Old 11-21-2014, 05:43 AM   #1
mr_si
Registered: Nov 2006
Distribution: Server: Centos 6.6, Desktop: OpenSUSE 12.3
Centos - Named Problems - Internal DNS server


Hi all, I have Centos 6.6 running as a server for an internal network; the roles it will be playing are DNS, DHCP and Samba file sharing.

I am currently working to set up DNS and testing with my Windows client machine, but when I change the DNS server (instead of the router) on my Windows machine to use the server it doesn't work.

The symptom is that websites cannot be found, but recursion is set to yes.
I've copied the config from my own server at home and edited the subnet information and domain accordingly, but it doesn't seem to want to know.

Named is running in cached mode and the config files on the server are as follows:

/etc/named.conf
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "trusted" {
        127.0.0.1;
        192.168.1.0/24;
        192.168.199.0/24;
        localhost;
        localnets;
};

options {
        listen-on port 53 { 127.0.0.1; 192.168.1.100;};
#       listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { trusted; };
        allow-query-cache { trusted; };
        allow-recursion { trusted; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone    "domain.lan" IN {
        type master;
        file "fwd.domain.lan";
        allow-update { none; };
};
zone    "1.168.192.in-addr.arpa" IN {
        type master;
        file "rev.domain.lan";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

fwd.domain.lan
Code:
$TTL 86400
$ORIGIN domain.lan.

@   IN  SOA     aaserver.domain.lan. root.domain.lan. (
        2014111803  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)


                IN      NS      aaserver.domain.lan.
                IN      A       192.168.1.100
                IN      MX      10 aaserver.domain.lan.


aaserver          IN      A       192.168.1.100
aaserverbackup    IN      A       192.168.1.101

rev.domain.lan
Code:
$TTL 86400
@   IN  SOA     aaserver.domain.lan. root.domain.lan. (
        2014111803  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS      aaserver.domain.lan.

aaserver          IN      A       192.168.1.100
aaserverbackup    IN      A       192.168.1.101

100       IN      PTR     aaserver.domain.lan.
101       IN      PTR     aaserverbackup.domain.lan.

/etc/resolv.conf
Code:
; generated by /sbin/dhclient-script, edited by me.
search domain.lan
nameserver 192.168.1.100
nameserver 192.168.1.1
nameserver 8.8.8.8

/etc/sysconfig/network-scripts/ifcfg-eth2
Code:
DEVICE=eth2
TYPE=Ethernet
UUID=3486d5f5-7c3f-41a3-b454-bf2b2eb48be9
ONBOOT=yes
NM_CONTROLLED=YES
BOOTPROTO=none
HWADDR=00:14:22:77:5C:D9
IPADDR=192.168.1.100
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.100
DNS2=192.168.1.1
DNS3=8.8.8.8
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth2"

I look forward to your response(s) with bated breath

Simon
Old 11-21-2014, 06:32 AM   #2
wpeckham
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Option

I do not know the solution to your BIND problem, but still have a suggestion.
I have set up small office and home server networks using dnsmasq for DHCP and caching DNS without BIND. It worked great, and was much easier to set up and administrate. I recommend you give it a look.
Old 11-21-2014, 06:44 AM   #3
Ser Olmy
Registered: Jan 2012
Distribution: Slackware
I'll take the bait.

You may have recursion enabled, but you haven't specified any forwarders. You do have a hints file, but your ISP may not allow outbound DNS queries to random external servers (and querying the root servers is considered bad form anyway).

Try adding the router as a forwarder in the "options" section of named.conf. You can also try querying an external name server directly with nslookup to see if your ISP is filtering DNS packets. For instance, nslookup -q=A www.linuxquestions.org 8.8.8.8 will query "google-public-dns-a.google.com" (8.8.8.8) for the IPv4 address of "www.linuxquestions.org".
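The forwarder change suggested above, written out as an added example against the options block from post #1 (this is not the poster's actual configuration); it assumes the router at 192.168.1.1 is the intended forwarder, as the resolv.conf and ifcfg-eth2 in the thread imply.

```conf
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.100; };
        directory       "/var/named";
        allow-query     { trusted; };
        allow-recursion { trusted; };
        recursion yes;

        // Send every recursive lookup to the upstream resolver instead of
        // walking down from the root hints. "forward only" means named never
        // falls back to iterative resolution when the forwarder is unreachable;
        // "forward first" would let it do so.
        forwarders { 192.168.1.1; };
        forward only;

        // With dnssec-validation yes, the forwarder must return the DNSSEC
        // records (RRSIG/DNSKEY/DS) in its answers. Many home-router stub
        // resolvers strip them, and then every forwarded answer for a signed
        // zone fails validation (SERVFAIL). In that case forward to a
        // validating resolver such as 8.8.8.8, which the poster's resolv.conf
        // already lists, rather than to the router.
        dnssec-enable yes;
        dnssec-validation yes;
};
```

After editing, named-checkconf /etc/named.conf catches syntax slips before a restart.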
 
Old 11-21-2014, 07:06 AM   #4
mr_si
Registered: Nov 2006
Distribution: Server: Centos 6.6, Desktop: OpenSUSE 12.3
Hi all, thank you for the replies. I should have said that it previously worked when I first set it up.

I have done some further digging and found that within /var/log/messages it was saying the following:

"error (broken trust chain) resolving..."

So I googled that and followed the instructions here:

http://vm89.blogspot.co.uk/2013/12/b...ust-chain.html

All is now working perfectly again.
 
Old 11-21-2014, 08:10 AM   #5
Ser Olmy
Registered: Jan 2012
Distribution: Slackware
In other words, your clock was off to such an extent that DNSSEC validation failed, and syncing the clock against pool.ntp.org solved the problem.

You should probably keep in mind that ntpdate will only adjust the clock this once, so if your clock was off for a reason, it may drift off sync again.

(You're still bothering the root servers, BTW. Using forwarders is highly recommended.)
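As an added illustration (not from the thread) of why a wrong clock turns into a "broken trust chain": a validating resolver accepts an RRSIG only while the current time sits inside the record's inception/expiration window, and the check below reproduces that test on a constructed RRSIG for domain.lan with a dummy key tag and signature.

```python
# Added example (not from the thread): why a skewed clock produces
# "broken trust chain". A validator accepts an RRSIG only if the current
# time lies inside the signature's inception..expiration window
# (RFC 4034 section 3.1.5, compared with RFC 1982 serial arithmetic).
from datetime import datetime, timezone

# Constructed RRSIG in presentation format; the signature field is a dummy blob.
SAMPLE_RRSIG = ("domain.lan. 86400 IN RRSIG SOA 8 2 86400 "
                "20141221000000 20141121000000 12345 domain.lan. ZHVtbXk=")

def to_epoch(stamp):
    """YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format) -> Unix seconds."""
    dt = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def parse_rrsig(text):
    """Pull the validation-relevant fields out of one RRSIG record."""
    f = text.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "expiration": to_epoch(f[i + 5]),
        "inception": to_epoch(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }

def serial_le(a, b):
    """a <= b in 32-bit serial number arithmetic (RFC 1982), so the
    comparison survives the wrap of the 32-bit timestamp fields."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a == b or 0 < (b - a) % 2**32 < 2**31

def check_window(rrsig, now):
    """Classify the signature the way a validator at time `now` would."""
    if not serial_le(rrsig["inception"], now):
        return "bogus: inception in the future (clock behind?)"
    if not serial_le(now, rrsig["expiration"]):
        return "bogus: signature expired (clock ahead, or stale data)"
    return "valid"

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    # A correct clock, a clock one year behind, and a clock months ahead.
    for stamp in ("20141121120000", "20131121120000", "20150301000000"):
        print(stamp, check_window(sig, to_epoch(stamp)))
```

The middle case, a clock a year behind, is the failure mode in this thread; since every signature in the chain carries its own window, a clock outside it marks the whole chain bogus regardless of how correct named.conf is.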
 
  

