Comment 8 for bug 1787739

Mike Dotson (mgdotson) wrote :

First, I want to apologize, the Vagrant file I uploaded was apparently the incorrect one. I'm attaching the version I'm testing with. I actually found this with my internal server running as an LXD container.

With my options file set to the following (192.168.0.130 is the eth0 address):
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable
 // nameservers, you probably want to use them as forwarders.
 // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.

 forwarders {
   1.1.1.1;
 };

 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys. See https://www.isc.org/bind-keys
 //========================================================================
 dnssec-validation false;

 auth-nxdomain no; # conform to RFC1035
 listen-on-v6 { any; };
 listen-on { 192.168.0.130; };
};

vagrant@ubuntu-bionic:/etc/bind$ nslookup ubuntu.com - 192.168.0.130
Server: 192.168.0.130
Address: 192.168.0.130#53

Non-authoritative answer:
Name: ubuntu.com
Address: 91.189.94.40
** server can't find ubuntu.com: SERVFAIL

vagrant@ubuntu-bionic:/etc/bind$ dig @192.168.0.130 +trace ubuntu.com

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @192.168.0.130 +trace ubuntu.com
; (1 server found)
;; global options: +cmd
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
;; Received 343 bytes from 192.168.0.130#53(192.168.0.130) in 0 ms

;; expected opt record in response
ubuntu.com. 599 IN A 91.189.94.40
. 3574 IN NS c.root-servers.net.
. 3574 IN NS d.root-servers.net.
. 3574 IN NS e.root-servers.net.
. 3574 IN NS f.root-servers.net.
. 3574 IN NS g.root-servers.net.
. 3574 IN NS h.root-servers.net.
. 3574 IN NS i.root-servers.net.
. 3574 IN NS a.root-servers.net.
. 3574 IN NS j.root-servers.net.
. 3574 IN NS k.root-servers.net.
. 3574 IN NS l.root-servers.net.
. 3574 IN NS m.root-servers.net.
. 3574 IN NS b.root-servers.net.
;; Received 271 bytes from 199.9.14.201#53(B.ROOT-SERVERS.NET) in 61 ms

vagrant@ubuntu-bionic:/etc/bind$ host -d ubuntu.com 192.168.0.130
Trying "ubuntu.com"
Using domain server:
Name: 192.168.0.130
Address: 192.168.0.130#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30799
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ubuntu.com. IN A

;; ANSWER SECTION:
ubuntu.com. 445 IN A 91.189.94.40

Received 44 bytes from 192.168.0.130#53 in 0 ms
Trying "ubuntu.com"
Host ubuntu.com not found: 2(SERVFAIL)
Received 28 bytes from 192.168.0.130#53 in 90 ms
Trying "ubuntu.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61761
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; QUESTION SECTION:
;ubuntu.com. IN MX

;; ANSWER SECTION:
ubuntu.com. 2554 IN MX 10 mx.canonical.com.

;; AUTHORITY SECTION:
. 3551 IN NS k.root-servers.net.
. 3551 IN NS f.root-servers.net.
. 3551 IN NS b.root-servers.net.
. 3551 IN NS i.root-servers.net.
. 3551 IN NS g.root-servers.net.
. 3551 IN NS a.root-servers.net.
. 3551 IN NS h.root-servers.net.
. 3551 IN NS e.root-servers.net.
. 3551 IN NS c.root-servers.net.
. 3551 IN NS d.root-servers.net.
. 3551 IN NS l.root-servers.net.
. 3551 IN NS m.root-servers.net.
. 3551 IN NS j.root-servers.net.

;; ADDITIONAL SECTION:
e.root-servers.net. 2823 IN AAAA 2001:500:a8::e
g.root-servers.net. 2823 IN AAAA 2001:500:12::d0d

Received 324 bytes from 192.168.0.130#53 in 0 ms

However, I'm hesitant to say it's just an issue with nslookup as:
vagrant@ubuntu-bionic:/etc/bind$ nslookup ubuntu.com - 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: ubuntu.com
Address: 91.189.94.40

And per notes above, using Debian stretch against the same bind servers does not result in the error, so it's a combination of the (bionic) nslookup and the (bionic) named.

sysadmin@prometheus:~ $ lsb_release --all
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch

prometheus:~ $ nslookup ubuntu.com - 192.168.0.130
Server: 192.168.0.130
Address: 192.168.0.130#53

Non-authoritative answer:
Name: ubuntu.com
Address: 91.189.94.40

So the bind server *is* working?

Changing named.conf.options to match yours (192.168.0.130 is the vagrant eth0 address):

vagrant@ubuntu-bionic:/etc/bind$ more named.conf.options
options {
 directory "/var/cache/bind";

 forwarders {
   1.1.1.1;
 };

 dnssec-validation auto;

 auth-nxdomain no; # conform to RFC1035
 listen-on { 192.168.0.130; };
};

vagrant@ubuntu-bionic:/etc/bind$ nslookup ubuntu.com - 192.168.0.130
Server: 192.168.0.130
Address: 192.168.0.130#53

** server can't find ubuntu.com: SERVFAIL

Output for dig with same configuration:
vagrant@ubuntu-bionic:~$ dig @192.168.0.130 +trace ubuntu.com

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @192.168.0.130 +trace ubuntu.com
; (1 server found)
;; global options: +cmd
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
;; Received 267 bytes from 192.168.0.130#53(192.168.0.130) in 0 ms

;; expected opt record in response
ubuntu.com. 228 IN A 91.189.94.40
. 3203 IN NS k.root-servers.net.
. 3203 IN NS l.root-servers.net.
. 3203 IN NS m.root-servers.net.
. 3203 IN NS b.root-servers.net.
. 3203 IN NS c.root-servers.net.
. 3203 IN NS d.root-servers.net.
. 3203 IN NS e.root-servers.net.
. 3203 IN NS f.root-servers.net.
. 3203 IN NS g.root-servers.net.
. 3203 IN NS h.root-servers.net.
. 3203 IN NS i.root-servers.net.
. 3203 IN NS a.root-servers.net.
. 3203 IN NS j.root-servers.net.
;; Received 271 bytes from 199.7.91.13#53(D.ROOT-SERVERS.NET) in 16 ms

vagrant@ubuntu-bionic:~$ host -d ubuntu.com 192.168.0.130
Trying "ubuntu.com"
Using domain server:
Name: 192.168.0.130
Address: 192.168.0.130#53
Aliases:

Host ubuntu.com not found: 2(SERVFAIL)
Received 28 bytes from 192.168.0.130#53 in 4066 ms

So there's also an issue with `host` with dnssec set to auto. Changing it back to false gives the same results (the only change is the ipv6 listen entry).

I've uploaded the Vagrant file I'm using to debug. It will fail upon vagrant up after the nslookup tests but you should be able to `vagrant ssh` into the system and test from there.

I would be interested to see if the Vagrant system works for you as well.
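The outputs above hinge on two things that are easy to misread in tool output: the RCODE of each response (NOERROR versus SERVFAIL) and whether the resolver returned an EDNS(0) OPT record (dig's ";; expected opt record in response" complaint). The following Python script is an added example, not part of this bug report and not BIND or dig code: it parses raw DNS wire-format responses and reports the RCODE, any A answers, and OPT/DO details. The two sample responses it checks are constructed in the script to mirror the shapes seen above (a NOERROR answer for ubuntu.com with an OPT record, and a bare SERVFAIL with no OPT); the message IDs, UDP payload size and TTLs are made-up values, not captured traffic.

```python
"""Parse raw DNS responses and report RCODE plus EDNS(0) OPT presence.

Added diagnostic example; the sample messages below are constructed, not captured.
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_A = 1
TYPE_OPT = 41


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if not jumped:
                end = off + 2                      # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Summarise a DNS response: rcode name, A answers, and OPT record details."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F                           # low 4 bits of the flags word
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers, opt = [], None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_OPT:
                # In an OPT RR, CLASS carries the UDP payload size and the TTL field
                # carries extended RCODE (high byte), EDNS version, and flags (DO = 0x8000).
                rcode |= ((ttl >> 24) & 0xFF) << 4
                opt = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
            elif section == "answer" and rtype == TYPE_A and rdlen == 4:
                answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": ident, "rcode": RCODES.get(rcode, str(rcode)),
            "answers": answers, "has_opt": opt is not None, "opt": opt}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(ident, rcode, qname, a_rdata=None, with_opt=False, do=False):
    """Build a constructed response (QR=1, RD=1, RA=1) for exercising the parser."""
    flags = 0x8180 | (rcode & 0x0F)
    msg = struct.pack("!HHHHHH", ident, flags, 1, 1 if a_rdata else 0, 0, 1 if with_opt else 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    if a_rdata:                                    # answer name points back at the question (offset 12)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 599, 4)
        msg += bytes(int(x) for x in a_rdata.split("."))
    if with_opt:                                   # OPT: root name, class = UDP size, TTL = flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do else 0, 0)
    return msg


# Constructed samples modelled on the two response shapes seen in the bug output.
GOOD_RESPONSE = build_response(0x1234, 0, "ubuntu.com", "91.189.94.40", with_opt=True, do=True)
SERVFAIL_RESPONSE = build_response(0x1235, 2, "ubuntu.com")

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("servfail", SERVFAIL_RESPONSE)):
        print(label, parse_response(raw))
```

A response with `has_opt` False to a query that carried an OPT record is exactly what dig flags with "expected opt record in response"; checking `rcode` alongside it separates "forwarder path broke" (SERVFAIL) from "answer came back but EDNS was stripped", which is the distinction the nslookup and host output above blurs.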