tph43

Reputation: 1

bind9 DNS not responding to queries on LAN

I'm setting up bind9 as a DNS server for our local network. The server works as expected for DNS queries from the machine running the server, but does not respond to queries from other machines on the network. Running tcpdump on the DNS server, I see the queries from other machines arriving, but I don't see any response or anything in the bind9 logs to indicate an error. Any suggestions about possible sources of this issue or avenues to debug it gratefully received!

In detail:

Running bind9 on Ubuntu. My config is:

options {
    directory "/etc/bind";
    listen-on port 53 {100.1.1.2; };
    listen-on-v6 port 53 { none; };
    allow-query { any; };
    dnssec-validation no;
};

zone "mydomain.com" IN {
    type master;
    file "mydomain.com.db";
    allow-update { none; };
};

zone "1.1.100.in-addr.arpa" {
    type master;
    file "revp.100.1.1";
};

The zone file is:

$ORIGIN mydomain.com.
$TTL    5; 3600
@   IN  SOA dns admin.mydomain.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
; DNS Servers
            NS      dns

; Machine Names
localhost   IN  A   127.0.0.1
dns     IN  A   100.1.1.2
bar     IN  A   100.1.1.10
baz     IN  A   100.1.1.11

Starting named with sudo named -c /etc/bind/named.conf -g -d100. Looking in the logs it is indeed listening on the correct IP (I see listening on IPv4 interface enp6s0, 100.1.1.2#53). Testing out a DNS lookup on the same machine running the DNS server with dig baz.mydomain.com @100.1.1.2 I get an answer from the DNS server with corresponding entry in the named log. I also see the DNS request in sudo tcpdump -i lo -u port 53.

Next, now on PC bar, I ran dig baz.mydomain.com @100.1.1.2. This request doesn't get any response from the DNS server and I don't see anything in the DNS logs. Looking at sudo tcpdump -u port 53 on the DNS server, I see the DNS requests arriving from bar but no response, so this doesn't seem to be a firewall issue.

Any suggestions for next steps?

Upvotes: 0

Views: 2157

Answers (2)

tph43

Reputation: 1

Okay, this turned out to be a basic firewall issue. Long story short, I hadn't appreciated that tcpdump sees packets before the firewall, so seeing inbound DNS requests doesn't imply that they reach the server. doh!

Upvotes: 0
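The point in this answer (tcpdump reads packets from a raw socket before the netfilter INPUT chain is evaluated, so a query can appear in a capture and still be dropped before named receives it) can be reproduced offline. The following is an added example, not code from the question or either answer: it parses the text that `iptables -S INPUT` prints and simulates how a fresh DNS query from another LAN host is treated. The two rulesets, the interface name enp6s0 and the addresses are constructed to mirror the question; paste your own `iptables -S INPUT` output in their place to check a real host. The option handling is limited to common matches (-p, -s, -i, --dport, --ctstate) and assumes no `!` negation and no jumps into user-defined chains.

```python
"""Simulate a netfilter INPUT chain for an inbound DNS query.

Added example, not code from the question or either answer. tcpdump sees
packets before the INPUT chain runs, so a query can be visible in a capture
and still be DROPped or REJECTed before named sees it. The rulesets below are
constructed samples in the format `iptables -S INPUT` prints.
"""
import ipaddress
import shlex

# Constructed: a default-deny host with no rule for port 53 (the question's state).
BROKEN_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed: the same chain with DNS from the LAN allowed over UDP and TCP.
FIXED_RULES = BROKEN_RULES.replace(
    "-A INPUT -j REJECT",
    "-A INPUT -s 100.1.1.0/24 -p udp -m udp --dport 53 -j ACCEPT\n"
    "-A INPUT -s 100.1.1.0/24 -p tcp -m tcp --dport 53 -j ACCEPT\n"
    "-A INPUT -j REJECT",
)

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
VALUED_OPTS = {"-p", "-s", "-d", "-i", "-o", "--dport", "--sport", "-j", "--ctstate"}


def parse_rules(text):
    """Parse `iptables -S CHAIN` output into (chain policy, list of rule dicts)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 3:
            continue
        if argv[0] == "-P":
            policy = argv[2]
            continue
        if argv[0] != "-A":
            continue
        rule, it = {"text": line}, iter(argv[2:])
        for tok in it:
            if tok in VALUED_OPTS:
                rule[tok] = next(it, "")
            # -m, --reject-with and similar do not affect matching and are skipped
        rules.append(rule)
    return policy, rules


def _port_matches(spec, port):
    lo, _, hi = spec.partition(":")  # "53" or a range such as "53:54"
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    """pkt keys: proto, src, iface, dport, state (conntrack state)."""
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "--dport" in rule and not _port_matches(rule["--dport"], pkt["dport"]):
        return False
    if "--ctstate" in rule and pkt["state"] not in rule["--ctstate"].split(","):
        return False
    return True


def verdict(rules_text, pkt):
    """First matching terminal rule wins; otherwise the chain policy applies."""
    policy, rules = parse_rules(rules_text)
    for rule in rules:
        if rule.get("-j") in TERMINAL and rule_matches(rule, pkt):
            return rule["-j"], rule["text"]
    return policy, "(chain policy)"


def dns_query(src, proto="udp", iface="enp6s0"):
    """A fresh query (conntrack NEW) to port 53, as another LAN host would send it."""
    return {"proto": proto, "src": src, "iface": iface, "dport": 53, "state": "NEW"}


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for pkt in (dns_query("100.1.1.2", iface="lo"), dns_query("100.1.1.10"), dns_query("100.1.1.10", "tcp")):
            target, why = verdict(rules, pkt)
            print(f"{label}: {pkt['proto']}/53 from {pkt['src']} on {pkt['iface']} -> {target}  {why}")
```

With the broken ruleset the query on lo is accepted (which is why dig on the server itself worked) while the same query arriving on enp6s0 hits the REJECT rule, exactly the symptom described: visible in tcpdump, absent from the named log. The fixed ruleset allows 53/udp and 53/tcp from the LAN only; TCP is included because responses larger than the UDP limit are retried over TCP.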

oerdnj

Reputation: 333

I would start by not using the MCI Communications Services address block and using a proper netblock from RFC 1918:

NetRange:       100.0.0.0 - 100.19.255.255
CIDR:           100.16.0.0/14, 100.0.0.0/12
NetName:        V4-VZO
NetHandle:      NET-100-0-0-0-1
Parent:         NET100 (NET-100-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS19262
Organization:   MCI Communications Services, Inc. d/b/a Verizon Business (MCICS)
RegDate:        2010-12-28
Updated:        2018-01-10
Ref:            https://rdap.arin.net/registry/ip/100.0.0.0

Then of course use wireshark (or tcpdump) to watch where the packets get routed. But using other people's networks is strongly discouraged.

Upvotes: 0
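To check a zone for exactly the problem this answer raises, here is an added example (my own code, not oerdnj's and not part of BIND) that parses the question's zone file and lists every A record whose address is outside RFC 1918 space. The zone text is embedded as a constructed copy of the one in the question; the parser handles $ORIGIN, $TTL, `;` comments, relative owner names, blank-owner continuation lines and the parenthesised multi-line SOA, which is enough for small hand-written zones but is not a full RFC 1035 parser.

```python
"""List A records in a zone that point outside RFC 1918 private space.

Added example, not code from the question, the answers or BIND. ZONE_TEXT is
a constructed copy of the zone file posted in the question.
"""
import ipaddress

ZONE_TEXT = """\
$ORIGIN mydomain.com.
$TTL    5; 3600
@   IN  SOA dns admin.mydomain.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
; DNS Servers
            NS      dns

; Machine Names
localhost   IN  A   127.0.0.1
dns     IN  A   100.1.1.2
bar     IN  A   100.1.1.10
baz     IN  A   100.1.1.11
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASSES = {"IN", "CH", "HS"}


def _strip_comment(line):
    return line.split(";", 1)[0].rstrip()


def _qualify(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata-fields) tuples with fully qualified owners."""
    origin, last_owner, records = "", None, []
    logical, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue                        # blank or comment-only line
        if not logical:
            indented = line[:1].isspace()   # blank owner field: reuse previous owner
        depth += line.count("(") - line.count(")")
        logical.append(line)
        if depth > 0:
            continue                        # still inside a "( ... )" group
        entry, logical = " ".join(logical), []
        if entry.startswith("$ORIGIN"):
            origin = entry.split()[1]
            continue
        if entry.startswith("$"):
            continue                        # $TTL and other directives
        fields = entry.replace("(", " ").replace(")", " ").split()
        owner = last_owner if indented else _qualify(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0] in CLASSES):
            fields.pop(0)                   # optional TTL and class
        records.append((owner, fields[0], fields[1:]))
    return records


def non_rfc1918_a_records(records):
    """A records outside 10/8, 172.16/12 and 192.168/16; loopback is ignored."""
    flagged = []
    for owner, rtype, rdata in records:
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(rdata[0])
        if ip.is_loopback or any(ip in net for net in RFC1918):
            continue
        flagged.append((owner, str(ip)))
    return flagged


if __name__ == "__main__":
    for owner, addr in non_rfc1918_a_records(parse_zone(ZONE_TEXT)):
        print(f"{owner} -> {addr} is not RFC 1918 space")
```

Run against the question's zone it flags dns, bar and baz (all in 100.1.1.0/24), which is the allocation the whois excerpt above shows belongs to Verizon Business. Note that the check is deliberately stricter than Python's `ip.is_private`, which also accepts documentation and benchmark ranges that are no better for a LAN.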
