For doc purposes, I've had an interesting time
debugging why the bind9 forwarding didn't work
to a host running dnsmasq/libvirt (DNS server).
After some tcpdump comparisons against a local
dig client that worked fine, it turns out that
dnssec-validation must be changed from 'auto'
to 'yes', and then bind9 forwarding worked OK!
bind forwarder / default (see percent symbol): FAIL / NotImp
---
$ sudo tcpdump -i vnet9 'port 53'
...
22:59:07.461914 IP 192.168.122.11.48475 > rotom.domain: 36180+% [1au] A? ubuntu.com. (51)
22:59:07.462424 IP rotom.domain > 192.168.122.11.48475: 36180 NotImp 0/0/1 (62)
...
local client (no percent symbol): PASS
---
$ sudo tcpdump -i lo 'port 53'
...
22:58:24.444288 IP rotom.47673 > rotom.domain: 30984+ [1au] A? ubuntu.com. (51)
22:58:24.444915 IP rotom.domain > rotom.47673: 30984 4/0/1 A 91.189.88.181, A 91.189.91.44, A 91.189.91.45, A 91.189.88.180 (103)
...
bind forwarder / dnssec-validation yes (NO percent symbol): PASS
---
$ sudo tcpdump -i vnet9 'port 53'
...
23:04:28.551700 IP 192.168.122.11.47530 > rotom.domain: 36699+ [1au] A? ubuntu.com. (51)
23:04:28.648898 IP rotom.domain > 192.168.122.11.47530: 36699 4/0/1 A 91.189.91.45, A 91.189.88.181, A 91.189.88.180, A 91.189.91.44 (126)
...
Reference: https://serverfault.com/questions/399911/tcpdump-dns-output-codes#400044
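
Added example, not part of the original comment: tcpdump prints `%` after the query id when the DNS CD (checking disabled) bit is set, which is the "percent symbol" in the captures above. This Python script pairs each query with its reply across the three captures and reports CD queries that came back with an error rcode; the function names and the rcode subset are choices made for this example.

```python
import re

# Capture lines taken from the comment above (tcpdump without -n, so port 53 shows as "domain").
CAPTURE = """\
22:59:07.461914 IP 192.168.122.11.48475 > rotom.domain: 36180+% [1au] A? ubuntu.com. (51)
22:59:07.462424 IP rotom.domain > 192.168.122.11.48475: 36180 NotImp 0/0/1 (62)
22:58:24.444288 IP rotom.47673 > rotom.domain: 30984+ [1au] A? ubuntu.com. (51)
22:58:24.444915 IP rotom.domain > rotom.47673: 30984 4/0/1 A 91.189.88.181, A 91.189.91.44, A 91.189.91.45, A 91.189.88.180 (103)
23:04:28.551700 IP 192.168.122.11.47530 > rotom.domain: 36699+ [1au] A? ubuntu.com. (51)
23:04:28.648898 IP rotom.domain > 192.168.122.11.47530: 36699 4/0/1 A 91.189.91.45, A 91.189.88.181, A 91.189.88.180, A 91.189.91.44 (126)
"""

# timestamp, src endpoint, dst endpoint, DNS id, flag characters glued to the id, remainder
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
                  r"(?P<id>\d+)(?P<flags>[-+%*|$]*) (?P<rest>.*)$")
DNS_PORT = (".domain", ".53")          # with and without tcpdump -n
RCODES = {"FormErr", "ServFail", "NXDomain", "NotImp", "Refused"}  # subset of tcpdump's names

def pair_exchanges(text):
    """Match each query to its reply by (client endpoint, DNS id)."""
    pending, exchanges = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["dst"].endswith(DNS_PORT):                 # towards the server: a query
            pending[(m["src"], m["id"])] = {
                "client": m["src"], "id": int(m["id"]),
                "rd": "+" in m["flags"],                # recursion desired
                "cd": "%" in m["flags"],                # checking disabled
            }
        elif m["src"].endswith(DNS_PORT):               # from the server: the reply
            query = pending.pop((m["dst"], m["id"]), None)
            if query:
                first = m["rest"].split()[0].rstrip("*-|$")
                # tcpdump prints no rcode name when the reply is NoError
                query["rcode"] = first if first in RCODES else "NoError"
                exchanges.append(query)
    return exchanges

def cd_failures(exchanges):
    """Queries sent with the CD bit that the server answered with an error."""
    return [e for e in exchanges if e["cd"] and e["rcode"] != "NoError"]

if __name__ == "__main__":
    for e in cd_failures(pair_exchanges(CAPTURE)):
        print(f"id {e['id']} from {e['client']}: CD set, reply {e['rcode']}")
```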