My Introduction and current issues -
bind9 at clearviz.biz
Sat May 10 12:10:30 UTC 2025
On 2025-05-10 04:26, Ondřej Surý wrote:
> I think there are too many moving parts.
>
> Personally, I would suggest to remove systemd-resolved as a first step
> and configure the system to use the configured resolver directly.
>
> Systemd-resolved was disabled a while ago. One of the first things I
> did.
>
> However, it is also unclear to me whether the desktop station in
> question is Linux, Windows and if it is Linux what distribution does it
> use.
>
> I have both. Mostly, I'm using a Windows 7 desktop (the one I'm on
> right now) to do testing. I also have two Windows 10 laptops. There is
> also one Ubuntu client (22.04, same as the server).
>
> As I said - too many moving parts and it's not even clear where to
> start the debugging.
>
> I appreciate your help, nonetheless. I will try to stabilize things to
> make the parts "less moving." I will focus upon eliminating any
> remnants of Systemd-resolved first and then take it from there.
>
> Ondrej
>
> -- Ondřej Surý -- ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
>> On 10. 5. 2025, at 9:03, Greg Choules via bind-users
>> <bind-users at lists.isc.org> wrote:
>
> @Danilo you are correct, the contents of /etc/resolv.conf are not set
> by BIND and BIND itself does not use them. But all applications running
> on that machine (including dig, unless you specify @<address>) that
> want some kind of name resolution will make OS system calls and then
> the OS *will* use what's in resolv.conf to determine where to send DNS
> queries on behalf of the application.
>
> In the very first mail, bind9 said that the BIND config contains this:
>
> listen-on port 53 { 123.123.123.10; 127.0.0.1; };
>
> At startup, the named process will tell the OS to send it packets that
> have those destination addresses AND destination port 53. All fine so
> far.
>
> However, bind9 also said this:
>
> The resolv.conf file contains:
>
> nameserver 127.0.0.53
>
> Confining things to the Ubuntu box for now, this tells the OS to make
> DNS queries to 127.0.0.53 - the 53 is *not* the port number, it is the
> 4th octet of the IPv4 address.
> So the OS sends queries to 127.0.0.53 and named is listening on
> 127.0.0.1. I think you can see that this isn't going to work.
> I don't know why resolv.conf contains that nameserver address (and it
> is an address, not a name - read the man page for resolv.conf), but the
> easiest solution would be to add that address to the set that named is
> listening on. i.e.
>
> listen-on port 53 { 123.123.123.10; 127.0.0.1; 127.0.0.53;};
>
> You will need to stop/edit/start named for this change to take
> effect. This should fix your issues with apt and other applications
> running on the Ubuntu server.
> I agree that you should not be using 123.123.123.0/24 [1]. Please read
> RFC1918 for guidance on private addressing.
>
> tcpdump has a lot of options. For capturing DNS traffic to disk I would
> suggest this as a first pass:
>
> sudo tcpdump -c 1000 -n -i any -w <filename> port 53
>
> This captures all port 53 traffic on any interface (including the
> loopback), stops after 1000 packets (if you don't stop it yourself with
> ctrl-C), writes binary capture data to the file <filename> (you choose
> whatever name you like) and tells tcpdump to *not* attempt to resolve
> addresses to names. This may be irrelevant since it is capturing to
> disk but doesn't hurt.
>
> Over to the Windows machine now. You will not have dig by default. BIND
> for Windows (including utilities like dig) hasn't existed for several
> years. It is still available to download but I *don't* recommend you
> install it.
> Windows nslookup is actually not bad for making test queries,
> especially if used in interactive mode. Again, read the help to see
> what options it has.
> Wireshark can be downloaded and installed for free and I recommend that
> you do that on the Windows machine, so that when you have captured
> traffic on the Ubuntu server, once you have copied the capture file to
> Windows you can open it in Wireshark there. Wireshark can also capture
> packets, like tcpdump, so you can use it to see exactly what your
> Windows machine is doing with DNS.
>
> Hopefully this lot gives you some things to try and also to read, to
> understand the behaviour you are seeing.
> Cheers, Greg
>
> On Sat, 10 May 2025 at 06:01, Danilo Godec via bind-users
> <bind-users at lists.isc.org> wrote:
>
> On 10.05.2025 05:29, bind9 at clearviz.biz wrote:
>
>> Also check /etc/resolv.conf and see what address(es) is/are listed as
>> nameservers.
>
> The resolv.conf file contains:
>
> nameserver 127.0.0.53
>
> search mydomain.net [2] (where mydomain is my actual domain name and
> not the FQDN of the machine (i.e. "machine01.mydomain.net [3]")).
>
> This was entered by default as BIND was installed. I am wondering if
> the "nameserver" should be the machine name on which the server is
> running and not 127.0.0.53. And I gather the 53 on the end has to do
> with the port on which it's listening. I'm not sure if it's correct
> that the 4th octet is substituted like that.
>
> /etc/resolv.conf is not changed or set by BIND, as far as I know it's
> got nothing to do with BIND at all.
>
> IIRC Ubuntu is using 'systemd-resolved' (a local resolver with cache)
> and 127.0.0.53 is the address it listens on, so you might need to check
> that with 'resolvectl dns'.
>
> Then check what is listening on port 53 (netstat -anp | egrep
> ":53.*LISTEN") on the server.
>
> And also check what DNS servers your DHCP sets.
>
> Danilo
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Links:
------
[1] http://123.123.123.0/24
[2] http://mydomain.net
[3] http://machine01.mydomain.net
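
Added example, not part of the thread: a shell check for the mismatch Greg describes, where resolv.conf sends queries to an address that is missing from named's listen-on list. The function names are hypothetical, the sample files are constructed from the values quoted above, and the parser assumes a single-line listen-on statement holding literal addresses.

```shell
#!/bin/sh
# Added example (not from the thread): list resolv.conf nameservers that
# named's listen-on statement does not cover. Function names are hypothetical.

# Print the address on each "nameserver" line of a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the entries of a "listen-on [port N] { ...; };" statement.
# Assumption: the statement sits on one line of the config file.
listen_on_addrs() {
    sed -n 's/^[[:space:]]*listen-on[[:space:]][^{]*{\([^}]*\)}.*/\1/p' "$1" |
        tr ';' '\n' | awk 'NF { print $1 }'
}

# Print every nameserver in file $1 that is absent from listen-on in file $2.
unserved_nameservers() {
    served=$(listen_on_addrs "$2" | tr '\n' ' ')
    case "$(printf %s "$served" | tr -d ' ')" in
        ""|*[!0-9A-Fa-f.:]*)   # absent, "any", prefixes or ACL names: cannot compare
            echo "no literal listen-on address list in $2" >&2
            return 2 ;;
    esac
    for ns in $(resolv_nameservers "$1"); do
        case " $served" in
            *" $ns "*) ;;       # named is configured to listen on this address
            *) echo "$ns" ;;    # resolver queries go to an address not in the list
        esac
    done
}

# Constructed sample files mirroring the values quoted in the thread.
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 127.0.0.53\nsearch mydomain.net\n' > "$dir/resolv.conf"
    printf 'options {\n  listen-on port 53 { 123.123.123.10; 127.0.0.1; };\n};\n' \
        > "$dir/before.conf"
    printf 'options {\n  listen-on port 53 { 123.123.123.10; 127.0.0.1; 127.0.0.53;};\n};\n' \
        > "$dir/after.conf"
    echo "original listen-on misses: $(unserved_nameservers "$dir/resolv.conf" "$dir/before.conf")"
    echo "extended listen-on misses: $(unserved_nameservers "$dir/resolv.conf" "$dir/after.conf")"
    rm -rf "$dir"
}

demo
```

This compares the two configuration files only; the listener check Danilo gives (netstat on port 53) shows what is actually bound on the running server.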