<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 19-02-2025 12:04, Greg Choules
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANsEUy2xXY4KDeqt5b5xUXQ==haqgsCfObTpgscqmXWJpfvCcA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Danjel.
<div>To obtain a packet capture use tcpdump, which is probably
installed already. If not, add it using your preferred package
manager.</div>
<div>You can dump to the screen, but I find it more useful to
dump to a file, which can then be analysed offline in
Wireshark.</div>
<div><br>
</div>
<div>A typical capture command might be:<br>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>sudo tcpdump -nvc 1000 -w <dump_file_name> host
"(</div>
</blockquote>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">192.168.20.10
or 192.168.20.11)" and port 53</blockquote>
</div>
<div><br>
</div>
</div>
</blockquote>
<p>OK, I tried that.</p>
<p>I also studied the output in wireshark.<br>
But since this is my first try, I don't know what to look for, and
cannot find out what's wrong.</p>
<p>I get:<br>
root@mail:~# dig A mail.jungersen.dk @127.0.0.1<br>
<br>
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A
mail.jungersen.dk @127.0.0.1<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:
47697<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL:
1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
; COOKIE: 41461c3ea02342e40100000067dfdba11eea65ad9061831f (good)<br>
;; QUESTION SECTION:<br>
;mail.jungersen.dk. IN A<br>
<br>
;; Query time: 4 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)<br>
;; WHEN: Sun Mar 23 11:00:01 CET 2025<br>
;; MSG SIZE rcvd: 74<br>
</p>
<p>The mentioned tcpdump command gave the attached result.</p>
<p>Just to sum it up:<br>
My setup:<br>
I have a mailserver (192.168.20.9), on the same box I have bind as
resolver.</p>
<p>I have 2 bind boxes running as "local authoritative" for the
jungersen.dk zone (192.168.20.10 and 192.168.20.11) <br>
</p>
<p>This was meant to give me the result of 192.168.20.9 when looking
up my local mailserver on my local network, while giving the
212.27.12.12 result when asked from the public.<br>
The public DNS is hosted at one.com</p>
<p>I tried setting up dnssec to satisfy the suggested solution:<br>
</p>
<pre wrap="" class="moz-quote-pre">1) create a working chain of trust that links to your private zone content</pre>
<p>But you may have guessed it, it does not work.</p>
<p>Does the above give enough info to give me more guidance?</p>
<p>TIA<br>
Danjel<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CANsEUy2xXY4KDeqt5b5xUXQ==haqgsCfObTpgscqmXWJpfvCcA@mail.gmail.com">
<div dir="ltr">
<div>That will capture to disk all DNS traffic to and from your
forwarders, up to a limit of 1000 packets, just as a safety
net. Once that is running, make your tests to the local
machine, stop the capture, upload it here if you wish or just
open it in Wireshark and follow the conversations and
their timeline.</div>
<div>It is almost certainly a DNSSEC problem though, as Mark
says.</div>
<div><br>
</div>
<div>Hope that helps.</div>
<div>Cheers, Greg</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 19 Feb 2025 at 10:22,
Danjel Jungersen via bind-users <<a
href="mailto:bind-users@lists.isc.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On
19-02-2025 11:11, Marco Moock wrote:<br>
> Am Wed, 19 Feb 2025 10:58:14 +0100<br>
> schrieb Danjel Jungersen via bind-users <<a
href="mailto:bind-users@lists.isc.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a>>:<br>
><br>
>> But if I change /etc/resolv.conf to 127.0.0.1
something happens<br>
>> If I do a dig or ping from my postfixbox to something
that the 2 main<br>
>> bind-boxes are authoratative for, it doesn't work.<br>
> Please sniff the DNS traffic between the 2 machines and
check if the<br>
> request goes out to the authoritative server and check
what it replied.<br>
><br>
> You can trigger the request by<br>
><br>
> dig A/AAAA non-working domain @IP.<br>
><br>
> Try +recurse/+norecurse to check if the issue is related
to those flags.<br>
root@mail:~# dig A <a href="http://mail.jungersen.dk"
rel="noreferrer" target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
<br>
; <<>> DiG 9.18.33-1~deb12u2-Debian
<<>> A <a href="http://mail.jungersen.dk"
rel="noreferrer" target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
id: 9792<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
; COOKIE: d55e55f5d6573eaf0100000067b5af13a2e4bdccbb3ce36b
(good)<br>
;; QUESTION SECTION:<br>
;<a href="http://mail.jungersen.dk" rel="noreferrer"
target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>.
IN A<br>
<br>
;; Query time: 4 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)<br>
;; WHEN: Wed Feb 19 11:14:43 CET 2025<br>
;; MSG SIZE rcvd: 74<br>
<br>
<br>
dig +recurse A <a href="http://mail.jungersen.dk"
rel="noreferrer" target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
<br>
; <<>> DiG 9.18.33-1~deb12u2-Debian
<<>> +recurse A <a
href="http://mail.jungersen.dk" rel="noreferrer"
target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>
<br>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
id: 19526<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
; COOKIE: 1579e49c3774139b0100000067b5af24e95ccd20f610d99d
(good)<br>
;; QUESTION SECTION:<br>
;<a href="http://mail.jungersen.dk" rel="noreferrer"
target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>.
IN A<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)<br>
;; WHEN: Wed Feb 19 11:15:00 CET 2025<br>
;; MSG SIZE rcvd: 74<br>
<br>
<br>
dig +norecurse A <a href="http://mail.jungersen.dk"
rel="noreferrer" target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
<br>
; <<>> DiG 9.18.33-1~deb12u2-Debian
<<>> +norecurse A <a
href="http://mail.jungersen.dk" rel="noreferrer"
target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>
<br>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 10118<br>
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13,
ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
; COOKIE: 689869318da8e64c0100000067b5af33f48840b2e116d76e
(good)<br>
;; QUESTION SECTION:<br>
;<a href="http://mail.jungersen.dk" rel="noreferrer"
target="_blank" moz-do-not-send="true">mail.jungersen.dk</a>.
IN A<br>
<br>
;; AUTHORITY SECTION:<br>
. 3600000 IN NS <a
href="http://E.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">E.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://F.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">F.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://L.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">L.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://C.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">C.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://B.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">B.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://A.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">A.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://J.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">J.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://D.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">D.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://H.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">H.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://G.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">G.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://I.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">I.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://K.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">K.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a
href="http://M.ROOT-SERVERS.NET" rel="noreferrer"
target="_blank" moz-do-not-send="true">M.ROOT-SERVERS.NET</a>.<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)<br>
;; WHEN: Wed Feb 19 11:15:15 CET 2025<br>
;; MSG SIZE rcvd: 297<br>
<br>
<br>
Not sure how to do the sniff part(?)<br>
<br>
But I must get some sort of answer...<br>
dig A <a href="http://postfix.org" rel="noreferrer"
target="_blank" moz-do-not-send="true">postfix.org</a> @<a
href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
<br>
; <<>> DiG 9.18.33-1~deb12u2-Debian
<<>> A <a href="http://postfix.org"
rel="noreferrer" target="_blank" moz-do-not-send="true">postfix.org</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 2255<br>
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
; COOKIE: 6c3f5cf7e1e34e450100000067b5b035b878201ed4e8d3fd
(good)<br>
;; QUESTION SECTION:<br>
;<a href="http://postfix.org" rel="noreferrer" target="_blank"
moz-do-not-send="true">postfix.org</a>.
IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://postfix.org" rel="noreferrer" target="_blank"
moz-do-not-send="true">postfix.org</a>. 3600
IN A 65.108.3.114<br>
<br>
;; Query time: 852 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)<br>
;; WHEN: Wed Feb 19 11:19:33 CET 2025<br>
;; MSG SIZE rcvd: 84<br>
<br>
Best regards<br>
Danjel<br>
<br>
<br>
-- <br>
Visit <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support
subscriptions. Contact us at <a
href="https://www.isc.org/contact/" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://www.isc.org/contact/</a>
for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote>
</div>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
Med venlig hilsen/Kind regards<br>
Danjel Jungersen<br>
Mail: <a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:danjel@jungersen.dk">danjel@jungersen.dk</a><br>
Mobile: +45 20 42 20 11<br>
<br>
Jungersen Grafisk ApS,<br>
Holsbjergvej 39, DK-2620 Albertslund,<br>
Denmark.<br>
Tel: +45 43 64 10 00<br>
<br>
<a href="https://www.printlight.dk" moz-do-not-send="true">WEBSHOP:
PRINTLIGHT.DK</a> | <a href="https://www.jungersen.dk"
moz-do-not-send="true">WWW.JUNGERSEN.DK</a> <br>
<br>
<a href="https://www.jungersen.dk" moz-do-not-send="true"> <img
moz-do-not-send="false"
src="cid:part1.dwuz8690.TXpto54D@jungersen.dk" alt="Logo"
width="125" height="152" border="0"></a> </div>
</body>
</html>