
Re: Setting up a local DNS server but clients that use it can't access the internet
On 24 February 2018 at 10:26, Reco <recoverym4n@xxxxxxxxx> wrote:
Hi.

Please don't use pastebin for this. This list's archives should contain
not only the solution but also a clear problem statement.

So, following the "show, don't tell" principle:

# dig in a debian.org +trace +recurse

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org +trace +recurse
;; global options: +cmd
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
couldn't get address for 'A.ROOT-SERVERS.NET': failure
couldn't get address for 'J.ROOT-SERVERS.NET': failure
couldn't get address for 'L.ROOT-SERVERS.NET': failure
couldn't get address for 'C.ROOT-SERVERS.NET': failure
couldn't get address for 'M.ROOT-SERVERS.NET': failure
couldn't get address for 'E.ROOT-SERVERS.NET': failure
couldn't get address for 'I.ROOT-SERVERS.NET': failure
couldn't get address for 'K.ROOT-SERVERS.NET': failure
couldn't get address for 'G.ROOT-SERVERS.NET': failure
couldn't get address for 'F.ROOT-SERVERS.NET': failure
couldn't get address for 'B.ROOT-SERVERS.NET': failure
couldn't get address for 'H.ROOT-SERVERS.NET': failure
couldn't get address for 'D.ROOT-SERVERS.NET': failure
dig: couldn't get address for 'A.ROOT-SERVERS.NET': no more

And that output is enough to tell you this:

1) Your nameserver tries to do the right thing: recursion.

2) Your named.conf apparently lacks a "forwarders" section, so the only
thing BIND can do here is query the root DNS servers.

3) And the root DNS servers aren't accessible to your BIND.

In conclusion, your setup is clearly broken; you need to fix it.

Reco


OK, well, I wasn't aware pastebin wasn't allowed; I was wary of pasting a huge wall of text from all the commands and the output of the files I was asked for right into an email.

The output sadly told me nothing as I didn't understand it.

My named.conf.options file does have a "forwarders" section in it.

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                194.168.4.100;
                194.168.8.100;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Is there a reason as to why the root DNSes aren't accessible to my BIND?

Yes, I am aware I need to fix it, hence the reason I posted in the first place. Do you have any idea what needs to be fixed? I have no idea what I should do from here.

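A triage helper for the symptom in this thread, added here as an example; it is not code from either poster or from ISC BIND. It reads the forwarders, forward mode and dnssec-validation setting out of the posted named.conf.options, counts how many root server addresses the posted dig +trace run failed to resolve, and combines the two. The point it encodes is that BIND's default forward mode is "first": a resolver with forwarders still falls back to its root hints when the forwarders do not answer, which is exactly the pattern that reads as "no forwarders" in the dig output. The regex config reader only handles the simple layout shown in the thread, not the full named.conf grammar, and the finding labels are this example's own.

```python
"""Triage helper for a forwarding BIND resolver whose clients cannot reach
the internet.  Added example for this thread, not code from the original
posts or from ISC BIND.  The regex-based config reader is an assumption of
this example and only handles the simple layout shown in the thread."""
import ipaddress
import re

# Config fragment copied from the thread (boilerplate comments dropped).
SAMPLE_OPTIONS = """\
options {
        directory "/var/cache/bind";
        forwarders {
                194.168.4.100;
                194.168.8.100;
        };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
"""

# dig +trace output copied from the thread, shortened to two root servers.
SAMPLE_TRACE = """\
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
couldn't get address for 'A.ROOT-SERVERS.NET': failure
couldn't get address for 'J.ROOT-SERVERS.NET': failure
dig: couldn't get address for 'A.ROOT-SERVERS.NET': no more
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_options(text):
    """Extract forwarders, forward mode and dnssec-validation from options {}."""
    text = strip_comments(text)
    forwarders = []
    block = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    if block:
        for entry in block.group(1).split(";"):
            words = entry.split()          # "1.2.3.4 port 5353" -> first word
            if not words:
                continue
            try:
                forwarders.append(str(ipaddress.ip_address(words[0])))
            except ValueError:
                raise ValueError("forwarder is not an IP address: %r" % words[0])
    mode = re.search(r"\bforward\s+(only|first)\s*;", text)
    dnssec = re.search(r"\bdnssec-validation\s+(auto|yes|no)\s*;", text)
    return {
        "forwarders": forwarders,
        # BIND's default forward mode is "first": ask the forwarders, and if
        # they do not answer, fall back to full recursion from the root hints.
        "forward": mode.group(1) if mode else "first",
        "dnssec_validation": dnssec.group(1) if dnssec else None,
    }


def parse_trace(text):
    """Count root NS names dig received and how many of them it could not resolve."""
    roots = {n.rstrip(".").upper()
             for n in re.findall(r"^\.\s+\d+\s+IN\s+NS\s+(\S+)", text, re.M)}
    failed = {n.rstrip(".").upper()
              for n in re.findall(r"couldn't get address for '([^']+)': failure", text)}
    return {"root_hints": len(roots), "unresolved": len(roots & failed)}


def triage(options_text, trace_text):
    """Combine both views into a finding label plus a plain-language explanation."""
    opts = parse_options(options_text)
    trace = parse_trace(trace_text)
    if trace["root_hints"] == 0:
        finding, why = "no-root-list", "dig got no root NS list; is the local resolver running and reachable?"
    elif trace["unresolved"] < trace["root_hints"]:
        finding, why = "recursion-ok", "dig resolved at least one root server address; look elsewhere"
    elif not opts["forwarders"]:
        finding, why = "no-forwarders", "no forwarders and the root servers are unreachable: allow outbound UDP/TCP 53 or add forwarders"
    else:
        finding = "forwarders-unresponsive"
        why = ("forwarders %s are configured, yet the resolver fell back to the root hints "
               "(forward %s), so the forwarders did not answer; test them directly from "
               "the BIND host: dig @%s debian.org"
               % (", ".join(opts["forwarders"]), opts["forward"], opts["forwarders"][0]))
    return {"finding": finding, "why": why, **opts, **trace}


if __name__ == "__main__":
    result = triage(SAMPLE_OPTIONS, SAMPLE_TRACE)
    print(result["finding"])
    print(result["why"])
```

Run it on the two samples and it reports forwarders-unresponsive: the config does have forwarders, so the next check is whether the BIND host can reach them at all (a direct dig at each forwarder from that host, and a look at any firewall rule on outbound port 53), not another pass over named.conf.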