Score:0

Support with configuring bind9 DNS server for a private network


I have a number of servers on my home network (192.168.0.0/24) and would like to setup bind9 as a DNS server, so I can more easily resolve IP addresses of these machines by name.

I installed and configured bind9 on Ubuntu 20.04 in the following way -- following this tutorial pretty closely.

2 zones: epicsystems.local.com - /etc/bind/zones/db.epicsystems.local.com

$TTL    604800
@   IN  SOA ns1.epicsystems.local.com. admin.epicsystems.local.com. (
                  3     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
; name servers - NS records
    IN  NS  ns1.epicsystems.local.com.

; name servers - A records
ns1.epicsystems.local.com.  IN  A   192.168.0.69


; 192.168.0.0/16 - A records
host2.epicsystems.local.com.    IN  A    192.168.0.67
host1.epicsystems.local.com         IN  A    192.168.0.66

db.192.168 -- reverse lookup zone

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@   IN  SOA ns1.epicsystems.local.com. admin.epicsystems.local.com. (
                  3     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;

;name servers - NS records
    IN  NS  ns1.epicsystems.local.com.

;PTR records
69.0    IN  PTR ns1.epicsystems.local.com.          ;192.168.0.69
66.0    IN  PTR host1.epicsystems.local.com.            ;192.168.0.66
67.0    IN  PTR host2.epicsystems.local.com.        ;192.168.0.67

My named.conf.local in /etc/bind/named.conf.local has:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "epicsystems.local.com"{
    type master;
    file "/etc/bind/zones/db.epicsystems.local.com"; #zone file path
};

zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168"; #192.168.0.0/16 subnet
};

I checked the syntax of the conf and the zones - and syntactically it is valid - but it is not working.

I assign my local Mac the DNS server 192.168.0.69 -- and try an nslookup for ubuntu.com -- this works - so the bind9 works to that extent.

If I then try an nslookup for host1, or host2 - it fails. The misc log for the bind9 shows the zones being set up:

09-Aug-2021 21:23:34.627 zoneload: info: managed-keys-zone: loaded serial 11
09-Aug-2021 21:23:34.627 zoneload: info: zone 0.in-addr.arpa/IN: loaded serial 1
09-Aug-2021 21:23:34.631 zoneload: info: zone 255.in-addr.arpa/IN: loaded serial 1
09-Aug-2021 21:23:34.635 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 1
09-Aug-2021 21:23:34.635 zoneload: info: zone 168.192.in-addr.arpa/IN: loaded serial 3
09-Aug-2021 21:23:34.639 zoneload: info: zone localhost/IN: loaded serial 2
09-Aug-2021 21:23:34.639 zoneload: info: zone epicsystems.local.com/IN: loaded serial 3
09-Aug-2021 21:23:34.639 general: notice: all zones loaded
09-Aug-2021 21:23:34.639 general: notice: running
09-Aug-2021 21:23:34.743 dnssec: info: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
09-Aug-2021 21:23:34.811 resolver: info: resolver priming query complete
09-Aug-2021 21:23:42.131 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.143 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.163 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.231 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.247 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.335 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.347 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.415 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.603 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.623 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.707 dnssec: info: validating com/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.715 dnssec: info: validating com/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:20.508 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:20.528 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.244 dnssec: info:   validating cloud/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.260 dnssec: info:   validating cloud/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.324 dnssec: info: validating cloud/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.340 dnssec: info: validating cloud/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:36.973 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:36.989 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:37.005 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:37.093 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:29:26.277 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:29:26.577 dnssec: info: validating net/DNSKEY: got insecure response; parent indicates it should be secure

The query.log shows the lookup for host1 arrives - but doesn't resolve anything:

09-Aug-2021 21:25:15.148 client @0x7f1cc0005910 192.168.0.13#49292 (host1.epicsystems.local.com): query: host1.epicsystems.local.com IN A + (192.168.0.69)
09-Aug-2021 21:25:36.941 client @0x7f1cbc00a550 192.168.0.13#58522 (host1): query: host1 IN A + (192.168.0.69)

Can anyone see what I have done wrong here? It is my first time trying to set a DNS server up so it is most likely I made a mistake somewhere!

Patrick Mevzek
Do not use bogus/random domain names to set up your private network, like `local.com`. The best advice is to register whatever domain name you want, through the appropriate registrar and registry, and then use a subzone out of it like `internal.example.com` or something like that and name your hosts in it. Also you are not really showing how you test things. 1) Prefer `dig` over `nslookup` 2) Always use the `@` option when debugging to specify unambiguously which nameserver you want to query and 3) when that works, see what you have in `resolv.conf`, `host.conf` and `nsswitch.conf`
Patrick Mevzek
Also make sure to configure your nameserver to be either authoritative or recursive, not both at the same time which seems to be the case from your logfile.
DarkMoon
I used the Ubuntu server docs to configure my BIND server: https://ubuntu.com/server/docs/service-domain-name-service-dns. It seems to show an "@" at the beginning of the IN NS lines for your db files? And I presume you have forwarders listed in named.conf.options?
Hi @PatrickMevzek thanks for the advice. I am not clear on the difference between authoritative and recursive. Given that my aim is to add this DNS as an entry to most of my network's machines - so they can more easily identify one another, and the other DNS servers (ISP) will handle general lookups for domains etc - which should I pick and why?
Score:1
Bob
host1.epicsystems.local.com         IN  A    192.168.0.66

This record is missing a trailing dot. That means that a BIND DNS server does not treat it as the fully qualified domain name you wanted to use, but rather as shorthand.

Bind will append the $ORIGIN (the zone name) to shorthand records, making that the A record for host1.epicsystems.local.com.epicsystems.local.com. which is probably not what you intended.
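To see what Bob's point looks like in practice, here is an added Python example (not part of the answer, and not BIND's own parser) that applies BIND's owner-name rule to a constructed excerpt of the question's forward zone and flags any owner where the origin was appended twice, the symptom of a missing trailing dot.

```python
import re

# Constructed excerpt of the forward zone from the question (SOA collapsed onto one line).
ZONE_TEXT = """\
$TTL 604800
@   IN  SOA ns1.epicsystems.local.com. admin.epicsystems.local.com. ( 3 604800 86400 2419200 604800 )
    IN  NS  ns1.epicsystems.local.com.
ns1.epicsystems.local.com.  IN  A   192.168.0.69
host2.epicsystems.local.com.    IN  A    192.168.0.67
host1.epicsystems.local.com         IN  A    192.168.0.66
"""

# owner (may be empty), optional TTL, class IN, a few record types, first rdata token
RECORD_RE = re.compile(r"^(\S*)\s+(?:\d+\s+)?IN\s+(A|NS|PTR|CNAME|SOA)\s+(\S+)")


def qualify(name: str, origin: str) -> str:
    """BIND's owner-name rule: '@' is the origin, a trailing dot means absolute,
    anything else is shorthand and gets '.' + origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def expand_zone(text: str, origin: str):
    """Return (owner, type, rdata) triples with every owner name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner = [], origin
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()      # drop ; comments
        if not line or line.startswith("$"):    # skip blanks and $TTL/$ORIGIN directives
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                            # e.g. SOA continuation lines
        raw_owner, rtype, rdata = m.groups()
        # an empty owner (line starts with whitespace) reuses the previous owner
        last_owner = qualify(raw_owner, origin) if raw_owner else last_owner
        records.append((last_owner, rtype, rdata))
    return records


def suspicious_owners(records, origin):
    """Lint: owners that end in the origin twice, which is what a missing dot produces."""
    origin = origin if origin.endswith(".") else origin + "."
    doubled = "." + origin[:-1] + "." + origin
    return [owner for owner, _, _ in records if owner.endswith(doubled)]
```

Running `suspicious_owners(expand_zone(ZONE_TEXT, "epicsystems.local.com"), "epicsystems.local.com")` returns only the host1 owner, expanded to `host1.epicsystems.local.com.epicsystems.local.com.`; the same lint can be run over the reverse zone, where the `69.0` style owners are intentionally relative and expand correctly.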
