
I have the following /etc/resolv.conf:

# Generated by NetworkManager
search mydom.com-local site
nameserver 127.0.0.1
nameserver 10.11.12.13
nameserver 8.8.8.8

If I look up a host in a domain that is only known to the company's DNS server (here 10.11.12.13), it does not work when I use the 'host' command:

# host myhost.mycompany.grp
Host myhost.mycompany.grp not found: 3(NXDOMAIN)

But if I comment out the nameserver 127.0.0.1 line in resolv.conf

# Generated by NetworkManager
search mydom.com-local site
#nameserver 127.0.0.1
nameserver 10.11.12.13
nameserver 8.8.8.8

it works immediately:

# host myhost.mycompany.grp
myhost.mycompany.grp has address 10.55.66.77

It looks like the "nameserver 127.0.0.1" is not forwarding requests for outer zones to other DNS servers.

I do not use dnsmasq (and I do not want to). I tried many options in named.conf but without any success.

My named.conf :

options {
    check-names master warn;
    directory "/var/named";
    dump-file "/var/log/named_dump.db";
    include "/etc/named/forwarders.conf";
    listen-on-v6 { any; };
    notify no;
    statistics-file "/var/log/named.stats";
    empty-zones-enable no;

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "appdom.com-local" in {
    type master;
    file "master/appdom.com-local.zone";
    allow-transfer { any; };
};
zone "in-addr.arpa" in {
    type master;
    file "master/appdom.com-local_reverse.zone";
    allow-transfer { any; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

My /etc/named/forwarders.conf :

forwarders { 10.11.12.13; 8.8.8.8; };

I have put named in debug mode (rndc trace 1000): I do not see in the traces that named is trying to forward the request to 10.11.12.13.

What's wrong with my forwarding on my local name server?

Eric
  • Can you please share some of your BIND logs? It's probably the access control list denying you recursive queries. – William Sandin Jan 25 '18 at 17:24
  • This makes no sense: "I need "nameserver 127.0.0.1" AND "nameserver 10.11.12.13" in resolv.conf because each of them is managing different zones." DNS and resolv.conf do not work like that: the first nameserver line will get all the queries, irrespective of the zone, and the second nameserver will be used only in the cases where the first one did not reply at all (NXDOMAIN is a valid reply). For your need you must configure your DNS server on the first line to serve all zones you need, even if forwarding queries. Take a look at `unbound` if you do not want to install `dnsmasq` – Patrick Mevzek Jan 26 '18 at 05:18
  • @Patrick: That's the point: with my local DNS server, I tried to forward queries to other DNS servers if needed, but it does not work. resolv.conf only defines backup DNS. But even by putting in some forwarding rules or files, the local DNS does not resolve outer zones. I will update my question to be more clear. – Eric Jan 26 '18 at 07:26

2 Answers


Although it's hard for me to tell because you're using one of those BIND installs that scatters the config across many small files (and because you've not told us what you're trying to do, only how you're trying to do it), I suspect what you want to do is forwarding on a per-zone basis (as I do exactly the same thing).

This comes in two flavours: local BIND should resolve everything except queries for certain zones which should be sent onwards, and local BIND should resolve only queries for certain zones with all others to be sent onwards. For the former, try

zone "example.org" {
        type forward;
        forward first;
        forwarders {
                10.11.12.13 ;
        } ;
} ;

If you're doing the latter, remove the hints for zone . - if your local server can resolve everything, why would it ever need to forward a query?

MadHatter
  • my local server does not resolve everything, I need to forward unresolved request. I will try your setting... – Eric Jan 26 '18 at 07:53
  • Hopefully that will work. Certainly, if your local server can't resolve everything, you should stop telling it that it can and should! – MadHatter Jan 26 '18 at 08:10
  • Unfortunately not in my case. See the "solution" I finally found below... – Eric Jan 26 '18 at 09:18
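The first flavour from this answer (the local server resolves everything itself from the root hints, and only the corporate zone is forwarded), written out as a complete named.conf. This is an added example, not the answerer's or the questioner's file. It reuses the names from the question: the local server is authoritative for appdom.com-local, only the corporate server at 10.11.12.13 knows mycompany.grp, and everything else is resolved iteratively. Two deliberate changes from the posted config are labelled in the comments: allow-recursion restricts who may use this server as a resolver (the posted config has no such limit) and allow-transfer { any; } is replaced by { none; } so that anyone who can reach port 53 cannot pull the zone. The per-zone statement uses forward only rather than forward first: with forward first, a failure of 10.11.12.13 makes named fall back to the public roots, which answer NXDOMAIN for a private zone and so hide the outage; forward only returns SERVFAIL instead. The posted reverse zone is left out because it declares the whole of in-addr.arpa as a master zone, which makes every PTR lookup for an address not in that zone file fail locally; it should be the specific reverse prefix of the local network, which the question does not give.

```conf
options {
    directory "/var/named";
    recursion yes;

    // Assumption: only the local host and the 10/8 network may recurse here.
    // The original config has no allow-recursion at all.
    allow-recursion { 127.0.0.1; ::1; 10.0.0.0/8; };
    // Replaces the original allow-transfer { any; } on each zone.
    allow-transfer { none; };

    // No global forwarders: names this server is not authoritative for
    // and that are not covered by a forward zone below are resolved
    // from the root hints in zone ".".
    dnssec-validation auto;
};

// Zone this server is authoritative for (file name from the question).
zone "appdom.com-local" IN {
    type master;
    file "master/appdom.com-local.zone";
};

// Corporate zone, known only to the corporate server.
// "forward only": never fall back to the roots for this zone.
zone "mycompany.grp" IN {
    type forward;
    forward only;
    forwarders { 10.11.12.13; };
};

// Root hints, needed because everything else is resolved iteratively.
zone "." IN {
    type hint;
    file "named.ca";
};
```

With this layout /etc/resolv.conf needs only nameserver 127.0.0.1; the 10.11.12.13 and 8.8.8.8 lines there are not a fallback for unknown zones (the resolver only moves to the next server on a timeout, not on NXDOMAIN) and can be removed. After `rndc reload`, `dig @127.0.0.1 myhost.mycompany.grp` should show the answer coming back through the forwarder, and `rndc querylog` followed by a lookup shows the forwarded query in the log.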

I finally found a solution,

After activating query logging (rndc querylog), I was able to see in messages:

error (insecurity proof failed) resolving 'myhost.mycompany.grp/A/IN': 10.11.12.13#53

I deactivated DNSSEC validation:

dnssec-validation no;

Then I had a very strange behaviour, as if the forwarder IPs were used in a round-robin manner: sometimes the host is resolved, sometimes not (the host is known only to the first IP).

By putting only the first IP in forwarders it now works.

I will try soon, if it is possible, to add some priority to the forwarder IPs.

So, now it is more a DNSSEC problem, I will manage that later.

Eric
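A version of this setup that keeps DNSSEC validation on, as an added example and not the poster's configuration. It addresses the two symptoms reported in this answer. First, the apparent round robin: BIND picks among the servers in a forwarders list by measured round-trip time, not in the order written, so a list that mixes the corporate server with 8.8.8.8 sends internal-only names to Google part of the time; there is no priority option for forwarders, and the fix is a per-zone forward zone that names only 10.11.12.13 for mycompany.grp. Second, "insecurity proof failed": the validator has to prove that mycompany.grp is an unsigned zone before it will accept an unsigned answer for it, but .grp is not delegated from the public root, and the root's signed denial of existence contradicts the forwarded answer, so validation rejects it. Rather than setting dnssec-validation no for the whole server, exempt only the internal zone with validate-except (BIND 9.16 and later). The allow-recursion and allow-transfer lines are additions with the same rationale as above (assumed LAN prefix 10/8); dnssec-enable is omitted because it is obsolete in current BIND. This is the second flavour from the other answer: the local server answers only for its own zones and forwards everything else, so the root hints zone is not needed.

```conf
options {
    directory "/var/named";
    recursion yes;
    // Assumption: the LAN is in 10/8; restrict who may recurse through us.
    allow-recursion { 127.0.0.1; ::1; 10.0.0.0/8; };
    allow-transfer { none; };

    // Everything this server is not authoritative for goes to the public
    // resolver.  "forward only": no iterative fallback, so no root hints.
    forward only;
    forwarders { 8.8.8.8; };

    // Validate the public namespace with the built-in root trust anchor,
    // but skip validation at and below the unsigned corporate zone.
    // validate-except requires BIND 9.16 or later.
    dnssec-validation auto;
    validate-except { "mycompany.grp"; };
};

// Local authoritative zone, as in the question.
zone "appdom.com-local" IN {
    type master;
    file "master/appdom.com-local.zone";
};

// Corporate zone: this per-zone forwarders list overrides the global one,
// so 8.8.8.8 is never asked about mycompany.grp.
zone "mycompany.grp" IN {
    type forward;
    forward only;
    forwarders { 10.11.12.13; };
};
```

On a release without validate-except (for example BIND 9.11), the same exemption can be made at runtime with a negative trust anchor: `rndc nta mycompany.grp`. Negative trust anchors are a stopgap, not configuration: they expire (one hour by default, adjustable with the nta-lifetime option up to one week) and are listed with `rndc nta -dump`, so either re-add the NTA from a cron job or plan the upgrade. In both cases `dig @127.0.0.1 myhost.mycompany.grp` should now answer consistently, while `dig @127.0.0.1 +dnssec example.com` still returns the AD flag, showing that validation remains active for the public namespace.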