Bind9 named Got recursion not available from 192.168.1.100, trying next server

Hello,
I use a Raspberry PI as bind and dhcp server.

A strange thing happens to me …

On the clients, resolv.conf looks like this:

# Generated by NetworkManager
search flab
nameserver 192.168.1.100
nameserver 8.8.8.8

the network has a machine called ipazia, IP 192.168.1.3

Command: nslookup ipazia

;; Got recursion not available from 192.168.1.100, trying next server
;; Got recursion not available from 192.168.1.100, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can’t find ipazia: NXDOMAIN

Command: nslookup ipazia 192.168.1.100

Server: 192.168.1.100
Address: 192.168.1.100#53

Name: ipazia.flab
Address: 192.168.1.3

That is, it works if I specify the server to query. The query also works if resolv.conf is changed as follows:

# Generated by NetworkManager
search flab
nameserver 192.168.1.100
# deleted nameserver 8.8.8.8

but in this case servers outside the subnet are not recognized. I made various tests … without finding a solution.

My named.conf.options follows:

acl goodclients {
    192.168.1.0/24;
    localhost;
    localnets;
};

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        // 0.0.0.0;
        //};

        // forwarders {
        // 8.8.8.8;
        // 8.8.4.4;
        //};

        forwarders {
                8.8.4.4;
        };

        // forward only;


        // =======================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        // =======================================================================


        dnssec-validation auto;

        // dnssec-enable yes;
        // dnssec-validation yes;


        listen-on-v6 {any; };

        //MARCO
        recursion yes;
        allow-query {goodclients; };
        allow-recursion {goodclients; };
        allow-transfer {goodclients; };

        allow-query {any; };
        allow-recursion {any; };
        allow-transfer {any; };
        allow-query-cache {any; };
        notify yes;

        allow-recursion {127.0.0.1; 192.168.1.0/24; };

        #querylog yes;

        auth-nxdomain no;

        listen-on {any; }
};

Dig gives me the following answers:

Command: dig ipazia

; <<>> DiG 9.16.6 <<>> ipazia
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 13439
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6f54b031555c3e42010000005f9aaeae29abdb401bc977b8 (good)
;; QUESTION SECTION:
;ipazia.                        IN      A

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Oct 29 12:59:42 CET 2020
;; MSG SIZE rcvd: 63

Command: dig @192.168.1.100 ipazia

; <<>> DiG 9.16.6 <<>> @192.168.1.100 ipazia
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55099
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6d3ed396d7e62a5f010000005f9aaed458609fe61b6fc588 (good)
;; QUESTION SECTION:
;ipazia.                        IN      A

;; Query time: 0 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Oct 29 13:00:20 CET 2020
;; MSG SIZE rcvd: 63

Tips?

Thank you
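A note on what the output above shows, and a small added example to go with it (this is not code from the original post or from BIND). The REFUSED answers with "recursion requested but not available" are the server's verdict on its address-match lists: for a name it is not authoritative for, the client must match allow-recursion, and BIND walks that list in order, the first matching element deciding, a negated (`!`) element denying, and no match at all denying. nslookup appended the `search flab` suffix, so the direct query was for `ipazia.flab`, which the server answers from its own zone without recursion; dig sends `ipazia.` exactly as typed and therefore needs recursion. Before reasoning about the lists, run `named-checkconf` on the real file: it rejects a statement such as allow-query or allow-recursion that appears more than once in the same options block, and a `}` not followed by `;`. The Python below parses `acl` definitions and an `allow-recursion` statement from a constructed snippet modelled on the options posted, tells you which element decides for a given client address, and flags the `any` configuration, which would make the Raspberry Pi an open resolver for the whole Internet. The `localnets` expansion is an assumed value (BIND derives it from the server's interfaces), and negated references to named ACLs are deliberately not handled.

```python
import ipaddress
import re

# Constructed snippet modelled on the options posted above; not the poster's actual file.
SAMPLE_CONF = """
acl goodclients {
    192.168.1.0/24;
    localhost;
    localnets;
};

options {
    recursion yes;
    allow-query { goodclients; };
    allow-recursion { goodclients; };
};
"""

# BIND derives "localnets" from the server's own interfaces; this is an assumed value
# for a Raspberry Pi sitting on 192.168.1.0/24.
LOCALNETS = ["192.168.1.0/24", "127.0.0.0/8", "::1/128"]

BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": LOCALNETS,
}

# Matches "acl NAME { ... };" and the two statements this example cares about.
_BLOCK = re.compile(r"(acl\s+(\S+)|allow-recursion|allow-query)\s*\{([^}]*)\}\s*;", re.S)


def parse_conf(text):
    """Return (acls, statements): acl name -> elements, statement name -> elements."""
    acls, statements = {}, {}
    for m in _BLOCK.finditer(text):
        elements = [e.strip() for e in m.group(3).split(";") if e.strip()]
        if m.group(2):
            acls[m.group(2)] = elements
        else:
            statements[m.group(1)] = elements
    return acls, statements


def expand(elements, acls, _seen=frozenset()):
    """Flatten named ACLs into an ordered list of (negated, network) pairs."""
    out = []
    for element in elements:
        negated = element.startswith("!")
        name = element[1:].strip() if negated else element
        if name in acls:
            if negated:
                raise ValueError("negated ACL references are not handled in this example")
            if name in _seen:
                raise ValueError(f"acl {name} references itself")
            out.extend(expand(acls[name], acls, _seen | {name}))
        elif name in BUILTIN_ACLS:
            out.extend((negated, ipaddress.ip_network(n)) for n in BUILTIN_ACLS[name])
        else:
            out.append((negated, ipaddress.ip_network(name, strict=False)))
    return out


def match(client, match_list):
    """BIND address-match-list semantics: the first matching element decides,
    a negated element denies, and no match at all also denies."""
    addr = ipaddress.ip_address(client)
    for negated, net in match_list:
        if addr.version == net.version and addr in net:
            return (not negated), ("!" if negated else "") + str(net)
    return False, None


def recursion_allowed(conf_text, client):
    """Would this client get recursion? Returns (allowed, element that decided)."""
    acls, statements = parse_conf(conf_text)
    # Simplification: when allow-recursion is absent BIND also consults
    # allow-query-cache and allow-query; only the final built-in default is modelled.
    elements = statements.get("allow-recursion", ["localnets", "localhost"])
    return match(client, expand(elements, acls))


def is_open_resolver(conf_text):
    """True if an arbitrary Internet address (a TEST-NET-3 probe) would get recursion."""
    allowed, _ = recursion_allowed(conf_text, "203.0.113.7")
    return allowed


if __name__ == "__main__":
    for client in ("192.168.1.50", "10.0.0.5"):
        print(client, recursion_allowed(SAMPLE_CONF, client))
    print("open resolver:", is_open_resolver(SAMPLE_CONF))
```

With the constructed snippet, a client on 192.168.1.0/24 is allowed by the first element of goodclients and a client on another subnet is refused; the same call with the address the failing client actually used (the address in the server's query log, not the one you assume) is the quickest way to see which list entry is deciding. Keeping allow-recursion restricted to the LAN, rather than `any`, is what stops the Pi from being usable as a reflector by outside parties.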

Use an FQDN on a real domain on an internet-facing DNS.
Create a LAN zone where your local bind is authoritative, e.g.:

domain.tld hosted somewhere with a dns management system

  • create lan zone lan.domain.tld and set NS for the zone to your local Raspberry Pi
  • create local zone file for lan.domain.tld
  • create reverse zone file for lan.domain.tld
  • map your devices server.lan.domain.tld - client.lan.domain.tld

This is the only way you can ensure you never get NXDOMAIN.
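The four steps above as one worked example, added here and not part of the reply or of any project: a small Python generator that, from a constructed host map for a hypothetical lan.domain.tld on 192.168.1.0/24, emits the forward zone file, the matching reverse zone (1.168.192.in-addr.arpa), and the two `zone` stanzas for named.conf.local. The zone name, the nameserver name ns1 and the addresses are assumptions; the NS delegation in the parent domain.tld (step 1) is done in the hosting provider's DNS management system and is not shown. Zone transfers are switched off in the stanzas because nothing on this network needs to pull the zones.

```python
import ipaddress
from datetime import date

ZONE = "lan.domain.tld"            # assumed LAN zone name
NS_HOST = "ns1"                    # assumed name of the Raspberry Pi inside the zone
NET = ipaddress.ip_network("192.168.1.0/24")
HOSTS = {                          # constructed host map (assumption)
    "ns1": "192.168.1.100",
    "server": "192.168.1.3",
    "client": "192.168.1.50",
}


def serial_today(n=1):
    """Conventional YYYYMMDDnn serial; bump n for each further change on the same day."""
    return int(date.today().strftime("%Y%m%d")) * 100 + n


def soa_and_ns(origin, serial):
    """Header records shared by the forward and reverse zone files."""
    ns_fqdn = f"{NS_HOST}.{ZONE}."
    return [
        f"$ORIGIN {origin}.",
        "$TTL 3600",
        # refresh, retry, expire, negative-cache TTL
        f"@ IN SOA {ns_fqdn} hostmaster.{ZONE}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {ns_fqdn}",
    ]


def hosts_by_address():
    return sorted(HOSTS.items(), key=lambda kv: ipaddress.ip_address(kv[1]))


def forward_zone(serial):
    lines = soa_and_ns(ZONE, serial)
    for name, ip in hosts_by_address():
        lines.append(f"{name} IN A {ip}")
    return "\n".join(lines) + "\n"


def reverse_origin(net):
    """192.168.1.0/24 -> 1.168.192.in-addr.arpa (IPv4 /8, /16 and /24 only)."""
    net = ipaddress.ip_network(net)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("this example supports IPv4 /8, /16 or /24 reverse zones")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(serial):
    lines = soa_and_ns(reverse_origin(NET), serial)
    for name, ip in hosts_by_address():
        addr = ipaddress.ip_address(ip)
        if addr not in NET:
            raise ValueError(f"{name}: {ip} is outside {NET}")
        # Owner name relative to the reverse origin: the host octets, reversed.
        host_octets = str(addr).split(".")[NET.prefixlen // 8:]
        lines.append(f"{'.'.join(reversed(host_octets))} IN PTR {name}.{ZONE}.")
    return "\n".join(lines) + "\n"


def zone_stanza(name):
    """One zone block for named.conf.local; file path is an assumed convention."""
    return "\n".join([
        f'zone "{name}" {{',
        "    type master;",
        f'    file "/etc/bind/db.{name}";',
        "    allow-transfer { none; };   // nothing on this LAN needs to pull the zone",
        "};",
    ]) + "\n"


def named_conf_local():
    return zone_stanza(ZONE) + "\n" + zone_stanza(reverse_origin(NET))


if __name__ == "__main__":
    serial = serial_today()
    print(forward_zone(serial))
    print(reverse_zone(serial))
    print(named_conf_local())
```

After writing the generated text to the two db files and appending the stanzas to named.conf.local, `named-checkzone lan.domain.tld /etc/bind/db.lan.domain.tld` (and the same for the reverse zone) validates the files before `named` reloads them; a client that resolves `server.lan.domain.tld` then gets an authoritative answer from the Pi, and names outside the zone are still forwarded as before.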

Can you suggest a guide?

I don’t have one - just the knowledge accumulated over the years - and a lot of trial and error.

A search is your friend :wink:

DISCLAIMER

This is reference material only. The underlying principles of networking are the same. Network knowledge and understanding of DNS, nameservers and zones are mandatory.

Not a guide

Difficulty: ★★★★★
I have edited my notes for publication at root.nix.dk. They are not based on Manjaro - but on Raspbian - and therefore not a guide to bind and dhcp server on Manjaro.
