DNS Query from different Subnet

Nikolai Lusan nikolai.lusan at gmail.com
Thu Nov 15 14:20:02 UTC 2018


On Thu, 2018-11-15 at 05:49 -0600, sethologik wrote:
> But this is what I already did...
> 
> Could it be something with the firewall?

It _could_ be many things. You need to properly troubleshoot the issue.
1) Can a host with failing DNS resolution ping the DNS server?
2) Does a tool like nmap show what ports on the DNS server are open to a
   host with failing DNS resolution?
3) Log packets that are being dropped by the firewall and inspect the logs.
4) If #2 shows TCP port 53 on the DNS server is open to the host with
   failing DNS resolution, check that UDP port 53 is also open (remember
   that the DNS protocol uses both TCP _and_ UDP).

It is also worth remembering that unless your internal BIND server is the
primary resolver for your private zones, it is highly unlikely that you
will get those hostnames (i.e. website.test.de.webserver01.office.lan.de.
or webserver01.office.lan.de.) resolved properly, as a full resolution will
start with a root server resolution of de., and then work up the chain to
lan.de., office.lan.de., etc. If at any point in that resolution path there
is no NS record for the next link up (until an A/AAAA record) your lookup
will fail. But if the host that is not getting DNS resolution can't access
your BIND server at all then the game is over before it began, and you need
to look at first getting the network connectivity functional.

Dnsmasq does some "interesting" things combining caching, forwarding,
localised lookups, and DHCP/RA. The transition from the Dnsmasq way of
doing things to the BIND way of doing things may not be as straightforward
as you assumed; properly listing zones as masters (or slaves if you have
more than one BIND server) is important, as is properly defining views if
you are using them.

Hopefully a full look at the communication chain from host to server
will help you find the problematic link.


-- 
Nikolai Lusan <nikolai.lusan at gmail.com>
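The four troubleshooting steps above, as an added example that is not part of the original thread: a small Python probe that sends one query over UDP/53 and one over TCP/53 to the resolver and maps the two outcomes onto those steps (a UDP timeout beside a TCP answer is the case step 4 describes). The server address, the name being resolved and the hint strings are assumptions.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):  # minimal query: RD=1, one IN question; returns (id, packet)
    qid = random.randrange(0x10000)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(data, qid):  # RCODE name of a reply to qid, else None
    rid, flags = struct.unpack("!HH", data[:4]) if len(data) >= 12 else (None, 0)
    if rid != qid or not flags & 0x8000:  # id mismatch, or QR bit clear (not a response)
        return None
    return RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))

def probe(server, name, proto, timeout=2.0):  # one query to server:53 over 'udp' or 'tcp'
    qid, pkt = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.connect((server, 53))  # connected UDP: ICMP port-unreachable surfaces as refused
                s.send(pkt)
                data = s.recv(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(pkt)) + pkt)  # DNS over TCP is length-prefixed
                f = s.makefile("rb")
                data = f.read(struct.unpack("!H", f.read(2))[0])
    except socket.timeout:
        return "timeout"  # nothing came back: what a firewall silently dropping packets looks like
    except ConnectionRefusedError:
        return "refused"  # port closed, or a firewall rejecting instead of dropping
    except (OSError, struct.error) as e:
        return "error: %s" % e
    return classify_response(data, qid) or "unrelated reply"

def diagnose(udp, tcp):  # map the two transport results onto the troubleshooting steps above
    udp_ok, tcp_ok = udp in RCODES.values(), tcp in RCODES.values()
    if udp_ok and tcp_ok:
        return "both transports reach BIND: look at zone and view configuration instead"
    if udp == "timeout" and tcp_ok:
        return "UDP/53 dropped while TCP/53 answers: check firewall rules for UDP"
    if not udp_ok and not tcp_ok:
        return "server unreachable on both transports: fix network connectivity first"
    return "mixed result (udp=%s, tcp=%s): inspect the firewall drop logs" % (udp, tcp)
```

From a host in the failing subnet, call `probe("<bind-ip>", "webserver01.office.lan.de", "udp")` and the same with `"tcp"`, then pass both results to `diagnose`; a DNS-level REFUSED still counts as reachable, since it means BIND answered (typically an allow-query or view match problem rather than the network).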