Setting up a private root DNS server using BIND9

I’m implementing a full DNS hierarchy using BIND9 and Raspberry Pis. I have set up a private authoritative name server, a TLD name server and a resolver. I’m trying to set up a root server and need the resolver to get redirected from root -> TLD -> authoritative NS.

I updated the root hints file (“db.root” on the resolver) to hold the private IP address of the new root.

    .           36000 IN NS ROOT.
    ROOT.       36000 IN A 

When I use the resolver to perform a “dig +trace”, I receive NS ROOT. in the authority section but the additional section does not contain its IP. Dig gives the following error:

    couldn't get address for 'ROOT': not found

I think I’m facing the same problem being redirected from my TLD NS as well, but I guess fixing this would also fix that.

Are there any special settings related to the configuration or DNSSEC that are preventing me from implementing a private DNS tree?

Bind9 DNS reverse lookup fails for no reason

Okay, so I have a problem: my reverse lookup fails on my BIND9 DNS.

    # nslookup 
    Server:
    Address:

    ** server can't find NXDOMAIN

    # nano /var/named/
    $TTL 86400
    @   IN  SOA localhost (
                991079290   ; serial
                28800       ; refresh
                14400       ; retry
                3600000     ; expire
                86400       ; default_ttl
    )
        IN  NS  localhost.
    6.1 IN  PTR localhost.
    ;

    # nano /etc/bind/named.conf.local
    zone "" {
        type master;
        file "/var/named/"
        allow-update { key rndc-key; };
    };

    # /etc/bind/named.conf
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";

As I see it, everything looks fine. What could cause the problem?

Keeping DNSSEC KSKs offline with BIND9

I am looking to move the private part of the KSK for my domains off my main nameserver. I’ve tried this with a test domain and get errors like this:

    dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/ file not found
    ...
    dns_dnssec_findzonekeys2: error reading /etc/bind/keys/ file not found

This guide recommends keeping the private KSKs offline without much further comment so I’m guessing it’s ok to ignore these warnings? The zone continues to operate as expected and I can make changes fine (the errors just keep appearing).

If it is ok to ignore the warning, is there a way to disable it so the logs don’t get filled up?

create SRV record using bind9

I’m new to the Ubuntu bind9 DNS service.

In my zone file, which is pre-existing in the company and working fine for CNAME records, I’m trying to set up an SRV record:

    _http._tcp.jenkins-xxx IN SRV 10 10 8080 myjenkinsserver

I restarted the bind9 service. nslookup is not finding the record for some reason…

I need to define the jenkins host to be accessed using a service record in the DNS.

I really went over lots of posts online about this before asking the question… Is it really not possible to set up an SRV record? Only by using a reverse proxy?
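Two things decide whether an SRV record like the one above is found: the client must ask for the full owner name `_http._tcp.jenkins-xxx.<zone>` with type SRV (nslookup queries A records by default, so it needs `-type=SRV`, and dig needs `SRV` after the name), and the target must own an A or AAAA record in the zone, since RFC 2782 forbids pointing an SRV at a CNAME. The block below is an added example written for this page, not code from the post or from BIND: it parses SRV lines from a zone file, derives the name a client has to query, orders the targets the way an RFC 2782 client does (priority, then weighted random) and flags targets without an address record. The zone origin `example.com.`, the second `jenkins-standby` record and the 192.0.2.x address are assumptions constructed for the example.

```python
import random
from dataclasses import dataclass

# Hypothetical zone origin; the post does not name its zone.
ORIGIN = "example.com."


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # fully qualified _service._proto.name
    priority: int   # lower is tried first (RFC 2782)
    weight: int     # relative share within one priority
    port: int
    target: str     # must own an A/AAAA record, not a CNAME


def qualify(name: str, origin: str) -> str:
    """Append the origin to a relative name, as named does when loading a zone."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_srv(line: str, origin: str = ORIGIN) -> SrvRecord:
    """Parse one master-file SRV line; an optional TTL and class may precede 'SRV'."""
    fields = line.split()
    types = [f.upper() for f in fields]
    if "SRV" not in types:
        raise ValueError(f"not an SRV record: {line!r}")
    i = types.index("SRV")
    priority, weight, port, target = fields[i + 1:i + 5]
    return SrvRecord(qualify(fields[0], origin), int(priority), int(weight),
                     int(port), qualify(target, origin))


def query_name(service: str, proto: str, name: str, origin: str = ORIGIN) -> str:
    """The owner name a client must ask for, with type SRV, to find this service."""
    return qualify(f"_{service}._{proto}.{name}", origin)


def order_targets(records, rng=random):
    """RFC 2782 client ordering: ascending priority, then weighted random
    selection within each priority (higher weight is picked more often)."""
    ordered, groups = [], {}
    for r in records:
        groups.setdefault(r.priority, []).append(r)
    for prio in sorted(groups):
        pool = sorted(groups[prio], key=lambda r: r.weight)  # zero weights first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def targets_without_address(records, address_owners):
    """SRV targets with no A/AAAA record: named answers the SRV query, but
    clients then have no address to connect to."""
    return sorted({r.target for r in records if r.target not in address_owners})


# Constructed sample zone lines: the post's record plus a second, lower-priority
# Jenkins instance and one host's A record (RFC 5737 documentation address).
ZONE_LINES = [
    "_http._tcp.jenkins-xxx IN SRV 10 10 8080 myjenkinsserver",
    "_http._tcp.jenkins-xxx IN SRV 20 0 8080 jenkins-standby",
    "myjenkinsserver IN A 192.0.2.10",
]
SRV_RECORDS = [parse_srv(l) for l in ZONE_LINES if " SRV " in l.upper()]
A_OWNERS = {qualify(l.split()[0], ORIGIN) for l in ZONE_LINES if " A " in l}

if __name__ == "__main__":
    print("ask for:", query_name("http", "tcp", "jenkins-xxx"), "type SRV")
    for r in order_targets(SRV_RECORDS, random.Random(1)):
        print(f"  try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
    print("targets without A/AAAA:", targets_without_address(SRV_RECORDS, A_OWNERS))
```

Run stand-alone it lists the query name, the order in which a client would try the targets, and the standby host that still needs an A record before it is usable.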

ISC-DHCPD & BIND9: Dynamic DNS interaction

I am running isc-dhcpd-4.4.1 and BIND 9.11.6 servers on FreeBSD 11.2 for a small company.

DHCPD serves a number of Windows stations (assigning them mostly static IP addresses), several special-purpose devices (getting static public IP addresses, which must be available to our clients) and also various portable devices connecting to the network through WiFi (which get addresses from a predefined range). The dynamically assigned clients get registered by the BIND named, and their names are available for both forward and reverse DNS resolution. As the lease time for portable devices is short, they are automatically removed from DNS whenever they cease communicating.

So far, this arrangement works perfectly.

Now my questions:

  1. Is it possible to force DNS registration/removal for some specific portable devices that are expected to get always the same (statically defined) address? If so, how to configure it?
  2. Some portable devices ask for lease by host names that do not conform to standards (e.g., hostname contains ‘_’) which results in DNS registration refusal. Is there any way to correct the registration names by a “filter” (e.g., sed script)?
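The refusal in question 2 comes from named's `check-names` policy: the owner of an A/AAAA record must follow RFC 952/1123 host-name syntax (letters, digits and hyphens only, no leading or trailing hyphen, labels of at most 63 octets), and a client announcing `My_Phone` fails that test. The block below is an added example written for this page, not code from the post, from isc-dhcpd or from BIND: it implements the validity test and the kind of normalising "filter" the question asks about, mapping a client-supplied name onto a registrable one and falling back to a MAC-derived name when nothing usable remains. The lease list is constructed for the example; dhcpd's own expression language has no regex substitution, so a transform like this would have to run outside dhcpd.

```python
import re

# RFC 952/1123 host-name label: letters, digits and '-', not at the edges,
# at most 63 octets. This is what named's default check-names enforces on
# the owner of an A/AAAA record, so "my_phone" is refused at registration.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True if every label of name satisfies host-name syntax."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def sanitize_hostname(raw: str, fallback: str) -> str:
    """Normalise a client-supplied name into a registrable one: lower-case,
    every run of illegal characters becomes one '-', hyphens are trimmed from
    label edges and labels are cut to 63 octets. Empty labels are dropped;
    if nothing usable remains the caller's fallback name is returned."""
    labels = []
    for label in raw.lower().split("."):
        label = re.sub(r"[^a-z0-9-]+", "-", label)
        label = re.sub(r"-{2,}", "-", label).strip("-")[:63].rstrip("-")
        if label:
            labels.append(label)
    name = ".".join(labels)
    return name if is_valid_hostname(name) else fallback


def ddns_names(leases):
    """Map (mac, client-supplied hostname) leases to the names a DDNS update
    would register, using 'dhcp-<mac>' when the client's name is unusable.
    Returns a dict mac -> name."""
    out = {}
    for mac, hostname in leases:
        fallback = "dhcp-" + mac.replace(":", "")
        out[mac] = sanitize_hostname(hostname or "", fallback)
    return out


# Constructed sample leases in the spirit of the post: portable devices
# announcing names that named's check-names would reject.
LEASES = [
    ("00:11:22:33:44:55", "My_Phone"),
    ("00:11:22:33:44:56", "Jo's iPad"),
    ("00:11:22:33:44:57", "___"),
    ("00:11:22:33:44:58", "printer-3.floor2"),
    ("00:11:22:33:44:59", None),
]

if __name__ == "__main__":
    for mac, name in ddns_names(LEASES).items():
        print(f"{mac}  ->  {name}")
```

The fallback keeps a rejected device reachable under a predictable name instead of silently dropping it from DNS, which is usually preferable in an office network where the reverse zone is used for logging.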

BIND9 SERVFAIL using dig on UBUNTU server 18

I am setting up a nextcloud+onlyoffice server on Ubuntu Server 18 and a LAN DNS for my office to go with it. I’m not a real IT guy but I follow tutorials and read forums. Also, being in China I don’t have Google and most of my searches find irrelevant answers… I still saw many people had an error similar to mine but no solution worked for me. I’m sure it’s a stupid obvious mistake but since I’m not familiar with the BIND9 syntax, I just don’t see it… Here is my named.conf.local:

    zone "plateforme.local" IN {
        type master;
        file "/etc/bind/zones/db.plateforme.local";
        //allow-transfer{;};
        allow-update { none; };
        allow-query { any; };
    };

    zone "" IN {
        type master;
        file "/etc/bind/zones/db.rev.plateforme.local";
        allow-update {none;};
    };

My db.plateforme.local:

    ;
    ; BIND data file for local loopback interface
    ;
    $TTL    604800
    @   IN  SOA ns.plateforme.local. root.plateforme.local. (
                          33    ; Serial
                      604800    ; Refresh
                       86400    ; Retry
                     2419200    ; Expire
                      604800 )  ; Negative Cache TTL
    ;
    ; name servers - NS info
            NS  ns.plateforme.local.
    ; name servers - address
    ns  IN  A
    ; name servers - A records
    nextcloud   IN  A
    onlyoffice  IN  A

Here is db.rev.plateforme.local:

    ;
    ; BIND reverse data file for local loopback interface
    ;
    $TTL    604800
    @   IN  SOA ns.plateforme.local. root.plateforme.local. (
                          17    ; Serial
                      604800    ; Refresh
                       86400    ; Retry
                     2419200    ; Expire
                      604800 )  ; Negative Cache TTL
    ;
    ; name servers - NS info
        IN  NS  ns.plateforme.local.
        IN  NS  localhost.
    ; name servers - address
    29  IN  NS  ns.plateforme.local.
    29  IN  PTR nextcloud.plateforme.
    29  IN  PTR onlyoffice.plateforme.local.

Here is the result of dig nextcloud.plateforme.local:

    nextcloud@nextcloud-server:/etc/bind/zones$ dig nextcloud.plateforme.local.

    ; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> nextcloud.plateforme.local.
    ;; global options: +cmd
    ;; Got answer:
    ;; WARNING: .local is reserved for Multicast DNS
    ;; You are currently testing what happens when an mDNS query is leaked to DNS
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42787
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;nextcloud.plateforme.local.    IN  A

    ;; Query time: 0 msec
    ;; SERVER:
    ;; WHEN: mar. mars 12 10:25:52 HKT 2019
    ;; MSG SIZE  rcvd: 55

And the reverse lookup (dig -x), which surprisingly works:

    nextcloud@nextcloud-server:/etc/bind/zones$ dig -x 

    ; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> -x
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63404
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;    IN  PTR

    ;; ANSWER SECTION:
    0   IN  PTR nextcloud-server.
    0   IN  PTR nextcloud-server.local.

    ;; Query time: 120 msec
    ;; SERVER:
    ;; WHEN: mar. mars 12 10:39:53 HKT 2019
    ;; MSG SIZE  rcvd: 121

I’d be very thankful if someone could help… I’m setting up this server for our team of 16 teachers because I had some computer science training over a decade ago, because we have need for such a server, and the offer in mainland China is limited and abroad out of reach… but I do it in addition to my duties as a teacher and it is draining my free time. I would greatly appreciate the help and advice of experts. Thank you in advance for your time!
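Both this question and the private-root question at the top of the page come down to records that do not line up with each other: a root hints file whose NS target has no A record to go with it (dig's "couldn't get address for 'ROOT'"), and a reverse zone whose PTRs point at names the forward zone does not carry, with an NS planted at a host label for good measure. `named-checkzone` will catch syntax errors in a file, but not this kind of cross-file inconsistency. The block below is an added example written for this page, not code from either post or from BIND: a small master-file reader (not a full RFC 1035 parser) plus two checks, one for NS targets without glue and one comparing a reverse zone with its forward zone. The sample zones are constructed in the shape of this post's files, with RFC 5737 addresses (192.0.2.0/24) standing in for the addresses the post does not show, and the `ROOT.` hints line with 192.0.2.53 is likewise an assumption.

```python
import ipaddress


def qualify(name, origin):
    """Make a master-file name absolute the way named does when loading a zone."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file reader written for this check (not a full RFC 1035
    parser): drops comments, joins parenthesised records, honours $ORIGIN,
    skips other $ directives and TTL/class fields, and returns
    (owner, TYPE, rdata tuple) with owner and NS/PTR/CNAME targets qualified."""
    records, last_owner, buf, depth = [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        if depth == 0 and line.startswith("$"):
            key, *rest = line.split()
            if key == "$ORIGIN" and rest:
                origin = rest[0]
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue
        logical, buf = " ".join(buf).replace("(", " ").replace(")", " "), []
        fields = logical.split()
        if not logical[0].isspace():          # owner given, else inherited
            last_owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                     # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "PTR", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        records.append((last_owner, rtype, tuple(rdata)))
    return records


def missing_glue(records):
    """NS targets that have no A/AAAA record in the same file. A resolver primed
    from such a hints file has nowhere to send its first query, which is what
    dig's "couldn't get address for 'ROOT'" reports."""
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    return sorted({r[0] for _, t, r in records if t == "NS" and r[0] not in have_addr})


def check_reverse(forward, reverse, reverse_origin):
    """Cross-check a reverse zone against its forward zone; returns a sorted list
    of problems (PTR with no matching A, address without PTR, several PTRs at
    one owner, NS at a host label)."""
    expected, ptrs, problems = {}, {}, []
    for owner, rtype, rdata in forward:
        if rtype == "A":
            rev = ipaddress.ip_address(rdata[0]).reverse_pointer + "."
            expected.setdefault(rev, set()).add(owner)
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":
            ptrs.setdefault(owner, []).append(rdata[0])
        elif rtype == "NS" and owner != reverse_origin:
            problems.append(f"NS record at host label {owner}")
    for owner, targets in ptrs.items():
        if len(targets) > 1:
            problems.append(f"{owner} has {len(targets)} PTR records")
        for target in targets:
            if target not in expected.get(owner, set()):
                problems.append(f"PTR {owner} -> {target} has no matching A record")
    for owner in expected:
        if owner not in ptrs:
            problems.append(f"no PTR at {owner} for {sorted(expected[owner])}")
    return sorted(problems)


# Constructed sample zones modelled on the post; RFC 5737 addresses (192.0.2.0/24)
# stand in for the post's elided ones. The reverse zone keeps the post's shape:
# an NS at a host label, two PTRs at one address, one PTR target cut short.
FORWARD = """
$TTL 604800
@   IN  SOA ns.plateforme.local. root.plateforme.local. ( 33 604800 86400 2419200 604800 )
    IN  NS  ns.plateforme.local.
ns          IN  A   192.0.2.1
nextcloud   IN  A   192.0.2.29
onlyoffice  IN  A   192.0.2.30
"""
REVERSE = """
$TTL 604800
@   IN  SOA ns.plateforme.local. root.plateforme.local. ( 17 604800 86400 2419200 604800 )
    IN  NS  ns.plateforme.local.
29  IN  NS  ns.plateforme.local.
29  IN  PTR nextcloud.plateforme.
29  IN  PTR onlyoffice.plateforme.local.
"""
HINTS = ".      36000 IN NS ROOT.\nROOT.  36000 IN A  192.0.2.53\n"   # constructed

if __name__ == "__main__":
    fwd = parse_zone(FORWARD, "plateforme.local.")
    rev = parse_zone(REVERSE, "2.0.192.in-addr.arpa.")
    for problem in check_reverse(fwd, rev, "2.0.192.in-addr.arpa."):
        print("reverse zone:", problem)
    print("hints missing glue:", missing_glue(parse_zone(HINTS, ".")))
```

Run against the constructed sample it reports six problems in the reverse zone and no missing glue in the hints; dropping the `ROOT. ... IN A` line from the hints makes `missing_glue` return `['ROOT.']`, which is the condition behind the private-root question's dig error.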

bind9 resolve to ip

The company has changed to Zscaler Private Access, and now connections to an IP are no longer working.

What is working is a hostname, as it gets translated to 100.64.x.y and then routed to the drop-off in the datacenter.

My question now: is there a way to tell BIND to resolve something like to without adding 16M records? Something like “* IN A *” is not working.

DNS Spoofing Bind9 DNS Server

I configured Ubuntu Server 18.04 as a master DNS server. Zone ==>

    ;
    ; BIND data file for local loopback interface
    ;
    $TTL    12h
    @   IN  SOA (
                           2    ; Serial
                      604800    ; Refresh
                       86400    ; Retry
                     2419200    ; Expire
                      604800 )  ; Negative Cache TTL
    ;
    @       IN  NS
    ns1     IN  A
    www     IN  A   <fake IP>
    mail    IN  A   <fake IP>

I configured the client to use this server as its DNS server.

When I enter the URL in the client’s browser I get an SSL error. How does the browser understand this issue? The client’s browser is up to date.

How do I modify DNS-posts/zones in Bind9 on a Samba4-server (Zentyal?)

I’m running a Zentyal Samba4 server as a DNS server as well as an Active Directory domain controller. I’ve been having some issues lately with DNS. There are 2 ways that I know of to update DNS on that server, either via the Zentyal GUI, or by launching Windows’ DNS management tool (runas /netonly /\Administrator cmd.exe). I’ve noticed that only the latter actually works, and that modifying and creating DNS-posts via Zentyal’s GUI has no effect whatsoever (I have tried looking at the logs at /var/log/samba/* and /var/log/zentyal/*, but to no avail).

When I check what is going on in /etc/bind/named.conf.local (as Zentyal uses BIND9), I see the following:

    // Generated by Zentyal

    acl "trusted" {
        localhost;
        localnets;
    };

    acl "internal-local-nets" {; };

    dlz "AD DNS Zone" {
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";
    };

Which leads me to believe that DNS is being managed by a binary file/application.

Now, the big question is: suppose I would like to make updates on the DNS server from a non-Windows computer, how do I do that? I’ve been trying to look for the appropriate CLI commands, but I haven’t found anything. Surely there is a way to do that from within the server?

Any insights would be very appreciated!