
I'm setting up a DNS server in a VM with Ubuntu 18.06 for school and I encounter strange behaviour when forwarding a request which my server is not authoritative for. My server asks the DNS server specified in named.conf.options in forwarders. Even though it receives a correct response resolving the query, my server replies with server failure to my client.

My server is able to resolve queries regarding the zones which it is authoritative for but not external domains.

Content of named.conf.options:

options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

I have tried adding

allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };

but it didn't change the behaviour.

I've also tried:

  • reinstalling bind9
  • reinstalling the whole os
  • switching to Ubuntu 16.04
  • removing zone configuration
  • different combinations of what's stated above

I've also read somewhere it could be due to security configurations in my router but I don't know how or if I should touch that.

Can someone help me fix this?

Edit: logging file contents:

29-May-2021 15:47:35.187 resolver: notice: DNS format error from 192.112.36.4#53 resolving ./NS: non-improving referral

This line appears a bunch of times with different IPs. I'm guessing they're the root servers.

  • What happens? What kind of response do you get? What do the logs say? – Håkan Lindqvist May 29 '21 at 13:56
  • Try disable DNSSEC validation. If the domain you are asking for a record does NOT have DNSSEC enabled, then you won't get any answer when validation is enabled. Particularly if there exist a DNSSEC enabled version AND a DNSSEC disable version, then you will always get response from the enabled one. – Lasse Michael Mølgaard May 29 '21 at 14:03
  • @LasseMichaelMølgaard That is not how it works, though. The delegation point specifies whether a child zone is signed or not (indicated by `DS` or lack thereof). If a zone is not supposed to be signed, the answers are returned without validation, if it is supposed to be signed only responses signed with the appropriate key are returned. – Håkan Lindqvist May 29 '21 at 14:13
  • I'm not ruling out that there could be some form of DNSSEC-related failure happening, but it's definitely not the case that only signed zones can be queried. Also, for the purposes of understanding what you are doing, I think it's more useful to take a close look at the outcome rather than guessing what might be a way forward without even knowing what happened in the first place. – Håkan Lindqvist May 29 '21 at 14:19
  • Well it was at least the case for me, when I created a subdomain with Samba Active Directory. Something about Samba does not support DNSSEC signing, which meant that whenever I queried Bind9 it reported back with "no record found" because I had not created a record on my public DNS server that had DNSSEC signing enabled. After I used `validate-except` for my subdomain there were no problems. – Lasse Michael Mølgaard May 29 '21 at 16:19

1 Answer


That error is typically caused by a Forwarded Zone followed by Delegation.

You can reproduce the error with this simple setup:

  • F-Server is a DNS server that forwards domain.com to A-Server
  • A-Server is authoritative for domain.com
  • A-Server has a delegation for sub.domain.com pointing to B-Server
  • B-Server is authoritative for sub.domain.com

What happens is

  • Client queries F-Server for abcd.sub.domain.com
  • F-Server forwards the query to A-server
  • A-server responds with NS records referring to the sub.domain.com delegation
  • F-server receives the NS records but does not follow them due to a non-improving referral

Rule of thumb is to either have a Delegation setup or a Forwarded setup. Not both. And especially not Forwarding followed by Delegation.

The quickest fix in this scenario is to create another Forwarded Zone for the subzone. In Windows terms that's another Conditional Forwarder. In Bind it is just another Forward Zone statement.

madacoda
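As an added illustration of the fix described in the answer (not the answerer's own configuration), here is a named.conf fragment for F-Server: with only the first zone block, a query for abcd.sub.domain.com gets back A-Server's NS referral for sub.domain.com and BIND logs the non-improving referral; the second forward zone for the delegated subzone is the fix. The addresses 192.0.2.10 and 192.0.2.20 are placeholders for A-Server and B-Server.

```conf
// F-Server: forward domain.com to A-Server (192.0.2.10, placeholder).
// On its own, this block reproduces the problem: A-Server answers a query
// for abcd.sub.domain.com with a referral to B-Server's NS records, and
// a forwarding server treats that as a non-improving referral (SERVFAIL).
zone "domain.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};

// Fix: a second forward zone for the delegated subzone, pointing straight
// at B-Server (192.0.2.20, placeholder). BIND picks the most specific
// matching zone, so abcd.sub.domain.com is now forwarded to B-Server,
// which answers authoritatively instead of referring.
zone "sub.domain.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.20; };
};
```

After reloading named, a query such as `dig @<F-Server> abcd.sub.domain.com` should return an answer section instead of SERVFAIL, and the "non-improving referral" line should stop appearing in the resolver log.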