DNS Forwarding

We have recently loaded a new CentOS 6 server and installed Virtualmin for development purposes. It is essential that we can resolve local websites as well as external websites. With the default installation of Bind we have configured the DNS Forwarders and Transfers to direct traffic to external DNS servers if no records exist in local DNS. This component however appears to not function as expected.

When we configured our local workstations to point to the CentOS box as a primary DNS server we can resolve local websites just fine however we are unable to reach anything on the internet.

After reading some documentation on BIND we attempted to add the allow-recursion directive to the options. This also is not working. I have also included a copy of our named.conf file for reference.

Any assistance would be greatly appreciated.

Thank you, Dustin Harrell

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 {
                any;
        };
        listen-on-v6 port 53 {
                any;
        };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        /* Setup DNS Forwarders for local internet access */
        forwarders {
                172.15.190.1;
                208.67.222.222;
                208.67.220.220;
                8.8.8.8;
        };

        /* Allow DNS recursion for local IP's to resolve to external DNS */
        allow-recursion {
                172.15.190.0/24;
                192.168.10.0/24;
                192.168.3.0/24;
        };

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "local" {
        type master;
        file "/var/named/local.hosts";
};
server 8.8.8.8 {
};
Status: Closed (fixed)

Comments

Are you sure the addresses you entered for allow-recursion are correct with the /32 mask? That mask indicates a single IP address, but with the .0 at the end, the addresses look more like they should be /24.

Yes, you are correct. However, I have updated the config, restarted named, and flushed dns to no avail. Any ideas?

Yeah the allow-recursion line there really should allow those particular networks.

Just to rule some unusual problems out -- what you may want to try is to comment out that entire allow-recursion block, and see if suddenly everyone is allowed to perform recursive queries.

In theory, by specifying no IP addresses, and with the "recursion yes" statement at the top, it should be able to work for all systems.

Also, just as a test, you could try explicitly adding some IP addresses, rather than using the network addresses listed there now.

Can you post the output of a "dig" command on a client that fails to use the forwarding server? We need to find out what exactly goes wrong, i.e. if clients can't reach the server, if the server can't reach the outside, or if it's actually a permissions problem.

Also, BIND has debug logging features which you might want to turn on, it might help identify the problem.
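Added example, not part of the thread: a small Python triage script that reads the header lines of `dig` output and sorts a failure into the three cases the comment above asks about (client cannot reach the server, server cannot reach the outside, or the server refused the client). The sample captures are constructed; the first two mirror the shape of the output posted later in this thread, the other two are what `dig` prints when an ACL denies the client and when nothing answers at all.

```python
"""Classify dig output by response status and flags.

Added example, not from the thread or from BIND. The captures below are
constructed; only the header lines that matter are kept.
"""
import re

SAMPLES = {
    # Authoritative answer for a locally hosted zone (NOERROR, aa flag set).
    "local-ok": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45045
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 172.15.190.247#53(172.15.190.247)
""",
    # Recursion was allowed (ra set) but the server could not resolve the name.
    "external-servfail": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24544
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 172.15.190.247#53(172.15.190.247)
""",
    # Client is outside allow-recursion: BIND answers REFUSED and clears ra.
    "acl-refused": """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 172.15.190.247#53(172.15.190.247)
""",
    # No UDP reply at all: firewall, wrong listen-on, or named not running.
    "unreachable": """;; connection timed out; no servers could be reached
""",
}

EXPLANATIONS = {
    "unreachable": "client cannot reach the nameserver: check listen-on, the host firewall and that named is running",
    "refused": "server reached but it rejected the client: allow-recursion / allow-query-cache do not cover this source",
    "upstream-failure": "server accepted the recursive query but could not resolve it: check forwarders, root hints, DNSSEC validation and outbound port 53",
    "servfail-local": "server failed without offering recursion: look at the zone or the named logs",
    "answered-authoritative": "answered from a zone the server hosts",
    "answered-recursive": "answered from cache or via forwarding",
    "empty": "name exists but has no record of the requested type",
}


def parse_dig(text):
    """Return status, flag set, answer count and server, or None on timeout."""
    if "connection timed out" in text:
        return None
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([\w ]*?);", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    server = re.search(r"SERVER: (\S+)", text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answer": int(answers.group(1)) if answers else 0,
        "server": server.group(1) if server else None,
    }


def classify(text):
    """Map one dig capture to a short finding code."""
    r = parse_dig(text)
    if r is None:
        return "unreachable"
    if r["status"] == "REFUSED":
        return "refused"
    if r["status"] == "SERVFAIL":
        # ra (recursion available) tells us the ACL was not the problem.
        return "upstream-failure" if "ra" in r["flags"] else "servfail-local"
    if r["status"] == "NOERROR" and r["answer"] > 0:
        return "answered-authoritative" if "aa" in r["flags"] else "answered-recursive"
    return "empty"


def triage(text):
    """Return (code, explanation) for a dig capture."""
    code = classify(text)
    return code, EXPLANATIONS[code]


if __name__ == "__main__":
    for name, capture in SAMPLES.items():
        code, why = triage(capture)
        print(f"{name:18} {code:22} {why}")
```

Run it against a real capture by piping `dig <name> @<server>` into a file and passing its contents to `triage()`; the distinction between REFUSED (an ACL problem) and SERVFAIL with `ra` set (an upstream problem) is the one that matters for this thread.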

I have loaded a new server and have the same issue. Below is my output from dig (on my Windows workstation) when using a locally hosted address (stored in BIND) that succeeds and an external address (google.com) with DNS forwarding turned on in BIND (forwarding to 8.8.8.8) that fails.

C:\tools\bind\application\bin>dig grassrootsoutdoors.local

; <<>> DiG 9.9.4-P1 <<>> grassrootsoutdoors.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45045
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;grassrootsoutdoors.local.      IN      A

;; ANSWER SECTION:
grassrootsoutdoors.local. 38400 IN      A       172.15.190.247

;; AUTHORITY SECTION:
grassrootsoutdoors.local. 38400 IN      NS      s1.thedatabackup.com.

;; Query time: 1 msec
;; SERVER: 172.15.190.247#53(172.15.190.247)
;; WHEN: Fri Nov 22 10:22:25 Eastern Standard Time 2013
;; MSG SIZE  rcvd: 103


C:\tools\bind\application\bin>dig google.com

; <<>> DiG 9.9.4-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24544
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 695 msec
;; SERVER: 172.15.190.247#53(172.15.190.247)
;; WHEN: Fri Nov 22 10:22:31 Eastern Standard Time 2013
;; MSG SIZE  rcvd: 39


C:\tools\bind\application\bin>ping google.com
Ping request could not find host google.com. Please check the name and try again.

C:\tools\bind\application\bin>

Below are the same dig commands run directly from the Linux server where local DNS is hosted.

[root@wmdev-new ~]# dig grassrootsoutdoors.local

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> grassrootsoutdoors.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11113
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;grassrootsoutdoors.local.      IN      A

;; ANSWER SECTION:
grassrootsoutdoors.local. 38400 IN      A       172.15.190.247

;; AUTHORITY SECTION:
grassrootsoutdoors.local. 38400 IN      NS      s1.thedatabackup.com.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 22 10:28:29 2013
;; MSG SIZE  rcvd: 92

[root@wmdev-new ~]# dig google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32512
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 949 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 22 10:28:35 2013
;; MSG SIZE  rcvd: 28

[root@wmdev-new ~]# ping google.com
PING google.com (74.125.139.113) 56(84) bytes of data.
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=1 ttl=49 time=13.1 ms
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=2 ttl=49 time=10.9 ms
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=3 ttl=49 time=13.2 ms
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=4 ttl=49 time=32.7 ms
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=5 ttl=49 time=17.3 ms
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=6 ttl=49 time=11.1 ms
64 bytes from yn-in-f113.1e100.net (74.125.139.113): icmp_seq=7 ttl=49 time=24.8 ms
^C
--- google.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6864ms
rtt min/avg/max/mdev = 10.967/17.632/32.723/7.606 ms
[root@wmdev-new ~]#

Below is the new named.conf file from the server.

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 {
                any;
        };
        listen-on-v6 port 53 {
                any;
        };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
        forwarders {
                8.8.8.8;
        };
        forward first;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "grassrootsoutdoors.local" {
        type master;
        file "/var/named/grassrootsoutdoors.local.hosts";
        allow-transfer {
                127.0.0.1;
                localnets;
        };
};

On another interesting note, the Linux server has issues resolving addresses when I have local DNS as the first nameserver in my resolv.conf file. I've noticed this when installing packages with yum and using wget. However, if I make Google DNS the first nameserver and local DNS the second, I can download packages using yum and files using wget.

[root@wmdev-new ~]# cat /etc/resolv.conf
# search store.thewiredmouse.com
nameserver 127.0.0.1
nameserver 8.8.8.8
# nameserver 127.0.0.1
nameserver 172.15.190.1

Below is a trace to google.com using dig, if this helps at all. You will also notice that the trace fails to find the address for the root servers; however, using ping I can see the IPs.

[root@wmdev-new ~]# dig google.com +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> google.com +trace
;; global options: +cmd
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
dig: couldn't get address for 'K.ROOT-SERVERS.NET': no more



[root@wmdev-new ~]# ping K.ROOT-SERVERS.NET
PING K.ROOT-SERVERS.NET (193.0.14.129) 56(84) bytes of data.
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=1 ttl=52 time=180 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=2 ttl=52 time=190 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=3 ttl=52 time=193 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=4 ttl=52 time=186 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=5 ttl=52 time=190 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=6 ttl=52 time=189 ms
^C
--- K.ROOT-SERVERS.NET ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5695ms
rtt min/avg/max/mdev = 180.576/188.581/193.351/4.092 ms
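Added example, not part of the thread and not BIND's own tooling: a Python script that does a light regex parse of the recursion-related statements in a named.conf and reports the things a reviewer would look for in the two configs posted above. The sample configs are constructed: the first has the shape of the second named.conf in this thread (listens on `any`, `recursion yes`, no `allow-recursion` block, `forward first`); the second is an assumed hardened variant of it that listens only on the server's addresses and names the LAN explicitly; the third reproduces the /32 slip a commenter spotted in the original post.

```python
"""Static audit of recursion settings in a BIND named.conf.

Added example; not from the thread or the BIND project. It only looks at
the statements relevant to an open-resolver and ACL-mask check.
"""
import ipaddress
import re

# Constructed sample shaped like the thread's second named.conf.
OPEN_CONF = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        recursion yes;
        forwarders { 8.8.8.8; };
        forward first;
};
zone "grassrootsoutdoors.local" { type master; file "/var/named/x.hosts"; };
"""

# Constructed sample: same server, listening only on its own addresses and
# with an explicit recursion ACL (the ACL choice is an assumption).
HARDENED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 172.15.190.247; };
        recursion yes;
        allow-recursion { localhost; localnets; 172.15.190.0/24; };
        forwarders { 8.8.8.8; };
        forward first;
};
"""

# Constructed sample: the /32 mask on a network address from the first post.
BAD_MASK_CONF = """
options {
        listen-on port 53 { any; };
        recursion yes;
        allow-recursion { 172.15.190.0/32; 192.168.10.0/32; };
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot confuse the regexes."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_entries(text, keyword):
    """Entries of `keyword [port N] { a; b; }`, or None if the block is absent."""
    m = re.search(r"\b" + keyword + r"\s*(?:port\s+\d+\s*)?\{([^}]*)\}", text)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def check_acl_entry(entry):
    """Flag an address-match-list entry whose mask does not fit the address."""
    if "/" not in entry:
        return None  # named ACLs such as localhost / localnets / any
    try:
        net = ipaddress.ip_network(entry.lstrip("!"), strict=True)
    except ValueError:
        # Host bits set, e.g. 172.15.190.5/24: BIND accepts it, but it
        # usually means a typo, so report it rather than mask it silently.
        return "host-bits-set:" + entry
    if net.prefixlen == net.max_prefixlen and str(net.network_address).endswith(".0"):
        # A single-host mask on an address ending in .0 is almost always a
        # network that was meant to be /24, exactly the thread's mistake.
        return "suspicious-mask:" + entry
    return None


def audit(conf):
    """Return finding codes for the options block of a named.conf string."""
    text = strip_comments(conf)
    findings = []
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    recursive = bool(recursion and recursion.group(1) == "yes")
    listen = (block_entries(text, "listen-on") or []) + (block_entries(text, "listen-on-v6") or [])
    acl = block_entries(text, "allow-recursion")
    if recursive and "any" in listen:
        if acl is not None and "any" in acl:
            findings.append("open-resolver")  # anyone who can reach port 53 may recurse
        elif acl is None:
            # BIND 9.4+ defaults allow-recursion to { localnets; localhost; };
            # on a multi-homed box that is broad and implicit, so make it explicit.
            findings.append("implicit-recursion-acl")
    for entry in acl or []:
        finding = check_acl_entry(entry)
        if finding:
            findings.append(finding)
    if block_entries(text, "forwarders") and re.search(r"\bforward\s+first\s*;", text):
        # forward first silently falls back to iterative resolution from the
        # root hints when the forwarder fails, which hides forwarder problems.
        findings.append("forward-first-fallback")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF), ("bad-mask", BAD_MASK_CONF)):
        print(name, audit(conf))
```

The script is a review aid, not a replacement for `named-checkconf`, which checks syntax but will happily accept a /32 on a network address. `forward-first-fallback` is reported as information: in this thread the fallback path is what the `+trace` output exercises, and it is worth knowing that a SERVFAIL can come from either leg.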

Does your setup work prior to changing any DNS settings?

That is, when using only 127.0.0.1 in /etc/resolv.conf, and not using a DNS forwarder in the BIND config, are you able to resolve addresses properly?

I just tested your suggestion and I can only get to local items on both the server and my workstation. Nothing else will resolve.

From Server:

[root@wmdev-new etc]# ping google.com
ping: unknown host google.com
[root@wmdev-new etc]# ping grassrootsoutdoors.local
PING grassrootsoutdoors.local (172.15.190.247) 56(84) bytes of data.
64 bytes from 172.15.190.247: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 172.15.190.247: icmp_seq=2 ttl=64 time=0.039 ms
64 bytes from 172.15.190.247: icmp_seq=3 ttl=64 time=0.045 ms
64 bytes from 172.15.190.247: icmp_seq=4 ttl=64 time=0.058 ms

--- grassrootsoutdoors.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4144ms
rtt min/avg/max/mdev = 0.039/0.051/0.062/0.009 ms

From Workstation:

C:\tools\bind\application\bin>ping google.com
Ping request could not find host google.com. Please check the name and try again.

C:\tools\bind\application\bin>ping grassrootsoutdoors.local

Pinging grassrootsoutdoors.local [172.15.190.247] with 32 bytes of data:
Reply from 172.15.190.247: bytes=32 time<1ms TTL=64
Reply from 172.15.190.247: bytes=32 time<1ms TTL=64
Reply from 172.15.190.247: bytes=32 time<1ms TTL=64

Ping statistics for 172.15.190.247:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Hmm, is it possible that your ISP is blocking DNS lookups to DNS servers other than the ones they provide?

We have occasionally heard of ISPs that do that.

I don't think so. We have an NGINX box running CentOS in our office that we currently use for web development and we don't have resolution issues with it at all. I have been reviewing the configuration on this appliance and trying to mirror as much of the configuration as possible.

What output do you receive if you run this command from your server:

dig a virtualmin.com @8.8.8.8

Submitted by Erutan409 on Tue, 04/10/2018 - 12:02

Obviously, this is an old one - but I'm suffering the EXACT same issue with a fresh auto install on Ubuntu 16. Can't resolve anything outside of the box, itself. So, no updates for this server, I guess...

You'd want to ensure that you can resolve DNS requests using the nameserver mentioned in /etc/resolv.conf. If you're using 127.0.0.1, ensure that BIND is running and not showing any errors in the logs when receiving requests.

It's rare that an ISP blocks DNS lookups altogether, but in certain circumstances they might prevent lookups against all but their own nameservers... so you could try using your own ISP's nameservers in /etc/resolv.conf.

If you have any additional questions, as it looks like you're using Virtualmin GPL there, you'd want to use the Forums for support. Please feel free to start a new thread there about the issues you're seeing, and we can do some troubleshooting on the exact nature of the problem. Thanks!