[SOLVED] Random name resolution failures when using root servers directly in bind

Red Squirrel · 08-20-2016, 01:21 AM

I have my own local DNS server to resolve local domains like servers etc, and also have it setup to use root servers so I can resolve outside hosts.

Problem is, it randomly fails, it goes into this weird mode where half the internet I can't get to. Names just fail to resolve. It eventually starts working again.

I figured maybe I need to update my named.ca file, so I did by downloading the one from internic. It only made the problem worse. Some sites would not resolve AT ALL including this one. I ended up having to add the google dns servers back as forwarders just to be able to get here.

Is there a way to make it work more reliably by using root DNS? I don't like the idea of using a single forwarder as it's kind of a privacy issue, especially google, I'm sure they record all of that and sell the info to advertisers etc.

Heck, is there a way to just sync the entire domain database locally occasionally so that all name resolution is local? Bet that would speed up internet by A LOT. I'm on fibre, I find 90% of the time waiting for a page to load is DNS, as the actual data download speed is fast. If I could just store everything locally it would make things way faster. I don't imagine it would be that big, a couple hundred gigs maybe? Is this doable?

smallpond · 08-20-2016, 06:11 PM

Most likely there is something wrong with your setup. Post the contents of named.conf (x-ing out keys and your static IP, of course). Also any details of your network that might be helpful.

Red Squirrel · 08-20-2016, 10:25 PM

Here it is, it's mostly vanilla, may have done a few changes as seen in tutorials etc... at some point.

Code:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { 127.0.0.1; 10.1.1.5; };
	#listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; any; };
	recursion yes;

	dnssec-enable no;
	dnssec-validation no;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";


forwarders {
8.8.8.8;
8.8.4.4;
};


};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


zone "." IN {
	type hint;
	file "named.ca";
};




include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/named/zones.conf";

smallpond · 08-21-2016, 11:05 AM

The only thing I see that's wrong is that you turned off dnssec. Maybe check to see if you are getting cache-poisoning attacks.

Red Squirrel · 08-22-2016, 03:45 AM

While troubleshooting I had read to try turning that off, but given it did not solve the issue I can probably just turn it back on.

The server does not face the internet so I don't believe it is compromised.

Red Squirrel · 11-09-2016, 09:43 PM

This seems to have solved itself over time, I think updating my named.ca file may have done the trick but I tried so much other stuff in the process too it may not be that. I also setup a secondary name server just to have a backup, that may possibly be helping too as if it fails on one it might automatically try the other, so it would sorta be like when I would hit refresh, but it's faster and more seamless. Just guessing though.