LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 04-10-2013, 08:23 PM   #1
ivoidwarranties
LQ Newbie
 
Registered: Feb 2008
Location: Auburndale, Florida
Distribution: Mepis 11, Debian, Raspian
Posts: 7

Rep: Reputation: 0
Bind DNS behind home gateway won't resolve host names on itself.


I'm trying to build a nameserver to run behind my home router. Things are going pretty well except on the DNS server itself. I can't ping, dig, or traceroute an external domain name like google.com; they all report some variation of no server found or unreachable. Using ping, dig, and tracroute for internal hosts works, but response time is extremely slow even though the stats themselves look reasonable, i.e., each response takes several seconds in real time. The results are the same using both the linux and windows host as the argument.

My configuration:
  • Router is a D-Link DIR-865L set to to use my home DNS and one of Google's servers as primary and secondary name server, respectively. The router's "Enable DNS Relay" function is turned OFF, which as I understand will keep the router from using the router's gateway IP as a DNS address when using DHCP.
  • The name server is Debian Squeeze, bare bones with no GUI.
  • Using the D-Link's DHCP with reserved addresses for everyone. I think this works out the same as having static addresses.
  • The nameserver is named NS01, IP address 192.168.2.2, Debian, running bind 9.7.3
  • A (linux) DNS client named blahblahblah, IP address 192.168.2.40
  • A (Windows) DNS client named homebrew01, IP address 192.168.2.6
  • The D-Link router has been given an A record name of "router" and has a CNAME of "gateway", IP address 192.168.2.1
  • My internal domain is house.pvt
  • I haven't (knowingly) fooled with iptables and would like to avoid it if at all possible.
The DNS seems to be working otherwise; browsers on other clients resolve addresses correctly and reliably, though it seems to be a little slow (related to this problem?). I intend to post a separate question on the slowness problem with details and examples.

My intent is to have the D-Link router use my DNS as a primary, then failover to the secondary for all requests that are NOT inside my firewall. I've tried to setup NS01 to automatically forward everything that's NOT part of house.pvt to the outside, and hosts inside my firewall will either be found or timeout without bothering to hit an outside DNS (with an empty forwarders clause in the house.pvt zone).

What's going on? Is there some kind of loop going on since I'm trying to run my query on the DNS box itself? Some kind of endless loop that times out? I'm new at this and have torn my hair out over this whole project for several weekends. Once I get this ironed out, I'll clean up the config files and chroot the whole mess.

Details follow:

ping:
Code:
root@ns01:/etc# ping homebrew01
PING homebrew01.house.pvt (192.168.2.6) 56(84) bytes of data.
[about 7 seconds]
64 bytes from homebrew01.local (192.168.2.6): icmp_req=1 ttl=128 time=0.405 ms
[about 10 seconds]
64 bytes from homebrew01.local (192.168.2.6): icmp_req=2 ttl=128 time=0.371 ms
[etc...]
The actual time= times don't look out of line, but why is it taking several seconds for the screen to update between each? My thoughts are that I've disabled caching somehow and/or I'm going through some complicated resolution process accumulating timeout failures.

traceroute:
Code:
root@ns01:/etc# traceroute homebrew01
traceroute to homebrew01 (192.168.2.6), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
[etc...]
More timeouts?

dig is different. Using just a host name (internal or external) I get a "connection timed out; no servers could be reached" answer after about 18 seconds. Using an internalhost.mydomain.myprivatetld argument I get almost immediately:
Code:
root@ns01:/etc# dig homebrew01.house.pvt

; <<>> DiG 9.7.3 <<>> homebrew01.house.pvt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;homebrew01.house.pvt.    IN      A

;; ANSWER SECTION:
homebrew01.house.pvt. 10800 IN    A       192.168.2.6

;; AUTHORITY SECTION:
house.pvt.        10800   IN      NS      ns01.house.pvt.

;; ADDITIONAL SECTION:
ns01.house.pvt.   10800   IN      A       192.168.2.2

;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Apr 10 15:29:06 2013
;; MSG SIZE  rcvd: 95
nslookup
Code:
root@ns01:/etc# nslookup
> set debug
>
>
> blahblahblah
Server:         192.168.2.2
Address:        192.168.2.2#53

------------
    QUESTIONS:
        blahblahblah.house.pvt, type = A, class = IN
    ANSWERS:
    ->  blahblahblah.house.pvt
        internet address = 192.168.2.40
        ttl = 10800
    AUTHORITY RECORDS:
    ->  house.pvt
        nameserver = ns01.house.pvt.
        ttl = 10800
    ADDITIONAL RECORDS:
    ->  ns01.house.pvt
        internet address = 192.168.2.2
        ttl = 10800
------------
Name:   blahblahblah.house.pvt
Address: 192.168.2.40
>
>
> blahblahblah.house.pvt
Server:         192.168.2.2
Address:        192.168.2.2#53

------------
    QUESTIONS:
        blahblahblah.house.pvt, type = A, class = IN
    ANSWERS:
    ->  blahblahblah.house.pvt
        internet address = 192.168.2.40
        ttl = 10800
    AUTHORITY RECORDS:
    ->  house.pvt
        nameserver = ns01.house.pvt.
        ttl = 10800
    ADDITIONAL RECORDS:
    ->  ns01.house.pvt
        internet address = 192.168.2.2
        ttl = 10800
------------
Name:   blahblahblah.house.pvt
Address: 192.168.2.40
>
>
> google.com
[about 19 seconds]
;; connection timed out; no servers could be reached
>             
> 
> exit
named-checkconf output:
Code:
options {
        directory "/var/cache/bind";
        listen-on-v6 {
                "none";
        };
        auth-nxdomain no;
        allow-query {
                127.0.0.1/32;
                192.168.2.0/24;
        };
        forwarders {
	    208.67.222.222; 	// resolver1.opendns.com
	    208.67.220.220; 	// resolver2.opendns.com
            8.8.8.8; 		// google
	    8.8.4.4;		// google
        };
        forward only;
};
logging {
// stuff...
};

zone "house.pvt" {
        type master;
        file "/etc/bind/db.house.pvt";
        forwarders {};
};
zone "2.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.2.in-addr.arpa";
        notify no;
};
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127.0.0.in-addr.arpa";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
Contents of db.house.pvt
Code:
root@ns01:/etc# cat bind/db.house.pvt
$TTL 3h
house.pvt.           IN SOA  ns01.house.pvt. admin.house.pvt. (
                        2013031801      ; serial
                        10800           ; refresh after
                        3600            ; Retry after
                        604800          ; Expire after
                        3600 )          ; Negative cash
;
; Name servers
;
house.pvt.        IN NS   ns01.house.pvt. 
;
; Record addresses for hosts in this zone
;
blahblahblah.house.pvt.   IN A    192.168.2.40    ; Sandbox
router.house.pvt.         IN A    192.168.2.1     ; Router and gateway              
homebrew01.house.pvt.     IN A    192.168.2.6     ; Main (Leslye's) computer
ns01.house.pvt.           IN A    192.168.2.2     ; Name server
;
; CNAME record addresses (aliases) - Point to an A record name
;
ns1.house.pvt.            IN CNAME        blahblahblah
gateway.house.pvt.        IN CNAME        router
nameserver.house.pvt.     IN CNAME        ns01
Contents of db.192.168.2.in-addr.arpa
Code:
$TTL 38400
2.168.192.in-add.arpa.  IN SOA  ns01.house.pvt. admin.house.pvt. (
                        2013031801      ; Serial
                        10800           ; Refresh after
                        3600            ; Retry after
                        604800          ; Expire after
                        300 )           ; Negative cache TTL
;
; Name Servers
;
2.2.168.192.in-add.arpa. NS     ns01.house.pvt.  ; namesever name
;
; Map addresses to names.  Only A record names allowed, no PTR or CNAME records
;
1.2.168.192.in-addr.arpa.       PTR     router.house.pvt.         ; Router and gateway         
2.2.198.192.in-addr.arpa        PTR     ns01.house.pvt.           ; Name server
6.2.168.192.in-addr.arpa.       PTR     homebrew01.house.pvt.     ; Main (Leslye's) computer
40.2.168.192.in-addr.arpa.      PTR     blahblahblah.house.pvt    ; Sandbox
Contents of /etc/resolv.conf
Code:
root@ns01:/etc# cat resolv.conf
// Append this to suffix-less names e.g. "router" becomes "router.house.pvt"
search house.pvt

// search name servers in this order
nameserver 192.168.2.2
nameserver 8.8.8.8
Contents of /etc/hosts
Code:
root@ns01:/etc# cat hosts
127.0.0.1       localhost
192.168.2.2     ns01.house.pvt    ns01

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
My hosts.allow and hosts.deny are essentially empty, just the standard comments.

Contents of /etc/hosts.conf
Code:
root@ns01:/etc# cat host.conf
## off - return only the first valid address for a host that appears in the /etc/hosts file
## on - return all valid addresses for a host that apears in the /etc/hosts file
multi on

## lookup methods bind, hosts, nis
order bind
Contents of /etc/ hostname
Code:
root@ns01:/etc# cat hostname
ns01

Last edited by ivoidwarranties; 04-15-2013 at 12:14 PM. Reason: grammar, spelling, clarify examples
 
Old 04-10-2013, 10:16 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
Your zone files look odd. There's a good example at 16.3.3 http://www.linuxtopia.org/online_boo...bind-zone.html with explanations, in fact have a good read of the whole of Chap 16.

HTH
 
Old 04-10-2013, 11:16 PM   #3
ivoidwarranties
LQ Newbie
 
Registered: Feb 2008
Location: Auburndale, Florida
Distribution: Mepis 11, Debian, Raspian
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks chrism01 for the link. I'll check it out.

The zone files and such are pretty much copied straight from O'Reilly's DNS and Bind, and DNS and Bind Cookbook. I know my versions are dumbed down (no shortcuts, abbreviations, etc) but they seem to work for my DNS clients, it's just the DNS box itself that having problems.

My thinking is that there's an option or switch that's amiss. I'm hoping someone who's experienced this before will chime in.
 
Old 04-11-2013, 01:46 AM   #4
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 805

Rep: Reputation: 158Reputation: 158
I see you have forwarding set up in the global section. That means it applies to all zones unless overridden within a zone definition. You are nullifying it with an empty list only in "house.pvt". I think you want it nullified in all zones except for ".".

If it fixes the problem, you might want to just reverse the logic, as it would require less coding. That is, just add the forwarding list to the '.' zone, remove it from the global section, and remove the null list from all of your local zones (i.e., "house.pvt", "2.168.192.in-addr.arpa", "localhost", "0.0.127.in-addr.arpa").

What is the purpose of your last two zones, the "0.in-addr.arpa" and the "255.in-addr.arpa"? I don't have those defined in my configuration, and I've never seen a config example with those defined.


I'm not that well versed in DNS, so please pardon me if I send you on a wild goose chase.
 
Old 04-11-2013, 10:51 AM   #5
ivoidwarranties
LQ Newbie
 
Registered: Feb 2008
Location: Auburndale, Florida
Distribution: Mepis 11, Debian, Raspian
Posts: 7

Original Poster
Rep: Reputation: 0
Z038, don't feel bad, I'm almost certainly less (fewer?) versed than you. Will try your suggestion tonight.

The 0.in-addr.arpa and the 255.in-addr.arpa zones are what apt-get got when I installed bind9. I'm at the DNS kiddie stage now so if it doesn't seem to be causing a problem, I ain't messin' with it.
 
Old 04-13-2013, 11:59 AM   #6
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 805

Rep: Reputation: 158Reputation: 158
ivoid, did you ever try adding the null forwarders{} list to your authoritative zones? I was reading here http://docstore.mik.ua/orelly/networ...ns/ch10_05.htm, section 10.5.2 Forward Zones, especially starting at the paragraph where it says "There's another variety of forward zone, in a way the opposite of the kind we just showed you. These allow you to specify which queries don't get forwarded." That section explains what I was talking about.

The example shown there is for a slave zone, but it would apply to a master too, including the reverse address zones.
 
  


Reply

Tags
bind, dns, server


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS server not able to resolve host names to IP adresses Shiva Pahwa Linux - Server 4 08-07-2012 01:35 PM
DNS server not able to resolve host names to IP adresses Shiva Pahwa Linux - Server 3 06-22-2012 04:53 AM
Bind DNS for Active Directory long names don't resolve humbletech99 Linux - Networking 2 01-18-2007 06:22 AM
Can bind 9 (DNS) resolve names based on who's asking?? (internal vs. external clients registering Linux - Networking 3 06-16-2004 08:25 AM
BIND 9 won't reslove host names jglazner Linux - Networking 4 02-23-2004 07:42 PM


All times are GMT -5. The time now is 11:23 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration