Setting up two Bind9 DNS Servers on LAN with one serving a particular zone and the other hinting to it

Question

I have set up a Bind9 DNS to serve names on a local netword 172.16.0.0/16. This Bind9 DNS service works fine and resides on 172.16.0.4. It serves names in the domain "mydomain.mak" correctly to all other computers in this subnetwork.

For some computers, let's say one at 172.16.32.10, I'd like to have a Bind9 DNS server installed on this particular computer and have it resolve names normally but when DNS queries are made for the zone mydomain.mak, I'd like to have it forward somehow this request to the Bind9 that resides on 172.16.0.4.

I tried it, installed Bind9 on the computer at 172.16.32.10, but it does not work: when I do host -a example on 172.16.32.10 it should query the localhost's Bind9 DNS querying for example.mydomain.mak and this query should be trasfered to the main Bind9 DNS on 172.16.0.4. But instead, it just does not resolv anything and there's no incoming query in the logs of the Bind DNS located at 172.16.0.4. Oddly, when I use wget, a DNS query is effectively sent to the main Bind9 DNS located in 172.16.0.4 and it appears in its logs...

There are no firewalls.

I don't understand why host and nslookup don't resolve names in the zone mydomain.mak.

My resolv.conf file contains :

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search mydomain.mak

Here's the content of /etc/dhcp/dhclient.conf :

# Configuration file for /sbin/dhclient, which is included in Debian's                                                                        
#       dhcp3-client package.                                                                                                                 
#                                                                                                                                             
# This is a sample configuration file for dhclient. See dhclient.conf's                                                                       
#       man page for more information about the syntax of this file                                                                           
#       and a more comprehensive list of the parameters understood by                                                                         
#       dhclient.                                                                                                                             
#                                                                                                                                             
# Normally, if the DHCP server provides reasonable information and does                                                                       
#       not leave anything out (like the domain name, for example), then                                                                      
#       few changes must be made to this file, if any.                                                                                        
#                                                                                                                                             

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

#send host-name "andare.fugue.com";                                                                                                           
send host-name = gethostname();
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;                                                                                              
#send dhcp-lease-time 3600;                                                                                                                   
#supersede domain-name "fugue.com home.vix.com";                                                                                              
prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        dhcp6.name-servers, dhcp6.domain-search,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;

The main reason I put this file here's for you to notice that the prepend directive make sure that resolvconf generates the correct resolv.conf and uses the localhost's Bind9.

Here's the /etc/bind/named.conf.local file I use:

//                                                                                                                                         
// Do any local configuration here                                                                                                            
//                                                                                                                                            

// Consider adding the 1918 zones here, if they are not used in your                                                                          
// organization                                                                                                                               
//include "/etc/bind/zones.rfc1918";                                                                                                          

  zone "mydomain.mak" IN {
        type hint;
        file "/etc/bind/db.mydomain.mak";

  };
//      zone "16.172.in-addr.arpa" {
//            type hint;
//            file "/etc/bind/db.mydomain.mak.rev";
//      };

named-checkconf returns no error. Here are the zone files with which named-checkzone returns "OK".

File Edit Options Buffers Tools Help                                                                                                          
$TTL    604800
$ORIGIN mydomain.mak
@       IN      SOA     localhost. mak.mydomain.mak. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

; Name server
mydomain.mak.    IN      NS      ns

; A records for name servers
ns              IN      A       172.16.0.4

I'm really stuck.

`//` and `#` are invalid in bind. `and it appears in its logs...`. Be more specific. Please add the path of the log. — 030, Jan 25 '15 at 14:20
I don't think so. These were generated at install time. Plus, named-checkconf and named-checkzone did not return ANY syntax error. — mak, Jan 25 '15 at 14:22
Did you install a master on 172.16.32.10 instead of a slave? — 030, Jan 25 '15 at 14:24
Yes, on 172.16.32.10 there's a bind9 that is a master. The thing I'm trying to achieve is when a process needs to resolve a name in the mydomain.mak zone, this request should not be processed by the local master but by the bind DNS located at 172.16.0.4. — mak, Jan 25 '15 at 14:27
This will not work. Please read: http://serverfault.com/questions/458360/can-you-have-multiple-writable-authoritative-bind-dns-servers-for-the-same-zone — 030, Jan 25 '15 at 14:33

score 0 · Accepted Answer · edited Apr 13 '17 at 12:14

Multi master in BIND does not work. A slave should be installed on 172.16.32.10 instead of a master.

When I started to setup a master-slave in BIND I read this documentation.

Master

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.200; }; # Here we need to add our Master DNS Server IP.
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.0.0/24; }; # subnet range where my hosts are allowed to query our DNS.
        allow-transfer     { localhost; 192.168.0.201; };  # Here we need to our Slave DNS server IP.
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

## Define our forward & reverse Zone file here for tecmintlocal.com.


zone"tecmintlocal.com" IN {
type master;
file "tecmintlocal.fwd.zone";
allow-update { none; };
};

zone"0.168.192.in-addr.arpa" IN {
type master;
file "tecmintlocal.rev.zone";
allow-update { none; };
};

#####
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Slave

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.201}; # Our Slave DNS server IP
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.0.0/24; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

## Define our slave forward and reverse zone, Zone files are replicated from master.

zone"tecmintlocal.com" IN {
type slave;
file "slaves/tecmintlocal.fwd.zone";
masters { 192.168.0.200; };
};

zone"0.168.192.in-addr.arpa" IN {
type slave;
file "slaves/tecmintlocal.rev.zone";
masters { 192.168.0.200; };
};

#####
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Setting up two Bind9 DNS Servers on LAN with one serving a particular zone and the other hinting to it

1 Answers1