I spun up a new server on AWS using the Ubuntu 14.04 Server AMI. I'm intending to build a public DNS server for our sites. We currently have two others running CentOS, but I was informed that one will be shutdown because it's on old hardware. If nothing else, a good opportunity to learn about BIND!

Here's my current set up on this new (non-functioning) DNS server:


options {
    directory "/var/cache/bind";

    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    listen-on port 53 { any; };
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-transfer { none; };
    recursion no;                 # authoritative-only server
    allow-query-cache { none; };
};

zone "test.edu" IN {
        type master;
        file "/var/named/testedu.db";
        allow-update { none; };
};

Then, /var/named/testedu.db:

$TTL    3600
$ORIGIN test.edu.

@       IN      SOA     dns3.test.edu.  isdept.test.edu. (
            20150413        ; Serial
            10800           ; Refresh (3 hours)
            3600            ; Retry
            604800          ; Expire
            3600 )          ; Negative-cache TTL (minimum)

; NS records
        IN      NS      dns3.test.edu.

; Mail records
        IN      MX      5       mail.test.edu.

; Host A records (addresses not shown in the post)
dns2    IN      A
dns1    IN      A
dns3    IN      A

www     IN      A
test.edu.       IN      A
mail    IN      A
facultyportal   IN      A

So, named-checkconf /etc/bind/named.conf.options returns nothing, so no errors there. And named-checkzone test.edu /var/named/testedu.db returns that it loaded the serial and is OK.

If I run: netstat -an | grep ^udp | grep 53, I get:

udp        0      0*
udp        0      0  *
udp6       0      0 :::53                   :::*

Which seems right - and shows that BIND is running.

But - when I run nslookup, I get SERVFAIL on any record that this server should be able to return:

user@dns3:/var/named$ nslookup
> server localhost
Default server: localhost
> facultyportal.test.edu
Server:         localhost

** server can't find facultyportal.nwcu.edu: SERVFAIL

Output of named-checkconf -zj:

zone test.edu/IN: loaded serial 20150413
zone stead/IN: loaded serial 1
zone localhost/IN: loaded serial 2
zone 127.in-addr.arpa/IN: loaded serial 1
zone 0.in-addr.arpa/IN: loaded serial 1
zone 255.in-addr.arpa/IN: loaded serial 1

(the stead zone is one that I added as a testing measure. It appears that localhost CAN resolve entries from there)

Is there something I'm missing? Thank you!

  • You only configured `facultyportal.test.edu`, not `facultyprotal.nwcu.edu`. Did you run `rndc reload` or restart `named` after updating the zone file? – jordanm Apr 14 '15 at 00:42
  • Whoops! I fixed the post now. I had made an effort to hide the true domain and it looks like I missed one. Anyway, the result was accurate. – SteadH Apr 14 '15 at 00:45
  • I ran rndc reload, the service bind9 reload, then service bind9 restart to be sure. I've also rebooted, just as a test. Still SERVFAIL. – SteadH Apr 14 '15 at 00:46
  • Your netstat shows it's bound to then you query localhost. It's not bound to It's failing because there's no server listening there. –  Apr 14 '15 at 01:59
  • 1
    I doubt that `named.conf.options` is the file it actually uses directly. It may be *included* but there's probably more to your configuration. What does `named-checkconf -zj` say, is there anything in the logs and what is listening on – Håkan Lindqvist Apr 14 '15 at 04:16
  • @yoonix I cut out the rest of netstat - sorry about that. I just updated the post with the full netstat output. – SteadH Apr 14 '15 at 14:29
  • @HåkanLindqvist `named-checkconf -zj` is now posted in the question. Nothing in syslog except for bind restarts. I enabled query logging for bind, but just got: client (test.edu): query: test.edu IN A + ( – SteadH Apr 14 '15 at 14:50
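An added example, not part of the question or any of the comments above: a small raw-UDP probe in Python that sends a non-recursive (RD=0) A query to the local named and decodes the response header. It reports the RCODE and whether the AA (authoritative answer) bit is set, which is the distinction that matters when debugging an authoritative-only server like the one in the post: a NOERROR answer with AA set means the zone is loaded and being served, SERVFAIL means named is configured for the zone but could not answer from it, and REFUSED means the query matched no zone. The server address, transaction id and the two sample response byte strings are constructed for illustration and were not captured from the poster's server.

```python
import socket
import struct

# Constructed for this example: the server under test is assumed to be the
# local named on the loopback address, as in the post's nslookup session.
SERVER = ("127.0.0.1", 53)
TXID = 0x1234  # arbitrary transaction id, checked on the way back

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=TXID, recursion_desired=False):
    """Build a single-question DNS query for NAME (qtype 1 = A).

    RD is off by default: an authoritative-only server (recursion no;) must
    answer its own zones without it, so a zone-load problem cannot be masked
    by a recursive lookup somewhere else."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data):
    """Decode the 12-byte DNS header of a response into id, rcode, aa, ancount."""
    if len(data) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response")
    return {"id": txid,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "aa": bool(flags & 0x0400),  # authoritative answer bit
            "ancount": an}


def interpret(r):
    """Turn a decoded header into the diagnosis a practitioner wants."""
    if r["rcode"] == "NOERROR" and r["aa"]:
        return "authoritative answer: the zone is loaded and served by this server"
    if r["rcode"] == "NOERROR":
        return "non-authoritative answer: it did not come from this server's own zone"
    if r["rcode"] == "SERVFAIL":
        return ("SERVFAIL: named is configured for the zone but could not answer "
                "from it (check named-checkconf -z and the named log for load errors)")
    if r["rcode"] == "REFUSED":
        return "REFUSED: the name matched no configured zone and recursion is off"
    return r["rcode"]


def probe(name, server=SERVER, timeout=2.0):
    """Send the query over UDP and return the decoded response header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, server)
        data, _ = s.recvfrom(4096)
    r = parse_response(data)
    if r["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return r


# Constructed sample responses (not captured from the poster's server) so the
# decoder can be exercised offline: one SERVFAIL, one authoritative NOERROR.
_QUESTION = build_query("facultyportal.test.edu")[12:]
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", TXID, 0x8002, 1, 0, 0, 0) + _QUESTION
SAMPLE_AUTH = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + _QUESTION


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "facultyportal.test.edu"
    result = probe(name)
    print(name, result, "->", interpret(result))
```

Run it as `python3 probe.py facultyportal.test.edu` on the server itself; it talks only to 127.0.0.1:53, so it is unaffected by /etc/resolv.conf or by whatever nslookup picks as its default server.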

