-----Original Message-----
From: Daniele <d.imbrog...@gmail.com>
Date: Wednesday, January 9, 2013 9:17 AM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: Name resolution fails if not forwarding

>This is the scenario.
>
>I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04,
>virtualized on VirtualBox.
>The network works properly because if I indicate a different server from
>my own BIND9 (the first line of '/etc/resolv.conf' is, for example,
>`nameserver 8.8.8.8`) the lookups and any action on the Internet
>succeed.

What are you using for a firewall? iptables within UBUNTU, your internet
gateway, both, something else?

With iptables, it's stateful so outbound queries should allow what's needed
inbound... if it's related, you should be able to check stats and look for
drops. It's not perfect, but on a typical small network you should be able
to use -Z (zero counters), run some queries, then use -nvL to see what if
any rules are incremented.

iptables 'port' matches don't match UDP fragments after the first one, so
you either need to use stateful matching (-m state --state
related,established) or specifically accept trailing fragments (the
iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).

For something like a home router, it's harder... but there are sometimes
firewall-related statistics exposed through the web interfaces (varies from
vendor to vendor). It might also be some form of masquerading getting in
the way (e.g. DNS queries get rewritten as your defgw which confuses
iptables). Just reaching for ideas. Regardless, spending more time with
your firewall might be worthwhile... try a few queries with it disabled
just to get an idea if that's where to look.

>BIND9 configuration is the default one.
>I deleted all local zones that I added (even if internal lookups worked
>correctly). Now there are only default zones (root, localhost,
>127.in-addr.arpa, 0.in-addr.arpa, 255.in-addr.arpa).
>Options are the default ones
>options {
>        directory "/var/cache/bind";
>        dnssec-validation auto;
>        auth-nxdomain no;
>        listen-on-v6 { any; };
>};

Is /var/cache/bind writable by the user BIND runs as (named/bind vs root)?

>In this situation, if I dig anything the lookup fails, and the log is
>full of "lame server" and "FORMERR".

Unfortunately lame server is a can of worms (search the archives), but
FORMERR in my experience often indicates firewall problems on one end or
the other (malformed responses).

>Why?
>Perhaps the problem is due to the presence of 'dnssec-validation' line?

It shouldn't be that alone. However, you could test... does it work fine if
you set:

        dnssec-enable no;
        dnssec-validation no;

Good luck!
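As an added example (not from the thread or from ISC): a small POSIX shell script that diffs two `iptables -nvxL` snapshots captured before and after a few test queries and reports the rules whose packet counters moved, then narrows that to DROP/REJECT rules. The snapshots embedded below are constructed; on a real host you would capture them with `iptables -nvxL > before` and `iptables -nvxL > after` around the test queries.

```shell
#!/bin/sh
# Added example (not from the thread): diff two `iptables -nvxL` snapshots
# taken before and after some test DNS queries, and report which rules
# counted packets. Same idea as the reply's "-Z, run queries, -nvL", but
# without zeroing live counters. -x keeps counters exact (no K/M suffixes).

# Constructed sample snapshots in the standard -nvxL layout (not real output).
BEFORE_SNAPSHOT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
AFTER_SNAPSHOT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      16       1560 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       3       3900 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# counter_deltas BEFORE AFTER
# Prints "<chain> <rule#> <delta pkts> <target> <prot> ... <match>" for every
# rule whose packet counter changed between the two snapshots.
counter_deltas() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$1" > "$b"
    printf '%s\n' "$2" > "$a"
    awk '
        /^Chain /             { chain = $2; n = 0; next }        # new chain: reset rule index
        /^ *pkts / || NF == 0 { next }                           # column header or blank line
        NR == FNR             { n++; prev[chain, n] = $1; next } # first file: remember counters
        {
            n++
            delta = $1 - prev[chain, n]                          # rule absent before counts as 0
            if (delta != 0) {
                rest = ""
                for (i = 4; i <= NF; i++) rest = rest " " $i
                printf "%s %d %d %s%s\n", chain, n, delta, $3, rest
            }
        }' "$b" "$a"
    rm -f "$b" "$a"
}

# drops_during_test BEFORE AFTER: only the rules that dropped or rejected
# packets during the test window, which is what to look at first.
drops_during_test() {
    counter_deltas "$1" "$2" | awk '$4 == "DROP" || $4 == "REJECT"'
}

counter_deltas "$BEFORE_SNAPSHOT" "$AFTER_SNAPSHOT"
```

A rule that moved but is a stateful ACCEPT is the expected path for replies to your own queries; a DROP or REJECT rule that moved during the window is the one worth inspecting (for example a port match that never sees trailing UDP fragments).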