Re: DNS Query from different Subnet
I have the solution. I added another zone named only "webserver01." with one wildcard entry

    * IN A x.x.99.216

Now everything is working fine and Windows as well as Linux have proper answers while using nslookup, dig or in the browser, just like it was with dnsmasq.

Thanks for your help :-)

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS Query from different Subnet
Nikolai Lusan wrote
> On Thu, 2018-11-15 at 05:49 -0600, sethologik wrote:
>> But this is what I already did...
>>
>> could it be something with the firewall?
>
> It _could_ be many things. You need to properly troubleshoot the issue.
> 1) Can a host with failing DNS resolution ping the DNS server?
> 2) Does a tool like nmap show what ports on the DNS server are open to a
>    host with failing DNS resolution?
> 3) Log packets that are being dropped by the firewall and inspect the
>    logs.
> 4) If #2 shows TCP port 53 on the DNS server is open to the host with
>    failing DNS resolution check that UDP port 53 is also open (remember
>    that the DNS protocol uses both TCP _and_ UDP).
>
> It is also worth remembering that unless your internal BIND server is the
> primary resolver for your private zones that it is highly unlikely that you
> will get those hostnames (i.e. website.test.de.webserver01.office.lan.de.
> or webserver01.office.lan.de.) resolved properly as a full resolution will
> start with a root server resolution of de., and then work up the chain to
> lan.de., office.lan.de., etc. If at any point in that resolution path there
> is no NS record for the next link up (until an A/ record) your lookup
> will fail. But if the host that is not getting DNS resolution can't access
> your BIND server at all then the game is over before it began, and you need
> to look at first getting the network connectivity functional.
>
> Dnsmasq does some "interesting" things combining caching, forwarding,
> localised lookups, and DHCP/RA - the transition from the Dnsmasq way of
> doing things, to the bind way of doing things may not be as straightforward
> as you assumed, properly listing zones as masters (or slaves if you
> have more than one BIND server) is important, as is the proper defining of
> views if you are using them.
>
> Hopefully a full looking to the communication chain from host to server
> will help you find the problematic link.
>
> --
> Nikolai Lusan
> nikolai.lusan@

So... I guess I have some really interesting information about that problem...

It does not have something to do with queries from a different subnet. I tested a Linux live session with the DNS settings pointing to the bind9 system... It was able to show me the test website without any problems. I was able to call the page "https://website.test.de.webserver01/" from a browser and because of the domain-search info it connected to webserver01.office.lan.de.

The MAIN problem is that we are only using Windows VMs to test Internet Explorer and Edge and so on. Here the situation is the following:

Windows (7/8 AND 10) have the DNS settings to the bind9 system (so x.x.99.201). I have manually configured the search domain under advanced settings. When I make an nslookup webserver01 I receive an answer like:

    Server: dns.office.lan.de
    address: x.x.99.201

    name: webserver01.office.lan.de
    address: x.x.99.216

EVEN the query nslookup website.test.de.webserver01 gives me the right answer:

    Server: dns.office.lan.de
    address: x.x.99.201

    name: website.test.de.webserver01.office.lan.de
    address: x.x.99.216

BUT I cannot open the website via the browser on WINDOWS machines. This also happens in the 99.0/24 net.

On the other hand, when I am using a Linux or Mac system my nslookups look like this:

nslookup webserver01 (same as Windows)

nslookup website.test.de.webserver01

    Server: dns.office.lan.de
    address: x.x.99.201

    ** server can't find website.test.de.webserver01: NXDOMAIN

I have to make a FQDN search: nslookup website.test.de.webserver01.office.lan.de

    Server: dns.office.lan.de
    address: x.x.99.201

    website.test.de.webserver01.office.lan.de canonical name = webserver01.office.lan.de.
    Name: webserver01.office.lan.de
    Address: x.x.99.216

When I make a "dig" query on webserver01 it sends an answer like this:

    ;; QUESTION SECTION:
    ;webserver01.                   IN      A

    ;; AUTHORITY SECTION:
    .                       10315   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018111600 1800 900 604800 86400

I have to dig with the FQDN. But for me this is strange because those are the systems which can open the test website in the browser...

In my zone I have the A entry

    webserver01 IN A x.x.99.216

AND the "wildcard" entry as a CNAME

    *.webserver01 IN CNAME webserver01

I really hope this helps you guys understand what's going on with my BIND system. Thanks so much in advance
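The difference between `nslookup webserver01` and `nslookup website.test.de.webserver01` above comes down to how a stub resolver expands a name against its search list, and the fix reported at the top of the thread (a zone called `webserver01.` with a wildcard A record) works because it answers the absolute form of the name. The following model is an added illustration, not code from the posts or from BIND: the zone data is constructed from the records the poster quoted, and `candidates()` implements the glibc ndots rule (a name with at least `ndots` dots is sent as an absolute name first, then with each search suffix appended; a name with fewer dots gets the suffixes first). Whether a client keeps trying the suffixed forms after the first NXDOMAIN differs between resolvers, which `keep_searching` lets you toggle; treat the output as a model, not a capture.

```python
"""Model of resolver search-list expansion and zone wildcard matching.

Added illustration for this thread; not code from the posts or from BIND.
Zone data is constructed from the records quoted in the thread.
"""

SEARCH = ["office.lan.de"]

# Constructed: the office zone as the poster described it.
OFFICE_ZONE = {
    "office.lan.de.": {
        "webserver01.office.lan.de.": ("A", "x.x.99.216"),
        "*.webserver01.office.lan.de.": ("CNAME", "webserver01.office.lan.de."),
    },
}

# Constructed: the extra "webserver01." zone with a wildcard A record that the
# poster later reported as the fix.
FIX_ZONE = {
    "webserver01.": {
        "*.webserver01.": ("A", "x.x.99.216"),
    },
}


def candidates(name, search, ndots=1):
    """Query names a stub resolver would try, in order (glibc ndots rule)."""
    if name.endswith("."):
        return [name]                                   # absolute: no search list
    absolute = [name + "."]
    suffixed = [f"{name}.{s.strip('.')}." for s in search]
    return absolute + suffixed if name.count(".") >= ndots else suffixed + absolute


def _ancestors(name):
    """Ancestors of a name from its parent up to the root '.'."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) + 1)]


def resolve(qname, zones, _depth=0):
    """Authoritative-style lookup: exact owner match, else the wildcard under the
    closest enclosing name (RFC 4592), chasing CNAMEs.
    Returns ("NOERROR", [(owner, rtype, rdata), ...]) or ("NXDOMAIN", [])."""
    apex = next((n for n in [qname] + _ancestors(qname) if n in zones), None)
    if apex is None or _depth > 8:
        return "NXDOMAIN", []                          # no data here: the root would say so
    records = zones[apex]
    existing = {apex}                                   # names that exist in the zone
    for owner in records:
        if not owner.startswith("*."):
            existing.add(owner)
            existing.update(a for a in _ancestors(owner) if a.endswith(apex))
    if qname in records:
        owner = qname
    elif qname in existing:
        return "NOERROR", []                            # name exists, no A/CNAME on it
    else:
        encloser = next(a for a in _ancestors(qname) if a in existing)
        owner = "*." + encloser                         # wildcard below the closest encloser
        if owner not in records:
            return "NXDOMAIN", []
    rtype, rdata = records[owner]
    answer = [(qname, rtype, rdata)]
    if rtype == "CNAME":                                # follow the alias to its target
        answer += resolve(rdata, zones, _depth + 1)[1]
    return "NOERROR", answer


def first_answer(name, search, zones, ndots=1, keep_searching=True):
    """Walk the candidate list and return (tried_name, status, answer).
    With keep_searching=False the first reply is final, which is what the
    poster's Linux nslookup output shows."""
    result = None
    for cand in candidates(name, search, ndots):
        status, answer = resolve(cand, zones)
        result = (cand, status, answer)
        if answer or not keep_searching:
            return result
    return result


if __name__ == "__main__":
    both = {**OFFICE_ZONE, **FIX_ZONE}
    for name in ("webserver01", "website.test.de.webserver01"):
        print(name, "->", candidates(name, SEARCH))
        print("  office zone only :", first_answer(name, SEARCH, OFFICE_ZONE, keep_searching=False))
        print("  with webserver01.:", first_answer(name, SEARCH, both, keep_searching=False))
```

With the office zone alone, `webserver01` (no dots) is tried with the suffix first and resolves, while `website.test.de.webserver01` (three dots) is sent as an absolute name first and gets NXDOMAIN; only a client that goes on to the suffixed form sees the wildcard CNAME. Once the `webserver01.` zone exists, the absolute form resolves on the first try for every client.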
Re: DNS Query from different Subnet
On Thu, 2018-11-15 at 05:49 -0600, sethologik wrote:
> But this is what I already did...
>
> could it be something with the firewall?

It _could_ be many things. You need to properly troubleshoot the issue.
1) Can a host with failing DNS resolution ping the DNS server?
2) Does a tool like nmap show what ports on the DNS server are open to a
   host with failing DNS resolution?
3) Log packets that are being dropped by the firewall and inspect the
   logs.
4) If #2 shows TCP port 53 on the DNS server is open to the host with
   failing DNS resolution check that UDP port 53 is also open (remember
   that the DNS protocol uses both TCP _and_ UDP).

It is also worth remembering that unless your internal BIND server is the
primary resolver for your private zones that it is highly unlikely that you
will get those hostnames (i.e. website.test.de.webserver01.office.lan.de.
or webserver01.office.lan.de.) resolved properly as a full resolution will
start with a root server resolution of de., and then work up the chain to
lan.de., office.lan.de., etc. If at any point in that resolution path there
is no NS record for the next link up (until an A/ record) your lookup
will fail. But if the host that is not getting DNS resolution can't access
your BIND server at all then the game is over before it began, and you need
to look at first getting the network connectivity functional.

Dnsmasq does some "interesting" things combining caching, forwarding,
localised lookups, and DHCP/RA - the transition from the Dnsmasq way of
doing things, to the bind way of doing things may not be as straightforward
as you assumed, properly listing zones as masters (or slaves if you
have more than one BIND server) is important, as is the proper defining of
views if you are using them.

Hopefully a full looking to the communication chain from host to server
will help you find the problematic link.

--
Nikolai Lusan
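Steps 2 and 4 above (is port 53 open, and over both TCP and UDP?) and the response code the server sends back can be checked from the affected subnet with one small probe. The script below is an added example, not code from the post: it builds a minimal A query by hand, sends it over UDP and over TCP (where each message carries a two-byte length prefix), decodes the RCODE, and turns the pair of results into the next troubleshooting step. A reply on one transport but not the other points at a firewall rule; REFUSED means the server was reached but its policy (allow-query, or allow-recursion for recursive lookups) rejects the client; NXDOMAIN means the server answers but does not know the name. The server address and hostname in the usage line are the thread's own placeholders.

```python
"""Probe a DNS server over both UDP and TCP port 53 and read the response code.

Added illustration for the troubleshooting steps in the thread; not code
from the post. The server address and name used at the bottom are the
thread's placeholders (x.x stands for the redacted address prefix).
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=0x1234, recursion_desired=True):
    """Encode a standard A/IN query for `name` (RFC 1035, section 4.1)."""
    flags = 0x0100 if recursion_desired else 0x0000   # QR=0, opcode 0, RD bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_header(message):
    """Return (id, rcode name, answer RR count) from a response message."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return qid, RCODES.get(rcode, f"RCODE{rcode}"), an


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, name, timeout=2.0):
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server, name, timeout=2.0):
    query = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # TCP framing: length prefix
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)


def probe(server, name):
    """Return {"udp": rcode or None, "tcp": rcode or None}; None means no reply."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = fn(server, name)[1]
        except (OSError, ValueError):                  # timeouts are OSError subclasses
            results[transport] = None
    return results


def diagnose(udp, tcp):
    """Map the two transport results to the next thing to check."""
    if udp is None and tcp is None:
        return "no reply on either transport: check reachability and the firewall rules for port 53"
    if udp is None or tcp is None:
        blocked = "UDP" if udp is None else "TCP"
        return f"only one transport answers: {blocked} 53 is blocked or filtered"
    if "REFUSED" in (udp, tcp):
        return "server reachable but refuses this client: check allow-query / allow-recursion"
    if "NXDOMAIN" in (udp, tcp):
        return "server answers but has no such name: check the zone data and the search suffix"
    return "DNS answers normally on both transports: look at the client side"


if __name__ == "__main__":
    # Placeholders from the thread; replace x.x with the real address prefix.
    outcome = probe("x.x.99.201", "webserver01.office.lan.de")
    print(outcome, "->", diagnose(outcome["udp"], outcome["tcp"]))
```

Run it once from the 99.0/24 subnet and once from 98.0/24; a difference in the `probe()` output between the two vantage points localises the fault to the path rather than to the server.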
Re: DNS Query from different Subnet
On 15.11.18 05:29, sethologik wrote:
> we have three subnets ( x.x.98.0/24 ; x.x.99.0/24 ; x.x.100.0/24 )
> connected to a firewall which is connected to the WAN ( so the gateway is
> always x.x.x.254 ). We wanted to switch from dnsmasq to BIND9. The BIND9
> and (old) dnsmasq DNS server is in the 99.0/24 net with IP 201 (BIND) and
> 200 (dnsmasq)
> ...
> From net 99.0/24 everything is working fine.
> ...
> however when I try to do so in a subnet like 98.0/24 it says he can't
> reach this server...
> I can dig website.test.de.webserver01.office.lan.de from ANY subnet and it
> gives me an answer like:
>
>     ;; QUESTION SECTION:
>     ;website.test.de.webserver01.office.lan.de. IN A
>
>     ;; ANSWER SECTION:
>     website.test.de.webserver01.office.lan.de. 86400 IN CNAME webserver01.office.lan.de.
>     website.test.de.webserver01.office.lan.de. 86400 IN A x.x.99.216
>
>     ;; AUTHORITY SECTION:
>     office.lan.de. 86400 IN NS dns.office.lan.de.
>
>     ;; ADDITIONAL SECTION:
>     dns.office.lan.de. 86400 IN A x.x.99.201
>
> But somehow the explorer can't open up the website anyway.

what site and what is the error?

> When I switch back to dnsmasq everything is working. It is simply
> configured with wildcards like this:
>
>     address=/.webserver01/x.x.99.216

this is not possible with BIND, you must define the whole zone.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
Re: DNS Query from different Subnet
But this is what I already did...

could it be something with the firewall?
Re: DNS Query from different Subnet
sethologik wrote:
>
> Is there an option in BIND9 which needs to be set when I want to get full
> query answers from different subnets or something like that?

Exactly, yes :-)

In your options section, put

    allow-query { x.x.98.0/24; x.x.99.0/24; x.x.100.0/24; };

Tony.
--
f.anthony.n.finch  http://dotat.at/
Southeast Fitzroy: Variable 4, becoming southeasterly 4 or 5 later. Rough. Fair. Good.
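The `allow-query` line above is a BIND address match list, and it is worth being able to predict what it does for a given client before reloading `named`. The model below is an added example, not code from the post or from BIND itself; it follows the documented semantics of BIND 9 address match lists (elements are tested in order, the first element that matches decides, a leading `!` negates that element, and a client that matches nothing is not allowed). Supported elements are IPv4/IPv6 addresses or prefixes, `any`, `none` and `localhost`; named ACLs, `localnets` and TSIG keys are not modelled. The subnets are the thread's three /24s with `10.0` standing in for the redacted `x.x` prefix.

```python
"""Predict what a BIND address match list does with a given client address.

Added illustration for the allow-query answer in the thread; not code from
the post or from BIND. ACL_TEXT is constructed from that answer, with 10.0
in place of the redacted x.x prefix.
"""
import ipaddress

ACL_TEXT = "{ 10.0.98.0/24; 10.0.99.0/24; 10.0.100.0/24; }"


def parse_acl(text):
    """Parse '{ a; !b; any; }' into a list of (negated, element) pairs."""
    body = text.strip().strip("{}")
    elements = []
    for raw in body.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item in ("any", "none", "localhost"):
            elements.append((negated, item))
        else:
            # A bare address becomes a /32 or /128 network.
            elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def match(client, acl):
    """Return (allowed, index of the deciding element or None)."""
    addr = ipaddress.ip_address(client)
    for index, (negated, element) in enumerate(acl):
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element == "localhost":
            hit = addr.is_loopback
        else:
            hit = addr.version == element.version and addr in element
        if hit:
            return (not negated), index        # first match wins; "!" flips it
    return False, None                          # nothing matched: not allowed


def is_allowed(client, acl):
    return match(client, acl)[0]


def render_allow_query(networks):
    """Render the options-section line from the answer for the given networks."""
    return "allow-query { " + " ".join(f"{n};" for n in networks) + " };"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for client in ("10.0.98.25", "10.0.100.7", "192.0.2.9", "127.0.0.1"):
        allowed, idx = match(client, acl)
        print(f"{client:>12}: {'allowed' if allowed else 'REFUSED'} (element {idx})")
    print(render_allow_query(["x.x.98.0/24", "x.x.99.0/24", "x.x.100.0/24"]))
```

Two things the model makes visible: a client outside the three subnets, including the server's own loopback address, gets REFUSED unless it is listed, so add `localhost` if anything on the server queries it; and in BIND 9 `allow-recursion` and `allow-query-cache` fall back to `allow-query` when they are not set themselves (and to `localnets; localhost;` when none of them is set), so this one list also decides which clients may use the server as a recursive resolver. Keep it to the internal subnets.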