
I'm trying to configure bind9 DNS to make it usable for my tiny network of Windows PCs in order to create an Active Directory DC on Samba. For some reason I am getting "ignoring out-of-zone data" for these PCs. I am pretty sure I am missing something, most likely an understanding of how this works. I would appreciate it if someone who has more experience in BIND configuration would have a look at this and spot what I am doing wrong. I started thinking that maybe I should use split-horizon DNS, like the one described here: https://www.howtoforge.com/two_in_one_dns_bind9_views

However, this server should work primarily for the internal network 192.168.3.0, so the PCs would communicate with the Samba Active Directory DC within the same network back and forth (Samba is hosted on the same machine as BIND), and also be able to send queries to the Internet through this DNS. I am, however, not interested in serving queries for network 10.0.5.0, as that one uses separate DNS servers specified in named.conf as forwarders (10.0.14.13, 10.0.6.66).

resolv.conf:

search dom.co.uk
nameserver 192.168.3.10

named.conf:

options {
    listen-on port 53 { 127.0.0.1; 192.168.3.10; 10.0.5.105; };
#   listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
#   allow-query     { localhost; };
    forwarders  { 10.0.14.13; 10.0.6.66; };   
    allow-query { localhost; 192.168.3.10; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;
    allow-recursion { trusted; };
    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";


};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "j6105.md.dom.co.uk" IN {
         type master;
         file "/var/named/j6105.md.dom.co.uk";
         allow-update { none; };
};


zone "3.168.192.in-addr.arpa" IN {
          type master;
          file "/var/named/j6105.md.dom.co.uk.rev";
          allow-update { none; };
};



include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

server 10.0.14.13 {
    };
server 10.0.6.66 {
    };
acl trusted {
    192.168.3.0/27;
    10.0.5.0/24;
    10.0.162.0/24;
    10.0.163.0/24;
    localhost;
    localnets;
};

j6105.md.dom.co.uk zone file:

$ORIGIN j6105.md.dom.co.uk.
$TTL 3h
@   IN  SOA dc1.j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. (
            201900924
            3h
            1h
            1h
            1h )
@                          IN NS    j6105.md.dom.co.uk.
@                      3600 IN MX 10 j6105.md.dom.co.uk.
@                      3600    IN A     192.168.3.10
j6105.md.dom.co.uk.                    3600    IN A     192.168.3.10
j6105.md.dom.co.uk.                  3600    IN A     192.168.3.10
j6105.md.dom.co.uk.                 3600    IN A     10.0.5.105
; lan data
j6105.md.dom.co.uk.              3600    IN A     192.168.3.10
pc5.md.dom.co.uk.              3600    IN A      192.168.3.11
pc2.md.dom.co.uk.            3600    IN A      192.168.3.12
pc3.md.dom.co.uk.              3600    IN A      192.168.3.13
pc1.md.dom.co.uk.              3600    IN A      192.168.3.14
pc4.md.dom.co.uk.              3600    IN A      192.168.3.15
nicola-research2.md.dom.co.uk.              3600    IN A      192.168.3.16

j6105.md.dom.co.uk.rev for zone 3.168.192.in-addr.arpa file:

$ttl 1H
3.168.192.in-addr.arpa. IN  SOA j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. (
            2008112122
            3600
            3600
            3600
            3600 )
10.3.168.192.in-addr.arpa.  IN  NS  j6105.md.dom.co.uk.
3.168.192.in-addr.arpa. IN  NS  dc1.j6105.md.dom.co.uk.
105.5.0.10.in-addr.arpa.    IN  NS  j6105.md.dom.co.uk.
10.3.168.192.in-addr.arpa.              IN      PTR     j6105.md.dom.co.uk
11.3.168.192.in-addr.arpa.              IN      PTR     pc5.j6105.md.dom.co.uk
12.3.168.192.in-addr.arpa.              IN      PTR     pc2.j6105.md.dom.co.uk
13.3.168.192.in-addr.arpa.              IN      PTR     pc3.j6105.md.dom.co.uk
14.3.168.192.in-addr.arpa.              IN      PTR     pc1.j6105.md.dom.co.uk
15.3.168.192.in-addr.arpa.              IN      PTR     pc4.j6105.md.dom.co.uk
16.3.168.192.in-addr.arpa.              IN      PTR     nicola-research2
187.5.0.10.in-addr.arpa.              IN      PTR       nicola-research2

The result of the named-checkzone command:

sudo named-checkzone j6105.md.dom.co.uk /var/named/j6105.md.dom.co.uk
/var/named/j6105.md.dom.co.uk:17: ignoring out-of-zone data (pc5.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:18: ignoring out-of-zone data (pc2.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:19: ignoring out-of-zone data (pc3.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:20: ignoring out-of-zone data (pc1.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:21: ignoring out-of-zone data (pc4.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:22: ignoring out-of-zone data (nicola-research2.md.dom.co.uk)
zone j6105.md.dom.co.uk/IN: loaded serial 201900924
OK

The nslookup command run from the Linux BIND server gives me the following results:

nslookup pc4.md.dom.co.uk
Server:         192.168.3.10
Address:        192.168.3.10#53

** server can't find pc4.md.dom.co.uk: NXDOMAIN

nslookup 192.168.3.15
Server:         192.168.3.10
Address:        192.168.3.10#53

15.3.168.192.in-addr.arpa       name = pc4.j6105.md.dom.co.uk.3.168.192.in-addr.arpa.

nslookup from the Windows client machine (pc4.md.dom.co.uk/192.168.3.15):

> nslookup 192.168.3.10
Server:  [192.168.3.10]
Address:  192.168.3.10

*** 192.168.3.10 can't find nslookup: Non-existent domain
> nslookup j6105.md.dom.co.uk
Server:  j6105.md.dom.co.uk
Addresses:  10.0.5.105
          192.168.3.10

*** j6105.md.dom.co.uk can't find nslookup: Non-existent domain

dig from the Linux server hosting BIND for the client machine (pc4.md.dom.co.uk/192.168.3.15):

dig pc4.md.dom.co.uk

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> pc4.md.dom.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52595
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pc4.md.dom.co.uk.              IN      A

;; AUTHORITY SECTION:
dom.co.uk.              4553    IN      SOA     eagle.dom.co.uk. dnsman.dom.co.uk. 2019070968 7200 3600 604800 14400

;; Query time: 0 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Sep 19 14:06:22 BST 2019
;; MSG SIZE  rcvd: 94


dig 192.168.3.15

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> 192.168.3.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50490
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.3.15.                  IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019091802 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Sep 19 14:06:50 BST 2019
;; MSG SIZE  rcvd: 116
  • Think your config shows the subdomain as `j6105.md.dom.co.uk.` but the PCs are `pcX.md.dom.co.uk.`, which isn't in the `j6105.md.dom.co.uk.` zone. Change the names for the PCs to be `pcX.j6105.md.dom.co.uk` and re-check with `named-checkzone j6105.md.dom.co.uk /path/to/zone/file/for/j6105.md.dom.co.uk` – ivanivan Sep 19 '19 at 14:14
  • oh gosh! spot on, yes, that was it! Many thanks for your help. If you would like to post an answer, I'll make it the accepted solution. Now I'm getting, when I nslookup from the Windows client, something like this: `nslookup 192.168.3.10 Server: UnKnown Address: 192.168.3.10 *** UnKnown can't find 192.168.3.10: Non-existent domain` but it is most likely the subject for another investigation; it resolves other local PCs very well. – domaniqs Sep 19 '19 at 14:30

1 Answer


Think your config shows the subdomain (in the SOA line as well as the @ entry) as j6105.md.dom.co.uk. but the PCs are pcX.md.dom.co.uk, which isn't in the j6105.md.dom.co.uk zone.

Change the names for the PCs to be pcX.j6105.md.dom.co.uk and re-check with

named-checkzone j6105.md.dom.co.uk /path/to/zone/file/for/j6105.md.dom.co.uk

And you should be good to go.

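As an added illustration (not part of the question or the answer), a small checker that reproduces the two naming mistakes seen in this thread on constructed zone fragments: owner names outside the zone's origin, which named-checkzone reports as "ignoring out-of-zone data", and PTR targets written without the trailing dot, which is why the reverse lookup above came back as pc4.j6105.md.dom.co.uk.3.168.192.in-addr.arpa. The zone text is constructed from the question's files, and the parser is deliberately simplified to one record per line plus a parenthesised SOA.

```python
TYPES = {"A", "AAAA", "NS", "MX", "PTR", "CNAME", "SOA", "TXT", "SRV"}
NAME_RDATA = {"NS", "PTR", "CNAME"}  # types whose last rdata field is a name

def fqdn(name, origin):
    """Expand a name as named does: '@' = origin, trailing dot = absolute,
    otherwise the current origin is appended."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def check_zone(text, zone):
    """Return (lineno, kind, name) for owners outside the zone ('out-of-zone',
    which named-checkzone ignores) and for NS/PTR/CNAME targets missing the
    trailing dot, shown with the origin named would append ('relative-target')."""
    zone = origin = zone.rstrip(".").lower() + "."
    owner, depth, problems = origin, 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";")[0].rstrip()            # strip comments
        if not line.strip():
            continue
        if depth:                                    # inside a multi-line SOA
            depth += line.count("(") - line.count(")")
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):                # $TTL and friends
            continue
        if not line[0].isspace():                    # leading blank = inherit owner
            owner = fqdn(tokens.pop(0), origin)
        idx = next(i for i, t in enumerate(tokens) if t.upper() in TYPES)
        rtype, rdata = tokens[idx].upper(), tokens[idx + 1:]
        depth += line.count("(") - line.count(")")
        if owner != zone and not owner.endswith("." + zone):
            problems.append((lineno, "out-of-zone", owner))
        if rtype in NAME_RDATA and not rdata[-1].endswith("."):
            problems.append((lineno, "relative-target", fqdn(rdata[-1], origin)))
    return problems

# Constructed fragments modelled on the zone files in the question.
FORWARD = """$ORIGIN j6105.md.dom.co.uk.
@   IN  SOA dc1.j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. (
            201900924 3h 1h 1h 1h )
pc4.md.dom.co.uk.   3600 IN A 192.168.3.15   ; absolute name outside the zone
pc4                 3600 IN A 192.168.3.15   ; relative: pc4.j6105.md.dom.co.uk.
"""
REVERSE = """$ORIGIN 3.168.192.in-addr.arpa.
15  IN  PTR pc4.j6105.md.dom.co.uk    ; missing trailing dot
"""
```

`check_zone(FORWARD, "j6105.md.dom.co.uk")` flags line 4 as out-of-zone while the relative `pc4` on line 5 passes, and `check_zone(REVERSE, "3.168.192.in-addr.arpa")` shows the PTR target expanding to pc4.j6105.md.dom.co.uk.3.168.192.in-addr.arpa.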