Name resolution fails if not forwarding

Mike Hoskins (michoski) michoski at cisco.com
Wed Jan 9 16:20:50 UTC 2013


-----Original Message-----

From: Daniele <d.imbrogino at gmail.com>
Date: Wednesday, January 9, 2013 9:17 AM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: Name resolution fails if not forwarding

>This is the scenario.
>
>I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04,
>virtualized on VirtualBox.
>The network works properly because if I indicate a different server from
>my own BIND9 (the first line of '/etc/resolv.conf' is, for example,
>`nameserver 8.8.8.8`) the lookups and any action on the Internet
>succeed.

What are you using for a firewall?  iptables within UBUNTU, your internet
gateway, both, something else?

With iptables, it's stateful so outbound queries should allow what's
needed inbound...if it's related, you should be able to check stats and
look for drops.  It's not perfect, but on a typical small network you
should be able to use -Z (zero counters), run some queries, then use -nvL
to see what if any rules are incremented.

IPTables 'port' matches don't match UDP fragments after the first one, so
you either need to use stateful matching (-m state --state
related,established) or specifically accept trailing fragments (the
iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).

For something like a home router, it's harder...but there are sometimes
firewall-related statistics exposed through the web interfaces (varies
from vendor to vendor).  It might also be some form of masquerading
getting in the way (e.g. DNS queries get rewritten as your defgw which
confuses iptables).  Just reaching for ideas.

Regardless, spending more time with your firewall might be
worthwhile...try a few queries with it disabled just to get an idea if
that's where to look.

>BIND9 configuration is the default one.
>I deleted all local zones that I added (even if internal lookups worked
>correctly). Now there are only default zones (root, localhost,
>127.in-addr.arpa, 0.in-addr.arpa, 255.in-addr.arpa).
>Options are the default ones
>options {
>    directory "/var/cache/bind";
>    dnssec-validation auto;
>    auth-nxdomain no;
>    listen-on-v6 { any; };
>};

Is /var/cache/bind writable by the user BIND runs as (named/bind vs root)?

>In this situation, if I dig anything the lookup fails, and the log is
>full of "lame server" and "FORMERR".

Unfortunately lame server is a can of worms (search the archives), but
FORMERR in my experience often indicates firewall problems on one end or
the other (malformed responses).

>Why?
>Perhaps the problem is due to the presence of the "dnssec-validation" line?

It shouldn't be that alone.  However, you could test...does it work fine
if you set:

        dnssec-enable no;
        dnssec-validation no;


Good luck!
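A small helper for the "-Z, run some queries, then -nvL" check suggested above, added here as an example; it is not part of the original thread or of BIND. It reads `iptables -nvL` output (the `-x` flag is assumed so counters are exact rather than abbreviated with K/M suffixes) and reports every chain policy or DROP/REJECT rule whose packet counter moved, then checks whether the INPUT chain has any ACCEPT rule that trailing UDP fragments could match (a stateful RELATED,ESTABLISHED rule, or an explicit `-f` rule, which `-nvL` shows in the opt column). The two rulesets embedded below are constructed sample output so the script runs without root or iptables; on a real box you would pipe `iptables -nvxL` into the same functions after `iptables -Z` and a few `dig @127.0.0.1 ... +dnssec` queries.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Workflow on a real resolver (needs root):
#   iptables -Z
#   dig @127.0.0.1 isc.org +dnssec >/dev/null
#   iptables -nvxL | report_drops
# The samples below are constructed output standing in for that last command.

# Constructed: a ruleset that accepts port-53 traffic by port only. The five
# dropped packets averaging ~1.4 kB each are what trailing fragments of large
# (DNSSEC-sized) UDP answers look like: they carry no UDP header, so "spt:53"
# never matches them and they fall through to the DROP policy.
SAMPLE='Chain INPUT (policy DROP 5 packets, 6920 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     4183 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      18     2416 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
       9     1305 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       0        0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable
       2      120 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# Constructed: the same chain with a stateful rule in front, which does match
# the trailing fragments because conntrack tracks the reassembled datagram.
FIXED='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     4183 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      23     9336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       9     1305 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# Print one line per chain policy or DROP/REJECT rule with a nonzero packet
# counter. Input: "iptables -nvxL" text on stdin.
report_drops() {
  awk '
    $1 == "Chain" {
      chain = $2
      # "Chain INPUT (policy DROP 5 packets, 6920 bytes)"
      if ($3 == "(policy" && $5 + 0 > 0)
        printf "policy %s %s pkts=%s bytes=%s\n", chain, $4, $5, $7
      next
    }
    $1 == "pkts" || NF == 0 { next }   # column header / blank separator
    # rule line: pkts bytes target prot opt in out source destination [match...]
    ($3 == "DROP" || $3 == "REJECT") && $1 + 0 > 0 {
      match_txt = ""
      for (i = 10; i <= NF; i++) match_txt = match_txt (i > 10 ? " " : "") $i
      printf "rule %s %s %s pkts=%s bytes=%s match=[%s]\n", chain, $3, $4, $1, $2, match_txt
    }
  '
}

# Exit 0 if the INPUT chain has an ACCEPT rule that non-first UDP fragments
# can match: a RELATED,ESTABLISHED state/ctstate rule, or an explicit "-f"
# fragment rule (iptables prints "-f" in the opt column for those).
covers_fragments() {
  awk '
    $1 == "Chain" { chain = $2; next }
    chain == "INPUT" && $3 == "ACCEPT" && ($5 == "-f" || $0 ~ /RELATED,ESTABLISHED/) { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE" | report_drops
if printf '%s\n' "$SAMPLE" | covers_fragments; then
  echo "fragments covered"
else
  echo "no rule matches trailing fragments: add -m state --state RELATED,ESTABLISHED or -f"
fi
```

If the policy line shows a handful of drops with a large byte count per packet while `dig +dnssec` answers time out or come back truncated, the firewall rather than `named` is the first thing to fix; a zero counter everywhere while resolution still fails points back at the resolver or the upstream path.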