Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread tomas

On Sat, Feb 24, 2018 at 07:43:16PM +0300, Reco wrote:
>   Hi.

[...]

> Figures. Certain ISPs are unable to implement DNSSec even if someone's
> life would depend on it. A figure of speech, just in case.

Touché :-D

Cheers
-- t



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Reco
Hi.

Let me reorder it a bit.

On Sat, Feb 24, 2018 at 02:20:57PM +0000, Aero Maxx wrote:
> On 24 February 2018 at 13:16, Aero Maxx  wrote:
> 
> > On 24 February 2018 at 12:56, Reco  wrote:
> >
> >> So, a SERVFAIL. That's curious, to say the least.
> >>
> >> OK, let's try this:
> >>
> >> 1) Put "dnssec-validation no;" in your named.conf.options.
> >>
> >> 2) Restart (as in - stop then start) BIND.
> >>
> >> 3) Execute "dig in a debian.org @127.0.0.1" once more.
> >>
> >> 4) Please provide BIND logs from its last restart.
> >>
> >
> > I made those changes and apt-get update now works.

Figures. Certain ISPs are unable to implement DNSSec even if someone's
life would depend on it. A figure of speech, just in case.


> > Have attached the output of the commands, and my syslog file as I didn't
> > have a log file specifically for bind9.

Your e-mail came without the logs, but it hardly matters now, as we have
a viable workaround.
In Modern™ Debian one should be able to get BIND log like this:

grep named /var/log/daemon.log


> Is there anything I can do to make it work with dnssec-validation set to
> auto?

I suggest you bring it to Virgin Media. After all, it's them who
deliberately crippled their DNS, or used some toy instead of a real DNS.


> If I change the forwarding ip addresses to the google public dns servers it
> works with auto, but the other virgin media address for dns don't work with
> auto, why is that, have they configured something different to google?

Sure they have.

Exhibit 1 (Amazon AWS, just in case):

$ dig in a debian.org +trace +recurse

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org +trace +recurse
;; global options: +cmd
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
...
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    86400   IN      DS      9795 7 1 364D...
org.                    86400   IN      DS      9795 7 2 3922...
org.                    86400   IN      RRSIG   DS 8 1 86400 2018030905 2018022404 41824 . ..
;; Received 812 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 2 ms

debian.org.             86400   IN      NS      dnsnode.debian.org.
debian.org.             86400   IN      DS      6487 8 2 A952...
debian.org.             86400   IN      RRSIG   DS 7 2 86400 20...
;; Received 364 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 74 ms

debian.org.             300     IN      A       5.153.231.4
debian.org.             300     IN      A       128.31.0.62
debian.org.             300     IN      A       130.89.148.14
debian.org.             300     IN      A       149.20.4.15
debian.org.             300     IN      RRSIG   A 8 2 300 20180...
;; Received 337 bytes from 192.174.68.100#53(sec1.rcode0.net) in 75 ms

Observe numerous DS and RRSIG records, which are provided by every DNS
starting from the root one.


Exhibit 2 (Google DNS):

$ dig in a debian.org +trace +recurse @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org +trace +recurse
...
.                       129251  IN      NS      m.root-servers.net.
.                       129251  IN      RRSIG   NS 8 0 518400 20...
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 2 ms



As long as your forwarder provides a valid RRSIG record - your DNSSec
validation is a go.


Apparently your forwarders do not bother with RRSIG.
Since you have your DNS working - you might as well check it out, and
share the result with the community.

Reco
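The RRSIG check Reco does by eye above, as an added example that is not part of the thread: it triages dig transcripts and encodes the caveat a practitioner needs here, that a dig run without +dnssec never carries RRSIGs, so their absence in such output proves nothing about the forwarder. All four transcripts are constructed, modelled on the ones posted.

```python
"""Triage dig transcripts for DNSSEC support, the check made by eye in the thread.

Added example, not from the thread. The transcripts are constructed and trimmed
to the lines that matter; only the dig header, flags, EDNS and RR lines are read.
"""
import re

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")
STATUS = re.compile(r"status:\s*([A-Z]+)")
FLAGS = re.compile(r"^;; flags:\s*([a-z ]*);")
EDNS = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*);")


def parse_dig(text):
    """Return rcode, header flags, EDNS flags and the set of RR types seen."""
    info = {"status": None, "flags": set(), "edns": set(), "types": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS.search(line)
            info["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            m = FLAGS.match(line)
            info["flags"] = set(m.group(1).split()) if m else set()
        elif line.startswith("; EDNS:"):
            m = EDNS.match(line)
            info["edns"] = set(m.group(1).split()) if m else set()
        elif line and not line.startswith(";"):
            m = RR_LINE.match(line)  # resource record: owner TTL IN TYPE rdata
            if m:
                info["types"].add(m.group(3))
    return info


def verdict(text):
    """What the answer means for a BIND with 'dnssec-validation auto' behind it."""
    d = parse_dig(text)
    if d["status"] == "SERVFAIL":
        return "SERVFAIL"      # the validator gave up; query the forwarder directly next
    if "do" not in d["edns"]:
        return "INCONCLUSIVE"  # DO bit never requested: a missing RRSIG proves nothing
    if "RRSIG" in d["types"]:
        return "VALIDATED" if "ad" in d["flags"] else "SIGNED"
    return "STRIPPED"          # DO set, signed zone, no RRSIG: validation will SERVFAIL


# Constructed transcripts modelled on the ones posted; not real captures.
LOCAL_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22821
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
"""
FORWARDER_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30672
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
debian.org.    28   IN  A   5.153.231.4
debian.org.    28   IN  A   149.20.4.15
"""
FORWARDER_STRIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
debian.org.    28   IN  A   5.153.231.4
"""
FORWARDER_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
debian.org.    300  IN  A      5.153.231.4
debian.org.    300  IN  RRSIG  A 8 2 300 20180309050000 20180224040000 41824 debian.org. SIG-OMITTED
"""

if __name__ == "__main__":
    cases = [("local resolver", LOCAL_SERVFAIL), ("forwarder, no +dnssec", FORWARDER_PLAIN),
             ("forwarder, +dnssec", FORWARDER_STRIPPED), ("validating forwarder", FORWARDER_SIGNED)]
    for name, text in cases:
        print(f"{name:24s} -> {verdict(text)}")
```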



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Aero Maxx
Is there anything I can do to make it work with dnssec-validation set to
auto?

If I change the forwarding ip addresses to the google public dns servers it
works with auto, but the other virgin media address for dns don't work with
auto, why is that, have they configured something different to google?

On 24 February 2018 at 13:16, Aero Maxx  wrote:

> On 24 February 2018 at 12:56, Reco  wrote:
>
>> So, a SERVFAIL. That's curious, to say the least.
>>
>> OK, let's try this:
>>
>> 1) Put "dnssec-validation no;" in your named.conf.options.
>>
>> 2) Restart (as in - stop then start) BIND.
>>
>> 3) Execute "dig in a debian.org @127.0.0.1" once more.
>>
>> 4) Please provide BIND logs from its last restart.
>>
>
> I made those changes and apt-get update now works.
>
> Have attached the output of the commands, and my syslog file as I didn't
> have a log file specifically for bind9.
>


Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Reco
Hi.

On Sat, Feb 24, 2018 at 12:42:04PM +0000, Aero Maxx wrote:
> On 24 February 2018 at 12:36, Reco  wrote:
> 
> > Ok, what about this (again, run it from the malfunctioning DNS, root is
> > needed for the second and third command):
> >
> > dig in a debian.org @127.0.0.1
> >
> > ss -nplu
> >
> > iptables-save
> >
> 
> I've attached the output of those commands also now.

So, a SERVFAIL. That's curious, to say the least.

OK, let's try this:

1) Put "dnssec-validation no;" in your named.conf.options.

2) Restart (as in - stop then start) BIND.

3) Execute "dig in a debian.org @127.0.0.1" once more.

4) Please provide BIND logs from its last restart.

Reco



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Aero Maxx
On 24 February 2018 at 12:36, Reco  wrote:

> Ok, what about this (again, run it from the malfunctioning DNS, root is
> needed for the second and third command):
>
> dig in a debian.org @127.0.0.1
>
> ss -nplu
>
> iptables-save
>

I've attached the output of those commands also now.


> > As previously mentioned each server and client has 2 network cards, one
> > which provides internet access to the client or server, and the other
> > provides internal services that are on the local network after the
> > firewall, the DNS server shouldn't be accessible by any clients or
> servers
> > that are on the internet/external side of my router/firewall.
>
> You're talking about inbound connections, but your problem may lie with
> the outbound ones.
>

Oh right I see.


Virus-free.
www.avast.com

<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
root@debian:~# dig in a debian.org @127.0.0.1

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22821
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 336 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 24 12:38:39 GMT 2018
;; MSG SIZE  rcvd: 39

root@debian:~# ss -nplu
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
UNCONN  0      0      10.0.2.20:53         *:*      users:(("named",pid=1193,fd=515))
UNCONN  0      0      192.168.0.61:53      *:*      users:(("named",pid=1193,fd=514))
UNCONN  0      0      127.0.0.1:53         *:*      users:(("named",pid=1193,fd=513))
UNCONN  0      0      *:68                 *:*      users:(("dhclient",pid=456,fd=6))
UNCONN  0      0      :::53                :::*     users:(("named",pid=1193,fd=512))
root@debian:~# iptables-save
root@debian:~#


Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Reco
Hi.

On Sat, Feb 24, 2018 at 12:13:31PM +0000, Aero Maxx wrote:
> On 24 February 2018 at 11:37, Reco  wrote:
> 
> > Ok, that actually gives us something.
> >
> > First things first, Virgin Media uses different nameservers, according
> > to the RIPE, at least. They are ns[1-4].virginmedia.net.
> >
> > Second, these cache[12].service.viginmedia.net you're trying to use as
> > forwarders may or may not be operational.
> > A couple of quick tests should clarify it (run it from the malfunctioning
> > DNS):
> >
> > dig in a debian.org @194.168.4.100
> > dig in a debian.org @194.168.8.100
> 
> The above IP addresses are the ones that debian found by itself when I
> installed it, and were already in the resolv.conf file prior to me editing
> it.

That can mean anything. But the good news is, the forwarders are operational.

Ok, what about this (again, run it from the malfunctioning DNS, root is
needed for the second and third command):

dig in a debian.org @127.0.0.1

ss -nplu

iptables-save

> > Is there a reason as to why the root DNSes aren't accessible to my BIND?
> >
> > You forgot to put your DNS server at DMZ.
> > They block udp:53 and tcp:53 at Virgin Media.
> > Someone at *your* premises does the same.
> 
> 
> As previously mentioned each server and client has 2 network cards, one
> which provides internet access to the client or server, and the other
> provides internal services that are on the local network after the
> firewall, the DNS server shouldn't be accessible by any clients or servers
> that are on the internet/external side of my router/firewall.

You're talking about inbound connections, but your problem may lie with
the outbound ones.

Reco



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Aero Maxx
On 24 February 2018 at 11:37, Reco  wrote:

> Ok, that actually gives us something.
>
> First things first, Virgin Media uses different nameservers, according
> to the RIPE, at least. They are ns[1-4].virginmedia.net.
>
> Second, these cache[12].service.viginmedia.net you're trying to use as
> forwarders may or may not be operational.
> A couple of quick tests should clarify it (run it from the malfunctioning
> DNS):
>
> dig in a debian.org @194.168.4.100
> dig in a debian.org @194.168.8.100


The above IP addresses are the ones that debian found by itself when I
installed it, and were already in the resolv.conf file prior to me editing
it.

Have attached the output of the above commands.

> Is there a reason as to why the root DNSes aren't accessible to my BIND?
>
> You forgot to put your DNS server at DMZ.
> They block udp:53 and tcp:53 at Virgin Media.
> Someone at *your* premises does the same.


As previously mentioned each server and client has 2 network cards, one
which provides internet access to the client or server, and the other
provides internal services that are on the local network after the
firewall, the DNS server shouldn't be accessible by any clients or servers
that are on the internet/external side of my router/firewall.

root@debian:~$ dig in a debian.org @194.168.4.100

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org @194.168.4.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30672
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org. 28  IN  A   5.153.231.4
debian.org. 28  IN  A   149.20.4.15
debian.org. 28  IN  A   130.89.148.14
debian.org. 28  IN  A   128.31.0.62

;; Query time: 17 msec
;; SERVER: 194.168.4.100#53(194.168.4.100)
;; WHEN: Sat Feb 24 11:55:05 GMT 2018
;; MSG SIZE  rcvd: 103

root@debian:~$ dig in a debian.org @194.168.8.100

; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org @194.168.8.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25990
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org. 20  IN  A   128.31.0.62
debian.org. 20  IN  A   5.153.231.4
debian.org. 20  IN  A   149.20.4.15
debian.org. 20  IN  A   130.89.148.14

;; Query time: 17 msec
;; SERVER: 194.168.8.100#53(194.168.8.100)
;; WHEN: Sat Feb 24 11:55:14 GMT 2018
;; MSG SIZE  rcvd: 103

Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Reco
Hi.

There's no need to Cc me, I'm subscribed to the list.

On Sat, Feb 24, 2018 at 10:58:49AM +0000, Aero Maxx wrote:
> Ok well I wasn't aware pastebin wasn't allowed, I was wary of pasting a
> huge wall of text from all the commands and the output of the files I was
> asked for right into an email.

That's why they invented archives and e-mail attachments.


> The output sadly told me nothing as I didn't understand it.
> 
> My named.conf.options file does have a "forwarders" section in it.
> 
> options {
..
> forwarders {
> 194.168.4.100;
> 194.168.8.100;

Ok, that actually gives us something.

First things first, Virgin Media uses different nameservers, according
to the RIPE, at least. They are ns[1-4].virginmedia.net.

Second, these cache[12].service.viginmedia.net you're trying to use as
forwarders may or may not be operational.
A couple of quick tests should clarify it (run it from the malfunctioning
DNS):

dig in a debian.org @194.168.4.100
dig in a debian.org @194.168.8.100


> Is there a reason as to why the root DNSes aren't accessible to my BIND?

You forgot to put your DNS server at DMZ.
They block udp:53 and tcp:53 at Virgin Media.
Someone at *your* premises does the same.

There are many things that can go wrong.

Reco



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Aero Maxx
On 24 February 2018 at 10:26, Reco  wrote:

> Hi.
>
> Please don't use pastebin for this. The list archives should contain
> not only the solution, but a clear problem statement also.
>
> So, following the "show, don't tell" principle:
>
> # dig in a debian.org +trace +recurse
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org +trace +recurse
> ;; global options: +cmd
> .   360 IN  NS  A.ROOT-SERVERS.NET.
> .   360 IN  NS  J.ROOT-SERVERS.NET.
> .   360 IN  NS  L.ROOT-SERVERS.NET.
> .   360 IN  NS  C.ROOT-SERVERS.NET.
> .   360 IN  NS  M.ROOT-SERVERS.NET.
> .   360 IN  NS  E.ROOT-SERVERS.NET.
> .   360 IN  NS  I.ROOT-SERVERS.NET.
> .   360 IN  NS  K.ROOT-SERVERS.NET.
> .   360 IN  NS  G.ROOT-SERVERS.NET.
> .   360 IN  NS  F.ROOT-SERVERS.NET.
> .   360 IN  NS  B.ROOT-SERVERS.NET.
> .   360 IN  NS  H.ROOT-SERVERS.NET.
> .   360 IN  NS  D.ROOT-SERVERS.NET.
> couldn't get address for 'A.ROOT-SERVERS.NET': failure
> couldn't get address for 'J.ROOT-SERVERS.NET': failure
> couldn't get address for 'L.ROOT-SERVERS.NET': failure
> couldn't get address for 'C.ROOT-SERVERS.NET': failure
> couldn't get address for 'M.ROOT-SERVERS.NET': failure
> couldn't get address for 'E.ROOT-SERVERS.NET': failure
> couldn't get address for 'I.ROOT-SERVERS.NET': failure
> couldn't get address for 'K.ROOT-SERVERS.NET': failure
> couldn't get address for 'G.ROOT-SERVERS.NET': failure
> couldn't get address for 'F.ROOT-SERVERS.NET': failure
> couldn't get address for 'B.ROOT-SERVERS.NET': failure
> couldn't get address for 'H.ROOT-SERVERS.NET': failure
> couldn't get address for 'D.ROOT-SERVERS.NET': failure
> dig: couldn't get address for 'A.ROOT-SERVERS.NET': no more
>
> And that output is enough to tell you this:
>
> 1) Your nameserver tries to do the right thing - to do recursion.
>
> 2) Your named.conf apparently lacks "forwarders" section, so the only
> thing that BIND can do here - is to query root DNSes.
>
> 3) And root DNSes aren't accessible to your BIND.
>
> In conclusion, your setup is clearly broken, you need to fix it.
>
> Reco
>
>
Ok well I wasn't aware pastebin wasn't allowed, I was wary of pasting a
huge wall of text from all the commands and the output of the files I was
asked for right into an email.

The output sadly told me nothing as I didn't understand it.

My named.conf.options file does have a "forwarders" section in it.

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                194.168.4.100;
                194.168.8.100;
        };

        //
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Is there a reason as to why the root DNSes aren't accessible to my BIND?

Yes I am aware I need to fix it, hence the reason why I posted in the first
place. Do you have any idea as to what needs to be fixed, as I have no idea
what I should do from here?



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Reco
Hi.

On Sat, Feb 24, 2018 at 10:13:18AM +0000, Aero Maxx wrote:
> Firstly thank you all very much for the replies, and sorry for the vague
> information, that wasn't intentional I didn't know what you would need and
> also I wasn't aware of the commands you ask for the output from.
> 
> On 23 February 2018 at 18:06, Reco  wrote:
> 
> > Please invoke this on one of the problematic client hosts:
> >
> > dig in a debian.org +trace +recurse
> >
> > dig in a google.com +trace +recurse
> 
> Output from the dig commands: https://pastebin.com/7CDMit1R

Please don't use pastebin for this. The list archives should contain
not only the solution, but a clear problem statement also.

So, following the "show, don't tell" principle:

# dig in a debian.org +trace +recurse
 
; <<>> DiG 9.10.3-P4-Debian <<>> in a debian.org +trace +recurse
;; global options: +cmd
.   360 IN  NS  A.ROOT-SERVERS.NET.
.   360 IN  NS  J.ROOT-SERVERS.NET.
.   360 IN  NS  L.ROOT-SERVERS.NET.
.   360 IN  NS  C.ROOT-SERVERS.NET.
.   360 IN  NS  M.ROOT-SERVERS.NET.
.   360 IN  NS  E.ROOT-SERVERS.NET.
.   360 IN  NS  I.ROOT-SERVERS.NET.
.   360 IN  NS  K.ROOT-SERVERS.NET.
.   360 IN  NS  G.ROOT-SERVERS.NET.
.   360 IN  NS  F.ROOT-SERVERS.NET.
.   360 IN  NS  B.ROOT-SERVERS.NET.
.   360 IN  NS  H.ROOT-SERVERS.NET.
.   360 IN  NS  D.ROOT-SERVERS.NET.
couldn't get address for 'A.ROOT-SERVERS.NET': failure
couldn't get address for 'J.ROOT-SERVERS.NET': failure
couldn't get address for 'L.ROOT-SERVERS.NET': failure
couldn't get address for 'C.ROOT-SERVERS.NET': failure
couldn't get address for 'M.ROOT-SERVERS.NET': failure
couldn't get address for 'E.ROOT-SERVERS.NET': failure
couldn't get address for 'I.ROOT-SERVERS.NET': failure
couldn't get address for 'K.ROOT-SERVERS.NET': failure
couldn't get address for 'G.ROOT-SERVERS.NET': failure
couldn't get address for 'F.ROOT-SERVERS.NET': failure
couldn't get address for 'B.ROOT-SERVERS.NET': failure
couldn't get address for 'H.ROOT-SERVERS.NET': failure
couldn't get address for 'D.ROOT-SERVERS.NET': failure
dig: couldn't get address for 'A.ROOT-SERVERS.NET': no more


And that output is enough to tell you this:

1) Your nameserver tries to do the right thing - to do recursion.

2) Your named.conf apparently lacks "forwarders" section, so the only
thing that BIND can do here - is to query root DNSes.

3) And root DNSes aren't accessible to your BIND.

In conclusion, your setup is clearly broken, you need to fix it.

Reco



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-24 Thread Aero Maxx
Firstly, thank you all very much for the replies, and sorry for the vague
information; that wasn't intentional, I didn't know what you would need and
also I wasn't aware of the commands you asked for the output from.

On 23 February 2018 at 18:06, Reco  wrote:

> Please invoke this on one of the problematic client hosts:
>
> dig in a debian.org +trace +recurse
>
> dig in a google.com +trace +recurse


Output from the dig commands: https://pastebin.com/7CDMit1R

On 23 February 2018 at 18:09, Roberto C. Sánchez  wrote:

> What is the output of 'ip addr ls' and 'ip route ls' on one of the Linux
> clients? What are the contents of /etc/resolv.conf and /etc/hosts on one
> of the Linux clients? What are the contents of /etc/bind/named.conf*
> (that is, all the configuration files with names starting with
> /etc/bind/named.conf)? What is the actual output where you see errors?
> For example, if nslookup fails, please provide the complete command-line
> and the complete error output. Same for apt-get or any other thing that
> is failing.
>

Output from 'ip addr ls': https://pastebin.com/rU27NbhQ
Output from 'ip route ls': https://pastebin.com/NGZeYuBD
Contents of '/etc/resolv.conf': https://pastebin.com/NtvT1Gf0
Contents of '/etc/hosts': https://pastebin.com/hA0Gm00p
Contents of '/etc/bind/named.conf': https://pastebin.com/qFQQWbLB
Contents of '/etc/bind/named.conf.default-zones':
https://pastebin.com/jmNEz1Mm
Contents of '/etc/bind/named.conf.options': https://pastebin.com/GUevb0t7
Contents of '/etc/bind/named.conf.local': https://pastebin.com/t85npbxG

Contents of '/etc/bind/db.nhs2.uk': https://pastebin.com/tk2P9C1S
Contents of '/etc/bind/db.10': https://pastebin.com/tLeEBsRR

Output from 'apt-get update' showing errors: https://pastebin.com/xfeUhG2p
Output from nslookup commands: https://pastebin.com/X6iyYByj
Contents of '/etc/network/interfaces': https://pastebin.com/Z5UtC3rs

Output from 'ifconfig': https://pastebin.com/vGABwGt7

On 23 February 2018 at 18:26, Greg Wooledge  wrote:

> What domain name did you choose for your local area network?
>

Domain name: nhs2.uk


> What software are you using on the DNS server?  How is it configured?
>

Software: Bind for DNS - Configured as per the instructions here:
https://help.ubuntu.com/lts/serverguide/dns-configuration.html


> Did you use a combined nameserver + recursive resolver on a single
> host, or did you separate the functionality?
>

I am not sure, I think I have only configured a nameserver, I basically
just followed the instructions in the ubuntu dns configuration guide.


> Plus, all the other excellent questions others have already given.
> In short, you must give details.  All of the details.


Thank you,



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-23 Thread Greg Wooledge
On Fri, Feb 23, 2018 at 05:57:21PM +0000, Aero Maxx wrote:
> Basically I have local clients that are a mixture of windows and linux,
> these clients need to be able to access the internet for updates and so on,
> but to also access services that are on the local network by a hostname
> that has been setup correctly I believe on the local DNS server.

What domain name did you choose for your local area network?

What software are you using on the DNS server?  How is it configured?

Did you use a combined nameserver + recursive resolver on a single
host, or did you separate the functionality?

Plus, all the other excellent questions others have already given.
In short, you must give details.  All of the details.



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-23 Thread Roberto C. Sánchez
On Fri, Feb 23, 2018 at 05:57:21PM +0000, Aero Maxx wrote:
>I was wondering if someone would be as so kind to point me in the right
>direction for what I am trying to achieve.

[snip vague problem description]

What is the output of 'ip addr ls' and 'ip route ls' on one of the Linux
clients? What are the contents of /etc/resolv.conf and /etc/hosts on one
of the Linux clients? What are the contents of /etc/bind/named.conf*
(that is, all the configuration files with names starting with
/etc/bind/named.conf)? What is the actual output where you see errors?
For example, if nslookup fails, please provide the complete command-line
and the complete error output. Same for apt-get or any other thing that
is failing.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Setting up a local DNS server but clients that use it can't access the internet

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 05:57:21PM +0000, Aero Maxx wrote:
> If someone is able to point in the right direction I would be ever so
> grateful!

Please invoke this on one of the problematic client hosts:

dig in a debian.org +trace +recurse

dig in a google.com +trace +recurse

Reco



Setting up a local DNS server but clients that use it can't access the internet

2018-02-23 Thread Aero Maxx
I was wondering if someone would be as so kind to point me in the right
direction for what I am trying to achieve.

Basically I have local clients that are a mixture of windows and linux,
these clients need to be able to access the internet for updates and so on,
but to also access services that are on the local network by a hostname
that has been setup correctly I believe on the local DNS server.

The clients are able to use the dns server when specified as a nameserver
on linux in the resolv.conf file and as a dns server on windows. I have
only tested this with the linux clients at present, but when they are using
the local dns server as the sole name server the linux clients can do an
nslookup on domains such as google for example, and get google's ip
address.  So it would seem that internet access works, but when trying
to do updates from apt-get this fails as ***.debian.org fails to resolve to
an ip address, and nslookup debian.org doesn't work, no ip address is
returned.

The local domain and subdomains that are setup on the local dns server do
work, the clients are able to access the correct services, in order for the
linux clients to do updates the isp name servers have to be put back in
resolv.conf then updates work, and then the file has to be changed back to
the local dns server once again.

I have followed the ubuntu guide at the link below, and yes I realise I am
not using ubuntu and using debian instead, but as these are both debian
like and/or based distros I didn't think it would be an issue.

https://help.ubuntu.com/lts/serverguide/dns-configuration.html

I am not sure if this is relevant, but each server and client has two
network cards the first network card is for internet access only and DHCP
addresses are provided to that card, the other network card is access to a
vlan that the servers and other clients are on, no internet access is
possible through the second network card.  This setup isn't something that
can be changed and so the solution would need to work with this setup.

If someone is able to point in the right direction I would be ever so
grateful!

Thank you.
