My basic Setup and current issues with Bind9

Hello again! First, a little bit of background and then my current issues, most of which are Bind9 related.

As stated earlier, for the past 23 years I ran a home network as a full domain using Windows Server 2003 as a Primary Domain Controller, with DHCP, DNS and AD active. But I had begun to transition to Linux/Ubuntu 2 years ago, building two new mid-towers from scratch (empty cases). The first was Ubuntu Server 22.04 (Jammy Jellyfish). The other was an Ubuntu client machine (22.04 as well). I completed the client build, soon after starting it, and it is up and running. It would, however, use the Windows 2003 server for DHCP and DNS. And that worked… until three weeks ago.

On Easter Sunday (of all days), my Win2003 server, after almost 23 years of use, died a nasty hardware death. I deemed it not worthy of repair, and decided to resume the build of my Ubuntu Server (22.04). I chose ISC-DHCP-Server for DHCP (I know Kea is out there but I believe you need Ubuntu 24.xx or later for that). I also chose Bind9.18 for DNS. At some point I will look at some AD replacements (perhaps Kerberos or Samba), but not necessary right now.

Current Condition: The Ubuntu Server is up and running, and ISC-DHCP-Server is fully functional and providing leases as needed. For Bind9.18, after tweaking some of the configs for it, I got it up and running. It does resolve names, etc. But I don’t think it is properly configured as I’m getting a lot of problems with it. A lot of “connection Refused” hits in /var/log/syslog as well as SERVFAILS due to timeouts. Very slow response time on average.

The problems manifest in the following behaviors (Note: most of this is using my Win10 and Win7 Desktop clients).

  1. Browser URLs will fail due to “No Internet Access, Can’t find the server, etc. etc.” and will fail several times before (after repeat attempts) they “succeed” with a full site rendering. It will stay fully rendered for as long as I’m active on the site/URL (subsequent links will work), but after various periods of inactivity (as little as 1/2 hour), it fails again, requiring a new cycle of attempts.

  2. Because my Win10 desktops don’t seem to find the Internet, they go into “AutoConfigure” mode (APIPA). This makes it impossible to connect via wired modem and even Wifi. Specifying a DNS server doesn’t help, apparently. The only thing that does seem to work on the laptops is having it “tethered” to my smartphone in “5G” mode (expensive)!

  3. Any device that previously connected to my WAP (Wifi Access Point) still connects, but reports “No Internet Access.” This would include my smartphone when in “Wifi” mode. The phone does work correctly when in “5G” mode. The WAP has a hard IP assigned and hard entries for DNS (to my Ubuntu Server) and default gateway (my “wired” router). But not working. (ETA: I have confirmed that one of the few devices on the WAP that is not DNS dependent (i.e. just uses Hard IPs) does actually work and still works).

  4. My “Ubuntu” client desktop machine does exhibit similar behaviors as the Windows machines when it comes to “Can’t find the site/No Internet access” errors in the browser.

Anyway, that’s where I am, at present. I need help primarily in configuring Bind9 to work properly or determine whether or not it’s a problem interacting with the forwarding servers (Google DNS (8.8.8.8) and Cloudflare (1.1.1.1)). I have enabled recursion and allow recursion on my ACL list (which includes localhost, localnets and the entire subnet). DNSSEC is disabled. “Forward Only” is enabled. Root Servers (named.ca file) are also activated. Logging options are also set (named.log, query.log, transfer.log) etc. Of course, it listens on Port 53.

If it helps I’m willing to consider a “paid” DNS service if it will improve performance, but I have my doubts.

Could you show us your configuration files? /etc/bind/named.conf.default-zones and /etc/bind/named.conf.local and /etc/bind/named.conf.options and anything else.
What do you get using named-checkzone?

See also the Ubuntu server guide, here and here and here.

I’m replying to this on my Windows 7 desktop. I’ll have to get ftpd installed on the Ubuntu server so I can get the files transferred. I’ll get back to you shortly on that.

I can tell you that named.conf only contains the “includes” for conf.local and conf.options.

The .local file has only two zone entries - one “fwd” for the domain name (“abc.net”) and one “rev” for the IP (123.123.123.in-addr.arpa) etc.

The “.default-zones” file is commented out in named.conf. There is one zone “.” entry in the options file:

zone "." IN {
    type hint;
    file "named.ca";
};

Where named.ca is the standard root server list.

I’ll get back to you shortly with the full named.conf.options file.
And I’ll read the links you provided.

Thx!

My named.conf.options file:

//
//
// Named Config Options
//
//

acl allow_list {
    123.123.123.0/24;
    localhost;
    localnets;
};

options {

    listen-on port 53 { 123.123.123.10; 127.0.0.1; };
    listen-on-v6 { ::1; };
    directory "/var/cache/bind";
    dump-file "/var/cache/bind/data/cache_dump.db";
    statistics-file "/var/cache/bind/data/named_stats.txt";
    memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
    secroots-file "/var/cache/bind/data/named.secroots";
    recursing-file "/var/cache/bind/data/named.recursing";
    allow-query { allow_list; };
    allow-query-cache { allow_list; };

    recursion yes;
    allow-recursion { allow_list; };

    #dnssec-enable yes; <---- commented out

    #dnssec-validation yes; <---- commented out

    #managed-keys-directory "/var/named/dynamic"; <---- commented out

    pid-file "/run/named/named.pid";

    #session-keyfile "run/named/session-key"; <--- commented out

    #include "/etc/crypto/-policies/back-ends/bind.config"; <--- commented out

    forwarders {
        8.8.8.8;
        1.1.1.1;
    };
    forward only;
    dnssec-validation no;

};

// End of Options

logging {

    channel named { file "named.log" versions 10 size 40m; severity info; };

    channel security { file "security.log" versions 10 size 40m; severity info; };

    channel ratelimit { file "ratelimit.log" versions 10 size 40m; severity info; };

    channel query_log { file "query.log" versions 10 size 40m; severity info; };

    channel xfer { file "transfer.log" versions 10 size 40m; severity info; };

    channel update { file "update.log" versions 10 size 40m; severity info; };

    channel resolver { file "resolver.log" versions 10 size 40m; severity info; };

    category default { default_syslog; named; };
    category general { default_syslog; named; };
    category security { security; };
    category queries { query_log; };
    category config { default_syslog; named; };
    category network { default_syslog; named; };
    category rate-limit { ratelimit; };
    category zoneload { default_syslog; named; };
    category xfer-in { default_syslog; xfer; };
    category xfer-out { default_syslog; xfer; };
    category notify { default_syslog; xfer; };
    category update-security { default_syslog; update; };
    category update { default_syslog; update; };

};

// End of Logging

zone "." {

    type hint;
    file "named.ca";

};

// end of zone "."

#include "etc/named.rfc1912.zones"; <----- commented out
#include "etc/named.root.key"; <----- Commented out

// End of File


I have also read the links you specified above. The base configuration link (the first one) appears to match my setup for the most part. Nothing out of the ordinary. The other two are not yet relevant to my situation, as I’m not yet implementing DNSSEC. I will, eventually but not now.

“resolv.conf” is not in use at present. I’ll try to implement it and see if it makes a difference.
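To separate "named is misbehaving" from "the forwarders are unreachable from this host", it helps to send the same query directly to the local BIND listener and to each forwarder and compare the RCODE and latency. The probe below is an added example, not code from the thread; it uses only the standard library (no dnspython), the loopback and forwarder addresses come from the posted config, and the test name `ubuntu.com` is an assumption.

```python
import random, socket, struct, time

# Targets from the thread: BIND's loopback listener plus the two forwarders.
SERVERS = {"bind-local": "127.0.0.1", "google": "8.8.8.8", "cloudflare": "1.1.1.1"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Plain recursive A query (RD=1, no EDNS), as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, txid):
    """Return (rcode_name, answer_count); raise ValueError on a reply we must not trust."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F)), an

def probe(server, name, timeout=3.0):
    """Send one query; classify the outcome the same way the syslog errors do."""
    txid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.connect((server, 53))  # connected UDP so ICMP port-unreachable shows up as ECONNREFUSED
    t0 = time.monotonic()
    try:
        sock.send(build_query(name, txid))
        rcode, answers = parse_response(sock.recv(4096), txid)
        return {"status": rcode, "answers": answers, "ms": round((time.monotonic() - t0) * 1000)}
    except socket.timeout:
        return {"status": "TIMEOUT", "answers": 0, "ms": round(timeout * 1000)}
    except ConnectionRefusedError:
        return {"status": "CONN_REFUSED", "answers": 0, "ms": round((time.monotonic() - t0) * 1000)}
    finally:
        sock.close()

if __name__ == "__main__":
    for label, ip in SERVERS.items():
        print(f"{label:11} {ip:10} {probe(ip, 'ubuntu.com')}")
```

If the forwarders answer NOERROR quickly but bind-local returns SERVFAIL or times out, the problem is inside named (or its path to the forwarders); if the forwarders themselves time out from the server, the issue is upstream of BIND.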