Edit: This was a generally awful question, as in not well documented. It wasn't generally awful in that I truly didn't know what was going wrong, and had been searching and researching. I finally turned to ServerFault with a "BBBBLLLLaaarrggghhh" type question. The title still stands, but the body should have been:
My DNS server appears to be resolving my queries with different answers depending on what network I'm attached to. Examples are:
# DiG command
resulting output from first zone
# DiG command
resulting output from second zone
I'll gladly provide more supporting detail. Please explain how I should get the supporting detail, though.
Now back to my awful question:
I've read a lot of other ServerFault BIND9 DNS not forwarding questions and answers. Queries (using DiG) for FQDNs I expect to be forwarded respond as if the public internet has the authoritative answer. Beyond DiG, what tools can I use to trace through my BIND9 configuration? It appears the zone I'm trying to forward is not forwarding.
Specifically, I am at home with a VPN to my work. I want to access my home zone (myhome.com., with DNS server at 10.71.73.10) and also my work zone (mywork.com., with DNS server at 10.10.1.33).
Using DiG to query hostname.mywork.com, DiG reports the AUTHORITY to be the public nameserver. The local resolver seems to ignore the BIND forwarding zone (db.mywork.com).
In /etc/bind/zones/db.mywork.com
// forwards mywork queries to the mywork DNS servers
zone "mywork.com" {
type forward;
forwarders { 10.10.1.33; };
};
bind.conf: include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/etc/bind/rndc.key"; include "/etc/bind/named.conf.logging";
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
named.conf.options
acl goodclients {
10.71.73.0/24;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
forwarders {
8.8.8.8; # Google DNS #1
8.8.4.4; # Google DNS #2
};
recursion yes;
allow-query { goodclients; };
dnssec-enable no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on port 53 { localhost; };
};
and named.conf.local
# Forward zone
zone "myhome.com." {
type master;
file "/etc/bind/zones/db.myhome.com";
};
# Reverse zone
zone "73.71.10.in-addr.arpa" IN {
type master;
notify no;
file "/etc/bind/zones/db.10";
};
Edit: I now have a lot more experience with domain name servers and resolvers. The root of this problem is having multiple authoritative name servers for a zone. This means two different name servers claim to be the authoritative source to resolve a DNS query for a particular zone (like 'example.com'). A nameserver claims authority via a SOA (start of authority) record, saying "Come to me for any lookups in the example.com zone."
I had used a public domain name (in this explanation, 'example.com') to refer to publicly available URLs (like www.example.com = 183.34.22.82, which gets redirected and translated to some private address like 192.168.1.2) AND for private URLs (private-server-1.example.com = 192.168.1.1). I had directed two different name servers to have authority over the same domain. The first would be a public DNS (in my case, Cloudflare). The second is my private DNS - the BIND server running on an internal, private URL (private-dns-server-1.example.com). This server would not be accessible to a computer outside my local network (the ubiquitous 192.168.x.x addresses).
This dual SOA works, but kind of. When you're at some public computer, you easily get to www.example.com because your public computer must use the public DNS as the authoritative answer to "What is the IP address of www.example.com?" The public computer can't reach the other authority (private-dns-server-1.example.com). The public computer has no knowledge of names or IP addresses within the private network. When you're at work, on the private network (you have an IP address like 192.168.1.32, and some other ranges also work), your computer will likely get the answer to "IP for www.example.com" from the internal private-dns-server-1.example.com. This will send you directly to 192.168.1.1, instead of sending you to the example public address I used above (183.34.22.82) then redirecting and translating to the private 192.168.1.1 address.
Sounds good, until you consider DNS caching. The DNS resolvers (these are 'clients' in DNS terminology) store prior answers for reuse. This speeds up your browsing, and reduces the load on servers overall. Let's re-run the example above.
While connected to the airport public wifi, you browsed to www.example.com. Your DNS resolver asked Cloudflare, and got back 183.34.22.82. The translation and redirection worked, and you saw your web page.
After returning to the office, you connected to the office wifi. You refreshed your browser, but the DNS query still directed you to 183.34.22.82, which may or may not work the same as if you went directly to 192.168.1.1. In many cases, you'll get the same web page. In some cases, you won't get the same behavior. This is the issue. Troubleshooting something that seems to behave one way at one time and another way at a different time is perhaps the most difficult task.
It's best to avoid multiple authoritative nameservers for a single zone. DNS servers like BIND9 have some clever constructs to solve this problem. An alternative is to pick an internal zone that is separate from your external zone. This doesn't mean you have to be 'example.com' to everyone, and 'awful324.int' inside your organization. You can carve out a zone within 'example.com' like 'int.example.com' as your internal addresses. Whatever you do choose, make sure you own it publicly (i.e. you've registered the domain name 'awful324.com') so nobody else registers it and creates a start of authority (SOA) record for that domain name/zone.
What I wrote a few years ago, while still flopping around with Linux and internet protocols generally:
In this case, I used
tail
to monitor the log file at /var/log/syslog by using$ tail -f /var/log/syslog
. My configuration had multiple issues:/etc/bind/named.conf.options
.ntp
on the server to resolve this issue.