RE: bind9 and dns forward
- To: Michel Verdier <mv524@free.fr>
- Cc: debian-user list <debian-user@lists.debian.org>
- Subject: RE: bind9 and dns forward
- From: Bonno Bloksma <b.bloksma@tio.nl>
- Date: Thu, 1 Jun 2023 07:32:41 +0000
- Message-id: <AM6PR04MB509549850A51DB0A792E222B9D499@AM6PR04MB5095.eurprd04.prod.outlook.com>
- In-reply-to: <87jzwzb2h5.fsf@free.fr>
- References: <AM6PR04MB50950098FC30BF288508987E9D6B9@AM6PR04MB5095.eurprd04.prod.outlook.com> <875y9fqjbt.fsf@free.fr> <AM6PR04MB5095508A88EE5DF291C629A89D6F9@AM6PR04MB5095.eurprd04.prod.outlook.com> <87o7n2ncbd.fsf@free.fr> <VI1PR04MB5104CB7C1B1A80DDF89292E19D729@VI1PR04MB5104.eurprd04.prod.outlook.com> <87o7myt0ww.fsf@free.fr> <AM6PR04MB5095173A16A9FEA0947844BD9D719@AM6PR04MB5095.eurprd04.prod.outlook.com> <878rdzf5fh.fsf@free.fr> <AM6PR04MB5095F6BE6C5B8B5B9A80B8879D7C9@AM6PR04MB5095.eurprd04.prod.outlook.com> <AM6PR04MB50951ABCD64433E3670C53509D7C9@AM6PR04MB5095.eurprd04.prod.outlook.com> <87jzwzb2h5.fsf@free.fr>
Hi,
> resolv.conf must have only one search entry. And you don't want to resolve with Google directly. So you should have:
Ok, I have the Google DNS commented. Although.... Now I remember why I had the Google DNS in there. ;-)
For my machine to create the VPN it needs to know the IP number of the gateway.
I fixed that for now with an entry in the /etc/hosts file. :-)
>> When booting, if the internal bind is not up and running yet, some services might need a resolver, so I have 8.8.8.8 in there as well as a second DNS entry.
> Ensure this in services ordering (systemd or initd). It's better and safer. And I think it's better to get an error than a false result from bind.
Ok, I get it.
-----<Quote>-----------------
linbobo:~# rndc flush
linbobo:~# dig tio.nl NS
; <<>> DiG 9.16.37-Debian <<>> tio.nl NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49974
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 52571ae710dcd2cc010000006478463be41c8b3a2afd14a5 (good)
;; QUESTION SECTION:
;tio.nl. IN NS
;; Query time: 244 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 01 09:18:19 CEST 2023
;; MSG SIZE rcvd: 63
-----<Quote>-----------------
Hmm, no answer, that is weird.
-----<Quote>-----------------
linbobo:~# ss -nap | grep named
u_dgr UNCONN 0 0 * 17532 * 12035 users:(("named",pid=554,fd=3))
u_str ESTAB 0 0 * 17082 * 17525 users:(("named",pid=554,fd=2),("named",pid=554,fd=1))
udp UNCONN 0 0 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=83))
udp UNCONN 0 0 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=85))
udp UNCONN 0 0 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=84))
udp UNCONN 0 0 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=82))
udp UNCONN 0 0 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=49))
udp UNCONN 0 0 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=50))
udp UNCONN 0 0 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=51))
udp UNCONN 0 0 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=52))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=39))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=38))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=40))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=37))
udp UNCONN 0 0 [::1]:53 [::]:* users:(("named",pid=554,fd=60))
udp UNCONN 0 0 [::1]:53 [::]:* users:(("named",pid=554,fd=58))
udp UNCONN 0 0 [::1]:53 [::]:* users:(("named",pid=554,fd=59))
udp UNCONN 0 0 [::1]:53 [::]:* users:(("named",pid=554,fd=57))
udp UNCONN 0 0 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=67))
udp UNCONN 0 0 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=69))
udp UNCONN 0 0 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=70))
udp UNCONN 0 0 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=68))
udp UNCONN 0 0 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=66))
udp UNCONN 0 0 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=75))
udp UNCONN 0 0 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=76))
udp UNCONN 0 0 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=77))
udp UNCONN 0 0 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=90))
udp UNCONN 0 0 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=91))
udp UNCONN 0 0 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=92))
udp UNCONN 0 0 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=93))
tcp LISTEN 0 10 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=87))
tcp LISTEN 0 10 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=89))
tcp LISTEN 0 10 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=88))
tcp LISTEN 0 10 172.16.1.138:53 0.0.0.0:* users:(("named",pid=554,fd=86))
tcp LISTEN 0 10 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=53))
tcp LISTEN 0 10 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=54))
tcp LISTEN 0 10 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=55))
tcp LISTEN 0 10 172.16.17.1:53 0.0.0.0:* users:(("named",pid=554,fd=56))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=41))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=42))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=43))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=554,fd=44))
tcp LISTEN 0 4096 127.0.0.1:953 0.0.0.0:* users:(("named",pid=554,fd=36))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=554,fd=63))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=554,fd=62))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=554,fd=61))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=554,fd=64))
tcp LISTEN 0 10 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=71))
tcp LISTEN 0 10 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=72))
tcp LISTEN 0 10 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=74))
tcp LISTEN 0 10 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:* users:(("named",pid=554,fd=73))
tcp LISTEN 0 10 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=78))
tcp LISTEN 0 10 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=80))
tcp LISTEN 0 10 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=81))
tcp LISTEN 0 10 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:* users:(("named",pid=554,fd=79))
tcp LISTEN 0 10 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=94))
tcp LISTEN 0 10 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=96))
tcp LISTEN 0 10 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=95))
tcp LISTEN 0 10 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:* users:(("named",pid=554,fd=97))
tcp LISTEN 0 4096 [::1]:953 [::]:* users:(("named",pid=554,fd=65))
linbobo:~#
-----<Quote>-----------------
172.16.17.1 is my machine
Same for the 2 ipv6 addresses
172.16.1.138 is my side of the VPN tunnel
From syslog after dig tio.nl NS
-----<Quote>-----------------
Jun 1 09:25:45 linbobo named[554]: validating tio.nl/NS: got insecure response; parent indicates it should be secure
Jun 1 09:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.128.40#53
Jun 1 09:25:45 linbobo named[554]: validating tio.nl/NS: got insecure response; parent indicates it should be secure
Jun 1 09:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.208.10#53
-----<Quote>-----------------
It is still weird. What else can we try? Is there something we can do to see what it IS getting back so we can compare it with what it should be?
I even just now tried
-----<Quote>-----------------
linbobo:/var/cache/bind# service named stop
linbobo:/var/cache/bind# ll
total 3300
-rw-r--r-- 1 bind bind 821 Jun 1 09:16 managed-keys.bind
-rw-r--r-- 1 bind bind 1856 Jun 1 09:16 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind 3367966 May 8 11:37 named_dump.db
linbobo:/var/cache/bind# rm *
linbobo:/var/cache/bind# service named start
linbobo:/var/cache/bind# dig tio.nl NS
-----<Quote>-----------------
But still same result. :-(
Bonno Bloksma
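The log lines above ("got insecure response; parent indicates it should be secure", "insecurity proof failed") say what a validating BIND is complaining about: the parent zone publishes a DS record for the zone, but the answer coming back through the forwarders carries no DNSSEC signatures, so the resolver cannot prove the zone is either secure or legitimately unsigned and returns SERVFAIL. The script below is an added example, not part of this thread and not from Bonno's or Michel's machines. It asks each forwarder directly with +dnssec (request signatures) and +cd (do not validate on the way), so the transcript shows exactly what the forwarder hands back, and classifies the result. The zone name and the two forwarder addresses are taken from the log lines quoted above and are assumptions; adjust them via the ZONE and FORWARDERS variables. The sample transcripts at the end are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): see what a forwarder really returns for
# a DNSSEC-signed zone and classify it. Assumes dig is installed and that the
# zone/forwarders below are the ones from the quoted syslog lines.

ZONE="${ZONE:-tio.nl}"
FORWARDERS="${FORWARDERS:-172.16.128.40 172.16.208.10}"

# classify_dig: read a dig transcript on stdin and print one word:
#   servfail  - no answer at all (validation failure or upstream error)
#   validated - answer carries the 'ad' flag: the resolver validated it
#   signed    - answer has RRSIG records but no 'ad' flag (e.g. asked with +cd)
#   unsigned  - answer present but no RRSIG at all: DNSSEC data was stripped
#   noanswer  - some other rcode or an empty answer section
classify_dig() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'status: SERVFAIL,'; then
        echo servfail
        return 0
    fi
    if ! printf '%s\n' "$out" | grep -q 'status: NOERROR,'; then
        echo noanswer
        return 0
    fi
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -z "$answers" ] || [ "$answers" -eq 0 ]; then
        echo noanswer
        return 0
    fi
    if printf '%s\n' "$out" | grep -qE '^;; flags:[^;]* ad[ ;]'; then
        echo validated
    elif printf '%s\n' "$out" | grep -qE '[[:space:]]RRSIG[[:space:]]'; then
        echo signed
    else
        echo unsigned
    fi
}

# probe_forwarder: query one forwarder with signatures requested and validation
# disabled, for the zone's NS set and for the DS record the parent publishes.
# A forwarder that answers NS:unsigned while DS records exist for the zone can
# never satisfy a validating resolver; it has to pass the RRSIGs through.
probe_forwarder() {
    fwd="$1"
    ns=$(dig +dnssec +cd "@$fwd" "$ZONE" NS | classify_dig)
    ds=$(dig +dnssec +cd "@$fwd" "$ZONE" DS | classify_dig)
    printf '%s NS:%s DS:%s\n' "$fwd" "$ns" "$ds"
}

# Constructed sample transcripts (not captured from any real server) so the
# classifier can be checked without network access.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.    3600  IN  NS  ns1.example.test.
example.test.    3600  IN  NS  ns2.example.test.'
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.    3600  IN  NS     ns1.example.test.
example.test.    3600  IN  NS     ns2.example.test.
example.test.    3600  IN  RRSIG  NS 13 2 3600 20990101000000 20000101000000 12345 example.test. AAAA'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.    3600  IN  NS     ns1.example.test.
example.test.    3600  IN  NS     ns2.example.test.
example.test.    3600  IN  RRSIG  NS 13 2 3600 20990101000000 20000101000000 12345 example.test. AAAA'

# Only touch the network when explicitly asked: sh probe_forwarders.sh probe
if [ "${1:-}" = probe ]; then
    for f in $FORWARDERS; do
        probe_forwarder "$f"
    done
fi
```

Run it as `sh probe_forwarders.sh probe` on the resolver host. If every forwarder prints `NS:unsigned` (or `DS:unsigned`) while `dig +cd tio.nl NS` against 127.0.0.1 answers fine, the forwarders are the ones dropping the DNSSEC material, which is the situation the "insecurity proof failed" line describes; a forwarder that prints `NS:signed DS:signed` is returning what a validating BIND needs.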