Score:0

Bind service doesn't reply with local domain

TRW

My setup is the following:

ServerA (VPN server with 10.200.0.1) has a Bind9 service running on the VPN IP range.

// ServerA: authoritative for domain.tld (see named.conf.local below),
// everything else is forwarded to 8.8.8.8
options {
  directory "/var/cache/bind";

  forwarders {
    8.8.8.8;
  };

  dnssec-validation auto;   // validate using the built-in root trust anchor
  auth-nxdomain no;

  listen-on {
    10.200.0.1;             // VPN address only
  };

  allow-query { any; };
};

controls {};                // no rndc control channel

The local zones are defined as follows:

# named.conf.local 
zone "domain.tld" {
  type master;
  file "/etc/bind/db.domain.tld";
};

and zone db.domain.tld is like:

$TTL  6800
@ IN  SOA servera.domain.tld. root.domain.tld. (
           13   ; Serial
          600   ; Refresh
        86400   ; Retry
       604800   ; Expire
       604800 ) ; Negative Cache TTL
;
; name servers - NS records
     IN      NS      servera.domain.tld.

; 10.200.0.0/24 - domain.tld
servera.domain.tld.    IN      A      10.200.0.1
root.domain.tld.       IN      A      10.200.0.1
x.domain.tld.          IN      A      10.200.0.2

It contains some local domains (domain.tld). When I use nslookup on my notebook (which is connected to the VPN), it works as expected.

# nslookup
> server 10.200.0.1
Default server: 10.200.0.1
Address: 10.200.0.1#53
> x.domain.tld
Server:     10.200.0.1
Address:    10.200.0.1#53

Name:   x.domain.tld
Address: 10.200.0.2

When I create a second BIND service on my local side (192.168.1.1), which is connected via VPN to ServerA, and only define this in /etc/bind/named.conf.options:

// ServerB: no zones of its own, forwards everything to ServerA
options {
  directory "/var/cache/bind";

  forwarders {
    10.200.0.1;             // ServerA over the VPN
  };

  dnssec-validation auto;   // validate using the built-in root trust anchor
  auth-nxdomain no;

  listen-on {
    192.168.1.1;            // LAN address only
  };

  allow-query { any; };
};

controls {};                // no rndc control channel

and try to use this service just as a forwarding DNS to the external DNS, I don't get answers for the domains configured on ServerA, but I do get all public DNS responses:

# nslookup
> server 192.168.1.1
Default server: 192.168.1.1
Address: 192.168.1.1#53
> x.domain.tld
Server:     192.168.1.1
Address:    192.168.1.1#53

** server can't find x.domain.tld: NXDOMAIN

As already said, both BIND servers can make public DNS lookups like google.com. But why doesn't ServerB get answers for domain.tld from ServerA, when nslookup from the same network works?

Because ServerA doesn't know about ServerB, I didn't configure any upstream DNS server for it. I wonder why ServerB cannot query domain.tld but can query google.com or anything else public.

PS: be aware that domain.tld (especially .tld) is a private TLD like ".home", so there is no public root server for it.

Score:0
TRW

I think I found the issue.

When I change dnssec-validation on ServerB to no, I get an answer.

... I'll add some more info later, when I know how to add DNSSEC for domain.tld. Until then, have a look at bind9 configure forward zone for local domain without DNSSEC for this zone only, which is currently not my best solution, because I'd like to configure ServerB without any knowledge about the domains hosted on ServerA.
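The ServerB setup from the question, combined with the finding in the answer, written out as an added example; this is not configuration from the original post. Setting `dnssec-validation no;` globally does make domain.tld resolve, but it also switches off validation for every public name ServerB answers. The narrower fix keeps validation on and exempts only the private zone with BIND's `validate-except` option (BIND 9.13.3 and later), plus a forward zone so domain.tld queries go only to ServerA. The reason validation fails in the first place: with `dnssec-validation auto`, ServerB tries to build a chain of trust from the signed root, and the root can prove (with a signed denial of existence) that there is no `tld` delegation, so an unsigned answer for x.domain.tld can never validate. The caveat from the answer still holds: ServerB has to name the zone. The only way around that is to sign domain.tld on ServerA and give ServerB the zone's key as a trust anchor; that stanza is shown commented out with a placeholder key, which is an assumption, not a real key.

```conf
// ServerB: /etc/bind/named.conf.options (added example, not from the post)
options {
  directory "/var/cache/bind";

  // Anything not matched by a more specific zone below goes to ServerA,
  // which in turn forwards public names to 8.8.8.8.
  forwarders {
    10.200.0.1;
  };

  // Keep validation ON for public names. "dnssec-validation no;" would
  // also make domain.tld resolve, but at the cost of validating nothing.
  dnssec-validation auto;

  // Do not attempt to validate the private TLD: the signed root proves
  // that "tld" does not exist, so an unsigned domain.tld answer can
  // never pass validation. Requires BIND 9.13.3 or later.
  validate-except { "domain.tld"; };

  auth-nxdomain no;

  listen-on {
    192.168.1.1;
  };

  allow-query { any; };
};

// Send domain.tld straight to ServerA and never to a public resolver.
zone "domain.tld" {
  type forward;
  forward only;
  forwarders { 10.200.0.1; };
};

// Alternative once domain.tld is signed on ServerA: drop validate-except
// and install the zone's KSK as a trust anchor. The key material below is
// a placeholder (assumption), not a real key.
// trust-anchors {
//   domain.tld. static-key 257 3 13 "<base64 public key>";
// };

controls {};
```

Check the file with `named-checkconf` before reloading, then compare `dig @192.168.1.1 x.domain.tld` with `dig @192.168.1.1 google.com +dnssec` to confirm the private name resolves while public answers still carry the AD flag. A temporary alternative to `validate-except` is a negative trust anchor via `rndc nta domain.tld`, but that needs a working control channel, which the `controls {};` line in both configs disables, and it expires after a while, so it is a debugging aid rather than a fix.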
