DNS Query from different Subnet

sethologik m.bartkowiak at bitmotion.de
Fri Nov 16 09:42:34 UTC 2018


Nikolai Lusan wrote
> On Thu, 2018-11-15 at 05:49 -0600, sethologik wrote:
>> But this is what i already did...
>> 
>> could it be something with the firewall?
> 
> It _could_ be many things. You need to properly troubleshoot the issue.
> 1) Can a host with failing DNS resolution ping the DNS server?
> 2) Does a tool like nmap show what ports on the DNS server are open to a
>    host with failing DNS resolution?
> 3) Log packets that are being dropped by the firewall and inspect the
> logs.
> 4) If #2 shows TCP port 53 on the DNS server is open to the host with
>    failing DNS resolution check that UDP port 53 is also open (remember
>    that the DNS protocol uses both TCP _and_ UDP).
> 
> It is also worth remembering that unless your internal BIND server is the
> primary resolver for your private zones that it is highly unlikely that you
> will get those hostnames (i.e. website.test.de.webserver01.office.lan.de.
> or webserver01.office.lan.de.) resolved properly as a full resolution will
> start with a root server resolution of de., and then work up the chain to
> lan.de., office.lan.de., etc. If at any point in that resolution path there
> is no NS record for the next link up (until an A/AAAA record) your lookup
> will fail. But if the host that is not getting DNS resolution can't access
> your BIND server at all then the game is over before it began, and you need
> to look at first getting the network connectivity functional.
> 
> Dnsmasq does some "interesting" things combining caching, forwarding,
> localised lookups, and DHCP/RA - the transition from the Dnsmasq way of
> doing things, to the bind way of doing things may not be as straightforward
> as you assumed, properly listing zones as masters (or slaves if you
> have more than one BIND server) is important, as is the proper defining of
> views if you are using them.
> 
> Hopefully a full look into the communication chain from host to server
> will help you find the problematic link.
> 
> 
> -- 
> Nikolai Lusan


So... I guess I have some really interesting information about that
problem...

It does not have anything to do with queries from a different subnet.

I tested a Linux live session with DNS settings to the bind9 system...
It was able to show me the test website without any problems.

I was able to call the page "https://website.test.de.webserver01/" from a
browser and because of domain-search info it connected to
webserver01.office.lan.de.

The MAIN problem is that we are only using Windows VMs to test Internet
Explorer and Edge and so on.

Here the situation is the following:

Windows (7/8 AND 10) have the DNS settings to the bind9 system (so
x.x.99.201).
I have manually configured the search-domain under advanced settings.

When I make an nslookup webserver01 I receive an answer like:

Server: dns.office.lan.de
address: x.x.99.201

name: webserver01.office.lan.de
address: x.x.99.216

EVEN the query nslookup website.test.de.webserver01 gives me the right
answer:

Server: dns.office.lan.de
address: x.x.99.201

name: website.test.de.webserver01.office.lan.de
address: x.x.99.216

BUT I cannot open the website via the browser on WINDOWS Machines.
This also happens in the 99.0/24 net.

On the other hand, when I am using a Linux or Mac system my nslookups
look like this:

nslookup webserver01 (same as windows)

nslookup website.test.de.webserver01

Server: dns.office.lan.de
address: x.x.99.201

** server can't find website.test.de.webserver01: NXDOMAIN

I have to make a FQDN search:

nslookup website.test.de.webserver01.office.lan.de

Server: dns.office.lan.de
address: x.x.99.201

website.test.de.webserver01.office.lan.de	canonical name =
webserver01.office.lan.de.
Name:	webserver01.office.lan.de
Address: x.x.99.216


When I make a "dig" query on webserver01 it sends an answer like this:

;; QUESTION SECTION:
;webserver01.			IN	A

;; AUTHORITY SECTION:
.			10315	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018111600 1800 900 604800 86400



I have to dig with FQDN.

But for me this is strange because those are the systems which can open the
test website in browser...


In my zone I have the A entry
webserver01			IN	A     x.x.99.216


AND the "Wildcard" Entry as CNAME
*.webserver01			IN	CNAME     webserver01


I really hope this helps you guys understand what's going on with my BIND
system.

Thanks so much in advance



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
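The two behaviours in the post (search-suffix qualification of a short name, and a wildcard CNAME answering for any label under webserver01) can be modelled in a few lines. This is an added illustration, not code from the thread or from BIND; the zone dictionary, the helper names and the address are constructed from the records quoted above, and the ndots rule is the usual stub-resolver convention, not a claim about any specific client.

```python
ZONE = {  # constructed from the post's "webserver01 A" and "*.webserver01 CNAME"
    "webserver01.office.lan.de.": ("A", "x.x.99.216"),
    "*.webserver01.office.lan.de.": ("CNAME", "webserver01.office.lan.de."),
}

def candidates(name, search, ndots=1):
    """Query names a stub resolver tries, in order, for a user-typed name.
    A trailing dot means absolute; otherwise a name with at least `ndots`
    dots is tried as-is first, then with each search suffix appended, and a
    name with fewer dots gets the suffixes first (the usual ndots rule)."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]

def lookup(qname, max_chain=8):
    """Answer for an absolute qname from ZONE, with wildcard and CNAME handling."""
    for _ in range(max_chain):  # bound CNAME chasing
        if qname in ZONE:
            rtype, rdata = ZONE[qname]
        else:
            # RFC 4592 (simplified): the nearest '*' owner covers any name with
            # one or more labels in place of '*' when no exact owner exists.
            labels = qname.split(".")
            rtype = rdata = None
            for i in range(1, len(labels) - 1):
                star = "*." + ".".join(labels[i:])
                if star in ZONE:
                    rtype, rdata = ZONE[star]
                    break
            if rtype is None:
                return None
        if rtype != "CNAME":
            return qname, rtype, rdata
        qname = rdata  # follow the CNAME to its target
    return None

def resolve(name, search=("office.lan.de",)):
    """First candidate that yields an answer, paired with that answer."""
    for cand in candidates(name, search):
        answer = lookup(cand)
        if answer is not None:
            return cand, answer
    return None
```

With an empty search list the candidate list collapses to the bare absolute name, which is what the poster's dig output shows (a root SOA and no answer); with the office.lan.de suffix, website.test.de.webserver01 only resolves because the wildcard CNAME covers every name under webserver01, so any label string in front of it will answer.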

