JP.

Reputation: 5594

Issues with DNS lookup on BIND wildcard subdomain

There are tutorials galore out there, but I'm having a hard time getting BIND to provide local network DNS lookup.

Aims:

Here's my config:

# /etc/named.conf
options {
  directory "/var/named";
  # Hide version string for security
  version "not currently available";

  # Forward all unknown DNS queries to the Google Public DNS. (Does it?)
  forwarders { 8.8.8.8; 8.8.4.4; };

  dnssec-validation auto;

  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
};

zone "demo." IN {
  type master;
  file "zone.demo";
};

And the zone file:

; /var/named/zone.demo
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster (
                          201312041 ; serial
                          8H        ; refresh
                          4H        ; retry
                          4W        ; expire
                          1D )      ; minimum

*. IN  A  192.168.0.64

I then run named-checkconf (no output) and named -f (which blocks - all looks well!)

To check that the server is doing what I expect, I run dig:

$ dig @127.0.0.1 A test.demo

; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 test.demo
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Any ideas as to what I'm doing wrong here?

Upvotes: 0

Views: 12057

Answers (1)

chriswood123

Reputation: 86

First thing you'll need is an NS record:

@ IN NS ns.demo.

This needs an associated A record as it is essentially a CNAME which in this case would be in your zone. So you'll need:

ns.demo. IN A <Your DNS server IP here>

Then, as your wildcard has a dot at the end you are specifying one 'level' of DNS record (e.g. com, net, or demo) and not including your zone's origin. You need to either ditch the dot:

* IN A 192.168.0.64

or do:

*.demo. IN A 192.168.0.64

This is because the final dot in a bind zone file denotes the end of the field. If you don't put the dot on the end of the field then bind will add the origin. This does not apply to IP addresses.

As for the forwarding, that should work, but you'll probably want to have multiple nameservers set up on your clients, in case this one is down for any reason, etc. In this case you won't need the forwarding.

If you want to secure the server to only respond to clients on the local network you can use the allow-query statement to limit it to certain IP ranges. But if your server is not accessible on the internet you should be fine. One thing to check is that the server isn't listening on the loopback interface, meaning that you will only be able to reach it from the machine named is running on and not other machines on your network.

Hope this helps. Let me know if anything isn't clear.

Upvotes: 7
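To check the answer's points on a file rather than by eye, here is an added lint script (not from the question or the answer, and not a BIND tool) that parses a zone file just far enough to flag an owner name that a trailing dot has pushed outside the zone, a missing NS record at the apex, and an in-zone NS target with no address record. The two zones it checks are constructed: a copy of the question's file, and the same file with the answer's fixes applied, where 192.168.0.10 for ns.demo. is an assumed address.

```python
import re
def qualify(name, origin):
    """Qualify a name as BIND does: '@' is the origin, a trailing dot ends the name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=None):
    """Return (origin, [(owner, type, rdata)]); handles $ORIGIN, ';' comments, ( ) records."""
    body = "\n".join(line.split(";")[0] for line in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " "), body)
    records = []
    for line in body.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("$"):      # blank line or $TTL/$ORIGIN directive
            origin = parts[1] if parts and parts[0] == "$ORIGIN" else origin
            continue
        owner, rest = parts[0], parts[1:]
        while rest and (rest[0] in ("IN", "CH", "HS") or re.fullmatch(r"\d+[smhdw]?", rest[0], re.I)):
            rest.pop(0)                                 # drop optional TTL and class before the type
        records.append((qualify(owner, origin), rest[0], rest[1:]))
    return origin, records

def lint_zone(text, origin=None):
    """Report the three problems the answer above describes, as a list of strings."""
    origin, records = parse_zone(text, origin)
    issues = []
    for owner, rtype, _ in records:
        if owner != origin and not owner.endswith("." + origin):
            issues.append(f"{rtype} record {owner} lies outside zone {origin}: stray trailing dot?")
    ns_targets = [qualify(r[0], origin) for o, t, r in records if t == "NS" and o == origin]
    if not ns_targets:
        issues.append(f"no NS record at the zone apex {origin}")
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    for ns in ns_targets:
        if ns.endswith("." + origin) and ns not in has_addr:
            issues.append(f"in-zone NS target {ns} has no A/AAAA record")
    return issues

# Constructed zones: a copy of the question's file, then the answer's fixes (ns address assumed).
BROKEN_ZONE = """$ORIGIN demo.
@ IN SOA demo. hostmaster ( 201312041 ; serial
                            8H 4H 4W 1D )
*. IN  A  192.168.0.64
"""
FIXED_ZONE = """$ORIGIN demo.
@ IN SOA demo. hostmaster ( 201312041 8H 4H 4W 1D )
@ IN NS ns.demo.
ns IN A 192.168.0.10
* IN A 192.168.0.64
"""
```

Running `lint_zone(BROKEN_ZONE)` reports the out-of-zone wildcard and the missing apex NS record, while the fixed zone reports nothing.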
