DNS Forwarder. I'm missing something

bakerjw
Posts: 9
Joined: 2022-05-10 18:55
Has thanked: 2 times
Been thanked: 1 time

DNS Forwarder. I'm missing something

#1 Post by bakerjw »

Good day, all. We have a test environment that I manage and I am trying to get a DNS forwarder running.
Most of the systems that we use are in a network that is firewalled from our production network. This network contains a Windows 2019/2022 domain with 2 DCs that provide DNS services.

We also have an isolated "test" network that uses a supernet 192.168.0.0/20. Devices on this test network often require access to a DNS server, and multi-homing one of our DCs to both the firewall and our isolated "Test" network is obviously a security risk. Security approves using Debian deployments to act as gateways/relays/forwarders to meet our needs.

The basic network configuration
Firewall Network - ###.218.133.0/24
"Test" network - 192.168.0.0/20
DC1 DNS - ###.218.133.18/24
DC2 DNS - ###.218.133.19/24

I have a Debian 11 core build that resides on both the firewalled and "Test" networks. It has 2 static interfaces, firewall and "Test" with the firewalled interface configured to use the IP addresses of our 2 DC DNS servers. I can ping devices on both networks and resolve addresses from our domain, the corporate world and the internet. From the local system all IP functionality works as expected.

/etc/resolv.conf is
domain jocy.OurDomain.net
search jocy.OurDomain.net
nameserver ###.218.133.18
nameserver ###.218.133.19

The first step was to install bind9 and bind9utils and configure named.conf.options

options {
    directory "/var/cache/bind";
    // I do not know if this is necessary. We do not need to limit access.
    //allow-query { 192.168.0.0/20; 127.0.0.1; };
    forwarders {
        161.218.133.18;
        161.218.133.19;
    };
    recursion yes;
    forward only;
    dnssec-validation auto;
    listen-on { 192.168.0.2; };
    //listen-on-v6 { any; };
};

Running named-checkconf /etc/bind/named.conf shows no errors.

service bind status gives
named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-07-22 11:10:25 EDT; 31s ago
Docs: man:named(8)
Main PID: 1125 (named)
Tasks: 8 (limit: 4679)
Memory: 20.9M
CPU: 74ms
CGroup: /system.slice/named.service
└─1125 /usr/sbin/named -f -u bind

Jul 22 11:10:43 JOCY-DNS-Gateway named[1125]: validating europe.cp.wd.microsoft.com/CNAME: bad cache hit (com/DS)
Jul 22 11:10:43 JOCY-DNS-Gateway named[1125]: broken trust chain resolving 'europe.cp.wd.microsoft.com/A/IN': ###.218.133.19#53
Jul 22 11:10:45 JOCY-DNS-Gateway named[1125]: validating ctldl.windowsupdate.com/CNAME: bad cache hit (com/DS)
Jul 22 11:10:45 JOCY-DNS-Gateway named[1125]: broken trust chain resolving 'ctldl.windowsupdate.com/A/IN': ###.218.133.18#53
Jul 22 11:10:47 JOCY-DNS-Gateway named[1125]: validating qagpublic.ipinsplus.OurDomain.com/A: bad cache hit (com/DS)
Jul 22 11:10:47 JOCY-DNS-Gateway named[1125]: broken trust chain resolving 'qagpublic.ipinsplus.OurDomain.com/A/IN': ###.218.133.18#53
Jul 22 11:10:47 JOCY-DNS-Gateway named[1125]: validating ctldl.windowsupdate.com/CNAME: bad cache hit (com/DS)
Jul 22 11:10:47 JOCY-DNS-Gateway named[1125]: broken trust chain resolving 'ctldl.windowsupdate.com/A/IN': ###.218.133.18#53
Jul 22 11:10:51 JOCY-DNS-Gateway named[1125]: validating ctldl.windowsupdate.com/CNAME: bad cache hit (com/DS)
Jul 22 11:10:51 JOCY-DNS-Gateway named[1125]: broken trust chain resolving 'ctldl.windowsupdate.com/A/IN': ###.218.133.18#53

#host jocy.OurDomain.net 192.168.0.2
Using domain server:
Name: 192.168.0.2
Address: 192.168.0.2#53
Aliases:

Host jocy.siemens.net not found: 2(SERVFAIL)

I am sure that I am missing something simple. Any ideas of where to look first?
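A defender-side check, added here and not code from the thread or from BIND: a small Python lint that parses a named.conf options block like the one posted and reports the settings that interact with the symptoms above, namely recursion with no explicit client ACL and DNSSEC validation enabled on a forward-only resolver (the "broken trust chain" lines mean validation is failing against the forwarders). The sample config, the regexes and the function names are constructed for this example.

```python
import re

# Constructed sample: the options block as posted in the thread, comments kept
# so the parser has to strip them. Not BIND's own test data.
SAMPLE = """
options {
  directory "/var/cache/bind";
  // I do not know if this is necessary. We do not need to limit access.
  //allow-query { 192.168.0.0/20; 127.0.0.1; };
  forwarders { 161.218.133.18; 161.218.133.19; };
  recursion yes;
  forward only;
  dnssec-validation auto;
  listen-on { 192.168.0.2; };
};
"""

# One statement: `name value;` or `name { item; item; };` (no nested blocks).
STMT = re.compile(r"([\w-]+)\s*(?:\{(?P<block>[^}]*)\}|(?P<scalar>[^;{]+))\s*;")

def parse_options(text):
    """Return {statement: value} for the options block; { } lists become Python lists."""
    text = re.sub(r"//[^\n]*|#[^\n]*", "", text)        # drop line comments
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)    # drop block comments
    m = re.search(r"options\s*\{(.*)\}\s*;", text, flags=re.S)
    opts = {}
    for s in STMT.finditer(m.group(1) if m else ""):
        if s.group("block") is not None:
            opts[s.group(1)] = [v.strip() for v in s.group("block").split(";") if v.strip()]
        else:
            opts[s.group(1)] = s.group("scalar").strip()
    return opts

def audit(opts):
    """Findings a reviewer would raise for a forward-only resolver like the one posted."""
    findings = []
    if opts.get("recursion") == "yes" and not (opts.get("allow-recursion") or opts.get("allow-query")):
        findings.append("recursion enabled without allow-recursion/allow-query: BIND falls back to its "
                        "default ACL (localnets; localhost); state the intended client range explicitly")
    if opts.get("forward") == "only" and opts.get("dnssec-validation") in ("auto", "yes"):
        findings.append("dnssec-validation on with forward only: answers must carry DNSSEC data from the "
                        "forwarders; if they do not, named logs 'broken trust chain' and clients get "
                        "SERVFAIL. Check with dig +dnssec @<forwarder> com DS, or set dnssec-validation no "
                        "and rely on the forwarders this host already trusts")
    if opts.get("forward") == "only" and len(opts.get("forwarders", [])) < 2:
        findings.append("forward only with fewer than two forwarders: one upstream outage stops resolution")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_options(SAMPLE)):
        print("-", finding)
```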

flashydolphin8827
Posts: 18
Joined: 2022-08-15 23:15
Has thanked: 2 times

Re: DNS Forwarder. I'm missing something

#2 Post by flashydolphin8827 »

/etc/resolv.conf is
domain jocy.OurDomain.net
search jocy.OurDomain.net
nameserver ###.218.133.18
nameserver ###.218.133.19

Can you successfully resolve a DNS record on the internet like google.com or https://account.dyn.com? If so, this is a good indicator of whether or not you or one of your other sysadmins, either junior or senior, might have inadvertently missed a semicolon in one of the bind9 configuration files. So I would recommend that you go back and take a fine-toothed comb approach to debugging your bind9 and named configuration files, keeping in mind that one absent or misplaced semicolon can cause a huge headache. I'd also recommend adding a couple more DNS servers; the providers that I like to use are Quad9 and OpenDNS, both of whose server addresses I will provide after this paragraph.

quad9
nameserver 9.9.9.9
nameserver 9.9.8.8

opendns

nameserver 208.67.222.222
nameserver 208.67.220.220

I have had exceptional results using both of these providers' name servers; as a matter of fact I am using them as we speak on the Chromebook that I am typing this reply on.