Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes · 2 answers · 14813 views
How to use DNS-over-TLS with BIND9 forwarders
BIND9 v9.18 improves support for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). However, while the [docs](https://bind9.readthedocs.io/en/v9_18_11/) explain how to use TLS for the server part, it does not reveal how to enable DNS-over-TLS for query forwarding. Does BIND9 v9.18 support it?
How does the config snippet need to be tweaked to use DoT for the forwarders?
```
options {
    […]
    forwarders {
        // Forward to Cloudflare public DNS resolver
        1.1.1.1;
        1.0.0.1;
    };
    […]
};
```
Simply adding `port 853` and expecting some magic to happen does not seem to be enough.
Stephan
(103 rep)
Feb 13, 2023, 11:46 AM
• Last activity: Jul 29, 2025, 12:25 PM
0 votes · 0 answers · 27 views
ISC Bind9 with DNS over TLS (DOT) fails when strict tls auth is enabled
I installed and set up the official Bind9 package to test DNS forward zones based on source IP/subnets, which unbound doesn't support.
I properly set NAT forwards, changed listening ports on Bind9 and configured it for DNS over TLS (see below).
All works properly and DNS requests are properly forwarded and use TLS until I uncomment the `remote-hostname` and/or `ca-file` options. Without them, as per the Bind9 doc, encryption is granted but not TLS authentication.
If I enable those options to ensure strict TLS authentication, clients cannot resolve DNS entries and I get the below errors in logs:
```
Jul 29 00:50:29 named 92197 query-errors: debug 4: fetch completed for readaloud.googleapis.com.intranet/A in 0.056869: TLS peer certificate verification failed/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
Jul 29 00:50:29 named 92197 query-errors: info: client @0x1414c4b10800 10.0.31.62#9512 (readaloud.googleapis.com.intranet): query failed (TLS peer certificate verification failed) for readaloud.googleapis.com.intranet/IN/A at query.c:7836
```
I tried with different `ca-file` values, but no success.
**My working Bind9 config (with `remote-hostname` commented):**
```
tls cloudflare-tls {
    // ca-file "/usr/local/share/certs/ca-root-nss.crt";
    // ca-file "/usr/local/etc/ssl/cert.pem";
    // ca-file "/usr/share/certs/trusted/IdenTrust_Commercial_Root_CA_1.pem";
    // remote-hostname "one.one.one.one";
    prefer-server-ciphers yes;
};
options {
    forwarders {
        1.1.1.1 port 853 tls cloudflare-tls;
        1.0.0.1 port 853 tls cloudflare-tls;
        2606:4700:4700::1111 port 853 tls "cloudflare-tls";
        2606:4700:4700::1001 port 853 tls "cloudflare-tls";
    };
};
```
* **Bind9 Docs:** [https://bind9.readthedocs.io/en/v9.18.14/reference.html#namedconf-statement-prefer-server-ciphers](https://bind9.readthedocs.io/en/v9.18.14/reference.html#namedconf-statement-prefer-server-ciphers)
> Strict TLS provides server authentication via a pre-configured
> hostname for outgoing connections. This mechanism offers both channel
> confidentiality and channel authentication (of the server). In order
> to achieve Strict TLS, one needs to use remote-hostname and,
> optionally, ca-file options in the tls statements used for
> establishing outgoing connections (e.g. the ones used to download zone
> from primaries via TLS). Providing any of the mentioned options will
> enable server authentication. If remote-hostname is provided but
> ca-file is missed, then the platform-specific certificate authority
> certificates are used for authentication. The set roughly corresponds
> to the one used by WEB-browsers to authenticate HTTPS hosts. On the
> other hand, if ca-file is provided but remote-hostname is missing,
> then the remote side’s IP address is used instead.
Any help on why enabling TLS auth fails?
user2565854
(1 rep)
Jul 29, 2025, 08:05 AM
• Last activity: Jul 29, 2025, 08:29 AM
1 vote · 1 answer · 130 views
BIND9 refusing DNS queries
I cannot *for the life of me* work out **why** BIND9 is refusing queries. I have followed so many tutorials and watched so many configuration setup videos, both using Webmin and in the CLI, following them to the letter, but my BIND9 simply will not answer queries.
BIND9 is installed on a Debian VM on Proxmox.
- I can ping the server
- I can SSH to the server
- I can access Webmin and configure everything in there
- `named-checkzone` returns OK
- neither iptables nor ufw are installed
- the Proxmox Firewall is disabled at the Datacenter, Host and VM levels
- the server can reach the internet
- nslookup and dig both fail on the DNS server itself using `nslookup example.com 127.0.0.1` and `dig @127.0.0.1 example.com`
```
admin@vm-server:~$ nslookup example.com localhost
Server:     localhost
Address:    ::1#53

** server can't find example.com: REFUSED

admin@vm-server:~$ dig @127.0.0.1 example.com

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER
```
```
";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
logging {
};
```
**/etc/bind/named.conf.options**:
```
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on-v6 { any; };
    listen-on port 53 {
        127.0.0.1;
        127.0.1.1;
        10.0.0.2;
    };
    allow-query {
        localhost;
        ACL_RFC1918;
    };
    multiple-cnames yes;
};
```
**/etc/bind/named.conf.local**:
```
zone "example.com" {
    type master;
    file "/var/lib/bind/example.com.hosts";
};
```
**/etc/bind/named.conf.default-zones**:
```
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
```
**/var/lib/bind/example.com.hosts**:
```
$ttl 3600
example.com.    IN  SOA vm-server. admin.example.com. (
            2025042448
            3600
            600
            1209600
            3600 )
example.com.            IN  NS      vm-server.example.com.
vm-server.example.com.  IN  A       10.0.0.2
dns.example.com.        IN  CNAME   vm-server
```
**/etc/bind/rndc.conf**:
```
key "rndc-key" {
    algorithm hmac-sha256;
    secret "";
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
```
**/etc/bind/rndc.key**:
```
key "rndc-key" {
    algorithm hmac-sha256;
    secret "";
};
```
skeetastax
(159 rep)
Apr 25, 2025, 03:33 AM
• Last activity: Apr 25, 2025, 09:58 AM
1 vote · 1 answer · 102 views
Which bind9-dnsutils tools are deprecated or obsolete?
The following are `bind9-dnsutils` tools:
- delv
- dig
- dnstap-read
- mdig
- nslookup
- nsupdate

List taken from: https://manpages.debian.org/bookworm/bind9-dnsutils/index.html
I know `nslookup` is deprecated and `dig` is not (dig is its replacement).
But what about the other 4 tools: are they either deprecated or obsolete, or still valid?
And if so, what are the replacements?
metablaster
(776 rep)
Mar 30, 2025, 09:24 PM
• Last activity: Mar 30, 2025, 10:01 PM
0 votes · 0 answers · 27 views
Configure bind9 to use Dnsmasq for local LAN names
I have a dnsmasq server (10.0.0.1) with knowledge of the hostnames and IP addresses for a couple of local networks, say a Guest Wireless and a Wired Network.
I also have a bind9 DNS running on a separate server (192.168.1.1), which is the authoritative DNS for the LAN.
I'd like to forward queries asked to the bind9 server to be resolved by the dnsmasq server. It would be acceptable if all the queries had to share a common top-level domain, e.g. `myhostname.lan`, or `myhostname.arpa`, etc.
What I have tried:
I set up a "lan" zone with "masters" set to the dnsmasq server, similar to the setup in this article
```
zone "lan" {
    type slave;
    masters { 10.0.0.225; };
};
```
However, this fails in a way similar to what is described in this forum question
```
==> /var/log/named/general.log /var/log/named/xfer-in.log <==
12-Mar-2025 21:26:06.894 zone lan/IN: Transfer started.
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: failed to connect: connection refused
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: Transfer status: connection refused
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.003 secs (0 bytes/sec) (serial 0)
```
I've also tried to simply set up `10.0.0.1` as a forwarder in the bind9 configuration:
```
...
forwarders {
    10.0.0.1;
};
...
```
But I get bind9 errors of the form:
```
12-Mar-2025 21:13:45.884 zone lan/IN: refresh: unexpected rcode (REFUSED) from primary 10.0.0.1#53 (source 0.0.0.0#0)
```
I also tried simply adding 10.0.0.1 as a resolver in /etc/resolv.conf, but I still see those unexpected rcode errors.
How can I set up bind9 to use my dnsmasq server at 10.0.0.1 to resolve DNS queries?
ealfonso
(993 rep)
Mar 13, 2025, 01:45 AM
• Last activity: Mar 13, 2025, 03:02 PM
0 votes · 1 answer · 175 views
bind9: forward *every* NXDOMAIN to a different nameserver even if zone locally known
Currently I'm using the "hosts" file for this, but that's getting harder to maintain over multiple workstations...
I'd like to setup a nameserver in our local network which can overwrite or append hosts to existing domains.
E.g. `sql.ourdomain.tld` is defined in the "master dns" `SOA dns.ourdomain.tld` with `IN A 80.90.100.200`, and I'd like to overwrite it with `IN A 192.168.15.5` in our local nameserver.
So it's "answer locally first, forward every NXDOMAIN to a different resolver".
I guess there is such a solution because "pihole" does similar things.
Bernd Hohmann
(13 rep)
Jan 12, 2025, 02:21 PM
• Last activity: Jan 12, 2025, 09:45 PM
0 votes · 1 answer · 127 views
Return different DNS results depending on client
I have bind9 running for local LAN DNS. I also have an APT caching server. So, I set up an RPZ file to poison certain domain names and have them resolve to my internal caching server instead. Running e.g. `apt update` is returning resolution errors, _I think_ because the caching server is unable to resolve the true (external) records and fetch the data. I think this means I'd have to set up a view for the caching server as a /32.
So the question is, can I set it up so that my caching server hitting domains in the poisoned zone just gets forwarded, while the rest of the network gets the poisoned data? I'm just not sure how to go about doing that.
Harv
(2512 rep)
Dec 7, 2024, 08:00 AM
• Last activity: Dec 7, 2024, 01:27 PM
1 vote · 0 answers · 112 views
Reverse Lookup Failures in BIND DNS Configuration on Ubuntu Servers
I am currently configuring the DNS on Ubuntu servers for an assignment, and am encountering issues with reverse lookups. Below are the details from the configuration files and the results of the commands I've run:
**p04ldns1.pod04.lan = master server [10.4.30.4]**
- Can resolve `client1.pod04.lan` to 10.4.30.10
- Can resolve `p04ldns2.pd04.lan` to 10.4.30.5
- Cannot resolve 10.4.30.10 to `client1.pod04.lan`
- Cannot resolve 10.4.30.5 to `p04ldns2.pd04.lan`
**p04ldns2.pod04.lan = slave server [10.4.30.5]**
- Can resolve `p04ldns1.pd04.lan` to 10.4.30.4
- Cannot resolve `client1.pod04.lan` to 10.4.30.10
- Cannot resolve 10.4.30.4 to `p04ldns1.pd04.lan`
- Cannot resolve 10.4.30.10 to `client1.pod04.lan`
**client1.pod04.lan = client [10.4.30.10]**
- Can ping 10.4.30.4 & 10.4.30.5
- Can get out to the internet using 10.4.30.4 & 10.4.30.5 as DNS servers
**Forward Lookup Zone Configuration on Master (`/etc/bind/named.conf.local`)**
```
// Forward Lookup Zone
zone "pod04.lan" {
    type master;                      // Confirmed as master
    file "/etc/bind/db.pod04.lan";    // Correct file path
};
// Reverse Lookup Zone
zone "30.4.10.in-addr.arpa" {
    type master;                              // Confirmed as master
    file "/etc/bind/30.4.10.in-addr.arpa";    // Correct file path
};
```
**Zone File for pod04.lan on Master (`/etc/bind/db.pod04.lan`)**
```
$TTL 604800
$ORIGIN pod04.lan.
@   IN  SOA p04ldns1.pod04.lan. admin.pod04.lan. (
        2023100805  ; Serial
        604800      ; Refresh
        86400       ; Retry
        2419200     ; Expire
        604800 )    ; Negative Cache TTL
;
@           IN  NS  p04ldns1.pod04.lan.
@           IN  NS  p04ldns2.pod04.lan.
p04ldns1    IN  A   10.4.30.4
p04ldns2    IN  A   10.4.30.5
client1     IN  A   10.4.30.10
```
**Zone File for Reverse Lookup on Master (`/etc/bind/30.4.10.in-addr.arpa`)**
```
$TTL 604800
$ORIGIN 30.4.10.in-addr.arpa.
@   IN  SOA p04ldns1.pod04.lan. admin.pod04.lan. (
        2023100805  ; Serial
        604800      ; Refresh
        86400       ; Retry
        2419200     ; Expire
        604800 )    ; Negative Cache TTL
;
@   IN  NS  p04ldns1.pod04.lan.
@   IN  NS  p04ldns2.pod04.lan.
10  IN  PTR client1.pod04.lan.
```
**Slave zone file**
The slave cannot resolve `client1.pod04.lan` to 10.4.30.10
```
// FORWARD LOOKUP ZONE
zone "pod04.lan" {
    type slave;
    file "/var/cache/bind/db.pod04.lan";
    masters { 10.4.30.4; };    # P04LDNS1's IP Address
};
// REVERSE LOOKUP ZONE
zone "30.4.10.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/30.4.10.in-addr.arpa";
    masters { 10.4.30.4; };    # P04LDNS1's IP Address
};
```
**I have set the permissions for the reverse zone file as follows:**
```
sudo chown bind:bind /etc/bind/30.4.10.in-addr.arpa
sudo chmod 644 /etc/bind/30.4.10.in-addr.arpa
```
**Testing Commands and Results**
**Forward Lookup:**
`dig @10.4.30.4 client1.pod04.lan`
Result: Successfully resolves to 10.4.30.10.
**Reverse Lookup:**
`dig -x 10.4.30.10`
Result: NXDOMAIN, indicating the reverse lookup is not resolving.
`dig -x 10.4.30.10 @10.4.30.4`
Result: Also returns NXDOMAIN.
```
sudo ufw status
Status: active

To             Action      From
--             ------      ----
22/tcp         ALLOW       Anywhere
53             ALLOW       Anywhere
22/tcp (v6)    ALLOW       Anywhere (v6)
53 (v6)        ALLOW       Anywhere (v6)
```
Have tried `sudo systemctl restart bind9` many times on master and slave DNS servers.
**`dig @10.4.30.4 pod04.lan AXFR` on SLAVE**
```
; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @10.4.30.4 pod04.lan AXFR
; (1 server found)
;; global options: +cmd
pod04.lan.              604800  IN  SOA p04ldns1.pod04.lan. admin.pod04.lan. 2023100805 604800 86400 2419200 604800
pod04.lan.              604800  IN  NS  p04ldns1.pod04.lan.
pod04.lan.              604800  IN  NS  p04ldns2.pod04.lan.
client1.pod04.lan.      604800  IN  A   10.4.30.10
p04ldns1.pod04.lan.     604800  IN  A   10.4.30.4
p04ldns2.pod04.lan.     604800  IN  A   10.4.30.5
pod04.lan.              604800  IN  SOA p04ldns1.pod04.lan. admin.pod04.lan. 2023100805 60480
```
Minnie Minnie
(11 rep)
Oct 12, 2024, 04:52 PM
• Last activity: Oct 13, 2024, 12:05 AM
1 vote · 1 answer · 2153 views
DNS resolver priming query failure
I've recently stood up a new DNS server using Bind (v9.18.28-1) and I'm getting repeating blocks of errors in my "general" log file:
```
02-Oct-2024 09:49:09.723 resolver: DNS format error from 2001:7fe::53#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.755 resolver: DNS format error from 2001:dc3::35#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.787 resolver: DNS format error from 2001:500:2f::f#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.819 resolver: DNS format error from 2001:500:12::d0d#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.851 resolver: DNS format error from 2001:503:c27::2:30#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.883 resolver: DNS format error from 2001:500:2::c#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.919 resolver: DNS format error from 2001:500:2d::d#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.951 resolver: DNS format error from 2001:7fd::1#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:09.991 resolver: DNS format error from 2001:500:9f::42#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.027 resolver: DNS format error from 2801:1b8:10::b#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.059 resolver: DNS format error from 2001:500:a8::e#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.095 resolver: DNS format error from 2001:500:1::53#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.127 resolver: DNS format error from 2001:503:ba3e::2:30#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.163 resolver: DNS format error from 192.36.148.17#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.183 resolver: DNS format error from 202.12.27.33#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.207 resolver: DNS format error from 192.5.5.241#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.227 resolver: DNS format error from 192.112.36.4#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.251 resolver: DNS format error from 192.58.128.30#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.275 resolver: DNS format error from 192.33.4.12#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.299 resolver: DNS format error from 199.7.91.13#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.323 resolver: DNS format error from 193.0.14.129#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.347 resolver: DNS format error from 199.7.83.42#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.371 resolver: DNS format error from 170.247.170.2#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.395 resolver: DNS format error from 192.203.230.10#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.423 resolver: DNS format error from 198.97.190.53#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.447 resolver: DNS format error from 198.41.0.4#53 resolving ./NS for : non-improving referral
02-Oct-2024 09:49:10.447 resolver: resolver priming query complete: failure
```
It appears that these are all of the root name servers I've got listed in the /usr/share/dns/root.hints file.
This file is referenced via this zone block in my named configuration file:
```
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
```
Here are the options that I've got set:
```
options {
    directory "/var/cache/bind";
    allow-query {
        any;
    };
    forwarders {
        1.1.1.1;
    };
    allow-recursion {
        xx.xx.xx.xx/29;
        //10.0.0.0/8;
        10.1.0.0/16;
    };
    // hide version #
    version "unknown";
    dnssec-validation auto;
};
```
Any idea as to what is causing these format errors, and is there anything I can do about it?
Thanks folks!
geneb
(113 rep)
Oct 2, 2024, 05:01 PM
• Last activity: Oct 4, 2024, 02:52 PM
4 votes · 3 answers · 13727 views
postfix log messages: RBL lookup error: Host or domain name not found
I'm finding quite a few of these types of messages in my postfix log:
```
17:40:55 smtpd: warning: 34.77.82.185.b.barracudacentral.org: RBL lookup error: Host or domain name not found. Name service error for name=34.77.82.185.b.barracudacentral.org type=A: Host not found, try again
17:41:05 smtpd: warning: 34.77.82.185.hostkarma.junkemailfilter.com: RBL lookup error: Host or domain name not found. Name service error for name=34.77.82.185.hostkarma.junkemailfilter.com type=A: Host not found, try again
18:15:02 smtpd: warning: ptmail1.patrontechnology.com.dbl.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=ptmail1.patrontechnology.com.dbl.spamhaus.org type=A: Host not found, try again
18:40:27 smtpd: warning: 177.141.213.134.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=177.141.213.134.zen.spamhaus.org type=A: Host not found, try again
```
I am trying to understand if there is something wrong with my configuration or if these messages are (as I have read non-authoritatively elsewhere) merely a slightly weird way of indicating that the sender is not black-listed by the given service. Certainly some (maybe all) of the emails which generate these messages are genuine and are indeed forwarded correctly and successfully by postfix.
These are the relevant lines of my `smtp_recipient_restrictions`:
```
reject_rbl_client zen.spamhaus.org
reject_rbl_client b.barracudacentral.org
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
reject_rhsbl_helo dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_reverse_client dbl.spamhaus.org
```
gogoud
(2712 rep)
Jan 14, 2016, 10:07 AM
• Last activity: Sep 20, 2024, 01:27 PM
0 votes · 0 answers · 454 views
Bind error after update: directory '/var/named' is not writable - But no writing is necessary!
After upgrading a CentOS 7 server to AlmaLinux 9, and BIND along with it, I receive a new error message without changing (bind/named) configuration files:
```
systemctl status named
× named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2024-07-29 17:21:47 UTC; 19min ago
    Process: 948 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
    Process: 949 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
        CPU: 33ms

Jul 29 17:21:47 ns42.example.org named: directory '/var/named' is not writable
Jul 29 17:21:47 ns42.example.org named: /etc/named.conf:22: parsing failed: permission denied
Jul 29 17:21:47 ns42.example.org loading configuration: permission denied
Jul 29 17:21:47 ns42.example.org exiting (due to fatal error)
```
Why would (this newer version of) named need to write its zone files?
This is a non-recursive secondary/backup name server and this instance of BIND/named is not to change zones.
So I suppose the question could be: **How can I tell BIND not to try to write into its zone directory and not to complain about not being able to?**
Bind version is `bind-9.16.23-18.el9_4.1.x86_64`
EDIT:
Out of curiosity I temporarily made the folder writable by the named group and started the service. This is what it wrote:
```
-rw-r--r--. 1 named named 1045 Jul 29 17:51 /var/named/localhost_resolver.mkeys.jnl
-rw-r--r--. 1 named named 1045 Jul 29 17:51 /var/named/external.mkeys.jnl
-rw-r--r--. 1 named named 1045 Jul 29 17:51 /var/named/internal.mkeys.jnl
-rw-r--r--. 1 named named  821 Jul 29 17:52 /var/named/internal.mkeys
-rw-r--r--. 1 named named  821 Jul 29 17:52 /var/named/external.mkeys
-rw-r--r--. 1 named named  821 Jul 29 17:52 /var/named/localhost_resolver.mkeys
```
So, these are some type of journal files. **How can I disable writing these journal entries, as the zones are read-only anyway?**
Ned64
(9256 rep)
Jul 29, 2024, 05:51 PM
• Last activity: Jul 30, 2024, 09:51 AM
0 votes · 1 answer · 205 views
How do I determine the bare minimum Debian package requirements to run BIND9?
I want to create a Debian based DNS Server to run BIND9.
There is plenty of information on package dependencies, but it is all about how to install required packages when installing `package-x.y.z`. However, I cannot find *anything* about how to find out all the packages that are ***not*** required by `package-x.y.z` and uninstall them.
What I want to be able to do is get the answer to this question:
What are the *absolute minimum* set of packages required in order to successfully run BIND9, such that I can uninstall (or not install in the first place) all packages that are **not** required (directly or indirectly) in order to run BIND9?
For example, it's obvious that `named`/`bind` requires network connectivity, else it could not serve inbound DNS queries, so we *know* all packages and drivers for IP networking will be required. We also know we must have NTP because that serves a pretty important time keeping function which, although maybe not directly required or used by the `named`/`bind` process, is definitely indirectly required in order to enforce DNSSEC and other PKI tasks. We obviously also need everything for local user authentication, and also for running the SSH service to allow server management.
Perhaps I really should be asking - what is the absolute bare minimum Debian install that I can build, onto which I would only need to install BIND9?
skeetastax
(159 rep)
Jun 4, 2024, 04:59 AM
• Last activity: Jun 4, 2024, 06:31 AM
0 votes · 1 answer · 207 views
BIND9 as DNS server unable to fallback not defined directions to public DNS
## The Setup
I have a containerized named service which is given its own IP, with the following container file:
```
FROM alpine:latest
RUN apk --no-cache add bind bind-tools bind-dnssec-tools bind-dnssec-root
COPY --chmod=500 --chown=root:root init.sh /usr/sbin/init
COPY --chmod=444 --chown=root:root bindetc/named.conf /etc/bind/named.conf
RUN chmod 770 /var/bind
RUN chown root:named /var/bind
COPY --chmod=440 --chown=root:named bindetc/direct.db /var/bind/direct.db
COPY --chmod=440 --chown=root:named bindetc/reverse.db /var/bind/reverse.db
VOLUME "/var/bind"
EXPOSE 53/tcp 53/udp
CMD /usr/sbin/named -f -g -u named
```
I have a mix of an authority server and a recursive one with the following configuration, `bindetc/named.conf`:
```
acl LAN {
    192.168.0.0/24;
};  // acl statements must be terminated with ';' like every other named.conf statement
options {
    directory "/var/bind";
    allow-recursion {
        192.168.0.0/24;
        127.0.0.1/32;  // localhost
    };
    forwarders {
        1.1.1.1;         // Cloudflare
        208.67.222.222;  // OpenDNS
    };
    listen-on { 192.168.0.136; 127.0.0.1; };
    listen-on-v6 { none; };
    allow-transfer port 53 { 192.168.0.136; 0.0.0.0; };
    allow-query { localhost; LAN; };
    recursion yes;
    pid-file "/var/run/named/named.pid";
    dump-file "/var/bind/data/cache_dump.db";
    statistics-file "/var/bind/data/named_stats.txt";
    memstatistics-file "/var/bind/data/named_mem_stats.txt";
};
zone "." IN {
    type master;
    file "/var/bind/direct.db";
    allow-update { none; };
};
zone "in-addr.arpa" IN {
    type master;
    file "/var/bind/reverse.db";
    allow-update { none; };
};
```
With the following `bindetc/direct.db`:
```
$TTL 3600
$ORIGIN intranet.domain.
@       IN  SOA ns1.intranet.domain. postmaster.intranet.domain. (909090 9000 900 604800 1800)
@       IN  NS  ns1.intranet.domain.
ns1     IN  A   192.168.0.136
```
and the following `bindetc/reverse.db`:
```
$TTL 604800
@               IN  SOA ns1.intranet.domain. postmaster.intranet.domain. (909090 9000 900 604800 1800)
@               IN  NS  ns1.intranet.domain.
136.0.168.192   IN  PTR ns1.intranet.domain.
```
The IP of the container is `192.168.0.136`.
## The problem
When trying to resolve any public DNS record, for example `google.com`, it gives basically an empty response like the following, instead of asking Cloudflare or OpenDNS for the IP of that DNS record.
```
; <<>> DiG 9.16.44 <<>> google.com @192.168.0.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27326
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1f5514b62f24a19b0100000065ed3501a3ae047abe73afef (good)
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 48 msec
;; SERVER: 192.168.0.136#53(192.168.0.136)
;; WHEN: Sat Mar 09 22:20:17 CST 2024
;; MSG SIZE  rcvd: 67
```
Delfin
(150 rep)
Mar 10, 2024, 04:21 AM
• Last activity: Mar 10, 2024, 05:43 AM
0 votes · 0 answers · 36 views
Ubuntu, BIND9 and name resolution
I have installed BIND9 on my Ubuntu 22.04 LTS server as my Primary nameserver for the domain home.twelsh.co.uk. It was installed via apt and the config files were hand rolled with guidance from a Digital Ocean how-to
When I execute a dig request on a client PC, for name servers I get a correct answer
```
twelsh@builder-box:~$ dig @192.168.0.86 NS home.twelsh.co.uk

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.0.86 NS home.twelsh.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER
```
```
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.0.86 A calvin
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7947
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 751c6a8a04abd91b0100000065d90ad04417a14eccdffc7f (good)
;; QUESTION SECTION:
;calvin.                        IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024022301 1800 900 604800 86400

;; Query time: 32 msec
;; SERVER: 192.168.0.86#53(192.168.0.86) (UDP)
;; WHEN: Fri Feb 23 21:14:56 UTC 2024
;; MSG SIZE  rcvd: 138
```
As far as I am aware my zone file is fine:
twelsh@ns1:~$ sudo named-checkzone home.twelsh.co.uk /etc/bind/zones/db.home.twelsh.co.uk
zone home.twelsh.co.uk/IN: loaded serial 11
OK
and my reverse lookup:
twelsh@ns1:~$ sudo named-checkzone 0.168.192.in-addr.arpa /etc/bind/zones/db.192.168.0
zone 0.168.192.in-addr.arpa/IN: loaded serial 10
OK
Here are my zone and reverse lookup files.
/etc/bind/zones/db.home.twelsh.co.uk
;; Optimized BIND9 Forward Zone File
$ORIGIN home.twelsh.co.uk.
$TTL 5m
@ IN SOA ns1.home.twelsh.co.uk root.home.twelsh.co.uk. (
11 ; Serial
7d ; Refresh
1d ; Retry
28d ; Expire
7d ) ; Minimum TTL
IN NS ns1.home.twelsh.co.uk.
IN NS ns2.home.twelsh.co.uk.
n8n IN A 192.168.0.79
builder-box IN A 192.168.0.82
dev-server IN A 192.168.0.83
staging-server IN A 192.168.0.84
ns1 IN A 192.168.0.86
ns2 IN A 192.168.0.88
calvin IN A 192.168.0.89
Reverse zone file
$ORIGIN 0.168.192.in-addr.arpa.
$TTL 5m
@ IN SOA home.twelsh.co.uk. root.home.twelsh.co.uk. (
10 ; serial number incrementation example here
7d ; refresh interval
1d ; retry interval
28d ; expiry time
7d ) ; minimum cache lifetime
IN NS ns1.home.
IN NS ns2.home.
86 IN PTR ns1.home.
88 IN PTR ns2.home.
79 IN PTR n8n.home.
82 IN PTR builder-box.home.
83 IN PTR dev-server.home.
84 IN PTR staging-server.home.
86 IN PTR ns1.home.
88 IN PTR ns2.home.
89 IN PTR calvin.home.
/etc/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "home.twelsh.co.uk" {
type master;
file "/etc/bind/zones/db.home.twelsh.co.uk"; # zone file path
allow-transfer {192.168.0.88; }; # ns2 private IP address - secondary
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192.168.0.0"; # 192.168.0.0/24 subnet
allow-transfer { 192.168.0.88; }; # ns2 private IP address - secondary
};
twelsh37
(101 rep)
Feb 23, 2024, 10:08 PM
0
votes
1
answers
70
views
On Bind I see a strange error logging
Today I see in my bind9 log directory a lot of (empty!) log files:
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.1.2 update-debug.log.3.1.1.1.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.1.2.1 update-debug.log.3.1.1.1.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.2 update-debug.log.3.1.1.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.1.2.1 update-debug.log.3.1.1.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.1.1.1 querylog.2.1.1.1.2.1.1.1.1.1.2.1.2 update-debug.log.3.1.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.2 querylog.2.1.1.1.2.1.1.1.1.1.2.1.2.1 update-debug.log.3.1.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.1.2.1 querylog.2.1.1.1.2.1.1.1.1.1.2.2 update-debug.log.3.1.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.2 querylog.2.1.1.1.2.1.1.1.1.1.2.2.1 update-debug.log.3.1.2.1
querylog.1.1.1.2.2.1.1.1.2.1.1.1.1.2.1 querylog.2.1.1.1.2.1.1.1.1.1.3 update-debug.log.3.2
querylog.1.1.1.2.2.1.1.1.2.1.1.1.2 querylog.2.1.1.1.2.1.1.1.1.1.3.1 update-debug.log.3.2.1
The list is incomplete; there are over 7000 files.
This is the logging configuration in named.conf:
logging {
channel update_debug {
file "/var/log/update-debug.log";
severity debug 1;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/named-auth.info";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel querylog {
file "/var/log/querylog";
severity debug 1;
print-category yes;
print-severity yes;
print-time yes;
};
category update { update_debug; };
category security { security_info; };
category queries { querylog; };
};
How to avoid this fragmentation?
elbarna
(13690 rep)
Nov 20, 2023, 08:15 PM
• Last activity: Jan 1, 2024, 06:25 PM
1
votes
1
answers
2713
views
Reverse DNS Resolution Not Working After Installing Bind9 in Ubuntu Server
I installed a DNS server (bind9) on my ubuntu server and I am able to do name resolution from hostname to IP address using nslookup and dig; however, when I try to do reverse lookups I get an error:
nslookup 192.168.137.5
** server can't find 5.137.168.192.in-addr.arpa: NXDOMAIN
That IP address is the IP address of the local server, which is also the nameserver with bind9 installed.
If I do forward lookups, it works just fine:
nslookup example.com
Server: 192.168.137.5
Address: 192.168.137.5#53
Name: example.com
Address: 192.168.137.5
Name: example.com
Address: ::1
Here are my configuration files, 3 in total: named.conf.local, forward.example.com, reverse.example.com
named.conf.local
zone "example.com" IN {
type master;
file "/etc/bind/forward.example.com";
};
zone "137.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/reverse.example.com";
};
forward.example.com
$TTL 604800
@ IN SOA example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS home-server.example.com.
@ IN A 192.168.137.5
@ IN AAAA ::1
home-server IN A 192.168.137.5
wintop IN A 192.168.137.1
reverse.example.com
$TTL 604800
@ IN SOA example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS home-server.
@ IN PTR example.com.
@ IN AAAA ::1
home-server IN A 192.168.137.5
host IN A 192.168.137.5
wintop IN A 192.168.137.1
10 IN PTR home-server.example.com.
11 IN PTR wintop.example.com.
miatech
(119 rep)
Aug 30, 2020, 07:37 PM
• Last activity: Dec 30, 2023, 05:06 PM
7
votes
1
answers
6572
views
bind: forwarding zone does not work when allow-recursive not allowed
I have the following setup:
- DNS-Server reachable from the internet, is authoritative for zone foo.com
- DNS-Server reachable only locally, should be authoritative for zone test.lab.foo.com
What I try to achieve:
When a DNS query from the outside world reaches the first DNS server for a record belonging to the zone test.lab.foo.com, I want it to make a recursive request to the second DNS server and then forward the records.
I explicitly don't want to do zone transfers or make the second DNS server reachable from the internet.
My configuration looks like this (I only copied the [what I think] important parts here):
On the first DNS-Server
options {
allow-recursion {
localnets;
localhost;
internal;
my-datacenter;
mc-office;
};
};
zone "test.lab.foo.com" {
forward only;
forwarders {
;
};
type forward;
};
zone "foo.com" {
file "/etc/bind/zones/foo.com.zone";
type master;
};
My issue:
When I am in a local network that is whitelisted in the allow-recursion block, then it works as expected.
When I try the DNS lookup from the internet, then I get a NOERROR with an empty response back.
During debugging, I adjusted the allow-recursion list and added any to it. Then it was working.
But I don't want my DNS server to allow any kind of recursion. I actually only want "outside" lookups for this one specific zone to be recursive.
How can I set allow-recursion for just one zone?
Racer
(241 rep)
Feb 9, 2021, 06:23 PM
• Last activity: Oct 10, 2023, 04:03 PM
1
votes
1
answers
166
views
How do I get BIND (DNS) to be authoritative about a tld for more than a minute
I tried to block the .zip TLD on my laptop (running fedora 38) with bind.
1. Installing bind
2. Updating named.conf:
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
forwarders { 8.8.8.8; };
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
/* this makes it block everything */
// response-policy { zone "zip"; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "zip" IN {
type master;
file "zip-rpz";
allow-update { none; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
3. Added /var/named/zip-rpz:
$TTL 1D ; default expiration time (in seconds) of all RRs without their own TTL value
@ IN SOA ns.zip. postmaster.ns.zip. ( 2020091025 7200 3600 1209600 3600 )
@ IN NS ns1 ; nameserver
* IN A 127.0.0.1 ; localhost
IN AAAA :: ; localhost
4. Apply temporarily
sudo systemctl enable named
sudo service named restart
resolvectl dns wlp0s20f3 127.0.0.1
However, running dig url.zip returns 127.0.0.1 only for the next minute or so – after that it shows the "correct" ip (and I can visit the site in the Browser again).
Why is it getting reset?
If I remove the forwarders line, same result.
If I set recursion no;, I am unable to resolve anything _other_ than .zip urls (those point to 127.0.0.1).
nleanba
(121 rep)
May 23, 2023, 10:10 PM
• Last activity: May 24, 2023, 09:25 AM
0
votes
0
answers
84
views
Bind9 use old file format for zones
With BIND version 9.8, how can I use the old format zone files?
example.com. IN NS ns1.example.com.
instead of the new one
$ORIGIN example. etc etc
Thank you so much.
user3265051
(199 rep)
Mar 27, 2023, 01:51 AM
0
votes
0
answers
976
views
How to setup a bind9 server for a private home network
My end goal is to set up a DNS server to use in the network 10.0.0.0/24. The network consists of a TP-Link home switch, a workstation running runtu (ubuntu) linux and a laptop connected to that switch; the DNS server should be used to resolve IP addresses in the network 10.0.0.0/24 only.
The server 10.0.0.1 runs ssh, dhcp and hopefully dns.
I installed bind9 and created the following setup:
/etc/bind/named
OPTIONS="-4 -u bind"
/etc/bind/named.conf.local
zone "workstation.local" {
type master;
file "/etc/bind/forward.workstation.local";
};
zone "10.0.0.in-addr.arpa" {
type master;
file "/etc/bind/reverse.workstation.local"; # 10.0.0.0/24
};
/etc/bind/forward.workstation.local
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.workstation.localhost.
@ IN A 10.0.0.1
/etc/bind/reverse.workstation.local
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.workstation.local.
1 IN PTR ns1.workstation.local.
When trying the command host workstation.local I get the output
workstation.local not found: 2(SERVFAIL)
How do I properly set up the DNS server so that the laptop can connect to the IP 10.0.0.1 using workstation.local?
This is my first time setting up a DNS server in linux; I could use all the help possible.
Update: I tried to use home instead of local, but I still can't reach the server from the laptop.
misfit
(1 rep)
Mar 17, 2023, 05:45 PM
• Last activity: Mar 25, 2023, 01:54 PM