LinuxQuestions.org

Linux - Software: Bind9 not working reverse zone (https://www.linuxquestions.org/questions/linux-software-2/bind9-not-working-reverse-zone-4175600466/)

Carinavb 02-23-2017 03:21 PM

Bind9 not working reverse zone
 
Hello everybody, I recently changed my OS to Debian Jessie and I can't make the server work properly.
/etc/resolv.conf
================
nameserver xxx.yyy.zzz.2
nameserver 8.8.8.8
nameserver 8.8.4.4

hosts
======
/hosts
127.0.0.1 localhost
xxx.yyy.zzz.2 ns1.midominio.com ns1

named.conf.local
================
include "/etc/bind/named.conf.log";
//JUJUYTEL
//forward

zone "midominio.com" IN {
type master;
file "/etc/bind/directa/midominio.com1";
allow-query { any; };
};

//reverse
zone "zzz.yyy.xxx.IN-ADDR.ARPA" {
type master;
file "/etc/bind/midominio.com.reversa";
allow-query { any; };
};

//WEBMAIL
//forward

zone "webmail.midominio.com" IN {
type master;
file "/etc/bind/webmail.midominio.com";
allow-query { any; };
};

//MAIL
//forward

zone "mail.midominio.com" IN {
type master;
file "/etc/bind/mail.midominio.com";
allow-query { any; };
};

named.conf.options
==================

options {
directory "/var/cache/bind";
forwarders {
8.8.8.8;
};

version "No version";
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
rate-limit {
responses-per-second 10;

};
};

zone midominio.com
====================
$ORIGIN midominio.com.
$TTL 1W
@ IN SOA ns1.midominio.com. root.ns1.midominio.com. (
2017022005 ; Serial
3600 ; Refresh
300 ; Retry
1209600 ; Expire
3600 ; Minimum
)

IN NS ns1.midominio.com.
IN NS web.midominio.com.
IN NS ns1.arnet.com.ar.
IN NS ns2.arnet.com.ar.
IN MX 0 mail.midominio.com.
;--------------------------------------------------------------
localhost IN A 127.0.0.1

ns1 IN A xxx.yyy.zzz.2
IN HINFO DNS Server

web IN A xxx.yyy.zzz.5
IN HINFO Web Server

mail IN A xxx.yyy.zzz.6
IN HINFO Mail Server


www IN CNAME web.midominio.com.
webmail IN CNAME mail.midominio.com.
proxy IN CNAME ns1.midominio.com.

reverse zone
============
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA ns1.midominio.com. root.midominio.com. (
2017022002 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.midominio.com.
2 IN PTR ns1.midominio.com.
5 IN PTR web.midominio.com.
6 IN PTR mail.midominio.com.


I get this error
============
nslookup
> xxx.yyy.zzz.2
;; Got SERVFAIL reply from xxx.yyy.zzz.2, trying next server
;; Got SERVFAIL reply from 8.8.8.8, trying next server
Server: 8.8.4.4
Address: 8.8.4.4#53

** server can't find 2.zzz.yyy.xxx.in-addr.arpa: SERVFAIL

I hope someone can guide me with this.
Best regards.

bathory 02-24-2017 02:00 AM

Quote:

Hello everybody, I recently changed my OS to Debian Jessie and I can't make the server work properly.
You mean that previously it was working? If that's the case review the steps you've taken to (re)configure bind and/or take a look at named logs.


Quote:

I get this error
============
nslookup
> xxx.yyy.zzz.2
;; Got SERVFAIL reply from xxx.yyy.zzz.2, trying next server
<-snip->
The SERVFAIL could happen for a variety of reasons. You can check the reverse zonefile to see if there is an error:
Code:

named-checkzone zzz.yyy.xxx.IN-ADDR.ARPA /etc/bind/midominio.com.reversa
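The check suggested above, carried through as a script: it derives the reverse zone name and PTR owner name from an address, runs named-checkzone on a forward/reverse pair, and asks the server directly for the PTR without recursion. This is an added example, not part of bathory's reply or the poster's files. It assumes the documentation prefix 192.0.2.0/24 in place of the masked xxx.yyy.zzz.0/24, the zone files are constructed copies of the poster's layout (with the apex A record included), and ptr_name, reverse_zone_24, check_zone and check_ptr are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): validate a BIND forward/reverse zone
# pair on disk, then confirm the running server answers for the PTR.
# Assumptions: 192.0.2.0/24 stands in for the masked xxx.yyy.zzz.0/24; the
# zone files written below are constructed, not the poster's real files.

set -eu

# Owner name of the PTR record for a dotted-quad IPv4 address.
# ptr_name 192.0.2.5  ->  5.2.0.192.in-addr.arpa.
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Name of the /24 reverse zone holding that PTR; this is the string that
# goes in the zone "..." statement of named.conf.local.
# reverse_zone_24 192.0.2.5  ->  2.0.192.in-addr.arpa
reverse_zone_24() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Run named-checkzone if it is installed. The zone name matters: the
# poster's reverse file has no $ORIGIN, so the origin comes from here.
check_zone() {   # check_zone <zone-name> <file>
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping $1" >&2
    fi
}

# Ask the server itself, with recursion off, and require NOERROR plus the
# aa (authoritative answer) flag. SERVFAIL or a missing aa flag means the
# zone did not load; forwarders and 8.8.8.8 never enter the picture.
check_ptr() {   # check_ptr <server-ip> <host-ip>
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    out=$(dig @"$1" +norecurse -x "$2")
    echo "$out" | grep -q 'status: NOERROR' && echo "$out" | grep -q 'flags: qr aa' \
        || { echo "PTR for $2 is not served authoritatively by $1" >&2; return 1; }
    echo "$out" | grep 'PTR'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed forward zone, modelled on the poster's file.
cat > "$work/db.midominio.com" <<'EOF'
$ORIGIN midominio.com.
$TTL 1W
@       IN SOA ns1.midominio.com. root.ns1.midominio.com. (
            2017022005 ; Serial
            3600       ; Refresh
            300        ; Retry
            1209600    ; Expire
            3600 )     ; Minimum
        IN NS  ns1.midominio.com.
        IN MX  0 mail.midominio.com.
        IN A   192.0.2.2
ns1     IN A   192.0.2.2
web     IN A   192.0.2.5
mail    IN A   192.0.2.6
www     IN CNAME web.midominio.com.
EOF

# Constructed reverse zone, same shape as the poster's: no $ORIGIN line.
cat > "$work/db.192.0.2" <<'EOF'
$TTL 604800
@       IN SOA ns1.midominio.com. root.midominio.com. (
            2017022002 604800 86400 2419200 604800 )
        IN NS  ns1.midominio.com.
2       IN PTR ns1.midominio.com.
5       IN PTR web.midominio.com.
6       IN PTR mail.midominio.com.
EOF

check_zone midominio.com "$work/db.midominio.com"
check_zone "$(reverse_zone_24 192.0.2.2)" "$work/db.192.0.2"
# On the real server, after the files check out:
#   check_ptr 192.0.2.2 192.0.2.5
```

On a live box, run named-checkconf /etc/bind/named.conf first (it reads the included named.conf.local and named.conf.options), then the two named-checkzone calls, then check_ptr against the server's own address; only when all three pass is it worth looking at what the resolvers in /etc/resolv.conf return.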

Carinavb 02-24-2017 06:28 AM

Bathory, thanks for your reply, I found the error.
I had comments in my named.conf.local; I deleted those lines and it worked again.
Thanks a lot.
I have another issue: in my named.conf.options I changed recursion to no, but now I get status REFUSED.
I have another question.
I have a different domain that I need to delegate; how can I do that?
Thanks

Best Regards

bathory 02-24-2017 07:06 AM

Quote:

I have another issue, in my named.conf.option change recursion to NO, but now I get Status REFUSED.
This is not because of "recursion no", but rather because you have an "allow-query..." or similar option where you didn't add the host that gets the "REFUSED" error.


Quote:

I have a different domain that I need to delegate, how I can do that?
I'm not sure I understand what you're saying.
If you want to add a new domain (zone) for your DNS server to be authoritative for, just add the zone definition in named.conf and create the zonefile for the zone in question.
If that's not what you're trying to do, please elaborate.

Regards

Carinavb 02-24-2017 07:16 AM

My named.conf.option is...

directory "/var/cache/bind";
forwarders {
8.8.8.8;
};

//recursion no;
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
rate-limit {
responses-per-second 10;
};

bathory 02-24-2017 07:55 AM

Quote:

Originally Posted by Carinavb (Post 5675402)
My named.conf.option is...

directory "/var/cache/bind";
forwarders {
8.8.8.8;
};

//recursion no;
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
rate-limit {
responses-per-second 10;
};

Maybe you have another "allow-query" statement in a different config file that does not have the "any" keyword, resulting in the REFUSED error. Could you please post the output of the following command (masking sensitive data)?
Code:

dig midominio.com @ns1.midominio.com
BTW, you don't need forwarders as you're running an authoritative nameserver.

Carinavb 03-01-2017 01:27 PM

Bathory, here is what you asked for...

dig midominio.com @ns1.midominio.com

; <<>> DiG 9.9.5-9+deb8u9-Debian <<>> midominio.com @ns1.midominio.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43297
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;midominio.com. IN A

;; AUTHORITY SECTION:
midominio.com. 3600 IN SOA ns1.midominio.com. root.ns1.midominio.com. 2017024005 3600 300 1209600 3600

;; Query time: 0 msec
;; SERVER: xxx.yyy.zzz.2#53(xxx.yyy.zzz.2)
;; WHEN: Wed Mar 01 16:24:17 ART 2017
;; MSG SIZE rcvd: 92


With nslookup I get this...
root@ns1:/etc/bind# nslookup midominio.com
Server: xxx.yyy.zzz.2
Address: xxx.yyy.zzz.2#53


*** Can't find midominio.com: No answer


root@ns1:/etc/bind# nslookup www.midominio.com
Server: xxx.yyy.zzz.2
Address: xxx.yyy.zzz.2#53


www.midominio.com canonical name = midominio.com.

I still have something wrong.

I changed my named.conf.options file, commenting out forwarders and uncommenting recursion, like this...

options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 8.8.8.8;
// };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
//dnssec-validation no;
recursion no;
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
//listen-on-v6 { any; };
rate-limit {
responses-per-second 10;
// log-only yes; // comment out
};
};

But I get this error.... REFUSED

01-Mar-2017 16:35:39.662 query-errors: info: client aaa.bbb.ccc.123#17529 (clients4.google.com): rate limit drop REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:39.704 query-errors: info: client aaa.bbb.ccc.90#61512 (emupdate.avcdn.net): rate limit slip REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:39.837 query-errors: info: client aaa.bbb.ccc.130#14852 (www.facebook.com): rate limit drop REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:39.906 query-errors: info: client aaa.bbb.ccc.16#24348 (graph2.facebook.com): rate limit slip REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:39.982 rate-limit: info: limit REFUSED error responses to 192.168.20.0/24
01-Mar-2017 16:35:39.982 query-errors: info: client 192.168.20.151#23499 (apis.google.com): rate limit slip REFUSED error response to 192.168.20.0/24
01-Mar-2017 16:35:40.160 query-errors: info: client aaa.bbb.ccc.130#14852 (www.google.com.ar): rate limit drop REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:40.233 query-errors: info: client aaa.bbb.ccc.179#26182 (connectivitycheck.android.com): rate limit slip REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:40.238 query-errors: info: client aaa.bbb.ccc.179#26184 (connectivitycheck.android.com): rate limit drop REFUSED error response to aaa.bbb.ccc.0/24
01-Mar-2017 16:35:40.307 query-errors: info: client aaa.bbb.ccc.211#15764 (a.root-servers.net): rate limit slip REFUSED error response to aaa.bbb.ccc.0/24

bathory 03-02-2017 02:16 AM

Quote:

dig midominio.com @ns1.midominio.com

; <<>> DiG 9.9.5-9+deb8u9-Debian <<>> midominio.com @ns1.midominio.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43297
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
<-snip->
This is because you don't have an RR for midominio.com. Add in the zonefile
Code:

midominio.com. IN A xxx.yyy.zzz.2
Increase the serial, reload the zone and test.


Quote:

But I get this error.... REFUSED
You need to allow recursion for your clients (hosts, networks).
So in named.conf use:
Code:

//recursion no;
allow-recursion { xxx.yyy.zzz.2; aaa.bbb.ccc.0/24; };
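The REFUSED fix above, with the caveat that matters for an Internet-facing nameserver: in BIND 9.9, when allow-recursion is not set it falls back to allow-query, so the thread's original allow-query { any; } with BIND's default recursion yes made the server an open resolver (the "ra" flag in the earlier dig output and the query-errors lines for google.com and facebook.com from a public /24 are that resolver being used). Restricting recursion to an ACL, as bathory suggests, is the right fix; allow-recursion { any; } would reopen it. The script below, which is an added example and not part of the thread, writes the weak options beside a hardened version, syntax-checks them, and tallies which networks are being refused so the admin can decide which of them are real clients. It assumes 192.0.2.2 in place of the masked xxx.yyy.zzz.2, 198.51.100.0/24 in place of aaa.bbb.ccc.0/24, constructed log lines in the poster's log format, and names (check_conf, recursion_refused, refused_clients_by_net, the "trusted" ACL) chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: restrict recursion to an ACL and
# triage the REFUSED query-errors lines by network.
# Assumptions: 192.0.2.2 stands in for the server's masked address and
# 198.51.100.0/24 for the masked client network; the log lines below are
# constructed in the format of the poster's log, not copied from it.

set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# What the thread started with (abridged). No recursion ACL is set, and in
# BIND 9.9 allow-recursion then falls back to allow-query, so this server
# answered recursive queries from anyone: an open resolver.
cat > "$work/options.weak" <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; };
    allow-query { any; };
};
EOF

# Hardened version: zones stay public, recursion and cache only for "trusted".
cat > "$work/options.hardened" <<'EOF'
acl "trusted" {
    127.0.0.1;
    192.0.2.2;          # ns1 itself
    198.51.100.0/24;    # client network seen in the log
    192.168.20.0/24;    # LAN seen in the log
};

options {
    directory "/var/cache/bind";
    version "No version";
    auth-nxdomain no;
    allow-query { any; };            # authoritative data is public
    recursion yes;
    allow-recursion { trusted; };    # never "any" on an Internet-facing server
    allow-query-cache { trusted; };
    rate-limit { responses-per-second 10; };
};
EOF

# Syntax-check a config fragment with named-checkconf when it is installed.
check_conf() {   # check_conf <file>
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping $1" >&2
    fi
}

# Live check from a host outside the ACL: a recursive query for a name the
# server is not authoritative for must be REFUSED (example.com is not ours).
recursion_refused() {   # recursion_refused <server-ip>
    dig @"$1" +recurse www.example.com A | grep -q 'status: REFUSED'
}

# Count distinct client addresses per network in query-errors lines that
# report a REFUSED response: real clients go into the ACL, outside noise
# stays refused. Field 6 is "address#port", the last field is the network.
refused_clients_by_net() {   # log lines on stdin -> "network count" per line
    awk '/REFUSED error response to/ {
            split($6, c, "#")
            key = $NF SUBSEP c[1]
            if (!(key in seen)) { seen[key] = 1; n[$NF]++ }
         }
         END { for (net in n) printf "%s %d\n", net, n[net] }' | sort
}

# Constructed sample in the poster's log format.
SAMPLE_LOG=$(cat <<'EOF'
01-Mar-2017 16:35:39.662 query-errors: info: client 198.51.100.123#17529 (clients4.google.com): rate limit drop REFUSED error response to 198.51.100.0/24
01-Mar-2017 16:35:39.704 query-errors: info: client 198.51.100.90#61512 (emupdate.avcdn.net): rate limit slip REFUSED error response to 198.51.100.0/24
01-Mar-2017 16:35:39.837 query-errors: info: client 198.51.100.130#14852 (www.facebook.com): rate limit drop REFUSED error response to 198.51.100.0/24
01-Mar-2017 16:35:39.982 rate-limit: info: limit REFUSED error responses to 192.168.20.0/24
01-Mar-2017 16:35:39.982 query-errors: info: client 192.168.20.151#23499 (apis.google.com): rate limit slip REFUSED error response to 192.168.20.0/24
01-Mar-2017 16:35:40.160 query-errors: info: client 198.51.100.130#14852 (www.google.com.ar): rate limit drop REFUSED error response to 198.51.100.0/24
EOF
)

check_conf "$work/options.weak"
check_conf "$work/options.hardened"
printf '%s\n' "$SAMPLE_LOG" | refused_clients_by_net
# On the real server, from a host outside "trusted":
#   recursion_refused 192.0.2.2 && echo "recursion closed to outsiders"
```

The rate-limit lines in the poster's log are RRL doing its job on the REFUSED flood; they go away once the legitimate networks are in the ACL, while anything still being refused after that is traffic the server should not be serving anyway.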


