
BIND9 denying queries from IPs outside localnet (external IPs) on Ubuntu.

options {
        listen-on port 53       { any; };
        directory               "/var/bind";
        allow-query             { any; };
        allow-query-cache       { any; };
        allow-transfer          { none; };
        recursion               no;
        dnssec-validation       auto;
        auth-nxdomain           no;
};

include "/etc/bind/zones.conf";
include "/etc/bind/reverse-zones.conf";
include "/etc/bind/named.conf.default-zones";

Example of zones.conf

zone "test.test" IN {
    type slave;
    file "zones/test.test.zone";
    masters { 1.1.1.1; };
};

Also, I saw a "denied" in my logs, so I added allow-query-cache { any; }; however, this made no difference.

Log:

client 192.168.3.100#64088 (test.test.SUB.DOMAIN.INTERN): query (cache) 'test.test.SUB.DOMAIN.INTERN/A/IN' denied

After running "nslookup test.test 172.1.1.5" (DNS timeout):

Now nothing shows in the syslog out of the ordinary. This is what BIND shows before it loads the zones (with no errors):

adjusted limit on open files from 4096 to 1048576
found 18 CPUs, using 18 worker threads
using 18 UDP listeners per interface
using up to 18432 sockets
loading configuration from '/etc/bind/named.conf'
reading built-in trusted keys from file '/etc/bind/bind.keys'
using default UDP/IPv4 port range: [1024, 65535]
using default UDP/IPv6 port range: [1024, 65535]
no IPv6 interfaces found
listening on IPv4 interface lo, 127.0.0.1#53
listening on IPv4 interface eth0, 172.1.1.5#53
generating session key for dynamic DNS
sizing zone task pool based on 162 zones
using built-in root key for view _default
set up managed keys zone for view _default, file 'managed-keys.bind'
command channel listening on 127.0.0.1#953
managed-keys-zone: loaded serial 2
zone 0.in-addr.arpa/IN: loaded serial 1

/var/bind is in a non-standard location, but I have checked the logs after editing the AppArmor profile and see no issue.

I can successfully query bind from the same subnet.

/etc/default/bind9:

# run resolvconf?
RESOLVCONF=no

# startup options for the server
# OPTIONS="-u bind"
OPTIONS="-4 -u bind"

This change was to disable IPv6.

I'm a RHEL guy; I set up the server successfully on CentOS 7 (1503) and found out the guys overseas with the slave want to run Ubuntu. So this could be an OS config error on my part.

ZZ9

3 Answers

Have you checked your firewall? The logs indicate that BIND is listening on 172.1.1.5 so you should see some queries in the logs, even if the queries didn't actually resolve.

Brandon Xavier

Is this log message correct? The client queries test.test.SUB.DOMAIN.INTERN, which is not defined as your zone.

client 192.168.3.100#64088 (test.test.SUB.DOMAIN.INTERN): query (cache) 'test.test.SUB.DOMAIN.INTERN/A/IN' denied

You might remove "recursion no" and add the following lines to allow clients to make recursive queries:

allow-recursion {
    ::1;
    127.0.0.1;
    172.1.1.0/24;
    192.168.3.0/24;
};

Besides, are you sure that the master name server (1.1.1.1 in your sample) allows your server to act as a slave and do zone transfers?

Joe Horn

Check your logs for a zone transfer from the master server at 1.1.1.1; test.test is a slave and will send NXDOMAIN until it receives the zone from the master.

Also, external communications should be signed with transactional security.

I assume SUB.DOMAIN.INTERN is your DHCP search domain. Please end all domain lookups with a period (.).

Jacob Evans
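To tie the second and third answers back to the question, here is an added Python model (example code written for this page, not code from the thread or from BIND itself) of how BIND decides whether to answer or refuse a query. It takes the allow-query list and the slave zone from the question's config, the allow-recursion list from the second answer, and the denied log line from the question, and works out why a query for test.test.SUB.DOMAIN.INTERN is refused with recursion off (the name sits outside every authoritative zone) while test.test. with a trailing dot is answered. The ACL handling is a deliberate simplification (only any, none and host/CIDR entries; no localnets/localhost keywords, no allow-query-cache or views), and the 203.0.113.7 outside client is a constructed test address.

```python
"""Model of BIND's answer/refuse decision for the configs in this thread.

Added example, not code from the thread or from BIND itself.  It covers
allow-query, authoritative zones and allow-recursion only; the real server
also consults allow-query-cache, views and further ACL keywords.
"""
import ipaddress
import re

# Denied-query line copied from the question (client address as logged).
LOG_LINE = ("client 192.168.3.100#64088 (test.test.SUB.DOMAIN.INTERN): "
            "query (cache) 'test.test.SUB.DOMAIN.INTERN/A/IN' denied")

# Slave zone from zones.conf plus the options block from the question.
ORIGINAL = {"zones": ["test.test."], "allow-query": ["any"], "recursion": "no"}

# The second answer's suggestion: recursion on, limited to local networks.
PROPOSED = {"zones": ["test.test."], "allow-query": ["any"], "recursion": "yes",
            "allow-recursion": ["::1", "127.0.0.1", "172.1.1.0/24", "192.168.3.0/24"]}

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query \((?P<source>\w+)\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied")


def in_acl(client_ip, acl):
    """True if client_ip matches a BIND-style address list.

    Assumption: entries are 'any', 'none', or a host/CIDR string; keywords
    such as 'localnets' and negation ('!') are not modelled here.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        # An IPv4 address is never inside an IPv6 network and vice versa.
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def canonical(name):
    """Lower-case, fully qualified form with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def authoritative_zone_for(qname, zones):
    """Longest configured zone that contains qname, or None."""
    name = canonical(qname)
    best = None
    for zone in map(canonical, zones):
        inside = name == zone or name.endswith("." + zone)
        if inside and (best is None or len(zone) > len(best)):
            best = zone
    return best


def search_domain_hint(qname, zones):
    """If a zone apex is a label prefix of qname (test.test.SUB.DOMAIN.INTERN
    for zone test.test), return the suffix a stub resolver likely appended."""
    labels = canonical(qname).rstrip(".").split(".")
    for zone in zones:
        zl = canonical(zone).rstrip(".").split(".")
        if len(labels) > len(zl) and labels[:len(zl)] == zl:
            return ".".join(labels[len(zl):])
    return None


def decide(client_ip, qname, config):
    """Return (verdict, reason) where verdict is 'answer' or 'refused'."""
    if not in_acl(client_ip, config["allow-query"]):
        return "refused", "client not matched by allow-query"
    zone = authoritative_zone_for(qname, config["zones"])
    if zone is not None:
        return "answer", "name is inside authoritative zone " + zone
    if config.get("recursion", "no") != "yes":
        return "refused", "name is outside every local zone and recursion is off"
    if not in_acl(client_ip, config.get("allow-recursion", ["127.0.0.1", "::1"])):
        return "refused", "client not matched by allow-recursion"
    return "answer", "recursive lookup permitted for this client"


def explain_denied_line(line, config):
    """Parse a 'query ... denied' log line and explain it against config."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    verdict, reason = decide(m["ip"], m["qname"], config)
    return {"client": m["ip"], "qname": m["qname"], "qtype": m["qtype"],
            "verdict": verdict, "reason": reason,
            "search_domain_hint": search_domain_hint(m["qname"], config["zones"])}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label, explain_denied_line(LOG_LINE, cfg))
    # The bare zone name with a trailing dot is answered under either config.
    print(decide("192.168.3.100", "test.test.", ORIGINAL))
```

Run it and the "original" line reports the query as refused because the name is outside every local zone with recursion off, with search_domain_hint set to sub.domain.intern, which is the suffix the stub resolver appended; the "proposed" line answers it because 192.168.3.100 falls in the allow-recursion list. Keeping that list to local networks rather than "any" is what stops an authoritative slave with recursion enabled from becoming an open resolver; a client outside those ranges still gets a refusal for off-zone names, which the model shows for 203.0.113.7.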