[SOLVED] nameserver (bind) resolution by hint and forwarding

hoomanv · 07-28-2013, 01:12 PM

Hello

I have the following rules in named.conf that is basically for resolving all external domain names.

Code:

recursion yes;

zone "." {
   type hint;
   file "named.ca";
};

There is an internal active directory server that controls the "lab.local" domain. What I want is to enable named resolve .local requests via the active directory server and resolve anything else recursively via the root servers.

I tried adding another zone to forward .local requests but it does not work. I think I can only have master zones go along with the hint zone.

Code:

zone "lab.local." {
   type forward;
   forwarders { 192.168.0.250; };
};

Ser Olmy · 07-28-2013, 01:37 PM

Try adding forward only; below the type forward; directive.

And remember to restart bind.

hoomanv · 07-28-2013, 01:51 PM

Quote:

Originally Posted by Ser Olmy

Try adding forward only; below the type forward; directive.

And remember to restart bind.

I have already tried that, no success

Doing an nslookup for lab.local gives NXDOMAIN and for sub.lab.local gives SERVFAIL

Ser Olmy · 07-28-2013, 02:06 PM

I have the following definition in my /etc/named.conf:

Code:

zone "company.local" IN {
        type forward;
        forward only;
        forwarders { 192.168.100.21; };
};

192.168.100.21 is a Windows DC at the other end of a VPN connection. I'm running bind 9.9.2, and this definitely works.

Have you checked that the remote server actually accepts DNS queries from your server? And that there isn't some silly typo hiding somewhere in /etc/named.conf?

Edit: You have a trailing dot after the domain name. Try removing it.

hoomanv · 07-28-2013, 02:22 PM

I've attached my latest named.conf

both windows DCs are up and responsive

Still not working

Ser Olmy · 07-28-2013, 02:54 PM

Apart from the view definition, it looks pretty similar to my own (working) configuration.

Does running nslookup -q=soa lan.local 192.168.0.250 on the DNS server return the proper SOA record?

Have you tried running named in the foreground with logging to stderr to see what's really going on? Debug level 3 should be sufficient (named -d 3 -g -c /etc/named.conf).

hoomanv · 07-28-2013, 03:26 PM

Quote:

Originally Posted by Ser Olmy

Does running nslookup -q=soa lab.local 192.168.0.250 on the DNS server return the proper SOA record?

yes

Quote:

Originally Posted by Ser Olmy

Have you tried running named in the foreground with logging to stderr to see what's really going on? Debug level 3 should be sufficient (named -d 3 -g -c /etc/named.conf).

I just did, here's the log file

hoomanv · 07-28-2013, 03:52 PM

Disabling dnssec will fix the problem. now I have to find a way to enable dnssec on windows DC since I don't want to leave this option off

Ser Olmy · 07-28-2013, 04:06 PM

Your zone setting is valid, and a recursive query is being sent to the right server:

Code:

29-Jul-2013 00:49:33.662 error (insecurity proof failed) resolving 'lab.local/A/IN': 192.168.0.251#53

This is DNSSEC related. The issue is described in this bug report.

My server isn't configured to use DNSSEC validation, which is why it works.

Edit: A bit slow today, you beat me to it.