configuring named. Works only with local names but returns SERVFAIL with global names

fperal · April 22, 2021, 10:28am

Hi.

I’m trying to configure named to resolve local names and external names too.
I have done a fresh install of Opensuse 15.2 with the server minimal configuration.
I’m following the opensuse guide about the The Domain Name System

I have installed all the named stuff

zypper in -t pattern dhcp_dns_server

The server has static ip 192.168.2.70, named “named”
It has IPV6 disabled
It has 192.168.2.1 (my router) as nameserver

I follow the rest of the configuration with yast.
I add 192.168.2.1 as forwarder
I add a new zone “bogus” master
another master zone 2.168.192.in-addr.arpa

I edit the bogus zone
-add a nameserver named.bogus.
-add a A record test1 192.168.2.10
-add a A record named 192.168.2.70

I edit the reverse zone
-add a nameserver 70
-add a reverse ptr 192.168.2.10 test1
-add a reverse ptr 192.168.2.70 named

open the port in the firewall, and activate named in boot.

The resulting files are

/etc/named.conf

 Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany. 
# All rights reserved. 
# 
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de> 
# 
# /etc/named.conf 
# 
# This is a sample configuration file for the name server BIND 9.  It works as 
# a caching only name server without modification. 
# 
# A sample configuration for setting up your own domain can be found in 
# /usr/share/doc/packages/bind/sample-config. 
# 
# A description of all available options can be found in 
# /usr/share/doc/packages/bind/misc/options. 

options { 

        # The directory statement defines the name server's working directory 

        directory "/var/lib/named"; 

        # enable DNSSEC validation 
        # 
        # If BIND logs error messages about the root key being expired, you 
        # will need to update your keys. See https://www.isc.org/bind-keys 
        # 
        # The dnssec-enable option has been obsoleted and no longer has any effect. 
        # DNSSEC responses are always enabled if signatures and other DNSSEC data are present. 

        # dnssec-validation yes (default), indicates that a resolver 
        # (a caching or caching-only name server) will attempt to validate 
        # replies from DNSSEC enabled (signed) zones. To perform this task 
        # the server also needs either a valid trusted-keys clause 
        # (containing one or more trusted-anchors) or a managed-keys clause. 
        # If you have problems with forwarders not returning signed responses, 
        # set this to "no", but be aware that this may create security issues 
        # so better switch to a forwarder which supports DNSSEC! 

        #dnssec-validation auto; 
        managed-keys-directory "/var/lib/named/dyn/"; 

        # Write dump and statistics file to the log subdirectory.  The 
        # pathenames are relative to the chroot jail. 

        dump-file "/var/log/named_dump.db"; 
        statistics-file "/var/log/named.stats"; 

        # The forwarders record contains a list of servers to which queries 
        # should be forwarded.  Enable this line and modify the IP address to 
        # your provider's name server.  Up to three servers may be listed. 

        #forwarders { 192.0.2.1; 192.0.2.2; }; 

        # Enable the next entry to prefer usage of the name server declared in 
        # the forwarders section. 

        #forward first; 

        # The listen-on record contains a list of local network interfaces to 
        # listen on.  Optionally the port can be specified.  Default is to 
        # listen on all interfaces found on your system.  The default port is 
        # 53. 

        #listen-on port 53 { 127.0.0.1; }; 

        # The listen-on-v6 record enables or disables listening on IPv6 
        # interfaces.  Allowed values are 'any' and 'none' or a list of 
        # addresses. 

 #       listen-on-v6 { any; }; 

        # The next three statements may be needed if a firewall stands between 
        # the local server and the internet. 

        #query-source address * port 53; 
        #transfer-source * port 53; 
        #notify-source * port 53; 

        # The allow-query record contains a list of networks or IP addresses 
        # to accept and deny queries from. The default is to allow queries 
        # from all hosts. 

        #allow-query { 127.0.0.1; }; 

        # If notify is set to yes (default), notify messages are sent to other 
        # name servers when the the zone data is changed.  Instead of setting 
        # a global 'notify' statement in the 'options' section, a separate 
        # 'notify' can be added to each zone definition. 

        notify no; 

 #       disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; 
        include "/etc/named.d/forwarders.conf"; 
}; 

# To configure named's logging remove the leading '#' characters of the 
# following examples. 
#logging { 
#       # Log queries to a file limited to a size of 100 MB. 
#       channel query_logging { 
#               file "/var/log/named_querylog" 
#                       versions 3 size 100M; 
#               print-time yes;                 // timestamp log entries 
#       }; 
#       category queries { 
#               query_logging; 
#       }; 
# 
#       # Or log this kind alternatively to syslog. 
#       channel syslog_queries { 
#               syslog user; 
#               severity info; 
#       }; 
#       category queries { syslog_queries; }; 
# 
#       # Log general name server errors to syslog. 
#       channel syslog_errors { 
#               syslog user; 
#               severity error; 
#       }; 
#       category default { syslog_errors;  }; 
# 
#       # Don't log lame server messages. 
#       category lame-servers { null; }; 
#}; 

# The following zone definitions don't need any modification.  The first one 
# is the definition of the root name servers.  The second one defines 
# localhost while the third defines the reverse lookup for localhost. 

zone "." in { 
        type hint; 
        file "root.hint"; 
}; 

zone "localhost" in { 
        type master; 
        file "localhost.zone"; 
}; 

zone "0.0.127.in-addr.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in { 
        type master; 
        file "127.0.0.zone"; 
}; 


# Include the meta include file generated by createNamedConfInclude.  This 
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from 
# /etc/sysconfig/named 

include "/etc/named.conf.include"; 
zone "bogus" in { 
        allow-transfer { any; }; 
        file "master/bogus"; 
        type master; 
}; 
zone "2.168.192.in-addr.arpa" in { 
        allow-transfer { any; }; 
        file "master/2.168.192.in-addr.arpa"; 
        type master; 
}; 

# You can insert further zone records for your own domains below or create 
# single files in /etc/named.d/ and add the file names to 
# NAMED_CONF_INCLUDE_FILES. 
# See /usr/share/doc/packages/bind/README.SUSE for more details.

/etc/named.d/forwarders.conf

### /etc/named.d/forwarders.conf is a symlink to /var/run/netconfig/bind-forwarders.conf 
### autogenerated by netconfig! 
# 
# Before you change this file manually, consider to define the 
# static DNS configuration using the following variables in the 
# /etc/sysconfig/network/config file: 
#     NETCONFIG_DNS_STATIC_SEARCHLIST 
#     NETCONFIG_DNS_STATIC_SERVERS 
#     NETCONFIG_DNS_FORWARDER 
# or disable DNS configuration updates via netconfig by setting: 
#     NETCONFIG_DNS_POLICY='' 
# 
# See also the netconfig(8) manual page and other documentation. 
# 
### Call "netconfig update -f" to force adjusting of /etc/named.d/forwarders.conf. 
forwarders { 
        192.168.2.1; 
};

Well, indeed I changed the file afterwards to allow logs

logging { 
    channel default_file { 
        file "/var/lib/named/log/default.log" versions 3 size 5m; 
        severity dynamic; 
        print-time yes; 
    }; 
   category default { default_file; };

/var/lib/named/master/bogus


[FONT=monospace]$TTL 2d 
@               IN SOA          named.  root.named. ( 
                                2021042201      ; serial 
                                3h              ; refresh 
                                1h              ; retry 
                                1w              ; expiry 
                                1d )            ; minimum 

bogus.          IN MX           0 named.bogus. 
bogus.          IN NS           named.bogus. 
test1           IN A            192.168.2.10 
named           IN A            192.168.2.70

[/FONT]

/var/lib/named/master/2.168.192.in-addr.arpa


$TTL 2d 
@               IN SOA          named.  root.named. ( 
                                2021042202      ; serial 
                                3h              ; refresh 
                                1h              ; retry 
                                1w              ; expiry 
                                1d )            ; minimum 

2.168.192.in-addr.arpa. IN NS           named. 
192.168.2.10    IN PTR          test1. 
192.168.2.70    IN PTR          named.

/etc/resolv.conf

### /etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf 
### autogenerated by netconfig! 
# 
# Before you change this file manually, consider to define the 
# static DNS configuration using the following variables in the 
# /etc/sysconfig/network/config file: 
#     NETCONFIG_DNS_STATIC_SEARCHLIST 
#     NETCONFIG_DNS_STATIC_SERVERS 
#     NETCONFIG_DNS_FORWARDER 
# or disable DNS configuration updates via netconfig by setting: 
#     NETCONFIG_DNS_POLICY='' 
# 
# See also the netconfig(8) manual page and other documentation. 
# 
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf. 
nameserver 127.0.0.1 
nameserver 192.168.2.1

Then I connect to the server from another computer and test the dns server. It works with local names but if fails with global names


fernando@andromeda:~> nslookup 
> server 192.168.2.70 
Default server: 192.168.2.70 
Address: 192.168.2.70#53 
> named.bogus 
Server:         192.168.2.70 
Address:        192.168.2.70#53 

Name:   named.bogus 
Address: 192.168.2.70 
> test1.bogus 
Server:         192.168.2.70 
Address:        192.168.2.70#53 

Name:   test1.bogus 
Address: 192.168.2.10 
> google.com 
Server:         192.168.2.70 
Address:        192.168.2.70#53 

** server can't find google.com: SERVFAIL 
>

What am I doing wrong?

best regards

arvidjaar · April 22, 2021, 10:40am

To my best knowledge you need to enable recursion in bind options, and I do not see it anywhere in output you posted:

options {
...
    recursion yes;
...
}

fperal · April 22, 2021, 11:21am

no, it didn’t work. I aded it and I tried with an without forward first


        # Enable the next entry to prefer usage of the name server declared in 
        # the forwarders section. 
       forward first; 
       recursion yes;

But something is very wrong, this is the log when I just ask for google.com (just one time)


**named:~ #** tail -f /var/lib/named/log/default.log
address not available resolving 'google.com/ANY/IN': 2001:500:12::d0d#53 
address not available resolving 'google.com/ANY/IN': 2001:500:1::53#53 
address not available resolving 'google.com/ANY/IN': 2001:500:200::b#53 
address not available resolving 'google.com/ANY/IN': 2001:500:856e::30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:eea3::30#53 
address not available resolving 'google.com/ANY/IN': 2001:502:8cc::30#53 
address not available resolving 'google.com/ANY/IN': 2001:502:1ca1::30#53 
address not available resolving 'google.com/ANY/IN': 2001:501:b1f9::30#53 
address not available resolving 'google.com/ANY/IN': 2001:500:d937::30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:d2d::30#53 
address not available resolving 'google.com/ANY/IN': 2001:502:7094::30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:d414::30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:231d::2:30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:83eb::30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:39c1::30#53 
address not available resolving 'google.com/ANY/IN': 2001:503:a83e::2:30#53 
address not available resolving 'google.com/ANY/IN': 2001:4860:4802:38::a#53 
address not available resolving 'google.com/ANY/IN': 2001:4860:4802:32::a#53 
address not available resolving 'google.com/ANY/IN': 2001:4860:4802:36::a#53 
address not available resolving 'google.com/ANY/IN': 2001:4860:4802:34::a#53 
  validating com/DS: no valid signature found 
broken trust chain resolving 'google.com/ANY/IN': 216.239.38.10#53 
no valid RRSIG resolving 'com/DS/IN': 192.168.2.1#53 
address not available resolving 'com/DS/IN': 2001:500:200::b#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 199.7.83.42#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 193.0.14.129#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 192.5.5.241#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 192.203.230.10#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 192.33.4.12#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 192.58.128.30#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 199.7.91.13#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 198.41.0.4#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 192.112.36.4#53 
address not available resolving 'com/DS/IN': 2001:dc3::35#53 
address not available resolving 'com/DS/IN': 2001:7fe::53#53 
address not available resolving 'com/DS/IN': 2001:500:1::53#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 199.9.14.201#53 
address not available resolving 'com/DS/IN': 2001:500:9f::42#53 
address not available resolving 'com/DS/IN': 2001:7fd::1#53 
address not available resolving 'com/DS/IN': 2001:500:2f::f#53 
address not available resolving 'com/DS/IN': 2001:500:a8::e#53 
address not available resolving 'com/DS/IN': 2001:500:2::c#53 
address not available resolving 'com/DS/IN': 2001:503:c27::2:30#53 
address not available resolving 'com/DS/IN': 2001:500:2d::d#53 
address not available resolving 'com/DS/IN': 2001:503:ba3e::2:30#53 
address not available resolving 'com/DS/IN': 2001:500:12::d0d#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 202.12.27.33#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 192.36.148.17#53 
validating com/DS: no valid signature found 
no valid RRSIG resolving 'com/DS/IN': 198.97.190.53#53 
validating google.com/TXT: bad cache hit (com/DS) 
validating google.com/NS: bad cache hit (com/DS) 
validating google.com/MX: bad cache hit (com/DS) 
validating google.com/CAA: bad cache hit (com/DS) 
validating google.com/SOA: bad cache hit (com/DS) 
no valid RRSIG resolving 'org/DS/IN': 192.168.2.1#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 192.203.230.10#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 199.7.83.42#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 192.5.5.241#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 193.0.14.129#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 192.33.4.12#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 199.7.91.13#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 192.58.128.30#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 198.41.0.4#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 199.9.14.201#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 192.112.36.4#53 
address not available resolving 'org/DS/IN': 2001:7fe::53#53 
address not available resolving 'org/DS/IN': 2001:dc3::35#53 
address not available resolving 'org/DS/IN': 2001:500:1::53#53 
address not available resolving 'org/DS/IN': 2001:500:a8::e#53 
address not available resolving 'org/DS/IN': 2001:500:9f::42#53 
address not available resolving 'org/DS/IN': 2001:500:2f::f#53 
address not available resolving 'org/DS/IN': 2001:7fd::1#53 
address not available resolving 'org/DS/IN': 2001:500:2::c#53 
address not available resolving 'org/DS/IN': 2001:500:2d::d#53 
address not available resolving 'org/DS/IN': 2001:503:c27::2:30#53 
address not available resolving 'org/DS/IN': 2001:503:ba3e::2:30#53 
address not available resolving 'org/DS/IN': 2001:500:200::b#53 
address not available resolving 'org/DS/IN': 2001:500:12::d0d#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 192.36.148.17#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 202.12.27.33#53 
validating org/DS: no valid signature found 
no valid RRSIG resolving 'org/DS/IN': 198.97.190.53#53 
broken trust chain resolving '2.opensuse.pool.ntp.org/A/IN': 192.168.2.1#53 
broken trust chain resolving '2.opensuse.pool.ntp.org/AAAA/IN': 192.168.2.1#53

dcurtisfra · April 22, 2021, 11:55am

@fperal:

Is the systemd “nscd” (name service cache daemon) service enabled?


 > systemctl list-unit-files | grep -iE 'name|nsc|dns'
avahi-dnsconfd.service                                           disabled       
chrony-dnssrv@.service                                           static         
dbus-org.freedesktop.hostname1.service                           static         
dnsmasq.service                                                  disabled       
nscd.service                                                     enabled        
systemd-hostnamed.service                                        static         
chrony-dnssrv@.timer                                             disabled       
 >

The “systemd-hostnamed.service” is static and, is normally «inactive (dead)» …

systemd-hostnamed is a system service that may be used as a mechanism to change the system’s hostname. systemd-hostnamed is automatically activated on request and terminates itself when it is unused.

The tool hostnamectl(1) is a command line client to this service.

The “dnsmasq” service is another DNS conflict possibility –

dnsmasq - A lightweight DHCP and caching DNS server.

Avahi mDNS is yet another DNS conflict possibility –

avahi-dnsconfd - Unicast DNS server from mDNS/DNS-SD configuration daemon

fperal · April 22, 2021, 11:56am

I have found some of the errors. One of them was that there was in named.conf a ipv6 zone


zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in { 
       type master; 
       file "127.0.0.zone"; 
};

I deleted it an some error were gone but not all of them. Some related to "no valid RRSIG resolving ‘org/DS/IN’: " continue appearing when starting named.

I have found taht I need to change in named.conf

[FONT=monospace]dnssec-validation no;

And then I got rid of this messages starting named


dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input 
managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input 
managed-keys-zone: loaded serial 19 
zone localhost/IN: loaded serial 42 
zone bogus/IN: loaded serial 2021042201 
zone 0.0.127.in-addr.arpa/IN: loaded serial 42 
zone 2.168.192.in-addr.arpa/IN: loaded serial 2021042202 
all zones loaded 
running 
managed-keys-zone: No DNSKEY RRSIGs found for '.': success 
resolver priming query complete

But still two error with [FONT=monospace]/var/lib/named/dyn/managed-keys.bind

And when I ask for a name it returns a lot of errors too, related to ipv6 … but it returns the address!!

[FONT=monospace]address not available resolving 'amazon.es/ANY/IN': 2001:500:12::d0d#53 
address not available resolving 'amazon.es/ANY/IN': 2001:7fe::53#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:a8::e#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:200::b#53 
address not available resolving 'amazon.es/ANY/IN': 2001:dc3::35#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:2f::f#53 
address not available resolving 'amazon.es/ANY/IN': 2001:503:c27::2:30#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:2d::d#53 
address not available resolving 'amazon.es/ANY/IN': 2001:7fd::1#53 
address not available resolving 'amazon.es/ANY/IN': 2001:503:ba3e::2:30#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:2::c#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:1::53#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:9f::42#53 
address not available resolving 'amazon.es/ANY/IN': 2001:678:40::53#53 
address not available resolving 'amazon.es/ANY/IN': 2001:678:44::53#53 
address not available resolving 'amazon.es/ANY/IN': 2001:67c:21cc:2000::64:41#53 
address not available resolving 'amazon.es/ANY/IN': 2001:678:c::1#53 
address not available resolving 'amazon.es/ANY/IN': 2001:720:418:caf1::7#53 
address not available resolving 'amazon.es/ANY/IN': 2001:1398:276:0:200:7:5:14#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:14:7001:ad::1#53 
address not available resolving 'amazon.es/ANY/IN': 2001:40b0:1:1122:ce5c:a000:0:3#53 
address not available resolving 'amazon.es/ANY/IN': 2001:500:90:1::31#53

[/FONT][/FONT][/FONT]

I have addedin /etc/sysconfig/named

NAMED_ARGS="NAMED_ARGS=" -4""

to completely disable ipv6, but still the ipv6 errors

fperal · April 22, 2021, 12:32pm

dcurtisfra:

@fperal:

Is the systemd “nscd” (name service cache daemon) service enabled?
 > systemctl list-unit-files | grep -iE 'name|nsc|dns'
avahi-dnsconfd.service                                           disabled       
chrony-dnssrv@.service                                           static         
dbus-org.freedesktop.hostname1.service                           static         
dnsmasq.service                                                  disabled       
nscd.service                                                     enabled        
systemd-hostnamed.service                                        static         
chrony-dnssrv@.timer                                             disabled       
 > 
The “systemd-hostnamed.service” is static and, is normally «inactive (dead)» …

The “dnsmasq” service is another DNS conflict possibility –

Avahi mDNS is yet another DNS conflict possibility –

yes, nscd is working

**named:~ #** systemctl list-unit-files | grep -iE 'name|nsc|dns' 
chrony-**dns**srv@.service                    static    
dbus-org.freedesktop.host**name**1.service    static    
**name**d.service                             enabled   
**nsc**d.service                              enabled   
systemd-host**name**d.service                 static    
chrony-**dns**srv@.timer                      disabled

and dnsmasq and avahi are not installed

dcurtisfra · April 22, 2021, 12:37pm

Then, try stopping the “nscd” service – you’ll also have to disable it to prevent it starting again at the next boot …

fperal · April 24, 2021, 11:03am

I found what was the problem.

in /etc/named.conf

I have to add this line


   dnssec-validation no;

fperal · April 24, 2021, 11:41am

Provided it is now working with nscd started setting the dnssec-validation to no, should I disable nscd anyway?

dcurtisfra · April 24, 2021, 8:33pm

The BIND named caches the DNS queries – which is also what nscd does, plus NSS functions …

Running two DNS caches in parallel can often lead to weird name resolution issues …

Therefore, in general, it’s not a good idea to have two DNS caching methods running in parallel …

fperal · April 25, 2021, 4:03pm

I don’t really know why I have nscd enabled, maybe it is enabled by default or maybe I enebled it some time ago for any reason.
What I have read here is that nscd isn’t working as a dns daemon because it is not listening on the DNS port and it seems taht it may cache other things more than names/ips (nfs or nis files, for instance, but I guess that being installed in the nfs/nis client) .
Anyway, I have disabled it.