The question I have is the same as this one, but the accepted answer and the comments did not help me solve my issue.
I'll put here the whole setup that I have.
BIND9 version - BIND 9.11.5-P4-5.1+deb10u6-Debian (Extended Support Version),
OS - Debian Buster (10.11)
named.conf:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
//forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
//hide version number from clients for security reasons.
version "not currently available";
};
named.conf.local:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
named.conf.default-zones:
// prime the server with knowledge of the root servers
zone "." {
type hint;
//Default
//file "/usr/share/dns/root.hints";
file "/etc/bind/db.fake.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
db.fake.root:
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA ns. root.unimar.io. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS ns
ns IN A 127.0.0.1
$ORIGIN unimar.io.
uniapp IN A 10.120.0.12
When I restart the service it runs, but I get these warning messages in the logs:
Nov 25 11:03:11 unimarDNS named[1145]: zone 255.in-addr.arpa/IN: loaded serial 1
Nov 25 11:03:11 unimarDNS named[1145]: zone 127.in-addr.arpa/IN: loaded serial 1
Nov 25 11:03:11 unimarDNS named[1145]: zone localhost/IN: loaded serial 2
Nov 25 11:03:11 unimarDNS named[1145]: all zones loaded
Nov 25 11:03:11 unimarDNS systemd[1]: Started BIND Domain Name Server.
Nov 25 11:03:11 unimarDNS named[1145]: running
Nov 25 11:03:11 unimarDNS named[1145]: lame server resolving '.' (in '.'?): 127.0.0.1#53
Nov 25 11:03:11 unimarDNS named[1145]: lame server resolving '.' (in '.'?): 127.0.0.1#53
Nov 25 11:03:11 unimarDNS named[1145]: managed-keys-zone: Unable to fetch DNSKEY set '.': failure
Nov 25 11:03:11 unimarDNS named[1145]: resolver priming query complete
And when I try to dig the host I get this:
root@unimarDNS:/etc/bind# dig uniapp.unimar.io
; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> uniapp.unimar.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39791
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8da51eb1b4443aeda9f03e38619f5190efb0dc3cd3c88f68 (good)
;; QUESTION SECTION:
;uniapp.unimar.io. IN A
;; Query time: 1 msec
;; SERVER: 10.120.0.13#53(10.120.0.13)
;; WHEN: Thu Nov 25 11:04:16 EET 2021
;; MSG SIZE rcvd: 73
And in the logs I got this:
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '0.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '0.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '1.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '1.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '2.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '2.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '3.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Nov 25 11:04:16 unimarDNS named[1145]: lame server resolving '3.debian.pool.ntp.org' (in '.'?): 127.0.0.1#53
Please, can anyone tell me what I am doing wrong?
EDIT
I did as @Nikita Kipriyanov suggested in the comments below.
The solution in that question does not work because BIND expects the root zone to be signed. I don't get why you are trying to redefine the root servers instead of just making an authorized server for the needed zone. This is a greatly unnecessary complication. If the system is disconnected from the internet, the internet lookups will fail anyway.
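For comparison, this is the authoritative-zone approach the comment points at, written as an added example rather than a file from the question or its comments: instead of pretending to be the root (a hint zone may only carry NS records and their glue, so the SOA and $ORIGIN lines in db.fake.root are rejected, and the NS glue of 127.0.0.1 makes every referral lame), the server declares unimar.io as its own master zone. It assumes the nameserver is this host at 10.120.0.13 (the SERVER address in the dig output) and that uniapp keeps 10.120.0.12.

```zone
; /etc/bind/db.unimar.io  (added example; assumed file name, not the original post's file)
; Authoritative data for unimar.io, replacing the "fake root" approach.
; Assumptions: ns.unimar.io is this server at 10.120.0.13; uniapp stays at 10.120.0.12.
$TTL    86400
$ORIGIN unimar.io.
@       IN  SOA ns.unimar.io. root.unimar.io. (
                2021112501 ; Serial (YYYYMMDDnn, increase on every change)
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                86400 )    ; Negative Cache TTL
; The NS record and its glue must point at an address clients can reach,
; not 127.0.0.1, otherwise the delegation is lame for everyone but the server itself.
@       IN  NS  ns.unimar.io.
ns      IN  A   10.120.0.13
uniapp  IN  A   10.120.0.12
```

Load it with `zone "unimar.io" { type master; file "/etc/bind/db.unimar.io"; };` in named.conf.local, put `file "/usr/share/dns/root.hints";` back in the "." hint zone, and run `named-checkzone unimar.io /etc/bind/db.unimar.io` before restarting. Answers for the local zone are authoritative and need no recursion or root DNSKEY, so `dnssec-validation auto` can stay as it is.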