Re: Setting up a local DNS server but clients that use it can't access the internet

On 24 February 2018 at 10:26, Reco <recoverym4n@gmail.com> wrote:

Hi.

Please don't use pastebin for this. This list archives should contain
not only the solution, but a clear problem statement also.

So, following "show, don't tell principle":

# dig in a debian.org +trace +recurse

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org +trace +recurse
;; global options: +cmd
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
couldn't get address for 'A.ROOT-SERVERS.NET': failure
couldn't get address for 'J.ROOT-SERVERS.NET': failure
couldn't get address for 'L.ROOT-SERVERS.NET': failure
couldn't get address for 'C.ROOT-SERVERS.NET': failure
couldn't get address for 'M.ROOT-SERVERS.NET': failure
couldn't get address for 'E.ROOT-SERVERS.NET': failure
couldn't get address for 'I.ROOT-SERVERS.NET': failure
couldn't get address for 'K.ROOT-SERVERS.NET': failure
couldn't get address for 'G.ROOT-SERVERS.NET': failure
couldn't get address for 'F.ROOT-SERVERS.NET': failure
couldn't get address for 'B.ROOT-SERVERS.NET': failure
couldn't get address for 'H.ROOT-SERVERS.NET': failure
couldn't get address for 'D.ROOT-SERVERS.NET': failure
dig: couldn't get address for 'A.ROOT-SERVERS.NET': no more

And that output is enough to tell you this:

1) Your nameserver tries to do the right thing - to do recursion.

2) Your named.conf apparently lacks "forwarders" section, so the only
thing that BIND can do here - is to query root DNSes.

3) And root DNSes aren't accessible to your BIND.

In conclusion, your setup is clearly broken, you need to fix it.

Reco

Ok well I wasn't aware pastebin wasn't allowed, I was wary of pasting a huge wall of text from all the commands and the output of the files I was asked for right into an email.

The output sadly told me nothing as I didn't understand it.

My named.conf.options file does have a "forwarders" section in it.

options {

directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want

// to talk to, you may need to fix the firewall to allow multiple

// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable

// nameservers, you probably want to use them as forwarders.

// Uncomment the following block, and insert the addresses replacing

// the all-0's placeholder.

forwarders {

194.168.4.100;

194.168.8.100;

};

//========================================================================

// If BIND logs error messages about the root key being expired,

// you will need to update your keys. See https://www.isc.org/bind-keys

//========================================================================

dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035

listen-on-v6 { any; };

};

Is there a reason as to why the root DNSes aren't accessible to my BIND?

Yes I am aware I need to fix it, hence the reason why I posted in the first place, do you have any idea as to what needs to be fixed? as I have no idea what I should do from here.