views: 1175
answers: 11

Alright, I am going to state up front that this question may be too involved (amount of detail not complexity) for this medium. But I figured this was the best place to start.

I am attempting to set up a proof of concept project and my BIND configuration is my first big hurdle. I want to set up 3 DNS servers on 3 physical boxes. None of these boxes needs to resolve public addresses, this is internal only. I have read through how to set up internal roots in the (mostly) excellent DNS & BIND 5th ed book. But my translation of their example is not functional. All IPs are RFC 1918 non-routable.

Box 1 will be authoritative for addresses on the box1.bogus domain, and Box 2 will be authoritative for addresses on the box2.bogus domain. Box 3 will act as both an internal root and the TLD server for the domain bogus.

Current unresolved issues:

  • I have a hints file on box 1 and 2 that contains a single NS record to the NS definition of the root zone. Additionally there is an A record that translates the NS to the IP of the root. If I dig . from box 1 I get an authority section with the NS name, not an answer and additional record section. Therefore I am unable to actually resolve the IP of the root server from box 1.

  • If I point my /etc/resolv.conf from box 1 directly at the root server and do a dig box1.bogus I get the ns.box1.bogus answer record and the translation in the additional section. However on the next iteration (when it should get the A record) I get dig: couldn't get address for ns.box1.bogus

Obviously my configs are not correct. I don't see a way to attach them to this post, so if people want to walk through this step by step I will cut'n'paste them into a comment for this question. Otherwise I am open to taking this 'offline' with a "DNS guy" to figure out where I'm missing a '.' or have one too many!

I personally think the web could do with another internal root example that doesn't make use of the Movie-U example.

OK, if we are going to do this, then we should use a concrete example eh? I have 3 machines set up on a private VLAN for testing this. As a sanity check I pared down all my relevant configs, condensed when able, and redeployed 2 of the nameservers. I left out Scratchy for now. Same results as above. Here are the configs and initial dig outputs.


Bogus

Machine Name: Bogus (I just realized I should change this...)  
Role:         Internal Root and TLD Nameserver  
IP:           10.0.0.1  
BIND:         9.5.0-16.a6.fc8

/etc/named.conf

// Controls who can make queries of this DNS server. Currently only the
// local test bed. When there is a standardized IP addr scheme, we can have
// those addr ranges enabled so that even if firewall rules get broken, the
// public internet can't query the internal DNS.
//
acl "authorized" {
        localhost;   // localhost
        10.0.0.0/24;          // Local Test
};

options {
    listen-on port 53 {
     127.0.0.1;
     10.0.0.1;
    };
    listen-on-v6 port 53 { ::1; };
    directory  "/var/named";
    dump-file  "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/var/run/named/named.pid";
    allow-query     { any; };
    recursion no;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

//
// The fake root.
//
zone "." {
    type master;
    file "master/root";
    allow-query { authorized; };
};

//
// The TLD for testing
//
zone "bogus" {
    type master;
    file "master/bogus";
    allow-query { authorized; };
    allow-transfer { authorized; };
};

/var/named/master/root

$TTL    3600
.             SOA ns.bogustld. hostmaster.internal.bogus. (
               2008101601 ; serial
                 1H  ; refresh
               2H  ; retry
               14D  ; expire
               5M )  ; minimum
;
; Fake root zone servers defined.
;
.             NS ns.bogustld.
ns.bogustld.     A 10.0.0.1
;
; Testing TLD
;
bogus     NS ns1.bogus.
ns1.bogus.           A 10.0.0.1

/var/named/master/bogus

$TTL 3600
@     SOA ns1.internal.bogus. hostmaster.internal.bogus. (
       2008102201 ; serial date +seq
       1H  ; refresh
       2H  ; retry
       14D  ; expire
       5M)  ; min TTL
;
      NS ns1.internal.bogus.
;
; Auth servers
;
ns1.internal.bogus. A 10.0.0.1
;
; Customer delegations: each customer 2nd level domain has its
; own zone file.
;
;Modified to be unique nameservers in the bogus domain
itchy     NS ns1-itchy.bogus.
ns1-itchy.bogus.    A 10.0.0.2
;
scratchy     NS ns1-scratchy.bogus.
ns1-scratchy.bogus. A 10.0.0.3

Output from dig .

; <<>> DiG 9.5.0-P2 <<>> .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57175
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      A

;; AUTHORITY SECTION:
.                       300     IN      SOA     ns.bogustld. hostmaster.internal.bogus. 2008101601 3600 7200 1209600 300

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Tue Oct 21 12:23:59 2008
;; MSG SIZE  rcvd: 88

Output from dig +trace itchy.bogus

; <<>> DiG 9.5.0-P2 <<>> +trace itchy.bogus
;; global options:  printcmd
.                       3600    IN      NS      ns.bogustld.
;; Received 57 bytes from 10.0.0.1#53(10.0.0.1) in 1 ms

itchy.bogus.            3600    IN      NS      ns1-itchy.bogus.
;; Received 69 bytes from 10.0.0.1#53(ns.bogustld) in 0 ms

itchy.bogus.            3600    IN      A       10.0.0.2
itchy.bogus.            3600    IN      NS      ns1.itchy.bogus.
;; Received 79 bytes from 10.0.0.2#53(ns1-itchy.bogus) in 0 ms


Itchy

Machine Name: Itchy   
Role:         SLD Nameserver (supposed to be owner of itchy.bogus) 
IP:           10.0.0.2  
BIND:         9.5.0-16.a6.fc8

/etc/named.conf

// Controls who can make queries of this DNS server. Currently only the
// local test bed. When there is a standardized IP addr scheme, we can have
// those addr ranges enabled so that even if firewall rules get broken, the
// public internet can't query the internal DNS.
//
acl "authorized" {
        localhost;   // localhost
        10.0.0.0/24;          // LAN Test
};

options {
    listen-on port 53 {
     127.0.0.1;
     10.0.0.2;
    };
    listen-on-v6 port 53 { ::1; };
    directory  "/var/named";
    dump-file  "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/var/run/named/named.pid";
    allow-query     { any; };
    recursion no;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "master/root.hint";
};

zone "itchy.bogus" {
    type master;
    file "master/itchy.bogus";
    allow-query { authorized; };
    allow-transfer { authorized; };
};

/var/named/master/itchy.bogus

$TTL    3600
@    SOA     ns1.itchy.bogus. hostmaster.itchy.bogus. (
       2008102202 ; serial
       1H  ; refresh
       2H  ; retry
       14D  ; expire
       5M )  ; minimum
;
     A 10.0.0.2
     NS      ns1.itchy.bogus.
ns1  A 10.0.0.2

/var/named/master/root.hint

.                        3600000      NS    ns.bogustld.
ns.bogustld.      3600000       A    10.0.0.1
; End of File

/etc/resolv.conf

nameserver 10.0.0.2

Output from dig .

; <<>> DiG 9.5.0-P2 <<>> .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31291
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      ns.bogustld.

;; Query time: 0 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Tue Oct 21 17:09:53 2008
;; MSG SIZE  rcvd: 41

Output from dig +trace itchy.bogus

; <<>> DiG 9.5.0-P2 <<>> +trace itchy.bogus
;; global options:  printcmd
.                       3600000 IN      NS      ns.bogustld.
;; Received 41 bytes from 10.0.0.2#53(10.0.0.2) in 0 ms

dig: couldn't get address for 'ns.bogustld': failure
A: 

Assuming that you've checked all of the obvious things, such as ensuring that the main bind configuration file is what you think it is. Firstly, check that the files you think named is using are the right ones; sometimes it's easy to edit a file that's in the wrong directory and wonder why changes aren't noticed.

Also, have you used named-checkconf and named-checkzone?

It is hard enough to debug bind, but without seeing the config files it is almost impossible, so please add them to the original post.

(I've added this as a comment to the question - I've posted as an answer because the OP is new here).

Richard Harrison
A: 

Each of the 3 servers needs to have the same hints file. It should have an NS record for "." with the name of the root server and an A record for that name.

The root server should have the "." zone set up. The "." zone needs to have "bogus" with an ns record for itself. It then should have A records for box1.bogus going to box1 and box2.bogus going off to box2.

Note that you should not use box1 and box2 both as the hostnames and the names of the 2nd level domains. Let's say that the domains are zone1.bogus and zone2.bogus instead.

So box1 and box2 should be in the bogus zone, complete with A records. zone1 and zone2 should be NS records pointing to box1 and box2.

Clear as mud? :)

nsayer
I don't have a hints file on the 'root nameserver' since that one has the definition for root. Is that incorrect? And I *think* I get what you are saying about the hostnames not being the same as the zones. Let me know if I edited my configs above correctly!
JT
A: 

Ok. I see you've added your configs. Excellent.

I would change the root zone thusly:

;Should this be ns1.itchy.bogus or ns1.itchy.internal.bogus??
itchy                   NS      ns1-itchy.bogus.
ns1-itchy.bogus.    A   10.0.0.2
;
scratchy        NS      ns1-scratchy.bogus.
ns1-scratchy.bogus. A   10.0.0.3

I think the issue is that you're delegating itchy.bogus, so you can't put names inside there.

The "com" name servers, I believe, use hints so that they can serve A records for name servers for delegated zones, but in your case, it's just cleaner to ensure that any given zone being served only has delegations for sub-zones AND hosts within the current zone.

nsayer
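To check the delegation and glue rules nsayer describes before restarting anything, here is an added example (my own code, not from the question or the answers) that parses constructed, simplified copies of the three zone files above and walks the delegation chain offline the way dig +trace does on the wire, reporting at each zone cut whether the NS targets have A records in the delegating zone. The zone texts, record layout, and the function names absolute, parse_zone, under and trace are all my own construction.

```python
import re
# Constructed, simplified copies of the question's zone files (comments dropped, SOA timers on one line, scratchy omitted).
ZONE_FILES = {
    ".": """
.             SOA ns.bogustld. hostmaster.internal.bogus. (2008101601 1H 2H 14D 5M)
.             NS  ns.bogustld.
ns.bogustld.  A   10.0.0.1
bogus         NS  ns1.bogus.
ns1.bogus.    A   10.0.0.1""",
    "bogus.": """
@                   SOA ns1.internal.bogus. hostmaster.internal.bogus. (2008102201 1H 2H 14D 5M)
                    NS  ns1.internal.bogus.
ns1.internal.bogus. A   10.0.0.1
itchy               NS  ns1-itchy.bogus.
ns1-itchy.bogus.    A   10.0.0.2""",
    "itchy.bogus.": """
@    SOA ns1.itchy.bogus. hostmaster.itchy.bogus. (2008102201 1H 2H 14D 5M)
     NS  ns1
     A   10.0.0.2
ns1  A   10.0.0.2""",
}

def absolute(name, origin):
    """Qualify a master-file name (@, relative, or already absolute) against the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def parse_zone(text, origin):
    """Parse the master-file subset used above into (owner, type, rdata) tuples."""
    text = re.sub(r"\([^)]*\)", "", re.sub(r";.*", "", text))   # drop comments and SOA timers
    records, owner = [], origin
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("$"):
            continue
        if not line[0].isspace():                 # new owner name; a leading blank inherits it
            owner = absolute(toks.pop(0), origin)
        while toks[0].isdigit() or toks[0].upper() in ("IN", "CH"):
            toks.pop(0)                            # optional TTL and class fields
        rdata = [absolute(toks[1], origin)] if toks[0] == "NS" else toks[1:]
        records.append((owner, toks[0], rdata))
    return records
def under(name, zone):
    return name == zone or name.endswith("." + zone)

def trace(zones, qname):
    """Follow delegations from '.' offline, like dig +trace; returns (steps, answers)."""
    steps, zone = [], "."
    while True:
        recs = zones.get(zone, [])                 # empty when a child zone is not modelled here
        cuts = sorted({o for o, t, _ in recs if t == "NS" and o != zone and under(qname, o)}, key=len)
        if not cuts:
            break
        cut = cuts[-1]                             # closest enclosing zone cut
        targets = [r[0] for o, t, r in recs if (o, t) == (cut, "NS")]
        glue = all(any((o, t) == (n, "A") for o, t, _ in recs) for n in targets)
        steps.append((zone, cut, targets, glue))   # glue False: a resolver cannot reach the child
        zone = cut
    return steps, [r[0] for o, t, r in zones.get(zone, []) if (o, t) == (qname, "A")]
ZONES = {origin: parse_zone(text, origin) for origin, text in ZONE_FILES.items()}
```

A step with glue set to False is exactly the case where a resolver would stall at the cut with "couldn't get address" for the delegated server.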
A: 

(Note: I'm not sure if this should be in the answers or (a series of) comment(s) to a previous answer. Etiquette?)

Alright, this looks like progress AND education!! I modified the configs and resulting output up above. The dig +trace itchy.bogus from the root now correctly navigates to the itchy machine (at least I think so), but my itchy machine isn't setup correctly yet either.

Here is what I THINK I have defined, hopefully someone can correct my fallacy.

On the itchy machine I have a zone 'itchy.bogus' with a Start of Authority being the hostname 'ns1.itchy.bogus'. 'ns1.itchy.bogus' has an A record for itself. But I don't think I have a definition for the hostname 'itchy.bogus' defined anywhere. I tried changing Itchy's /var/named/master/itchy.bogus to

$TTL    3600
@    SOA     ns1.itchy.bogus. hostmaster.itchy.bogus. (
       2008102201 ; serial
       1H  ; refresh
       2H  ; retry
       14D  ; expire
       5M )  ; minimum
;
     NS      ns1.itchy.bogus.
ns1  A 10.0.0.2

itchy.bogus.    A       10.0.0.2

But I still can't get an IP back for the hostname 'itchy.bogus'. I believe this is my next problem, and I think it stems from my imperfect understanding of the relationship(s) between zone names, hostnames and delegations. Since adding the A record for itchy.bogus. didn't seem to help I left the configs in the original question unaltered on the Itchy machine. I also tried a CNAME from itchy.bogus. to ns1.itchy.bogus. with no effect either, just to see what would happen.

JT
+1  A: 

By using @, you're defining itchy.bogus. You can't then redefine it further down in the zone with the itchy.bogus line.

Try this:

@       SOA     ns1.itchy.bogus. hostmaster.itchy.bogus. (
                        2008102201      ; serial
                        1H              ; refresh
                        2H              ; retry
                        14D             ; expire
                        5M )            ; minimum
;
            NS      ns1
            A       10.0.0.2
    ns1     A       10.0.0.2

Since this is the zone file for itchy.bogus, that should do the right thing.

nsayer
P.S. nsayer thank you!!
JT
A: 

Now my delegation issues look resolved, but I am still having trouble with the root lookup (which I thought would be soooo easy.)

I think the problem stems from the fact that when I dig from the itchy machine I get an authority record instead of an answer record. I'm just not sure what I did (or didn't do) to cause that.

If you "dig [no args]" from a machine using the typical hint file for the internet you get a block of answers for the root nameservers and the translation in the additional section.

If I do that from the bogus machine (root and TLD nameserver) I get

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       3600    IN      NS      ns.bogustld.

;; ADDITIONAL SECTION:
ns.bogustld.            3600    IN      A       10.0.0.1

If I do that from the itchy machine I get

;; QUESTION SECTION:
;.                              IN      NS

;; AUTHORITY SECTION:
.                       3600000 IN      NS      ns.bogustld.

;; Query time: 0 msec

It gets more interesting if you try dig +trace .

Internet box

; <<>> DiG 9.5.0a6 <<>> +trace .
;; global options:  printcmd
.                       3005    IN      NS      C.ROOT-SERVERS.NET.
.                       3005    IN      NS      D.ROOT-SERVERS.NET.
.                       3005    IN      NS      E.ROOT-SERVERS.NET.
.                       3005    IN      NS      F.ROOT-SERVERS.NET.
.                       3005    IN      NS      G.ROOT-SERVERS.NET.
.                       3005    IN      NS      H.ROOT-SERVERS.NET.
.                       3005    IN      NS      I.ROOT-SERVERS.NET.
.                       3005    IN      NS      J.ROOT-SERVERS.NET.
.                       3005    IN      NS      K.ROOT-SERVERS.NET.
.                       3005    IN      NS      L.ROOT-SERVERS.NET.
.                       3005    IN      NS      M.ROOT-SERVERS.NET.
.                       3005    IN      NS      A.ROOT-SERVERS.NET.
.                       3005    IN      NS      B.ROOT-SERVERS.NET.
;; Received 500 bytes from 64.105.172.26#53(64.105.172.26) in 19 ms

.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2008102201 1800 900 604800 86400
;; Received 92 bytes from 128.63.2.53#53(H.ROOT-SERVERS.NET) in 84 ms

My internal root box (Bogus)

; <<>> DiG 9.5.0-P2 <<>> +trace .
;; global options:  printcmd
.                       3600    IN      NS      ns.bogustld.
;; Received 57 bytes from 10.0.0.1#53(10.0.0.1) in 1 ms

.                       3600    IN      NS      ns.bogustld.
;; Received 72 bytes from 10.0.0.1#53(ns.bogustld) in 0 ms

Itchy

; <<>> DiG 9.5.0-P2 <<>> +trace .
;; global options:  printcmd
.                       3600000 IN      NS      ns.bogustld.
;; Received 41 bytes from 10.0.0.2#53(10.0.0.2) in 0 ms

dig: couldn't get address for 'ns.bogustld': failure

Why does my internet facing machine find a SOA, but none of my internal machines?

JT
A: 

Like the highlander, there can be only one.

By using the normal internet root hints, you're more or less precluded from using your own internal root, because none of the real Internet root servers know about "bogus".

Your only choice would be to mirror the root "." zone from within your ".", but then add "bogus" to it. You'd do this by periodically dumping the root zone and running it through some processing to add your custom zone to it.

Some of the alternate DNS root providers do this, but they supply root hints for their "customers" to use that do not reference the "real" root servers at all.

... Am I understanding the question correctly? Not sure.

nsayer
A: 

Sorry I wasn't very clear in my previous post. I want my Bogus machine to be the Highlander. And to make life easy these 3 boxes live on an island with no communication in or out ;) I do not want to deal with split-horizon configurations right now.

I was providing the output from a separate internet facing machine for compare / contrast purposes.

So I guess what I was trying to say above is this...

When I dig the universal roots with a client I get an answer and an additional record. In my parallel universe when I query my local root with a client I am told where the authoritative server is....

or in graphic form:
laptop -> a.root-server = answer record (and additional record)
Itchy -> Bogus = authoritative record directing to Bogus (no additional, no IPs anywhere)

JT
A: 

dig . @10.0.0.1 (bogus) should return authoritative records for '.', since it is indeed authoritative for the zone.

dig . @10.0.0.2 (itchy) should not return authoritative records for '.', since it isn't. It may return an authoritative record the first time you query for a name in the root zone, because it has to recurse and fetch an authoritative record from the authoritative server. But if you do it a 2nd time, you'll get a cached result and the 'aa' flag will be clear.

nsayer
A: 

Ahh ha. You mention the word recurse. I have recursion turned off on both of these nameservers. That shouldn't matter though I don't think.

So if I am on a machine that has its resolver pointed to itchy (10.0.0.2), which is what I want, here's some output from various dig statements.

/etc/resolv.conf

nameserver 10.0.0.1

*I can't use nameserver ns1.itchy.bogus, though I am having trouble seeing why not... at any rate

dig .

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10347
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      ns.bogustld.

;; Query time: 0 msec

dig . @ns.bogustld

(doing the iterative lookups myself)

dig: couldn't get address for 'ns.bogustld': failure

dig . @10.0.0.1

(try again with the known to me IP)

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39951
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      A

;; ANSWER SECTION:
.                       3600    IN      A       10.0.0.1

;; AUTHORITY SECTION:
.                       3600    IN      NS      ns.bogustld.

;; ADDITIONAL SECTION:
ns.bogustld.            3600    IN      A       10.0.0.1

;; Query time: 1 msec

In my mind dig . @ns.bogustld should be equivalent to dig . @10.0.0.1.

In fact in the root.hint file I (think I) have that mapping already

.                        3600000      NS    ns.bogustld.
ns.bogustld.             3600000       A    10.0.0.1

So if Itchy has

zone "." IN {
    type hint;
    file "master/root.hint";
};

What am I doing wrong?

JT
A: 

Your name server won't use the hint to give answers to dig. That is, it won't give the hint back to dig as an answer. It will insist on actually querying 10.0.0.1 for bogustld. I don't think you have bogustld set up as a zone, just bogus.

You should probably change ns.bogustld to ns.bogus. Give 10.0.0.1 the name ns.bogus.

Alternatively, you could add an NS and an SOA record in . for bogustld.

If you dig ns1.bogus. @10.0.0.2, that works, right (assuming the config above is still in place)?

nsayer