Old 04-10-2013, 07:23 PM   #1
ivoidwarranties
LQ Newbie
 
Registered: Feb 2008
Location: Auburndale, Florida
Distribution: Mepis 11, Debian, Raspian
Posts: 7

Rep: Reputation: 0
Bind DNS behind home gateway won't resolve host names on itself.


I'm trying to build a nameserver to run behind my home router. Things are going pretty well except on the DNS server itself. I can't ping, dig, or traceroute an external domain name like google.com; they all report some variation of no server found or unreachable. Using ping, dig, and traceroute for internal hosts works, but response time is extremely slow even though the stats themselves look reasonable, i.e., each response takes several seconds in real time. The results are the same using both the Linux and Windows host as the argument.

My configuration:
  • Router is a D-Link DIR-865L set to use my home DNS and one of Google's servers as primary and secondary name server, respectively. The router's "Enable DNS Relay" function is turned OFF, which as I understand will keep the router from using the router's gateway IP as a DNS address when using DHCP.
  • The name server is Debian Squeeze, bare bones with no GUI.
  • Using the D-Link's DHCP with reserved addresses for everyone. I think this works out the same as having static addresses.
  • The nameserver is named NS01, IP address 192.168.2.2, Debian, running bind 9.7.3
  • A (linux) DNS client named blahblahblah, IP address 192.168.2.40
  • A (Windows) DNS client named homebrew01, IP address 192.168.2.6
  • The D-Link router has been given an A record name of "router" and has a CNAME of "gateway", IP address 192.168.2.1
  • My internal domain is house.pvt
  • I haven't (knowingly) fooled with iptables and would like to avoid it if at all possible.
The DNS seems to be working otherwise; browsers on other clients resolve addresses correctly and reliably, though it seems to be a little slow (related to this problem?). I intend to post a separate question on the slowness problem with details and examples.

My intent is to have the D-Link router use my DNS as a primary, then failover to the secondary for all requests that are NOT inside my firewall. I've tried to setup NS01 to automatically forward everything that's NOT part of house.pvt to the outside, and hosts inside my firewall will either be found or timeout without bothering to hit an outside DNS (with an empty forwarders clause in the house.pvt zone).

What's going on? Is there some kind of loop going on since I'm trying to run my query on the DNS box itself? Some kind of endless loop that times out? I'm new at this and have torn my hair out over this whole project for several weekends. Once I get this ironed out, I'll clean up the config files and chroot the whole mess.

Details follow:

ping:
Code:
root@ns01:/etc# ping homebrew01
PING homebrew01.house.pvt (192.168.2.6) 56(84) bytes of data.
[about 7 seconds]
64 bytes from homebrew01.local (192.168.2.6): icmp_req=1 ttl=128 time=0.405 ms
[about 10 seconds]
64 bytes from homebrew01.local (192.168.2.6): icmp_req=2 ttl=128 time=0.371 ms
[etc...]
The actual time= times don't look out of line, but why is it taking several seconds for the screen to update between each? My thoughts are that I've disabled caching somehow and/or I'm going through some complicated resolution process accumulating timeout failures.

traceroute:
Code:
root@ns01:/etc# traceroute homebrew01
traceroute to homebrew01 (192.168.2.6), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
[etc...]
More timeouts?

dig is different. Using just a host name (internal or external) I get a "connection timed out; no servers could be reached" answer after about 18 seconds. Using an internalhost.mydomain.myprivatetld argument I get almost immediately:
Code:
root@ns01:/etc# dig homebrew01.house.pvt

; <<>> DiG 9.7.3 <<>> homebrew01.house.pvt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;homebrew01.house.pvt.    IN      A

;; ANSWER SECTION:
homebrew01.house.pvt. 10800 IN    A       192.168.2.6

;; AUTHORITY SECTION:
house.pvt.        10800   IN      NS      ns01.house.pvt.

;; ADDITIONAL SECTION:
ns01.house.pvt.   10800   IN      A       192.168.2.2

;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Apr 10 15:29:06 2013
;; MSG SIZE  rcvd: 95

nslookup:
Code:
root@ns01:/etc# nslookup
> set debug
>
>
> blahblahblah
Server:         192.168.2.2
Address:        192.168.2.2#53

------------
    QUESTIONS:
        blahblahblah.house.pvt, type = A, class = IN
    ANSWERS:
    ->  blahblahblah.house.pvt
        internet address = 192.168.2.40
        ttl = 10800
    AUTHORITY RECORDS:
    ->  house.pvt
        nameserver = ns01.house.pvt.
        ttl = 10800
    ADDITIONAL RECORDS:
    ->  ns01.house.pvt
        internet address = 192.168.2.2
        ttl = 10800
------------
Name:   blahblahblah.house.pvt
Address: 192.168.2.40
>
>
> blahblahblah.house.pvt
Server:         192.168.2.2
Address:        192.168.2.2#53

------------
    QUESTIONS:
        blahblahblah.house.pvt, type = A, class = IN
    ANSWERS:
    ->  blahblahblah.house.pvt
        internet address = 192.168.2.40
        ttl = 10800
    AUTHORITY RECORDS:
    ->  house.pvt
        nameserver = ns01.house.pvt.
        ttl = 10800
    ADDITIONAL RECORDS:
    ->  ns01.house.pvt
        internet address = 192.168.2.2
        ttl = 10800
------------
Name:   blahblahblah.house.pvt
Address: 192.168.2.40
>
>
> google.com
[about 19 seconds]
;; connection timed out; no servers could be reached
>             
> 
> exit

named-checkconf output:
Code:
options {
        directory "/var/cache/bind";
        listen-on-v6 {
                "none";
        };
        auth-nxdomain no;
        allow-query {
                127.0.0.1/32;
                192.168.2.0/24;
        };
        forwarders {
	    208.67.222.222; 	// resolver1.opendns.com
	    208.67.220.220; 	// resolver2.opendns.com
            8.8.8.8; 		// google
	    8.8.4.4;		// google
        };
        forward only;
};
logging {
// stuff...
};

zone "house.pvt" {
        type master;
        file "/etc/bind/db.house.pvt";
        forwarders {};
};
zone "2.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.2.in-addr.arpa";
        notify no;
};
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127.0.0.in-addr.arpa";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

Contents of db.house.pvt
Code:
root@ns01:/etc# cat bind/db.house.pvt
$TTL 3h
house.pvt.           IN SOA  ns01.house.pvt. admin.house.pvt. (
                        2013031801      ; serial
                        10800           ; refresh after
                        3600            ; Retry after
                        604800          ; Expire after
                        3600 )          ; Negative cash
;
; Name servers
;
house.pvt.        IN NS   ns01.house.pvt. 
;
; Record addresses for hosts in this zone
;
blahblahblah.house.pvt.   IN A    192.168.2.40    ; Sandbox
router.house.pvt.         IN A    192.168.2.1     ; Router and gateway              
homebrew01.house.pvt.     IN A    192.168.2.6     ; Main (Leslye's) computer
ns01.house.pvt.           IN A    192.168.2.2     ; Name server
;
; CNAME record addresses (aliases) - Point to an A record name
;
ns1.house.pvt.            IN CNAME        blahblahblah
gateway.house.pvt.        IN CNAME        router
nameserver.house.pvt.     IN CNAME        ns01

Contents of db.192.168.2.in-addr.arpa
Code:
$TTL 38400
2.168.192.in-add.arpa.  IN SOA  ns01.house.pvt. admin.house.pvt. (
                        2013031801      ; Serial
                        10800           ; Refresh after
                        3600            ; Retry after
                        604800          ; Expire after
                        300 )           ; Negative cache TTL
;
; Name Servers
;
2.2.168.192.in-add.arpa. NS     ns01.house.pvt.  ; namesever name
;
; Map addresses to names.  Only A record names allowed, no PTR or CNAME records
;
1.2.168.192.in-addr.arpa.       PTR     router.house.pvt.         ; Router and gateway         
2.2.198.192.in-addr.arpa        PTR     ns01.house.pvt.           ; Name server
6.2.168.192.in-addr.arpa.       PTR     homebrew01.house.pvt.     ; Main (Leslye's) computer
40.2.168.192.in-addr.arpa.      PTR     blahblahblah.house.pvt    ; Sandbox

Contents of /etc/resolv.conf
Code:
root@ns01:/etc# cat resolv.conf
// Append this to suffix-less names e.g. "router" becomes "router.house.pvt"
search house.pvt

// search name servers in this order
nameserver 192.168.2.2
nameserver 8.8.8.8

Contents of /etc/hosts
Code:
root@ns01:/etc# cat hosts
127.0.0.1       localhost
192.168.2.2     ns01.house.pvt    ns01

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

My hosts.allow and hosts.deny are essentially empty, just the standard comments.

Contents of /etc/hosts.conf
Code:
root@ns01:/etc# cat host.conf
## off - return only the first valid address for a host that appears in the /etc/hosts file
## on - return all valid addresses for a host that apears in the /etc/hosts file
multi on

## lookup methods bind, hosts, nis
order bind

Contents of /etc/hostname
Code:
root@ns01:/etc# cat hostname
ns01

Last edited by ivoidwarranties; 04-15-2013 at 11:14 AM. Reason: grammar, spelling, clarify examples
 
Old 04-10-2013, 09:16 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Your zone files look odd. There's a good example at 16.3.3 http://www.linuxtopia.org/online_boo...bind-zone.html with explanations, in fact have a good read of the whole of Chap 16.

HTH
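
An added example, not part of any post in this thread: a small checker for the two zone-file naming rules that apply to the files in post #1, namely that a name without a trailing dot has the zone origin appended, and that an owner name must fall inside the zone it is loaded for. The function names and the heuristic (a relative name containing dots is probably a forgotten trailing dot) are assumptions of this example; the sample is the reverse zone from post #1 with comments dropped and the SOA timers on one line.

```python
TARGET_TYPES = {"NS", "PTR", "CNAME"}      # record types whose rdata is a domain name
ALL_TYPES = TARGET_TYPES | {"SOA", "A"}

# Records from db.192.168.2.in-addr.arpa as posted (comments removed).
SAMPLE_REVERSE_ZONE = """\
$TTL 38400
2.168.192.in-add.arpa.  IN SOA  ns01.house.pvt. admin.house.pvt. (
                        2013031801 10800 3600 604800 300 )
2.2.168.192.in-add.arpa. NS     ns01.house.pvt.
1.2.168.192.in-addr.arpa.       PTR     router.house.pvt.
2.2.198.192.in-addr.arpa        PTR     ns01.house.pvt.
6.2.168.192.in-addr.arpa.       PTR     homebrew01.house.pvt.
40.2.168.192.in-addr.arpa.      PTR     blahblahblah.house.pvt
"""

def expand(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(origin, text):
    """Return (line_number, message) findings for one zone file."""
    origin = origin.rstrip(".").lower() + "."
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        # Skip blanks, $directives and lines with no owner field (continuations).
        if not line or line[0].isspace() or line.startswith("$"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens[1:], 1) if t.upper() in ALL_TYPES), None)
        if idx is None:
            continue
        names = [("owner", tokens[0].lower())]
        if tokens[idx].upper() in TARGET_TYPES and idx + 1 < len(tokens):
            names.append(("target", tokens[idx + 1].lower()))
        for role, name in names:
            full = expand(name, origin)
            if not name.endswith(".") and "." in name:
                findings.append((no, f"{role} {name!r} has no trailing dot, expands to {full}"))
            elif role == "owner" and full != origin and not full.endswith("." + origin):
                findings.append((no, f"owner {full} is outside zone {origin}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_zone("2.168.192.in-addr.arpa", SAMPLE_REVERSE_ZONE):
        print(f"line {no}: {msg}")
```

BIND ships `named-checkzone zonename filename`, which performs the authoritative version of this check against the real files.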
 
Old 04-10-2013, 10:16 PM   #3
ivoidwarranties
LQ Newbie
 
Registered: Feb 2008
Location: Auburndale, Florida
Distribution: Mepis 11, Debian, Raspian
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks chrism01 for the link. I'll check it out.

The zone files and such are pretty much copied straight from O'Reilly's DNS and Bind, and DNS and Bind Cookbook. I know my versions are dumbed down (no shortcuts, abbreviations, etc) but they seem to work for my DNS clients, it's just the DNS box itself that's having problems.

My thinking is that there's an option or switch that's amiss. I'm hoping someone who's experienced this before will chime in.
 
Old 04-11-2013, 12:46 AM   #4
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Rep: Reputation: 174
I see you have forwarding set up in the global section. That means it applies to all zones unless overridden within a zone definition. You are nullifying it with an empty list only in "house.pvt". I think you want it nullified in all zones except for ".".

If it fixes the problem, you might want to just reverse the logic, as it would require less coding. That is, just add the forwarding list to the '.' zone, remove it from the global section, and remove the null list from all of your local zones (i.e., "house.pvt", "2.168.192.in-addr.arpa", "localhost", "0.0.127.in-addr.arpa").

What is the purpose of your last two zones, the "0.in-addr.arpa" and the "255.in-addr.arpa"? I don't have those defined in my configuration, and I've never seen a config example with those defined.


I'm not that well versed in DNS, so please pardon me if I send you on a wild goose chase.
 
Old 04-11-2013, 09:51 AM   #5
ivoidwarranties
LQ Newbie
 
Registered: Feb 2008
Location: Auburndale, Florida
Distribution: Mepis 11, Debian, Raspian
Posts: 7

Original Poster
Rep: Reputation: 0
Z038, don't feel bad, I'm almost certainly less (fewer?) versed than you. Will try your suggestion tonight.

The 0.in-addr.arpa and the 255.in-addr.arpa zones are what apt-get got when I installed bind9. I'm at the DNS kiddie stage now so if it doesn't seem to be causing a problem, I ain't messin' with it.
 
Old 04-13-2013, 10:59 AM   #6
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Rep: Reputation: 174
ivoid, did you ever try adding the null forwarders{} list to your authoritative zones? I was reading here http://docstore.mik.ua/orelly/networ...ns/ch10_05.htm, section 10.5.2 Forward Zones, especially starting at the paragraph where it says "There's another variety of forward zone, in a way the opposite of the kind we just showed you. These allow you to specify which queries don't get forwarded." That section explains what I was talking about.

The example shown there is for a slave zone, but it would apply to a master too, including the reverse address zones.
 
  

