006010300 1800 900 604800 86400
;; Received 104 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 263 ms
Any ideas?
 
Old 01-03-2006, 03:23 PM   #5
kbuk
LQ Newbie
 
Registered: Nov 2005
Location: London
Distribution: Debian
Posts: 17

Rep: Reputation: 0
Sorry, I misread your original message (mostly due to others using the wrong terminology).
Not to mention you've not exactly specified what I think you're now meaning.

Domain
awmn

Is gdnet.awmn a hostname or a sub-domain?
From the above I assumed it was a hostname (FQDN; I didn't scroll down on the named.conf).

From what you've said (and re-reading what you posted) it sounds like you're talking about a subdomain

eg
www.gdnet.awmn
ftp.gdnet.awmn
mail.gdnet.awmn
etc

in that case you need to add something like the following to the zone file for awmn:

Code:
; delegate gdnet.awmn to its own name servers
gdnet   IN  A   10.2.24.30          ; glue for the NS record below
        IN  NS  ns0.bliz.ns.awmn.
        IN  NS  gdnet

You don't need the A record (it's there for glue record purposes). I'm not completely sure, but it's probably best if you avoid the glue record issues and set the FQDN gdnet.awmn from within the gdnet.awmn zone, but that's a little beyond what we need (and may not be needed at all).

You're really asking about DNS subdomains.
 
Old 01-03-2006, 08:31 PM   #6
GD_19
LQ Newbie
 
Registered: Aug 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
(kinda) SOLVED!

I had to include 127.0.0.1 in the allow-recursion directive...

However, another error has emerged... When forwarding is enabled (through the forwarders directive) my named won't work as a secondary server for the awmn zone... Anyway, this is not as urgent as the previous problem, since I can now resolve virtually any hostname to its IP, the only problem being that I can't take advantage of my ISP's DNS cache for faster lookups on the Internet... (yes, forward first is used, not forward only)

here's my new named.conf:

Code:
options {
        directory "/var/bind";
        statistics-file "/var/bind/named.stats";
        dump-file "/var/bind/named.dump";
        zone-statistics yes;
        allow-recursion { our-networks; };
        allow-transfer { our-networks; };
        transfer-format many-answers;
        recursion 1;

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        //forward first;
        //forwarders {
        //        194.219.227.2;
        //        193.92.150.3;
        //};

        listen-on-v6 { none; };
        listen-on { 10.2.24.30; 10.2.24.189; 127.0.0.1; };

        // to allow only specific hosts to use the DNS server:
        //allow-query {
        //      127.0.0.1;
        //};

        // if you have problems and are behind a firewall:
        //query-source address * port 53;
        pid-file "/var/run/named/named.pid";
};

// Includes
include "/var/bind/conf/logging.conf";
include "/var/bind/conf/acls.conf";

zone "." IN { type hint; file "named.ca"; };

zone "localhost" IN { type master; file "pri/localhost.zone"; allow-update { none; }; notify no; };
zone "127.in-addr.arpa" IN { type master; file "pri/127.zone"; allow-update { none; }; notify no; };

zone "gdnet.awmn" IN { type master; file "pri/gdnet.zone"; allow-query { our-networks; }; notify yes; };
zone "24.2.10.in-addr.arpa" IN { type master; file "reverse/24.2.10.zone"; allow-query { our-networks; }; notify yes; };

zone "awmn" IN { type slave; file "sec/awmn.zone"; masters { 10.19.143.12; }; };
zone "10.in-addr.arpa" IN { type slave; file "sec/10.zone"; masters { 10.19.143.12; }; };
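The fix from the post above, with the forwarding problem handled per zone instead of by switching the forwarders off globally, as an added named.conf example written for this page; it is not a config from the thread. The mechanism behind both symptoms: BIND only recurses for clients that match allow-recursion, and the original ACL of 10.0.0.0/8 does not match 127.0.0.1, so a query from the server itself was answered from the slave zone's own data, which for a delegated name is a referral (empty ANSWER, NS records in AUTHORITY) and, tellingly, no "ra" flag in the header of the first two dig outputs. With a global "forward first", names that BIND must resolve itself, including names delegated out of a zone it is slave for, go to the ISP resolvers first, and those cannot know a private TLD such as awmn; an empty forwarders list in the zone statement switches forwarding off for that zone and everything delegated from it. The addresses, ACL name "our-networks" and file paths are the thread's own; "localhost" and "localnets" are BIND's built-in ACLs; the allow-query-cache line is an assumption for BIND 9.4 or later (the thread runs 9.2.5) and is left commented out.

```conf
options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        listen-on-v6 { none; };
        listen-on { 10.2.24.30; 10.2.24.189; 127.0.0.1; };

        // Recursion is granted only to clients matching this ACL. Everyone
        // else is answered from authoritative data and referrals only, and
        // the reply carries no "ra" flag. The thread's ACL of 10.0.0.0/8
        // did not match 127.0.0.1, hence the empty ANSWER sections.
        // "localhost" and "localnets" are BIND built-in ACLs; "our-networks"
        // is defined in acls.conf (included below). Keep this list narrow:
        // "any" here turns the server into an open resolver.
        recursion yes;
        allow-recursion { localhost; localnets; our-networks; };
        // BIND 9.4 and later (assumption, not available on 9.2.5): also
        // limit cache reads to the same clients.
        // allow-query-cache { localhost; localnets; our-networks; };

        // Zone transfers stay limited to the same networks.
        allow-transfer { our-networks; };
        transfer-format many-answers;

        // Global forwarding to the ISP resolvers can stay on, so Internet
        // lookups benefit from their cache. The private awmn tree is
        // excluded from forwarding in its zone statements below.
        forward first;
        forwarders { 194.219.227.2; 193.92.150.3; };
};

include "/var/bind/conf/logging.conf";
include "/var/bind/conf/acls.conf";

zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "pri/localhost.zone"; allow-update { none; }; notify no; };
zone "127.in-addr.arpa" IN { type master; file "pri/127.zone"; allow-update { none; }; notify no; };

zone "gdnet.awmn" IN { type master; file "pri/gdnet.zone"; allow-query { our-networks; }; notify yes; };
zone "24.2.10.in-addr.arpa" IN { type master; file "reverse/24.2.10.zone"; allow-query { our-networks; }; notify yes; };

// An empty forwarders list in a zone statement disables forwarding for the
// zone and for every name delegated from it, so winner.awmn is chased via
// the NS records learned from the slave zone instead of being sent to the
// ISP resolvers, which cannot know a private TLD.
zone "awmn" IN {
        type slave;
        file "sec/awmn.zone";
        masters { 10.19.143.12; };
        forwarders { };
};
zone "10.in-addr.arpa" IN {
        type slave;
        file "sec/10.zone";
        masters { 10.19.143.12; };
        forwarders { };
};
```

Validate with named-checkconf before reloading. After the reload, "dig winner.awmn @127.0.0.1" should show "ra" among the flags and the A record in the ANSWER section, as the direct query to 10.2.12.70 did. "dig +trace" is not a useful test here: it walks the delegation chain itself starting from the root hints and never consults the local server's slave data, so for a private TLD the root servers can only return their SOA, which is exactly what the trace in post #4 shows.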
 