How to make sure that BIND DNS is configured correctly?

bktpl
Posts: 2
Joined: 2018/03/23 16:39:16

How to make sure that BIND DNS is configured correctly?

Post by bktpl » 2018/03/23 17:10:36

Hi there, I need your help to be sure that I have configured BIND version 9.9 correctly and that my dig and nslookup work as they should.
I am not sure that everything is OK, but I have NO IDEA where and what I should change.

First of all, why I'm trying to confirm all this:
after running systemctl status named -l I got this:

Code:

Mar 23 00:08:55 dc1.sub.domain.com named[1164]: all zones loaded
Mar 23 00:08:55 dc1.sub.domain.com named[1164]: running
Mar 23 00:08:55 dc1.sub.domain.com systemd[1]: Started Berkeley Internet Name Domain (DNS).
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: no longer listening on 192.168.1.100#53
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: no longer listening on 127.0.0.1#53
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: not listening on any interfaces
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: not listening on any interfaces
Mar 23 17:14:36 dc1.sub.domain.com named[1164]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 23 17:14:40 dc1.sub.domain.com named[1164]: listening on IPv4 interface enp0s3, 192.168.1.100#53
Mar 23 17:23:28 dc1.sub.domain.com named[1164]: client 127.0.0.1#58024 (dc1): query (cache) 'dc1/A/IN' denied

Also, the samba status shows:

Code:

Mar 23 00:08:57 dc1.sub.domain.com winbindd[1334]: [2018/03/23 00:08:57.626359,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Mar 23 00:08:57 dc1.sub.domain.com winbindd[1334]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Mar 23 16:43:49 dc1.sub.domain.com winbindd[1359]: [2018/03/23 16:43:49.619082,  0] ../source3/winbindd/winbindd_dual.c:107(child_write_response)
Mar 23 16:43:49 dc1.sub.domain.com winbindd[1359]:   Could not write result
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]: [2018/03/23 16:43:51.310978,  0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]: [2018/03/23 16:43:51.311524,  0] ../source4/dsdb/dns/dns_update.c:313(dnsupdate_spnupdate_done)
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]:   ../source4/dsdb/dns/dns_update.c:313: Failed SPN update - with error code 110
Mar 23 16:43:51 dc1.sub.domain.com smbd[1332]: [2018/03/23 16:43:51.733542,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Mar 23 16:43:51 dc1.sub.domain.com smbd[1332]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections

And after running nslookup:

Code:

[root@dc1 ~]# nslookup
> dc1
Server:         192.168.1.100
Address:        192.168.1.100#53

** server can't find dc1: NXDOMAIN
> dc1.sub.domain.com
Server:         192.168.1.100
Address:        192.168.1.100#53

Name:   dc1.sub.domain.com
Address: 192.168.122.1
Name:   dc1.sub.domain.com
Address: 192.168.1.100
> vsfiles
Server:         192.168.1.100
Address:        192.168.1.100#53

** server can't find vsfiles: NXDOMAIN
> vsfiles.sub.domain.com
Server:         192.168.1.100
Address:        192.168.1.100#53

** server can't find vsfiles.sub.domain.com: NXDOMAIN

After running dig:

Code:

[root@dc1 ~]# dig dc1

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> dc1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23884
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.                           IN      A

;; AUTHORITY SECTION:
.                       8491    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018032201 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:53:30 CET 2018
;; MSG SIZE  rcvd: 107

[root@dc1 ~]# dig dc1.sub.domain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> dc1.sub.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52581
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.sub.domain.com.             IN      A

;; ANSWER SECTION:
dc1.sub.domain.com.      900     IN      A       192.168.1.100
dc1.sub.domain.com.      900     IN      A       192.168.122.1

;; AUTHORITY SECTION:
sub.domain.com.          900     IN      NS      dc1.sub.domain.com.

;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:53:39 CET 2018
;; MSG SIZE  rcvd: 92

[root@dc1 ~]# dig dc1.sub.domain.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> dc1.sub.domain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19681
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.sub.domain.com.             IN      A

;; ANSWER SECTION:
dc1.sub.domain.com.      900     IN      A       192.168.122.1
dc1.sub.domain.com.      900     IN      A       192.168.1.100

;; AUTHORITY SECTION:
sub.domain.com.          900     IN      NS      dc1.sub.domain.com.

;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:53:44 CET 2018
;; MSG SIZE  rcvd: 92

[root@dc1 ~]# dig vsfiles.sub.domain.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> vsfiles.sub.domain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41015
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vsfiles.sub.domain.com.         IN      A

;; AUTHORITY SECTION:
sub.domain.com.          3600    IN      SOA     dc1.sub.domain.com. hostmaster.sub.domain.com. 21 900 600 86400 3600

;; Query time: 6 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:54:06 CET 2018
;; MSG SIZE  rcvd: 101

[root@dc1 ~]# dig vsfiles.sub.domain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> vsfiles.sub.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6486
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vsfiles.sub.domain.com.         IN      A

;; AUTHORITY SECTION:
sub.domain.com.          3600    IN      SOA     dc1.sub.domain.com. hostmaster.sub.domain.com. 21 900 600 86400 3600

;; Query time: 7 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:54:19 CET 2018
;; MSG SIZE  rcvd: 101

[root@dc1 ~]# dig vsfiles

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> vsfiles
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25419
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vsfiles.                       IN      A

;; AUTHORITY SECTION:
.                       8425    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018032300 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:54:28 CET 2018
;; MSG SIZE  rcvd: 111


Why don't I get an answer for the vsfiles record? Are the other queries OK? Shouldn't it be ANSWER: 1, not 0, for some of the questions?
I have added vsfiles to the domain and I can see it as a computer account in RSAT from Windows, so I have no idea why I don't get any information about this machine.

My named.conf:

Code:

# Global BIND configuration options
include "/usr/local/samba/private/named.conf";
options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    listen-on port 53 {
                127.0.0.1;
                192.168.1.100;};

allow-query {
        127.0.0.1;
        localhost;
        192.168.1.0/24;

# add other networks you want to allow to query your DNS
    };

    allow-recursion {
        192.168.1.0/24;

 # add other networks you want to allow to do recursive queries
    };

    forwarders {
        # Google public DNS server here - replace with your own if necessary
        8.8.8.8;
        8.8.4.4;
    };

    allow-transfer {
        # this config is for a single master DNS server
     localhost;
    };

};


# Root servers (required zone for recursive queries)
zone "." {
   type hint;
   file "named.root";
};

# Required localhost forward-/reverse zones
zone "domain.com" {
    type master;
    file "master/sub.domain.com.zone";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/192.168.1.zone";
};
My zone files:

Code:

$TTL 1D

@       IN      SOA     sub.domain.com.  root.sub.domain.com. (
                                        2018032301      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        IN NS           dc1.sub.domain.com.
                        ;IN NS           srv12.linuxphobia.com.

                        IN MX 5 smpt.sub.domain.com.

dc1.sub.domain.com.   IN      A       192.168.1.100
dc2.sub.domain.com.   IN     A       192.168.1.200


mail.sub.domain.com.   IN      CNAME   smtp.sub.domain.com.

;webserver.linuxphobia.com. IN   A       192.168.1.111

;sai-scan.linuxphobia.com.       IN      A       192.168.1.71
;                                IN      A       192.168.1.72
;                                IN      A       192.168.1.73
;                                IN      TXT     "Round-robin IP for Scan"

sub.domain.com.        IN      A       192.168.1.100
smtp.sub.domain.com.   IN      A       192.168.1.111
;www                     IN      CNAME   webserver.linuxphobia.com

vsfiles.sub.domain.com. IN A 192.168.1.101

Code:

$TTL 1D

@       IN      SOA     sub.domain.com.  root.sub.domain.com. (
                                        2018032301      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                         NS           dc1.sub.domain.com.

                        ;IN NS           srv12.linuxphobia.com.
;                        IN MX 5 smpt.sub.domain.com.
;dc1.sub.domain.com.   IN      A       192.168.1.100
;dc2.sub.domain.com.   IN     A       192.168.1.200
;mail.sub.domain.com.   IN      CNAME   smtp.sub.domain.com.
;webserver.linuxphobia.com. IN   A       192.168.1.111
;sai-scan.linuxphobia.com.       IN      A       192.168.1.71
;                                IN      A       192.168.1.72
;                                IN      A       192.168.1.73
;                                IN      TXT     "Round-robin IP for Scan"
;sub.domain.com.        IN      A       192.168.1.100
;www                     IN      CNAME   webserver.linuxphobia.com.

100 IN PTR dc1.sub.domain.com.
200 IN PTR dc2.sub.domain.com.

100 IN PTR sub.domain.com.
101 IN PTR vsfiles.sub.domain.com.
What did I do wrong?
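Added example, not the poster's code: a small Python lint that parses BIND-style zone files and reports slips that named loads without complaint, run over trimmed copies of the two zone files shown above (the SOA, NS, MX, A, CNAME and PTR records; the commented-out lines are dropped). named-checkconf and named-checkzone remain the first thing to run; this adds the checks they do not make. On the posted data it reports the MX target smpt.sub.domain.com. (no address record behind it), an SOA MNAME of sub.domain.com. that is not one of the zone's NS hosts, two PTR records on 100.1.168.192.in-addr.arpa., and that every record in the forward file lives under sub.domain.com. although named.conf loads that file as zone "domain.com". The function and constant names (FORWARD_ZONE, parse_zone, dangling_targets and so on) are the example's own.

```python
"""Lint BIND zone files for slips named accepts silently (added example, not from
the post): in-zone MX/NS/CNAME targets with no address record, an SOA MNAME that is
not an NS of the zone, owners with several PTRs, and a file whose records all sit
below a name deeper than the zone named.conf loads it as."""
import re
from collections import defaultdict

RRTYPES = {"A", "AAAA", "NS", "MX", "CNAME", "PTR", "SOA", "TXT", "SRV"}
CLASSES = {"IN", "CH", "HS"}
BEFORE_COMMENT = re.compile(r'^(?:[^";]|"[^"]*")*')  # text up to a ';' outside quotes

def logical_lines(text):
    """Strip comments and join '( ... )' continuations (the SOA block) into one line."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = BEFORE_COMMENT.match(raw).group(0)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            lines.append(" ".join(buf))
            buf, depth = [], 0
    return lines

def qualify(name, origin):
    """Absolute, lowercase form of a name relative to the current origin."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, zone):
    """Return ([(owner, TYPE, rdata tokens)], origin) with absolute owner names."""
    origin = (zone if zone.endswith(".") else zone + ".").lower()
    records, last_owner = [], origin
    for line in logical_lines(text):
        toks = line.split()
        if not toks:
            continue
        if toks[0].startswith("$"):                # $TTL, $ORIGIN, ...
            if toks[0].upper() == "$ORIGIN":
                origin = qualify(toks[1], origin)
            continue
        owner = last_owner if line[0].isspace() else qualify(toks.pop(0), origin)
        while toks and (toks[0].upper() in CLASSES or toks[0][0].isdigit()):
            toks.pop(0)                            # optional TTL and class
        if toks and toks[0].upper() in RRTYPES:
            records.append((owner, toks[0].upper(), toks[1:]))
            last_owner = owner
    return records, origin

def dangling_targets(records, origin):
    """In-zone MX/NS/CNAME targets that no A, AAAA or CNAME record in the zone defines."""
    known = {o for o, t, _ in records if t in ("A", "AAAA", "CNAME")}
    targets = [(o, t, qualify(r[-1], origin)) for o, t, r in records if t in ("MX", "NS", "CNAME") and r]
    return [(o, t, tgt) for o, t, tgt in targets
            if (tgt == origin or tgt.endswith("." + origin)) and tgt not in known]

def soa_mname_not_ns(records, origin):
    """RFC 1912 expects the SOA MNAME to be one of the zone's NS hosts; report it if not."""
    ns = sorted(qualify(r[0], origin) for o, t, r in records if o == origin and t == "NS")
    mnames = [qualify(r[0], origin) for o, t, r in records if o == origin and t == "SOA"]
    return None if not mnames or mnames[0] in ns else (mnames[0], ns)

def duplicate_ptr(records):
    """Owners carrying more than one PTR, usually a copy-paste slip in a reverse zone."""
    ptrs = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "PTR":
            ptrs[owner].append(rdata[0])
    return {o: t for o, t in ptrs.items() if len(t) > 1}

def deeper_common_suffix(records, origin):
    """Name below the origin under which every non-apex record sits, else None.
    A hit suggests the file was written for that zone, not the one named.conf names."""
    owners = [o.rstrip(".").split(".")[::-1] for o, _, _ in records if o != origin]
    common = []
    for labels in zip(*owners) if len(owners) > 1 else ():
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    return ".".join(reversed(common)) + "." if len(common) > origin.count(".") else None

# Trimmed copies of the two zone files in the post (commented-out records dropped).
FORWARD_ZONE = """\
$TTL 1D
@       IN      SOA     sub.domain.com.  root.sub.domain.com. (
                                        2018032301 3H 15M 1W ; serial refresh retry expiry
                                        1D )            ; minimum
                        IN NS           dc1.sub.domain.com.
                        IN MX 5 smpt.sub.domain.com.
dc1.sub.domain.com.     IN      A       192.168.1.100
mail.sub.domain.com.    IN      CNAME   smtp.sub.domain.com.
sub.domain.com.         IN      A       192.168.1.100
smtp.sub.domain.com.    IN      A       192.168.1.111
vsfiles.sub.domain.com. IN A 192.168.1.101
"""
REVERSE_ZONE = """\
$TTL 1D
@   IN  SOA  sub.domain.com. root.sub.domain.com. ( 2018032301 3H 15M 1W 1D )
    NS   dc1.sub.domain.com.
100 IN PTR dc1.sub.domain.com.
100 IN PTR sub.domain.com.
101 IN PTR vsfiles.sub.domain.com.
"""

if __name__ == "__main__":
    for zone, text in (("domain.com", FORWARD_ZONE), ("1.168.192.in-addr.arpa", REVERSE_ZONE)):
        records, origin = parse_zone(text, zone)
        print(zone, dangling_targets(records, origin), soa_mname_not_ns(records, origin),
              duplicate_ptr(records), deeper_common_suffix(records, origin), sep="\n  ")
```

The zone name passed to parse_zone is the one from the zone statement in named.conf, not the one the file's SOA implies, so the last check compares what the file contains with what BIND will actually serve it as. The parser covers the record syntax used in these files (directives, one SOA continuation block, optional TTL and class); it is not a full master-file parser.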
