Need Help With Setting up a Recursive Nameserver

Fri Apr 30 15:03:52 UTC 2021

On 2021-04-30 07:20, Sainik Biswas via bind-users wrote:
>    I need some help setting up a recursive nameserver for my internal
> network using BIND 9. The recursive name server is not resolving any
> domains.
> 
> I am running the BIND 9 package from the ppa:isc/bind repo.
> BIND Version Number: 9.16.15
> OS: Ubuntu 18.04 LTS
> 
> This is the named.conf.options config file for my caching name server
> 
> acl internalnetwork { 192.168.1.0/24 [1]; 192.168.58.0/24 [2]; };

I hope that [1] and [2] are not actually there.  Please turn off HTML
when posting to lists.  Thank you.

Also note that your acl does not include the host itself, loopback 
address
127.0.0.1.  See the "localhost" and "localnets" built-in acls.

> options {
>     directory        "/var/cache/bind";
>     dnssec-validation    no;
>     listen-on        { 127.0.0.1; 192.168.58.8; };

Do you need to change this from the default, "any;"?

>     listen-on-v6        { none; };
>     recursion               yes;
>     allow-recursion         { internalnetwork; };

In fact "localhost; localnets;" is the default for allow-recursion.

>     allow-query        { internalnetwork; };
>     allow-transfer        { none; };
> };

[snip]
> Error Log [lame-servers.log]
> 
> 2021-04-30T11:53:25.385Z info: FORMERR resolving './NS/IN':
> 202.12.27.33#53

[snip]
> Error Log [resolver.log]
> 
> 2021-04-30T11:58:17.784Z notice: DNS format error from 198.41.0.4#53
> resolving ./NS for <unknown>: non-improving referral

[snip]
> My ISP most probably uses some kind of transparent DNS proxy. I have

Probably so.  This is what you get when an ISP hijacks all outbound
53/udp packets and redirects them to their own recursive resolver[s].

> come to that conclusion based on running the test at dnsleaktest.com
> [3]. It does not matter which DNS I set in my laptop or desktop, the
> DNS IP always shows up as the ISP's DNS [203.171.240.10,
> 203.171.240.11]. The only way I could bypass this was by using
> DNSCrypt Proxy. Is it possible that my ISP is preventing the root
> nameservers from resolving correctly which is preventing my caching
> nameserver from working correctly?

Yes; named as recursive resolver requires authoritative responses to
the iterative queries it makes to resolve the root, and then to top-
level domains, and so on.  "Lame server" means you're trying to contact
authoritative NS hosts and receiving non-authoritative replies.

You can prove this to yourself with directed dig commands.  I will give
my domain as an example:

dig nodns4.us. ns @208.94.237.158

You should see "aa" among the flags and a warning, "recursion requested
but not available".  But you won't.  Your query was hijacked.

> Or maybe I have incorrectly configured something?
> 
> Can anyone help me figure out what exactly is the problem?

You are correct.  Complain to the ISP.  Good luck.