I'm trying to build a nameserver to run behind my home router. Things are going pretty well except on the DNS server itself. I can't ping, dig, or traceroute an external domain name like google.com; they all report some variation of no server found or unreachable. Using ping, dig, and traceroute for internal hosts works, but response time is extremely slow even though the stats themselves look reasonable, i.e., each response takes several seconds in real time. The results are the same using both the Linux and Windows host as the argument.
My configuration:
- Router is a D-Link DIR-865L set to use my home DNS and one of Google's servers as primary and secondary name server, respectively. The router's "Enable DNS Relay" function is turned OFF, which as I understand will keep the router from using the router's gateway IP as a DNS address when using DHCP.
- The name server is Debian Squeeze, bare bones with no GUI.
- Using the D-Link's DHCP with reserved addresses for everyone. I think this works out the same as having static addresses.
- The nameserver is named NS01, IP address 192.168.2.2, Debian, running bind 9.7.3
- A (linux) DNS client named blahblahblah, IP address 192.168.2.40
- A (Windows) DNS client named homebrew01, IP address 192.168.2.6
- The D-Link router has been given an A record name of "router" and has a CNAME of "gateway", IP address 192.168.2.1
- My internal domain is house.pvt
- I haven't (knowingly) fooled with iptables and would like to avoid it if at all possible.
The DNS seems to be working otherwise; browsers on other clients resolve addresses correctly and reliably, though it seems to be a little slow (related to this problem?). I intend to post a separate question on the slowness problem with details and examples.
My intent is to have the D-Link router use my DNS as a primary, then fail over to the secondary for all requests that are NOT inside my firewall. I've tried to set up NS01 to automatically forward everything that's NOT part of house.pvt to the outside, and hosts inside my firewall will either be found or time out without bothering to hit an outside DNS (with an empty forwarders clause in the house.pvt zone).
What's going on? Is there some kind of loop going on since I'm trying to run my query on the DNS box itself? Some kind of endless loop that times out? I'm new at this and have torn my hair out over this whole project for several weekends. Once I get this ironed out, I'll clean up the config files and chroot the whole mess.
Details follow:
ping:
Code:
root@ns01:/etc# ping homebrew01
PING homebrew01.house.pvt (192.168.2.6) 56(84) bytes of data.
[about 7 seconds]
64 bytes from homebrew01.local (192.168.2.6): icmp_req=1 ttl=128 time=0.405 ms
[about 10 seconds]
64 bytes from homebrew01.local (192.168.2.6): icmp_req=2 ttl=128 time=0.371 ms
[etc...]
The actual time= times don't look out of line, but why is it taking several seconds for the screen to update between each? My thoughts are that I've disabled caching somehow and/or I'm going through some complicated resolution process accumulating timeout failures.
traceroute:
Code:
root@ns01:/etc# traceroute homebrew01
traceroute to homebrew01 (192.168.2.6), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
[etc...]
More timeouts?
dig is different. Using just a host name (internal or external) I get a "connection timed out; no servers could be reached" answer after about 18 seconds. Using an internalhost.mydomain.myprivatetld argument I get almost immediately:
Code:
root@ns01:/etc# dig homebrew01.house.pvt
; <<>> DiG 9.7.3 <<>> homebrew01.house.pvt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;homebrew01.house.pvt. IN A
;; ANSWER SECTION:
homebrew01.house.pvt. 10800 IN A 192.168.2.6
;; AUTHORITY SECTION:
house.pvt. 10800 IN NS ns01.house.pvt.
;; ADDITIONAL SECTION:
ns01.house.pvt. 10800 IN A 192.168.2.2
;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Apr 10 15:29:06 2013
;; MSG SIZE rcvd: 95
nslookup
Code:
root@ns01:/etc# nslookup
> set debug
>
>
> blahblahblah
Server: 192.168.2.2
Address: 192.168.2.2#53
------------
QUESTIONS:
blahblahblah.house.pvt, type = A, class = IN
ANSWERS:
-> blahblahblah.house.pvt
internet address = 192.168.2.40
ttl = 10800
AUTHORITY RECORDS:
-> house.pvt
nameserver = ns01.house.pvt.
ttl = 10800
ADDITIONAL RECORDS:
-> ns01.house.pvt
internet address = 192.168.2.2
ttl = 10800
------------
Name: blahblahblah.house.pvt
Address: 192.168.2.40
>
>
> blahblahblah.house.pvt
Server: 192.168.2.2
Address: 192.168.2.2#53
------------
QUESTIONS:
blahblahblah.house.pvt, type = A, class = IN
ANSWERS:
-> blahblahblah.house.pvt
internet address = 192.168.2.40
ttl = 10800
AUTHORITY RECORDS:
-> house.pvt
nameserver = ns01.house.pvt.
ttl = 10800
ADDITIONAL RECORDS:
-> ns01.house.pvt
internet address = 192.168.2.2
ttl = 10800
------------
Name: blahblahblah.house.pvt
Address: 192.168.2.40
>
>
> google.com
[about 19 seconds]
;; connection timed out; no servers could be reached
>
>
> exit
named-checkconf output:
Code:
options {
directory "/var/cache/bind";
listen-on-v6 {
"none";
};
auth-nxdomain no;
allow-query {
127.0.0.1/32;
192.168.2.0/24;
};
forwarders {
208.67.222.222; // resolver1.opendns.com
208.67.220.220; // resolver2.opendns.com
8.8.8.8; // google
8.8.4.4; // google
};
forward only;
};
logging {
// stuff...
};
zone "house.pvt" {
type master;
file "/etc/bind/db.house.pvt";
forwarders {};
};
zone "2.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.2.in-addr.arpa";
notify no;
};
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127.0.0.in-addr.arpa";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
Contents of db.house.pvt
Code:
root@ns01:/etc# cat bind/db.house.pvt
$TTL 3h
house.pvt. IN SOA ns01.house.pvt. admin.house.pvt. (
2013031801 ; serial
10800 ; refresh after
3600 ; Retry after
604800 ; Expire after
3600 ) ; Negative cache
;
; Name servers
;
house.pvt. IN NS ns01.house.pvt.
;
; Record addresses for hosts in this zone
;
blahblahblah.house.pvt. IN A 192.168.2.40 ; Sandbox
router.house.pvt. IN A 192.168.2.1 ; Router and gateway
homebrew01.house.pvt. IN A 192.168.2.6 ; Main (Leslye's) computer
ns01.house.pvt. IN A 192.168.2.2 ; Name server
;
; CNAME record addresses (aliases) - Point to an A record name
;
ns1.house.pvt. IN CNAME blahblahblah
gateway.house.pvt. IN CNAME router
nameserver.house.pvt. IN CNAME ns01
Contents of db.192.168.2.in-addr.arpa
Code:
$TTL 38400
2.168.192.in-add.arpa. IN SOA ns01.house.pvt. admin.house.pvt. (
2013031801 ; Serial
10800 ; Refresh after
3600 ; Retry after
604800 ; Expire after
300 ) ; Negative cache TTL
;
; Name Servers
;
2.2.168.192.in-add.arpa. NS ns01.house.pvt. ; nameserver name
;
; Map addresses to names. Only A record names allowed, no PTR or CNAME records
;
1.2.168.192.in-addr.arpa. PTR router.house.pvt. ; Router and gateway
2.2.198.192.in-addr.arpa PTR ns01.house.pvt. ; Name server
6.2.168.192.in-addr.arpa. PTR homebrew01.house.pvt. ; Main (Leslye's) computer
40.2.168.192.in-addr.arpa. PTR blahblahblah.house.pvt ; Sandbox
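As an added diagnostic (not part of the original post), the following script applies the zone-file naming rules to the two zone files shown above and reports owner names that fall outside the zone apex, plus forward A records whose PTR is missing or points somewhere else. The zone origins are assumed from the zone names in the named.conf output; the record data is a constructed copy of what is posted, spelling included.

```python
# Added example, not from the post: consistency checks over the two zone files above (origins assumed from named.conf; records copied as posted).
FWD_ORIGIN = "house.pvt."
FWD_ZONE = """; constructed copy of db.house.pvt (router and CNAME records omitted)
$TTL 3h
house.pvt. IN SOA ns01.house.pvt. admin.house.pvt. ( 2013031801 10800 3600 604800 3600 )
house.pvt. IN NS ns01.house.pvt.
blahblahblah.house.pvt. IN A 192.168.2.40
homebrew01.house.pvt. IN A 192.168.2.6
ns01.house.pvt. IN A 192.168.2.2
"""
REV_ORIGIN = "2.168.192.in-addr.arpa."
REV_ZONE = """; constructed copy of db.192.168.2.in-addr.arpa, spelling kept as posted
2.168.192.in-add.arpa. IN SOA ns01.house.pvt. admin.house.pvt. ( 2013031801 10800 3600 604800 300 )
2.2.168.192.in-add.arpa. NS ns01.house.pvt.
2.2.198.192.in-addr.arpa PTR ns01.house.pvt.
6.2.168.192.in-addr.arpa. PTR homebrew01.house.pvt.
40.2.168.192.in-addr.arpa. PTR blahblahblah.house.pvt
"""

def absolute(name, origin):
    """Zone-file rule: a name without a trailing dot gets $ORIGIN appended."""
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def records(zone_text, origin):
    """(owner, type, rdata) triples; comments, $-directives, class and TTL fields are dropped."""
    recs = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        rtype, rdata = [f for f in fields[1:] if f != "IN" and not f.isdigit()][:2]
        recs.append((absolute(fields[0], origin), rtype, rdata if rtype == "A" else absolute(rdata, origin)))
    return recs

def out_of_zone(recs, origin):
    """Owner names outside the apex; named refuses to load a zone whose SOA owner is one of these."""
    return [(o, t) for o, t, _ in recs if o != origin and not o.endswith("." + origin)]

def ptr_name(ip):
    """192.168.2.6 -> 6.2.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
def reverse_mismatches(fwd, rev):
    """PTR names the forward A records imply but the reverse zone lacks, or points elsewhere."""
    want = {ptr_name(rd): o for o, t, rd in fwd if t == "A"}
    have = {o: rd for o, t, rd in rev if t == "PTR"}
    return (sorted(n for n in want if n not in have),
            sorted(n for n in want if n in have and have[n] != want[n]))

def audit():
    fwd, rev = records(FWD_ZONE, FWD_ORIGIN), records(REV_ZONE, REV_ORIGIN)
    return out_of_zone(fwd, FWD_ORIGIN) + out_of_zone(rev, REV_ORIGIN), reverse_mismatches(fwd, rev)
```

Run against the posted files it flags the "in-add.arpa" SOA and NS owners, the ns01 PTR (no trailing dot, wrong octet) and the blahblahblah PTR target that gets the reverse origin appended; named-checkzone on the server will report the same apex problem.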
Contents of /etc/resolv.conf
Code:
root@ns01:/etc# cat resolv.conf
# Append this to suffix-less names, e.g. "router" becomes "router.house.pvt"
search house.pvt
# Query name servers in this order
nameserver 192.168.2.2
nameserver 8.8.8.8
Contents of /etc/hosts
Code:
root@ns01:/etc# cat hosts
127.0.0.1 localhost
192.168.2.2 ns01.house.pvt ns01
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
My hosts.allow and hosts.deny are essentially empty, just the standard comments.
Contents of /etc/host.conf
Code:
root@ns01:/etc# cat host.conf
## off - return only the first valid address for a host that appears in the /etc/hosts file
## on - return all valid addresses for a host that appears in the /etc/hosts file
multi on
## lookup methods bind, hosts, nis
order bind
Contents of /etc/hostname
Code:
root@ns01:/etc# cat hostname
ns01