Alright, I am going to state up front that this question may be too involved (amount of detail, not complexity) for this medium. But I figured this was the best place to start.
I am attempting to set up a proof of concept project and my BIND configuration is my first big hurdle. I want to set up 3 DNS servers on 3 physical boxes. None of these boxes needs to resolve public addresses; this is internal only. I have read through how to set up internal roots in the (mostly) excellent DNS & BIND 5th ed book. But my translation of their example is not functional. All IPs are RFC 1918 non-routable.
Box 1 will be authoritative for addresses on the box1.bogus domain, and Box 2 will be authoritative for addresses on the box2.bogus domain. Box 3 will act as both an internal root and the TLD server for the domain bogus.
Current unresolved issues:

- I have a hints file on box 1 and 2 that contains a single NS record to the NS definition of the root zone. Additionally there is an A record that translates the NS to the IP of the root. If I `dig .` from box 1 I get an authority section with the NS name, not an answer and additional record section. Therefore I am unable to actually resolve the IP of the root server from box 1.
- If I point my `/etc/resolv.conf` from box 1 directly at the root server and do a `dig box1.bogus` I get the ns.box1.bogus answer record and the translation in the additional section. However, on the next iteration (when I should get the A record) I get `dig: couldn't get address for ns.box1.bogus`.
Obviously my configs are not correct. I don’t see a way to attach them to this post, so if people want to walk through this step by step I will cut’n’paste them into a comment for this question. Otherwise I am open to taking this ‘offline’ with a ‘DNS guy’ to figure out where I’m missing a ‘.’ or have one too many!
I personally think the web could do with another internal root example that doesn’t make use of the Movie-U example.
OK, if we are going to do this, then we should use a concrete example, eh? I have 3 machines set up on a private VLAN for testing this. As a sanity check I pared down all my relevant configs, condensed when able, and redeployed 2 of the nameservers. I left out Scratchy for now. Same results as above. Here are the configs and initial dig outputs.
Bogus
Machine Name: Bogus (I just realized I should change this...)
Role: Internal Root and TLD Nameserver
IP: 10.0.0.1
BIND: 9.5.0-16.a6.fc8
/etc/named.conf
    // Controls who can make queries of this DNS server. Currently only the
    // local test bed. When there is a standardized IP addr scheme, we can have
    // those addr ranges enabled so that even if firewall rules get broken, the
    // public internet can't query the internal DNS.
    //
    acl "authorized" {
        localhost;      // localhost
        10.0.0.0/24;    // Local Test
    };

    options {
        listen-on port 53 { 127.0.0.1; 10.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        pid-file "/var/run/named/named.pid";
        allow-query { any; };
        recursion no;
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    //
    // The fake root.
    //
    zone "." {
        type master;
        file "master/root";
        allow-query { authorized; };
    };

    //
    // The TLD for testing
    //
    zone "bogus" {
        type master;
        file "master/bogus";
        allow-query { authorized; };
        allow-transfer { authorized; };
    };
/var/named/master/root
    $TTL 3600
    .       SOA     ns.bogustld. hostmaster.internal.bogus. (
                    2008101601      ; serial
                    1H              ; refresh
                    2H              ; retry
                    14D             ; expire
                    5M )            ; minimum
    ;
    ; Fake root zone servers defined.
    ;
    .               NS      ns.bogustld.
    ns.bogustld.    A       10.0.0.1
    ;
    ; Testing TLD
    ;
    bogus           NS      ns1.bogus.
    ns1.bogus.      A       10.0.0.1
/var/named/master/bogus
    $TTL 3600
    @       SOA     ns1.internal.bogus. hostmaster.internal.bogus. (
                    2008102201      ; serial date +seq
                    1H              ; refresh
                    2H              ; retry
                    14D             ; expire
                    5M )            ; min TTL
    ;
            NS      ns1.internal.bogus.
    ;
    ; Auth servers
    ;
    ns1.internal.bogus.     A       10.0.0.1
    ;
    ; Customer delegations: each customer 2nd level domain has its
    ; own zone file.
    ;
    ; Modified to be unique nameservers in the bogus domain
    itchy                   NS      ns1-itchy.bogus.
    ns1-itchy.bogus.        A       10.0.0.2
    ;
    scratchy                NS      ns1-scratchy.bogus.
    ns1-scratchy.bogus.     A       10.0.0.3
Output from dig .
    ; <<>> DiG 9.5.0-P2 <<>> .
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57175
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;.                              IN      A

    ;; AUTHORITY SECTION:
    .                       300     IN      SOA     ns.bogustld. hostmaster.internal.bogus. 2008101601 3600 7200 1209600 300

    ;; Query time: 1 msec
    ;; SERVER: 10.0.0.1#53(10.0.0.1)
    ;; WHEN: Tue Oct 21 12:23:59 2008
    ;; MSG SIZE  rcvd: 88
Output from dig +trace itchy.bogus
    ; <<>> DiG 9.5.0-P2 <<>> +trace itchy.bogus
    ;; global options:  printcmd
    .                       3600    IN      NS      ns.bogustld.
    ;; Received 57 bytes from 10.0.0.1#53(10.0.0.1) in 1 ms

    itchy.bogus.            3600    IN      NS      ns1-itchy.bogus.
    ;; Received 69 bytes from 10.0.0.1#53(ns.bogustld) in 0 ms

    itchy.bogus.            3600    IN      A       10.0.0.2
    itchy.bogus.            3600    IN      NS      ns1.itchy.bogus.
    ;; Received 79 bytes from 10.0.0.2#53(ns1-itchy.bogus) in 0 ms
Itchy
Machine Name: Itchy
Role: SLD Nameserver (supposed to be owner of itchy.bogus)
IP: 10.0.0.2
BIND: 9.5.0-16.a6.fc8
/etc/named.conf
    // Controls who can make queries of this DNS server. Currently only the
    // local test bed. When there is a standardized IP addr scheme, we can have
    // those addr ranges enabled so that even if firewall rules get broken, the
    // public internet can't query the internal DNS.
    //
    acl "authorized" {
        localhost;      // localhost
        10.0.0.0/24;    // LAN Test
    };

    options {
        listen-on port 53 { 127.0.0.1; 10.0.0.2; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        pid-file "/var/run/named/named.pid";
        allow-query { any; };
        recursion no;
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "master/root.hint";
    };

    zone "itchy.bogus" {
        type master;
        file "master/itchy.bogus";
        allow-query { authorized; };
        allow-transfer { authorized; };
    };
/var/named/master/itchy.bogus
    $TTL 3600
    @       SOA     ns1.itchy.bogus. hostmaster.itchy.bogus. (
                    2008102202      ; serial
                    1H              ; refresh
                    2H              ; retry
                    14D             ; expire
                    5M )            ; minimum
    ;
            A       10.0.0.2
            NS      ns1.itchy.bogus.
    ns1     A       10.0.0.2
/var/named/master/root.hint
    .               3600000 NS      ns.bogustld.
    ns.bogustld.    3600000 A       10.0.0.1
    ; End of File
/etc/resolv.conf
    nameserver 10.0.0.2
Output from dig .
    ; <<>> DiG 9.5.0-P2 <<>> .
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31291
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;.                              IN      A

    ;; AUTHORITY SECTION:
    .                       3600000 IN      NS      ns.bogustld.

    ;; Query time: 0 msec
    ;; SERVER: 10.0.0.2#53(10.0.0.2)
    ;; WHEN: Tue Oct 21 17:09:53 2008
    ;; MSG SIZE  rcvd: 41
Output from dig +trace itchy.bogus

    ; <<>> DiG 9.5.0-P2 <<>> +trace itchy.bogus
    ;; global options:  printcmd
    .                       3600000 IN      NS      ns.bogustld.
    ;; Received 41 bytes from 10.0.0.2#53(10.0.0.2) in 0 ms

    dig: couldn't get address for 'ns.bogustld': failure
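Two things in the question's own output explain the Itchy failure. First, a bare `dig .` asks for an A record at the root, and the root has none, so an empty answer with the SOA in the authority section is correct; the NS set is `dig . NS @10.0.0.1`. Second, `recursion no;` on a server that also carries a hint zone is self-defeating: named only consults hints when it recurses, so Itchy can hand back nothing better than the bare referral `. NS ns.bogustld.`, and dig +trace, which resolves that NS name through /etc/resolv.conf (the same non-recursive Itchy), dies with "couldn't get address for 'ns.bogustld'". Turning recursion on fixes that, but combined with the global `allow-query { any; };` it turns the box into a resolver for anyone who can reach 10.0.0.2, so it needs `allow-recursion { authorized; };` alongside. The lint below is an added example (my code, not the poster's or ISC's) that parses the named.conf subset shown above and flags exactly those combinations. The Itchy config is the one from the post, pared down; the "open" and "fixed" variants are constructed from it for contrast.

```python
"""Lint a named.conf for the recursion/hints mismatch seen in this thread.

Added example, not code from the question, the answer or ISC. It parses
the named.conf subset used above (statements, { } blocks, ';', comments)
and checks: a "type hint" root zone on a server with "recursion no";
recursion on with no allow-recursion on a non-loopback listener (an open
resolver for whatever allow-query admits); and master zones with no
allow-transfer anywhere (the BIND 9.5 default is any).
"""
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
_COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
_LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def tokenize(text):
    """Drop comments, then split into quoted strings, punctuation and words."""
    return [t.strip('"') for t in _TOKEN.findall(_COMMENT.sub(" ", text))]


def parse(tokens):
    """Return statements as (words, body): body is a nested statement list
    for a { ... } block, or None for a plain 'word word ... ;' statement."""
    stmts, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            depth, j = 1, i + 1
            while depth:                       # locate the matching brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            stmts.append((words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        else:
            words.append(tok)
            i += 1
    return stmts


def find(stmts, *lead):
    """Yield (words, body) of statements that begin with the given words."""
    for words, body in stmts:
        if words[:len(lead)] == list(lead):
            yield words, body


def setting(stmts, name):
    """Trailing words of 'name ...;', or the body of 'name { ... };'."""
    for words, body in find(stmts, name):
        return words[1:] if body is None else body
    return None


def lint(text):
    """Return a list of findings for the given named.conf text."""
    cfg = parse(tokenize(text))
    opts = setting(cfg, "options") or []
    recursion = (setting(opts, "recursion") or ["yes"])[0].lower()  # BIND default
    zones = {w[1]: (body or []) for w, body in find(cfg, "zone")}
    ztype = {n: (setting(b, "type") or [""])[0] for n, b in zones.items()}
    findings = []
    if recursion == "no" and "hint" in ztype.values():
        findings.append("root hints present but recursion is off: named only "
                        "consults hints when it recurses, so clients get a bare "
                        "referral and cannot resolve the root NS name")
    listen = [w[0] for w, _ in (setting(opts, "listen-on") or [])]
    if (recursion == "yes" and setting(opts, "allow-recursion") is None
            and any(a not in _LOOPBACK for a in listen)):
        acl = " ".join(w[0] for w, _ in (setting(opts, "allow-query") or [(["any"], None)]))
        findings.append("recursion on without allow-recursion: every client that "
                        "allow-query { %s } admits can use this box as a "
                        "resolver; add allow-recursion { <acl>; }" % acl)
    for name, body in zones.items():
        if (ztype[name] == "master" and setting(body, "allow-transfer") is None
                and setting(opts, "allow-transfer") is None):
            findings.append("zone %r has no allow-transfer (BIND 9.5 default is "
                            "any): restrict it to the secondaries" % name)
    return findings


# Itchy's named.conf from the post (pared down), then two constructed variants.
ITCHY_CONF = """\
acl "authorized" { localhost; 10.0.0.0/24; };
options {
    listen-on port 53 { 127.0.0.1; 10.0.0.2; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    recursion no;
};
zone "." IN { type hint; file "master/root.hint"; };
zone "itchy.bogus" {
    type master; file "master/itchy.bogus";
    allow-query { authorized; }; allow-transfer { authorized; };
};
"""
OPEN_CONF = ITCHY_CONF.replace("recursion no;", "recursion yes;")
FIXED_CONF = ITCHY_CONF.replace(
    "recursion no;", "recursion yes;\n    allow-recursion { authorized; };")

if __name__ == "__main__":
    for label, conf in (("itchy", ITCHY_CONF), ("open", OPEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(conf) or ["ok"])
```

Run it against a real file with `lint(open("/etc/named.conf").read())`. The parser is deliberately small: it does not follow `include` statements, and a `#` inside a quoted string is treated as a comment, so treat it as a pre-flight check next to `named-checkconf`, not a replacement for it.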
By using @, you’re defining itchy.bogus. You can’t then redefine it further down in the zone with the itchy.bogus line.
Try this:
Since this is the zone file for itchy.bogus, that should do the right thing.
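The rule the answer states is easy to check mechanically: `@` (or a blank owner) is the zone origin, and any other name without a trailing dot has the origin appended, so a later owner written as `itchy.bogus` inside the itchy.bogus zone becomes itchy.bogus.itchy.bogus. The script below is an added example, my code rather than anything from the question or the answer. It qualifies every owner and NS target the way named does, then reports owners that repeat the origin (the missing-dot symptom) and in-zone NS targets with no address record (missing glue). The itchy.bogus sample is constructed to include the bad line the answer describes (it is not in the pared-down zone above); the bogus sample is the post's TLD zone with the ns1-scratchy glue deliberately left out to trip the second check.

```python
"""Qualify owner names in a BIND zone file and flag the two usual slips.

Added example for this thread, not code from the question or the answer.
Handles $ORIGIN/$TTL, ';' comments and multi-line '(' ')' records; it does
not handle $INCLUDE, $GENERATE or quoted TXT data.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "owner rtype rdata")
_TTL = re.compile(r"\d+[smhdw]?", re.I)   # optional TTL before the type
NAME_RDATA = {"NS", "CNAME", "PTR"}        # rdata is a single domain name


def qualify(name, origin):
    """Fully qualify a zone-file name relative to origin, as named does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def _logical_lines(text):
    """Strip ';' comments and join lines inside '(' ... ')' into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def parse_zone(text, origin):
    """Parse zone text into Records whose names are all fully qualified."""
    records, last_owner = [], origin
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if fields[0].startswith("$"):          # $TTL and friends
            continue
        # a line starting with whitespace has no owner: reuse the previous one
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        while fields and (_TTL.fullmatch(fields[0]) or fields[0].upper() == "IN"):
            fields.pop(0)                      # skip TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA:
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records.append(Record(owner, rtype, tuple(rdata)))
    return records


def check_zone(text, origin):
    """Report origin-repeating owners and in-zone NS targets without glue."""
    records = parse_zone(text, origin)
    addressed = {r.owner for r in records if r.rtype in ("A", "AAAA")}
    suffix, bare = "." + origin, origin.rstrip(".")
    problems = []
    for r in records:
        if origin != "." and r.owner.endswith(suffix):
            stem = r.owner[:-len(suffix)]
            if stem == bare or stem.endswith("." + bare):
                problems.append("owner %s repeats the origin: missing trailing dot?" % r.owner)
        if r.rtype == "NS":
            target = r.rdata[0]
            in_zone = origin == "." or target == origin or target.endswith(suffix)
            if in_zone and target not in addressed:
                problems.append("NS %s for %s has no A/AAAA record here (missing glue)"
                                % (target, r.owner))
    return problems


# Constructed samples: the itchy.bogus zone plus the undotted line the answer
# objects to, and the bogus zone from the post minus the ns1-scratchy glue.
ITCHY_ZONE = """\
$TTL 3600
@       SOA  ns1.itchy.bogus. hostmaster.itchy.bogus. (
             2008102202 ; serial
             1H 2H 14D 5M ) ; refresh retry expire minimum
        A    10.0.0.2
        NS   ns1.itchy.bogus.
ns1     A    10.0.0.2
itchy.bogus  A  10.0.0.2
"""
BOGUS_ZONE = """\
$TTL 3600
@         SOA ns1.bogus. hostmaster.bogus. ( 2008102201 1H 2H 14D 5M )
          NS  ns1.bogus.
ns1       A   10.0.0.1
itchy     NS  ns1-itchy.bogus.
ns1-itchy A   10.0.0.2
scratchy  NS  ns1-scratchy.bogus.
"""

if __name__ == "__main__":
    for name, text, origin in (("itchy.bogus", ITCHY_ZONE, "itchy.bogus."),
                               ("bogus", BOGUS_ZONE, "bogus.")):
        for problem in check_zone(text, origin):
            print("%s: %s" % (name, problem))
```

Point it at a real file with `check_zone(open("/var/named/master/itchy.bogus").read(), "itchy.bogus.")`; the origin argument is the zone name from named.conf, with its trailing dot, exactly as named would supply it. The glue check is conservative: it insists on an in-zone address for any NS target that lies inside the zone, which is what a resolver following the delegation needs before it can ask the child server anything.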