For doc purposes, I've had an interesting time debugging why the bind9 forwarding didn't work to a host running dnsmasq/libvirt (DNS server).
After some tcpdump comparisons against a local dig client that worked fine, it turns out that dnssec-validation must be changed from 'auto' to 'yes', and then bind9 forwarding worked OK!

bind forwarder / default (see percent symbol): FAIL / NotImp
---
$ sudo tcpdump -i vnet9 'port 53'
...
22:59:07.461914 IP 192.168.122.11.48475 > rotom.domain: 36180+% [1au] A? ubuntu.com. (51)
22:59:07.462424 IP rotom.domain > 192.168.122.11.48475: 36180 NotImp 0/0/1 (62)
...

local client (no percent symbol): PASS
---
$ sudo tcpdump -i lo 'port 53'
...
22:58:24.444288 IP rotom.47673 > rotom.domain: 30984+ [1au] A? ubuntu.com. (51)
22:58:24.444915 IP rotom.domain > rotom.47673: 30984 4/0/1 A 91.189.88.181, A 91.189.91.44, A 91.189.91.45, A 91.189.88.180 (103)
...

bind forwarder / dnssec-validation yes (NO percent symbol): PASS
---
$ sudo tcpdump -i vnet9 'port 53'
...
23:04:28.551700 IP 192.168.122.11.47530 > rotom.domain: 36699+ [1au] A? ubuntu.com. (51)
23:04:28.648898 IP rotom.domain > 192.168.122.11.47530: 36699 4/0/1 A 91.189.91.45, A 91.189.88.181, A 91.189.88.180, A 91.189.91.44 (126)
...

Reference: https://serverfault.com/questions/399911/tcpdump-dns-output-codes#400044

--
https://bugs.launchpad.net/bugs/1909950
Title: named: TCP connections sometimes never close due to race in socket teardown
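The captures above turn on two header details that tcpdump abbreviates: the `%` after the query id, which tcpdump prints when the CD (checking disabled) bit is set on a query, and the NotImp (RCODE 4) reply. The following Python script is an added example, not code from the bug report, from BIND or from dnsmasq. It builds a minimal A query with or without the CD bit, decodes a DNS header into the same id/flag/rcode summary tcpdump shows (a subset of tcpdump's marks: `+`, `%`, `-` and the rcode name), and includes a `probe()` helper, assumed here, that an administrator can point at a forwarder to see whether CD-flagged queries come back NotImp before touching dnssec-validation. The reply bytes embedded in it are constructed to mirror the first capture (id 36180, NotImp, 0/0/1).

```python
"""
Decode the DNS header fields tcpdump summarises and build a bare A query
with or without the CD bit, to reproduce the forwarder behaviour in the
captures offline.  Hypothetical helper code; not part of BIND or dnsmasq.
"""
import socket
import struct
import sys

RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail",
               3: "NXDomain", 4: "NotImp", 5: "Refused"}

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_CD = 0x0010   # checking disabled (tcpdump prints '%')


def build_query(qname: str, txid: int, cd: bool) -> bytes:
    """Return a UDP A/IN query (no EDNS) with RD set and CD optionally set."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def summarize(packet: bytes) -> dict:
    """Decode a DNS header into the id/flags/rcode view tcpdump prints."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    qr, rd, ra, cd = (bool(flags & f) for f in (FLAG_QR, FLAG_RD, FLAG_RA, FLAG_CD))
    rcode = RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F))
    if not qr:
        # Query: '+' for RD, '%' for CD, exactly as in "36180+%".
        text = f"{txid}{'+' if rd else ''}{'%' if cd else ''}"
    else:
        # Response: '-' when RD was asked but RA is clear, then the rcode
        # name when it is not NoError, as in "36180 NotImp".
        text = f"{txid}{'-' if rd and not ra else ''}{'%' if cd else ''}"
        if rcode != "NoError":
            text += f" {rcode}"
    return {"id": txid, "response": qr, "rd": rd, "ra": ra, "cd": cd,
            "rcode": rcode, "tcpdump": text, "counts": f"{an}/{ns}/{ar}"}


def probe(server: str, qname: str, cd: bool, timeout: float = 2.0) -> dict:
    """Send one query to server:53 over UDP and summarise the reply (network I/O)."""
    query = build_query(qname, 0x1234, cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return summarize(data)


# Constructed sample: a reply header matching the failing capture above
# (id 36180, QR+RD+RA, RCODE 4 = NotImp, counts 0/0/1, no body needed).
SAMPLE_NOTIMP_REPLY = struct.pack("!HHHHHH", 36180,
                                  FLAG_QR | FLAG_RD | FLAG_RA | 4, 1, 0, 0, 1)


if __name__ == "__main__":
    # Offline: show the two query shapes and the constructed failing reply.
    print(summarize(build_query("ubuntu.com.", 36180, cd=True))["tcpdump"])
    print(summarize(SAMPLE_NOTIMP_REPLY)["tcpdump"],
          summarize(SAMPLE_NOTIMP_REPLY)["counts"])
    # Online, if a forwarder address is given: compare CD-set vs CD-clear.
    if len(sys.argv) > 1:
        for flag in (True, False):
            print("CD" if flag else "no CD", probe(sys.argv[1], "ubuntu.com", flag))
```

Run it with no arguments to see the decoding alone; pass a forwarder address (for instance the libvirt dnsmasq host) to send one query with CD set and one without and compare the two rcodes, which is the check the three captures above perform by hand.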