Jump to content

Espressobin Router: DNS Forwarding with Bind9 Issues


LostZimbo

Recommended Posts

Hi all, I have an espressobin v5, running the newest Armbian 20.02.01 Buster that is available online (installed just recently). I am using this device as a home gateway/router so there is hostapd,  dnsmasq, iptables that kind which is all working perfectly.

 

But I cannot enable name resolution for the subnet!! Packet forwarding works fine, if I set the DNS manually on any of the devices connected to the subnet then the connection works perfectly but I would prefer to have it performed dynamically for any guest that connects.

 

I installed bind9, this is the named.conf.options file:


acl allowed_clients {
        localhost;
        172.24.0.0/16;
};

options {
        directory "/var/cache/bind";
        // managed-keys-directory "/etc/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        recursion yes;
        allow-query { allowed_clients; };
        forward only;
        listen-on {
                //172.24.0.0/16;
                any;};

        forwarders {
                208.67.222.222;
                208.67.220.220;
        };


        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { none; };
};

 

The status of the bind9 service shows the following:
 

Mar 18 15:35:25 espressobin named[671]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 18 15:35:25 espressobin named[671]: zone localhost/IN: loaded serial 2
Mar 18 15:35:25 espressobin named[671]: all zones loaded
Mar 18 15:35:25 espressobin named[671]: running
Mar 18 15:35:25 espressobin named[671]: network unreachable resolving './DNSKEY/IN': 208.67.222.222#53
Mar 18 15:35:25 espressobin named[671]: network unreachable resolving './DNSKEY/IN': 208.67.220.220#53
Mar 18 15:35:25 espressobin named[671]: managed-keys-zone: Unable to fetch DNSKEY set '.': SERVFAIL
Mar 18 15:35:26 espressobin systemd[1]: Started BIND Domain Name Server.
Mar 18 15:37:18 espressobin named[671]: listening on IPv4 interface br1, 172.24.1.1#53
Mar 18 15:37:21 espressobin named[671]: listening on IPv4 interface wan, 192.168.0.10#53

 

If anyone can point out what I am doing wrong I would be grateful. The bridge br1 bridges between lan0, lan1 and wlx24050fae5224 (wireless transceiver).

 

 

Link to comment
Share on other sites

9 hours ago, LostZimbo said:

forward only;

Could this mean as it says that it will ONLY forward?

 

9 hours ago, LostZimbo said:

dnssec-validation auto;

Have you tried 'no' just to eliminate validation?

 

9 hours ago, LostZimbo said:

Mar 18 15:35:25 espressobin named[671]: network unreachable resolving './DNSKEY/IN': 208.67.222.222#53

So is this not resolving the IP or the KEY?

 

These fellows were trying to get a forwarder working and had to turn their dnssec-validation 'off' to forward, indicating that if  dnssec-validation is set to anything other than off it may look for some kind of key, which the error above appears to be.

https://serverfault.com/questions/538397/why-is-my-dns-server-not-forwarding

 

If it turns out that changing dnssec-validation to 'no' works, you might want to look at that message about keys -
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys

 

I have only recently decided to study DNS please excuse me if I'm stating the obvious or being stupid ;]

Edited by Technicavolous
Added comment on keys
Link to comment
Share on other sites

Thank you for the response I will be trying this asap! Sounds like it could be the problem.

 

In the mean time I have bigger problems the wan, lan0 and lan1 have all just disapeared! No idea what happened but now when I type "ip link show", there is eth0, lo, br1 and wlx24050fae5224 but none of the lan ports. Weird.

Link to comment
Share on other sites

On 3/18/2020 at 8:43 AM, LostZimbo said:

Hi all, I have an espressobin v5, running the newest Armbian 20.02.01 Buster that is available online (installed just recently). I am using this device as a home gateway/router so there is hostapd,  dnsmasq, iptables that kind which is all working perfectly.

 

But I cannot enable name resolution for the subnet!! Packet forwarding works fine, if I set the DNS manually on any of the devices connected to the subnet then the connection works perfectly but I would prefer to have it performed dynamically for any guest that connects.

 

I installed bind9

 

Local subnet resolution can be done outside of named (bind) or dnsmasq.

 

Have you consider avahi and using the .local?

 

clients also have to have avahi as well, and the GW should not be .local

Link to comment
Share on other sites

So I flashed a recent backup image to the SD card but still no wan, lan0 or lan1 which forced me to fall back to the default Armbian Buster image and start over from scratch. I am back to where I was two days ago now: everything working except for name resolution outside the network.

 

On 3/19/2020 at 2:22 AM, Technicavolous said:

Have you tried 'no' just to eliminate validation?

I have removed validation and the specific error regarding unreachable network is gone however still no DNS forwarding. In fact there is now no clear error at all. I will look at replacing the key as suggested but I do not think this is the problem.

 

3 hours ago, sfx2000 said:

Local subnet resolution can be done outside of named (bind) or dnsmasq.

Name forwarding outside of my subnet to the internet is my current problem, not local issues apologies of not being clear. However I did try to map my local network with nmap and all systems are called "localhost". I will take a look at avahi as well to clean this up a little thanks.

Link to comment
Share on other sites

I tried following where the packets go using tshark: set it up on the espressobin and connected to the wifi with my phone (with which I have not set up a DNS. On my laptop I have configured 8.8.8.8 for use as DNS so internet through the espressobin works just fine.  Makes sense.)

 

Following on the wan interface when I went to google.com on my phone the following packets were picked up:

 

Capturing on 'wan'
    1 0.000000000 192.168.0.10 → 8.8.8.8      DNS 70 Standard query 0x6d4a A google.com
    2 0.001193480      8.8.8.8 → 192.168.0.10 DNS 86 Standard query response 0x6d4a A google.com A 172.217.22.78

 

Following on the br0 interface, which bridges lan0, lan1 and the wifi the following packets were picked up:

 

Capturing on 'br0'
    1 0.000000000 172.24.1.172 → 8.8.8.8      DNS 70 Standard query 0x3de5 A google.com
    2 0.001419808      8.8.8.8 → 172.24.1.172 DNS 86 Standard query response 0x3de5 A google.com A 172.217.22.78

 

Just for some strange reason nothing makes it back to my phone (which has the local ip address 172.24.1.172). This was never an issue before when I set my espressobin up as a server, name forwarding just *happened* so I never really asked how and never tried to use anything such as bind9. The DNS servers set up for bind9 are those associated with opendns (208.67.222.222; 208.67.220.220) while in the network file for the wan interface the DNS set is the google 8.8.8.8 which can be seen in the packets above. So queries are occurring but NOT through bind9. I feel there is some small detail I am missing but do not know what.

Link to comment
Share on other sites

On 3/20/2020 at 11:55 AM, LostZimbo said:

name forwarding just *happened*

any chance you had samba installed?

 

This is old - but maybe it give you an idea?

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04

 

This guy had an interesting comment -

https://serverfault.com/a/396720

 

as this was an interesting read -

https://serverfault.com/questions/352305/why-can-windows-machines-resolve-local-names-when-linux-cant

 

again all old.  Your issue is making me realize I have a lot to learn about dns. With the exception of dns over https it seems to have all been covered a while ago.

 

I'll be a few days to have my espressobin 5 running. Not sure I'll be any help but I'll be watching...

 

 

Link to comment
Share on other sites

Have you found a solution yet? I think that dnsmasq should perform the DNS forwarding, bind9 should not be necessary. I would rather look for any setup problems with /etc/dnsmasq.conf. Two services for the same task might interfere with each other?

Link to comment
Share on other sites

Hi Barish, yes you are completely right the issue was that dnsmasq was set to a non standard port (5353 if I recall) because bind9 was using port 53 and dnsmasq did not like handling name forward requests on that port for some reason it will only do it when it is on port 53

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...

Important Information

Terms of Use - Privacy Policy - Guidelines