Resolve error "server can't find example.com: NXDOMAIN" with BIND on Linux


If you are in a lab environment and the DNS server is not exposed to the Internet, stop firewalld and iptables to rule the firewall out as the cause of the problem. Do this only for the test: afterwards start the firewall again and allow 53/tcp and 53/udp (the dns service in firewalld) rather than leaving it off.

~]# systemctl stop iptables
~]# systemctl stop firewalld

 

If you are in a lab environment and the DNS server is not exposed to the Internet, put SELinux into permissive mode (setenforce 0) for the duration of the test. If the error goes away, SELinux was blocking named; find the denial with ausearch -m avc and fix the file context instead of leaving SELinux permissive.

In the BIND /etc/named.conf file, ensure named listens on port 53 on the IPv4 and IPv6 addresses your clients use, and that those clients are allowed to query it. Recursion must be on (recursion yes) if this server is to look up names it is not authoritative for, which is exactly what a forward zone relies on. Be aware that allow-query { any; } combined with recursion means the server will answer anyone who can reach it; on a server reachable from the Internet, restrict allow-query and allow-recursion to your own networks so you do not run an open resolver.

options {
  listen-on port 53 {127.0.0.1; 192.168.0.10; };
  listen-on-v6 port 53 { ::1; };
  allow-query { any; };
  recursion yes;
  . . .
};

 

Use the netstat command to verify that named is listening on port 53 on both TCP and UDP (the ss utility from iproute shows the same sockets if netstat is not present). Note that UDP sockets have no LISTEN state in netstat output; an empty State column for the udp lines is normal.

Note: If netstat is not installed and this server cannot resolve names yet, temporarily point the network interface at a working DNS server, such as Google's 8.8.8.8, then install the net-tools package, which provides netstat.

netstat -an | less
Proto   Recv-Q  Send-Q  Local Address        Foreign Address      State
tcp     0       0       192.168.0.10:53      0.0.0.0:*            LISTEN
tcp     0       0       127.0.0.1:53         0.0.0.0:*            LISTEN
udp     0       0       192.168.0.10:53      0.0.0.0:*
udp     0       0       127.0.0.1:53         0.0.0.0:*

 

If the zone is a domain name, such as example.com, and the type is master, ensure the zone statement names the forward zone file, here /etc/forward.example.com, that maps names in the domain to IP addresses. A file name without a leading slash is taken relative to the directory option in named.conf (normally /var/named), which is where zone files are expected to live on Red Hat based systems; whatever path you use here is the one to hand to named-checkzone later.

zone "example.com" IN {
  type master;
  file "/etc/forward.example.com";
  allow-update { none; };
};

 

If the zone is a domain name, such as sample.com, and the type is forward, ensure the forwarders list holds the IP addresses of hosts that run a DNS server and can answer for that domain. Recursion must be set to yes in the options block of /etc/named.conf, because a forwarded lookup is handled as a recursive query on behalf of the client.

zone "sample.com" IN {
  type forward;
  forwarders { 192.168.0.20; 192.168.0.21; };
};

 

If the zone is an IP network in reverse order, such as 0.168.192.in-addr.arpa (0.168.192 is 192.168.0 reversed), and the type is master, ensure the zone statement names the reverse zone file, here /etc/reverse.example.com, that maps IP addresses back to names.

zone "0.168.192.in-addr.arpa" IN {
  type master;
  file "/etc/reverse.example.com";
  allow-update { none; };
};

 

Ensure the network interface configuration /etc/sysconfig/network-scripts/ifcfg-e* on each client (and on the server itself, if it should use its own BIND) points at the IP address of the BIND server. PEERDNS="yes" lets NetworkManager write DNS1 into /etc/resolv.conf when the interface comes up; check that the file contains a nameserver 192.168.0.10 line afterwards.

DNS1="192.168.0.10"
PEERDNS="yes"

 

Use the named-checkzone command with the zone name and the zone file that the zone statement references, and ensure the result is OK. named-checkconf with no arguments checks the syntax of /etc/named.conf itself in the same way.

[root@server1 ~]# named-checkzone example.com /var/named/forward.example.com.zone
zone example.com/IN: loaded serial yyyymmddnn
OK

 

Ensure the /etc/named.conf file includes a logging statement so that named writes to a file you can read. The default named.conf on Red Hat based systems already carries this channel; the file name is relative to the directory option, so data/named.run is /var/named/data/named.run. The channel option is severity, not server, and each channel block ends with };. Per-query logging is off by default; run rndc querylog to toggle it when you need to watch individual queries arrive.

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};
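
The following is an added example, not code from the original page and not a BIND tool: a small shell lint that reads a named.conf and flags three of the configuration mistakes walked through above (recursion offered with allow-query { any; } and no explicit allow-recursion, a forward zone while recursion is off, and server dynamic instead of severity dynamic in the logging channel). Both configurations embedded in it are constructed for the example; the hardened one uses an assumed acl named lan. It assumes the one-directive-per-line layout used in the fragments on this page and is no substitute for named-checkconf, which checks syntax but not whether the settings are sensible.

```shell
#!/bin/sh
# Added example: lint a named.conf for the mistakes discussed on this page.
# Not part of the page and not a BIND tool. Assumes one directive per line,
# as in the fragments above, and only inspects the first options { ... } block.

# Constructed sample: the lab configuration as shown on this page.
LAB_CONF='
options {
  listen-on port 53 { 127.0.0.1; 192.168.0.10; };
  listen-on-v6 port 53 { ::1; };
  allow-query { any; };   // anyone may ask
  recursion yes;
};
logging {
  channel default_debug {
    file "data/named.run";
    server dynamic;
  };
};
zone "sample.com" IN {
  type forward;
  forwarders { 192.168.0.20; 192.168.0.21; };
};
'

# Constructed sample: the same server with recursion limited to an assumed
# LAN ACL and the channel option spelled correctly.
HARDENED_CONF='
acl lan { 127.0.0.1; 192.168.0.0/24; };
options {
  listen-on port 53 { 127.0.0.1; 192.168.0.10; };
  listen-on-v6 port 53 { ::1; };
  allow-query { lan; };
  allow-recursion { lan; };
  recursion yes;
};
logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};
zone "sample.com" IN {
  type forward;
  forwarders { 192.168.0.20; 192.168.0.21; };
};
'

# Drop // and # comments plus surrounding whitespace so that commented-out
# directives do not produce findings.
normalize_conf() {
  sed -e 's://.*$::' -e 's:#.*$::' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Print only the lines inside the first options { ... } block.
options_block() {
  awk '/^options[ \t]*[{]/ { inblk = 1; next }
       inblk && /^[}];/    { exit }
       inblk'
}

# Read a named.conf on stdin and print one finding per line.
lint_named_conf() {
  conf=$(normalize_conf)
  opts=$(printf '%s\n' "$conf" | options_block)

  # 1. Recursion handed to the world, or left to BIND's default ACL
  #    (localhost; localnets), which is what yields "query (cache) denied"
  #    for LAN clients outside those nets.
  if printf '%s\n' "$opts" | grep -q '^recursion[[:space:]]*yes;'; then
    if printf '%s\n' "$conf" | grep -q '^allow-recursion[[:space:]]*{[[:space:]]*any;'; then
      echo 'open resolver: recursion yes with allow-recursion { any; }'
    elif printf '%s\n' "$opts" | grep -q '^allow-query[[:space:]]*{[[:space:]]*any;' &&
         ! printf '%s\n' "$opts" | grep -q '^allow-recursion' &&
         ! printf '%s\n' "$opts" | grep -q '^allow-query-cache'; then
      echo 'recursion yes with allow-query { any; } and no allow-recursion: add an explicit LAN ACL (never any on an Internet-facing server)'
    fi
  fi

  # 2. A forward zone cannot work while recursion is off.
  if printf '%s\n' "$conf" | grep -q '^type[[:space:]]*forward;' &&
     printf '%s\n' "$opts" | grep -q '^recursion[[:space:]]*no;'; then
    echo 'forward zone present but recursion no in options'
  fi

  # 3. The logging channel option is severity, not server.
  if printf '%s\n' "$conf" | grep -q '^server[[:space:]]*dynamic;'; then
    echo 'logging channel: "server dynamic;" is invalid, use "severity dynamic;"'
  fi
}

# Number of findings (0 means clean), for use in scripts.
lint_count() {
  lint_named_conf | awk 'END { print NR }'
}

printf '%s\n' "$LAB_CONF" | lint_named_conf      # two findings
printf '%s\n' "$HARDENED_CONF" | lint_count      # 0
```

On a real server run lint_named_conf with /etc/named.conf on stdin after named-checkconf has passed; the lint deliberately treats a missing allow-recursion as a finding even though BIND then falls back to a safe default, because that default is also the usual reason LAN clients get query (cache) denied.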

 


View the log file. In this example it contains 'ns1.example.com/A/IN' denied: the query from 192.168.0.15 was answered neither from an authoritative zone nor from the cache. That happens when the name is not covered by a zone that actually loaded (so the lookup falls through to the cache) and the client is not permitted to use the cache, because allow-recursion (or allow-query-cache) does not include it; with neither option set, BIND permits only localhost and localnets.

[root@server1 ~]# tail -15 /var/named/data/named.run
all zones loaded
running
client 192.168.0.15#39240 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied

 

Make note of the zones named reports as loaded. A forward zone has no file and is not listed, which is fine, but every master zone in named.conf should appear with a loaded serial line. If one is missing here, look above it for a loading from master file ... failed message and fix the path or the zone file.

zone 0.in-addr.arpa/IN:          loaded serial yyyymmddnn
zone localhost/IN:               loaded serial yyyymmddnn
zone 1.0.0.127.in-addr.arpa/IN:  loaded serial yyyymmddnn
zone 0.168.192.in-addr.arpa/IN:  loaded serial yyyymmddnn
zone 1.xxxxxxxxxxx.ip6.arpa/IN:  loaded serial yyyymmddnn
zone example.com/IN:             loaded serial yyyymmddnn
zone localhost.localdomain/IN:   loaded serial yyyymmddnn
all zones loaded
running

 

In this example, insecurity proof failed is listed in the log file. This is a DNSSEC validation failure: named could not prove that sample.com is unsigned. The chain of trust is checked from the root down, and when the forwarder at 192.168.0.20 returns unsigned answers without the NSEC/NSEC3 records that show the parent delegation has no DS record (for example because it strips DNSSEC data or does not request it upstream), validation fails and named answers SERVFAIL instead of the address. The /etc/named.conf file has the relevant options, dnssec-enable and dnssec-validation.

error (insecurity proof failed) resolving 'sample.com/A/IN': 192.168.0.20#53
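
As an added example, not from the original page and not a BIND tool, here is a shell triage helper that reads named.run lines on stdin and turns the three messages discussed above (a zone that failed to load, query (cache) denied, and insecurity proof failed) into a diagnosis. The log excerpt embedded in it is constructed for the example and assumes the example.com zone file was not found; the denied query is cross-checked against the loaded serial lines so the helper can tell a zone that never loaded apart from an ACL problem.

```shell
#!/bin/sh
# Added example: turn the named.run messages discussed on this page into a
# diagnosis. Not part of the page and not a BIND tool; assumes the message
# formats quoted above (no timestamps) and reads the log on stdin.

# Constructed sample log, modelled on the excerpts above; the failed load of
# example.com is assumed for the example.
SAMPLE_LOG=$(cat <<'EOF'
zone 0.in-addr.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.168.192.in-addr.arpa/IN: loaded serial 2023010101
zone example.com/IN: loading from master file /etc/forward.example.com failed: file not found
zone example.com/IN: not loaded due to errors.
all zones loaded
running
client 192.168.0.15#39240 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied
error (insecurity proof failed) resolving 'sample.com/A/IN': 192.168.0.20#53
EOF
)

# Names of the zones named reports as loaded, one per line.
loaded_zones() {
  sed -n 's#^zone \([^/]*\)/IN: loaded serial .*#\1#p'
}

# Exit 0 if zone $1 is reported loaded in the log read on stdin.
zone_loaded() {
  loaded_zones | grep -qxF "$1"
}

# Exit 0 if name $1 is at or below one of the zones listed on stdin.
under_zone() {
  while IFS= read -r z; do
    [ -n "$z" ] || continue
    case "$1" in "$z"|*".$z") return 0 ;; esac
  done
  return 1
}

# Read named.run lines on stdin; print CODE<TAB>diagnosis for each message
# this page discusses.
triage_named_log() {
  log=$(cat)
  loaded=$(printf '%s\n' "$log" | loaded_zones)
  printf '%s\n' "$log" | while IFS= read -r line; do
    case "$line" in
      *"loading from master file"*"failed: "*)
        z=$(printf '%s\n' "$line" | sed 's#^zone \([^/]*\)/IN:.*#\1#')
        why=$(printf '%s\n' "$line" | sed 's/.*failed: //')
        printf 'ZONE_LOAD_FAILED\t%s: %s (fix the file path in the zone statement, then run named-checkzone)\n' "$z" "$why" ;;
      *"query (cache)"*denied)
        client=$(printf '%s\n' "$line" | sed 's/^client \([^#]*\)#.*/\1/')
        name=$(printf '%s\n' "$line" | sed "s/.*query (cache) '\([^/]*\)\/.*/\1/")
        if printf '%s\n' "$loaded" | under_zone "$name"; then
          printf 'CACHE_QUERY_DENIED\t%s asked for %s: client is outside allow-recursion/allow-query-cache\n' "$client" "$name"
        else
          printf 'CACHE_QUERY_DENIED\t%s asked for %s: no loaded zone covers it, so the query fell through to the cache\n' "$client" "$name"
        fi ;;
      *"insecurity proof failed"*)
        name=$(printf '%s\n' "$line" | sed "s/.*resolving '\([^/]*\)\/.*/\1/")
        srv=$(printf '%s\n' "$line" | sed 's/.*: //')
        printf 'DNSSEC_INSECURITY_PROOF_FAILED\t%s via %s: validator could not prove the name is unsigned; check that the forwarder returns DNSSEC records, or confirm with dnssec-validation no in the lab\n' "$name" "$srv" ;;
    esac
  done
}

printf '%s\n' "$SAMPLE_LOG" | triage_named_log
```

On a live server, tail -50 /var/named/data/named.run | triage_named_log gives the same three kinds of output; run it right after a client reproduces the NXDOMAIN so the relevant lines are at the end of the file.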

 

To determine whether DNSSEC is indeed causing the problem, turn validation off and retry the lookup. If it now succeeds, the issue is in the validation chain. Note the option is spelled dnssec-enable (no trailing d); it has been removed from recent BIND versions and should be left out there. Leave dnssec-validation no in place only in the lab: on a real resolver, fix the forwarder (or point at one that returns DNSSEC records), or on BIND 9.11 and later add a temporary negative trust anchor for the affected name with rndc nta, which expires by itself.

dnssec-enable no;
dnssec-validation no;

 
