
I am trying to configure a LAN DNS server using BIND9 on Debian.

Context: network mask: 255.255.0.0, network IP: 10.1.xxx.xxx
I own a public domain example.com, managed by an external NS, and my aim is to manage all subdomains of lan.example.com; e.g. the address node1.lan.example.com is a computer with IP 10.1.1.1.

Current configuration
/etc/bind/named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options:

options {
    directory "/var/cache/bind";
    forwarders {
        EXTERNAL_DNS_NAMESERVERS;
    };
    dnssec-validation auto;
    recursion yes;
    allow-query { 10/24; 127.0.0.1; };
    allow-recursion { 10/24; 127.0.0.1; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    listen-on port 53 { 127.0.0.1; 10.1.0.2; } ;
};

/etc/bind/named.conf.local:

zone "lan.example.com" {
    type master ;
    allow-query { 10/24; 127.0.0.1; };
    file "/etc/bind/zone.lan.example.com" ;
};
zone "0.1.10.in-addr.arpa" {    # reverse zones live under in-addr.arpa (was "in-addr-arpa")
    type master ;
    notify no ;
    allow-query { 10/24; 127.0.0.1; };
    file "/etc/bind/zone.0.1.10.in-addr.arpa" ;
};
zone "2.1.10.in-addr.arpa" {    # reverse zones live under in-addr.arpa (was "in-addr-arpa")
    type master ;
    notify no ;
    allow-query { 10/24; 127.0.0.1; };
    file "/etc/bind/zone.2.1.10.in-addr.arpa" ;
};

/etc/bind/named.conf.default-zones:

zone "." {
    type hint;
    file "/etc/bind/db.root";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

/etc/bind/zone.lan.example.com:

; zone.lan.example.com BIND9 configuration file.
;
$TTL 604800
@   IN  SOA ns.lan.example.com. root.localhost. (
    201212041   ; serial no. (increment by +1 after every edit!)
    604800      ; refresh
    86400       ; retry after failure
    2419200     ; expire
    604800 )    ; negative cache TTL
;
@   IN  NS  ns.lan.example.com.
@   IN  A   127.0.0.1
;
; A records - Local machines and addresses:
; Servers:
router  IN  A   10.1.0.1    ; Router
ns      IN  A   10.1.0.2    ; NS Server
server  IN  A   10.1.0.2    ; Server
media   IN  A   10.1.0.3    ; Media Server

;
; Workstations:
node1   IN  A   10.1.1.1    ; node1

Issue:

client 10.1.0.1#50808: query (cache) 'a.root-servers.net/A/IN' denied
client 10.1.0.2#59641: query (cache) 'example.com/A/IN' denied
client MY_EXTERNAL_IP#37853: query 'server.lan.example.com/A/IN' denied
client MY_EXTERNAL_IP#56367: query (cache) 'superuser.com/A/IN' denied

When I try to dig server.lan.example.com on the nameserver ns.lan.example.com, everything works; if I try to do this from another machine, it fails.

How can I solve this?

Thanks in advance

2 Answers

You configured BIND to allow queries from 10/24. I'm not sure if BIND even accepts that as a valid netmask, but if it does, then it would expand to 10.0.0.0/24 or 10.0.0.0/255.255.255.0, which does not match 10.1.0.1. (Did you mix up /24 with 10.0.0.0/8?)

According to your note (network mask: 255.255.0.0, network IP: 10.1.xxx.xxx), the correct network should be 10.1.0.0/16.


The previous answer solved the problem for the initial submitter, but for another, more generalized, way of doing this you can use the built-in ACLs "localnets" and "localhost", e.g.:

allow-recursion { localnets; } ;

localhost is pretty self-explanatory (except that in addition to 127.0.0.1 or ::1 it includes the configured address of every network interface BIND is using, so 127.0.0.1 plus all addresses assigned to the local host).

localnets is based on your local interfaces configuration and derived from their addresses and netmasks.

If your server has an interface that is not in private address space but is internet routable, then you probably don't want to use "localnets".
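As an added illustration of both answers (this is not code from the question or either answer), the following Python script expands BIND-style address-match entries the way the first answer describes (10/24 becomes 10.0.0.0/24), models the built-in localnets ACL from a constructed interface list as the second answer explains, and checks the client addresses from the denied-query log lines against each ACL. The log text and interface list are constructed; 203.0.113.5 stands in for MY_EXTERNAL_IP, and the zero-octet padding of short IPv4 prefixes is an assumption about BIND's parser.

```python
"""Check which logged clients a BIND address-match list would accept (added example)."""
import ipaddress
import re

# Constructed log excerpt modelled on the question; 203.0.113.5 stands in for MY_EXTERNAL_IP.
DENIED_LOG = """\
client 10.1.0.1#50808: query (cache) 'a.root-servers.net/A/IN' denied
client 10.1.0.2#59641: query (cache) 'example.com/A/IN' denied
client 203.0.113.5#37853: query 'server.lan.example.com/A/IN' denied
"""
LOG_RE = re.compile(r"client (\S+?)#\d+: query .*denied")


def expand_prefix(entry):
    """Expand one address-match entry into a network.
    Assumption: BIND pads short IPv4 prefixes with zero octets,
    so '10/24' -> 10.0.0.0/24 and '10.1/16' -> 10.1.0.0/16.
    A bare address such as '127.0.0.1' becomes a /32 host network."""
    if "/" in entry and ":" not in entry:
        addr, plen = entry.split("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return ipaddress.ip_network(entry, strict=False)


def localnets(interfaces):
    """Model the built-in 'localnets' ACL: the network of every (address, netmask) interface."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in interfaces]


def allowed(client, acl):
    """True if the client address falls inside any network of the ACL."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in acl)


def denied_clients(log_text):
    """Extract the client addresses from 'query ... denied' log lines."""
    return [m.group(1) for m in LOG_RE.finditer(log_text)]


def evaluate(log_text, acl_networks):
    """Map each logged client to whether the given ACL would have accepted it."""
    return {c: allowed(c, acl_networks) for c in denied_clients(log_text)}


if __name__ == "__main__":
    wrong = [expand_prefix(e) for e in ("10/24", "127.0.0.1")]      # the question's ACL
    right = [expand_prefix(e) for e in ("10.1.0.0/16", "127.0.0.1")]  # the first answer's fix
    # Constructed interface list for the server ns (10.1.0.2/16 plus loopback).
    auto = localnets([("10.1.0.2", "255.255.0.0"), ("127.0.0.1", "255.0.0.0")])
    for name, acl in (("10/24", wrong), ("10.1.0.0/16", right), ("localnets", auto)):
        print(name, evaluate(DENIED_LOG, acl))
```

Only the LAN clients become permitted under the corrected prefix or under localnets; the external address stays denied in every variant, which is the behaviour a recursive LAN resolver should keep.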
