I cannot for the life of me work out why BIND9 is refusing queries. I have followed so many tutorials and watched so many configuration setup videos, both using Webmin and in the CLI, following them to the letter, but my BIND9 simply will not answer queries.
BIND9 is installed on a debian VM on Proxmox.
- I can ping the server
- I can SSH to the server
- I can access Webmin and configure everything in there
- named-checkzone returns OK
- neither iptables nor ufw are installed - the Proxmox Firewall is disabled at the Datacenter, Host and VM levels
- the server can reach the internet
- nslookup and dig both fail on the DNS server itself using nslookup example.com 127.0.0.1 and dig @127.0.0.1 example.com
admin@vm-server:~$ nslookup example.com localhost
Server: localhost
Address: ::1#53
** server can't find example.com: REFUSED
admin@vm-server:~$ dig @127.0.0.1 example.com
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9301
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f3659938b2dbd14601000000680afc5c25de00e6f55a99e3 (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;example.com. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 25 13:07:08 AEST 2025
;; MSG SIZE rcvd: 74
admin@vm-server:~$
Recursion should be totally irrelevant since this server should be authoritative for this domain and should be able to answer the query authoritatively.
Can anyone, ANYONE, please tell me what I am doing wrong?
/etc/bind/named.conf:
acl ACL_untrusted {
0.0.0.0/0;
};
acl ACL_RFC1918 {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
key rndc-key {
algorithm hmac-sha256;
secret "<MY_SECRET_RNDC_KEY>";
};
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
logging {
};
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on-v6 { any; };
listen-on port 53 {
127.0.0.1;
127.0.1.1;
10.0.0.2;
};
allow-query {
localhost;
ACL_RFC1918;
};
multiple-cnames yes;
};
/etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/var/lib/bind/example.com.hosts";
};
/etc/bind/named.conf.default-zones:
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
/var/lib/bind/example.com.hosts:
$ttl 3600
example.com. IN SOA vm-server. admin.example.com. (
2025042448
3600
600
1209600
3600 )
example.com. IN NS vm-server.example.com.
vm-server.example.com. IN A 10.0.0.2
dns.example.com. IN CNAME vm-server
/etc/bind/rndc.conf:
key "rndc-key" {
algorithm hmac-sha256;
secret "<MY_SECRET_RNDC_KEY>";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
/etc/bind/rndc.key:
key "rndc-key" {
algorithm hmac-sha256;
secret "<MY_SECRET_RNDC_KEY>";
};
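As an added check (example code, not from the original post and not ISC's own code): evaluating the posted allow-query list the way named evaluates address match lists shows that 127.0.0.1, ::1 and 10.0.0.2 are all admitted by it, which narrows the REFUSED to something other than that ACL as written. It assumes the builtin localhost ACL is loopback plus the posted listen-on addresses, first match wins, and a leading "!" negates an element.

```python
"""Evaluate a BIND9 address match list (allow-query) the way named does.

Added example, not from the original post. Assumptions: the builtin
'localhost' ACL is modelled as loopback plus the listen-on addresses from
the post; elements are tried in order and the first match decides; '!'
negates an element; a nested ACL that matches only negatively is treated
as no match for the outer element."""
from typing import Optional
import ipaddress

# ACLs exactly as defined in the posted named.conf / named.conf.options.
ACLS = {
    "ACL_untrusted": ["0.0.0.0/0"],
    "ACL_RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    # Assumption: 'localhost' = every address on the host; here loopback
    # plus the posted listen-on addresses.
    "localhost": ["127.0.0.1", "::1", "127.0.1.1", "10.0.0.2"],
}
ALLOW_QUERY = ["localhost", "ACL_RFC1918"]  # from named.conf.options


def _element_matches(element: str, addr) -> Optional[bool]:
    """True/False if this element decides the outcome, None if it does not match."""
    negate = element.startswith("!")
    element = element.lstrip("!").strip()
    if element in ACLS:                      # named (nested) ACL: recurse
        matched = acl_matches(ACLS[element], str(addr)) is True
    else:                                    # literal address or prefix
        net = ipaddress.ip_network(element, strict=False)
        matched = addr.version == net.version and addr in net
    return None if not matched else (not negate)


def acl_matches(match_list, client: str) -> Optional[bool]:
    """First matching element wins: True = allowed, False = negated match,
    None = nothing matched (named treats None as a denial)."""
    addr = ipaddress.ip_address(client)
    for element in match_list:
        verdict = _element_matches(element, addr)
        if verdict is not None:
            return verdict
    return None


def query_allowed(client: str) -> bool:
    """Would the posted allow-query admit a query from this source address?"""
    return acl_matches(ALLOW_QUERY, client) is True


if __name__ == "__main__":
    for src in ("127.0.0.1", "::1", "10.0.0.2", "8.8.8.8"):
        print(f"{src:>10} -> {'allowed' if query_allowed(src) else 'refused'}")
```

If every posted source is admitted here but the live server still answers REFUSED, compare what the running named actually loaded (named-checkconf -p, rndc status) against these files rather than editing the ACL further.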
rndc trace 1) and then look at the file /var/cache/bind/named.run (the file will be in the directory specified by named.conf*'s directory setting)
multiple-cnames yes? If in doubt remove it as it was a compatibility hack that goes against the protocol standards