Just as the title says: is it possible to have Bind (named service) on a Linux machine (Fedora 27, Server Edition) answer authoritatively for local domains or, at the very least, answer in such a way that something enquiring about them will accept the server's answer over any other?

I know that it is supposed to be possible (in theory, at least), but I cannot get it working, even though both the named and rndc services are running and even though my files pass checks on both named-checkconf and named-checkzone.

I need to be able to receive an answer from the Bind server for my local domain (enquiries originating from a Windows 7 PC) that points to my local domain (as opposed to an authoritative or non-authoritative answer elsewhere on the internet), similar to this post: BIND9 cannot resolve local domain. I would also like to make it possible to add in other (internet) domain names at a later date (so a fake root would probably not work as a solution) but, as it stands, the nslookup answer is:

** server can't find vpntest.it: NXDOMAIN **

I have also reinstalled the distro (bare minimum install), modified the files according to the Fedora Administrator's Guide, and have checked (plus carefully extrapolated from) this post: https://serverfault.com/questions/838380/dns-use-public-domain-name-for-internal-use ...and still receive the above error. Grrrrrrrrrrrrrrrr!

My files are currently as follows:

/etc/nsswitch.conf value:

files dns myhostname

/etc/resolv.conf:

# Generated by NetworkManager
nameserver 64.83.128.50
nameserver 64.20.192.50
nameserver 2001:4860:4860::8888
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2001:4860:4860::8844

/etc/hosts:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

/etc/named.conf (RNDC key deleted from this post):

options {
    listen-on port 53 { 10.200.0.1; }; // 127.0.0.1 //
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    recursion no;
    dnssec-enable yes;
    dnssec-validation auto;

    auth-nxdomain no;
    allow-query { localhost; };  // only the server's own addresses may query; other LAN clients get REFUSED
    version "Damned If I Know";
    allow-recursion { 10.200.0.1/24; };

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
# include "/etc/named.root.key";

key "rndc-key" {
    algorithm hmac-md5;
    secret "";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "vpntest.it" IN {
    type master;
    file "vpntest.it.zone";
};

zone "0.200.10.in-addr.arpa" IN {
    type master;
    file "10.200.0.zone";
    allow-update { none; };
};

/var/named/vpntest.it.zone:

$ORIGIN vpntest.it.
$TTL 86400
@       IN      SOA    ns1.vpntest.it.    hostmaster.vpntest.it. (
                100 ; serial
                21600   ; refresh after 6 hours
                3600    ; retry after 1 hour
                604800  ; expire after 1 week
                86400 ) ; minimum TTL of 1 day
;
                IN  NS  ns1.vpntest.it.
;
ns1             IN  A   10.200.0.1
;
www             IN  A   10.200.0.6

/var/named/10.200.0.zone:

$ORIGIN 0.200.10.in-addr.arpa.
$TTL 86400
@       IN      SOA    ns1.vpntest.it.    hostmaster.vpntest.it. (
                100 ; serial
                21600   ; refresh after 6 hours
                3600    ; retry after 1 hour
                604800  ; expire after 1 week
                86400 ) ; minimum TTL of 1 day
;
@               IN  NS  ns1.vpntest.it.
;
1               IN  PTR ns1.vpntest.it.
6               IN  PTR www.vpntest.it.  ; target must be fully qualified; a bare "www" would expand to www.0.200.10.in-addr.arpa.
  • What is the IP address of your Nameserver? If it's not 10.200.0.1 that's your problem. Also, you need to allow recursion for it to handle other domains.
    – davidgo
    Commented Mar 3, 2018 at 1:07
  • is nslookup vpntest.it different from nslookup vpntest.it 127.0.0.1 or such?
    – thrig
    Commented Mar 3, 2018 at 2:05
  • @davidgo: I will check now and see if that fixes the problem, - thanks. Commented Mar 3, 2018 at 16:51
  • @davidgo: sorry, - fix not successful ( ** server can't find vpntest.it: NXDOMAIN ** ). - I updated my vpntest.it.zone file NS A record and added an AAAA for FE80::1, so the nameserver IPs match those given in resolv.conf (where I also amended FE80::/64 to FE80::1). Recursion has also now been enabled in named.conf. Commented Mar 3, 2018 at 17:29
  • Changed file format to match naming conventions, so vpntest.it.zone changed to named.vpntest.it; likewise with the PTR file. Also removed recursion no; (to avoid a potential conflict with the allow-recursion directive), and used var/named/named.empty to create a stripped, conventionally-correct, named.vpntest.it. Result: still NXDOMAIN. Commented Mar 4, 2018 at 5:16
I know this question is a bit old (and it seems like you have some semi-working configuration), so please forgive me if I state anything you are already aware of or that no longer applies to your issue.

I can't speak directly to any other problems, but you (apparently) don't have an entry for vpntest.it in your zone file:

$ORIGIN vpntest.it.
$TTL 86400
@       IN      SOA    ns1.vpntest.it.    hostmaster.vpntest.it. (
                100 ; serial
                21600   ; refresh after 6 hours
                3600    ; retry after 1 hour
                604800  ; expire after 1 week
                86400 ) ; minimum TTL of 1 day
;
                IN  NS  ns1.vpntest.it.
;
ns1             IN  A   10.200.0.1
;
vpntest.it.     IN  A   10.200.0.6  ; http://vpntest.it - no subdomain
www             IN  A   10.200.0.6  ; http://www.vpntest.it - subdomain

Note that the serial should always be incremented when making changes to your zones.

Other Notes

  • .it is a real TLD along with .dev. This can cause resolution issues (as can any real, public TLD). You may want to check this list of International Top Level Domains and pick a fake TLD that isn't on that list (e.g. .nx perhaps?). There are some officially reserved non-public TLDs (well, semi-excluding .onion) but .invalid is the one you would choose to be absolutely safe (avoid .local since this is used in conjunction with zeroconf networking).

  • As you note in your comments, recursion no; should be removed (since you are already limiting recursion with allow-recursion { 10.200.0.1/24; };).

  • Any computer that you wish vpntest.it to work with needs to have its DNS traffic pass through your BIND server.

  • hosts can potentially override BIND. While nsswitch.conf wouldn't seem to be an issue (considering the order), this is probably still worthwhile to note for general troubleshooting (i.e. you shouldn't need vpntest.it 127.0.0.1 when using BIND).

  • While it doesn't apply to your issue, make sure to use e.g. vpntest.it/ (note the trailing slash) to access custom domains in current versions of Chrome, Firefox and Opera (or other Chromium-derived browsers). Leaving it off can cause resolution issues as well (assuming DNS is working properly otherwise).