• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Solved Bind not serving zone

fullauto2012

Active Member

Thanks: 27
Messages: 162

#1
Got a split-horizon DNS going with 3 zones. The other 2 are working flawlessly. However the new zone I just added will not be found.

Code:
root@gateway:/usr/local/etc/namedb # uname -a
FreeBSD gateway 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 02:10:02 UTC 2016     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
Code:
root@gateway:/usr/local/etc/namedb # named -v
BIND 9.9.9-P6 (Extended Support Version) <id:67d38a6>
Code:
root@gateway:/usr/local/etc/namedb # cat named.conf
// $FreeBSD: branches/2017Q1/dns/bind99/files/named.conf.in 382109 2015-03-24 15:22:51Z mat $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

acl serverlauget {
                xxx.xx.xxx.x/32;
                xxx.xx.xxx.x/32;
        };


options {
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on       { 127.0.0.1; 192.168.1.1; <STATIC IP>; };
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-query { any; };
};

###############################################################################
###############################################################################

view "Internal" {
        match-clients { 127.0.0.1; 192.168.1.0/24; };
        recursion yes;
        zone "firstzone.com" {
                type master;
                file "/usr/local/etc/namedb/working/firstzone.com-Internal";
        };

        zone "secondzone.org" {
                type master;
                file "/usr/local/etc/namedb/working/secondzone.org-Internal";
        };

        zone "thirdzone.com" {
                type master;
                file "/usr/local/etc/namedb/working/thirdzone.com-Internal";
        };

        zone "1.168.192.in-addr.arpa" {
                type master;
                file "/usr/local/etc/namedb/working/1.168.192.in-addr.arpa";
        };

        zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

        include "/usr/local/etc/namedb/empty.zones";
};

view "External" {
        match-clients { "any"; };
        recursion no;

        allow-transfer { serverlauget; };

        zone "firstzone.com" {
                type master;
                file "/usr/local/etc/namedb/working/firstzone.com";
        };

        zone "thirdzone.com" {
                type master;
                file "/usr/local/etc/namedb/working/thirdzone.com";
        };

        zone "1.168.192.in-addr.arpa" {
                type master;
                file "/usr/local/etc/namedb/working/1.168.192.in-addr.arpa";
        };

        zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

        include "/usr/local/etc/namedb/empty.zones";
};
Code:
root@gateway:/usr/local/etc/namedb/working # cat thirdzone.com
$TTL 3600        ; 1 hour default TTL
thirdzone.com. IN      SOA      ns1.firstzone.com. tim.falardeau@firstzone.com. (
                                2017030922      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                        )

; DNS Servers
                IN      NS      ns1.firstzone.com.
                IN      NS      ns1.serverlauget.no.

; MX Records
                IN      MX 10   mail.thirdzone.com.

                IN      A       <STATIC IP>

; Machine Names
ns1             IN      A       <STATIC IP>

; Aliases
www             IN      CNAME   @
gateway         IN      CNAME   @
mail            IN      CNAME   @
Code:
root@gateway:/usr/local/etc/namedb/working # cat thirdzone.com-Internal
$TTL 3600        ; 1 hour default TTL
thirdzone.com. IN      SOA      ns1.firstzone.com. tim.falardeau@firstzone.com. (
                                2017030620      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                        )

; DNS Servers
                IN      NS      ns1.firstzone.

; MX Records
                IN      MX 10   mail.thirdzone.com.

                IN      A       192.168.1.10

; Machine Names
gateway         IN      A       192.168.1.1
kif             IN      A       192.168.1.10

; Aliases
www             IN      CNAME   kif
mail            IN      CNAME   kif
Code:
root@kif:/usr/local/www/opencart # host firstzone.com
firstzone.com has address 192.168.1.10
firstzone.com mail is handled by 10 mail.firstzone.com.
Code:
root@kif:/usr/local/www/opencart # host thirdzone.com ns1
Using domain server:
Name: ns1
Address: 192.168.1.1#53
Aliases:

Host thirdzone.com not found: 3(NXDOMAIN)
I'm really at a loss.
 

poorandunlucky

Well-Known Member

Thanks: 25
Messages: 359

#2
Simplify it...

Just delete everything for the zone you're adding, copy your first zone's file, copy the first zone's configuration block/include block, change the serial in the zone you copied, have the server re-read the configuration...

There's also a utility to check file syntax if I'm not mistaken...
 

fullauto2012

Active Member

Thanks: 27
Messages: 162

#3
copy the other files is what I did. Thats why Im so confused.
 

usdmatt

Daemon

Thanks: 419
Messages: 1,210

#4
Do you get anything in the logs when starting Bind?
Does running named-checkzone thirdzone.com /path/to/zone/file show anything useful?

Edit: spotted one issue though. Don't know if it'll stop the zone loading but named-checkzone will tell you that. Your email address user@domain.com. should be user.domain.com. in the SOA record. @ has a special meaning and needs to use a dot instead. The first dot is normally replaced by an @ symbol by anything that uses this information, which also means that it's not a good idea to try and use an email address which has a dot in the prefix here... (Edit 2: after testing it looks like Bind might let you put an @ symbol but historically you always used a dot..)

Also NS record in the internal file is wrong but again probably won't stop zone loading.
 

sko

Well-Known Member

Thanks: 131
Messages: 296

#5
Contents of /var/log/named/named.log?
Bind is usually quite chatty about what it loads and what it doesn't recognize.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,509
Messages: 25,699

#7
The working directory is for temporary files, your master zones should be saved under the master directory.
 

fullauto2012

Active Member

Thanks: 27
Messages: 162

#8
Turns out Bind9 will REPORT a zone is loaded if it has a cname record in the MX path. However it will not actually LOAD the zone and begin serving it.
usdmatt; Thanks for pointing me to named-checkzone. I didn't know that existed.
SirDice ; I didn't know about the dir structure. Thank you.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,509
Messages: 25,699

#9
The master directory can be read-only, so it's good for static master zones. Use the dynamic directory to store slave and/or DDNS zones.
 

fullauto2012

Active Member

Thanks: 27
Messages: 162

#10
The WHOLE dir? Files and all?

Code:
mv /usr/local/etc/named/working/* /usr/local/etc/named/master/
chmod -R 444 /usr/local/etc/named/master
???
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,509
Messages: 25,699

#11
Not entirely sure if the directory can also be read-only but the files certainly can. I tend to make them read-write for the owner, with root being the owner. And make them read-only for the bind group. In case somebody hacks themselves in as the bind user they can't change any of the zone files.

Dynamic zones (slave, DDNS) do require write access in order to update the zone files. Which is why there are two directories, master and dynamic. So you can easily set them to different permissions.

Edit: just checked my own server. The master directory is read-only for the bind user.

Code:
dice@maelcum:/var/named/usr/local/etc/namedb % ll
total 71
-rw-r--r--  1 root  wheel   3923 Nov 26 01:19 bind.keys
drwxr-xr-x  2 bind  wheel      7 Dec 19 16:42 dynamic/
drwxr-xr-x  2 root  wheel      6 Nov 28 21:54 master/
-rw-r--r--  1 root  wheel  33654 Aug 27 19:09 named.conf
-rw-r--r--  1 root  wheel  21681 Nov 26 01:19 named.conf.sample
-rw-r--r--  1 root  wheel   3373 Nov 26 01:19 named.root
-rw-r--r--  1 root  wheel   1439 Nov 26 01:19 rndc.conf.sample
-rw-------  1 bind  wheel     97 Aug 27 19:00 rndc.key
drwxr-xr-x  2 bind  wheel      2 Nov 26 01:19 slave/
drwxr-xr-x  2 bind  wheel      2 Nov 28 22:03 working/
 

fullauto2012

Active Member

Thanks: 27
Messages: 162

#12
I'm learning more and more every day..
Some day I will be able to actually answer some questions!