DNS - Resolve "server can't find example.com: NXDOMAIN"


If you are in a lab environment and the DNS server is not exposed to the Internet, stop firewalld and iptables to eliminate firewall as the cause of the problem.

The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to stop the firewall.

systemctl stop iptables
systemctl stop firewalld

 

If your system is using init, use the service command to stop the firewall.

service iptables stop
service firewalld stop

 

If you are in a lab environment and the DNS server is not exposed to the Internet, configure SELinux to permissive mode.

In the BIND /etc/named.conf file, ensure IPv4 and IPv6 are listening on port 53. Also ensure any computer is allowed to query the DNS server. It is also usually a good idea to enable recursion, which allows your local DNS server to query other DNS servers; this is required if you will be configuring a forward zone. On a server reachable from the Internet, restrict allow-query and recursion to your own networks instead of any, so that it does not become an open resolver.

options {
  listen-on port 53 {127.0.0.1; 192.168.0.10; };
  listen-on-v6 port 53 { ::1; };
  allow-query { any; };
  recursion yes;
  . . .
};

 

Use the netstat command to verify if DNS port 53 is listening.

Note: If netstat is not installed, you will first need to change the network interface on the Linux OS to use a functioning DNS server, such as Google's 8.8.8.8 DNS server, so that packages can be downloaded. Then install the net-tools package, which provides the netstat utility.

netstat -an | less
Proto   Recv-Q  Send-Q  Local Address        Foreign Address      State
tcp     0       0       192.168.0.10:53      0.0.0.0:*            LISTEN
tcp     0       0       127.0.0.1:53         0.0.0.0:*            LISTEN
udp     0       0       192.168.0.10:53      0.0.0.0:*            LISTEN
udp     0       0       127.0.0.1:53         0.0.0.0:*            LISTEN

 

If the zone is a domain name, such as example.com, and the type is master, ensure the zone uses a certain file, such as /etc/forward.example.com, to resolve domain names to an IP address.

zone "example.com" IN {
  type master;
  file "/etc/forward.example.com";
  allow-update { none; };
};

 

If the zone is a domain name, such as sample.com, and the type is forward, ensure the forwarders IP addresses point to a computer that is running DNS server software. Recursion must be set to yes in the /etc/named.conf file for forwarding to another DNS server to be allowed.

zone "sample.com" IN {
  type forward;
  forwarders { 192.168.0.20; 192.168.0.21; };
};

 

If the zone is an IP address in reverse order, such as 0.168.192.in-addr.arpa, and the type is master, ensure the zone uses a certain file, such as /etc/reverse.example.com, to resolve an IP address to a domain name. 0.168.192 is 192.168.0 in reverse.

zone "0.168.192.in-addr.arpa" IN {
  type master;
  file "/etc/reverse.example.com";
  allow-update { none; };
};

 

Ensure the network interface /etc/sysconfig/network-scripts/ifcfg-e* is configured with the IP address of the computer that has BIND DNS server.

DNS1="192.168.0.10"
PEERDNS="yes"

 

Use the named-checkzone command to validate the zone file and ensure the result is OK (named-checkconf does the same for /etc/named.conf itself).

[root@server1 ~]# named-checkzone example.com /var/named/forward.example.com.zone
zone example.com/IN: loaded serial yyyymmddnn
OK

 

Ensure the /etc/named.conf file includes logging, so that named writes to data/named.run under its working directory (/var/named/data/named.run in the examples below).

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

 


View the log file. In this example, the log file shows the client's query for 'ns1.example.com/A/IN' being denied, which points back to the allow-query and recursion settings checked earlier.

[root@server1 ~]# tail -15 /var/named/data/named.run
all zones loaded
running
client 192.168.0.15#39240 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied

 

Make note of the zones that were loaded. It is OK for a forward zone to not be listed, since a forward zone has no zone file to load.

zone 0.in-addr.arpa/IN:          loaded serial yyyymmddnn
zone localhost/IN:               loaded serial yyyymmddnn
zone 1.0.0.127.in-addr.arpa/IN:  loaded serial yyyymmddnn
zone 0.168.192.in-addr.arpa/IN:  loaded serial yyyymmddnn
zone 1.xxxxxxxxxxx.ip6.arpa/IN:  loaded serial yyyymmddnn
zone example.com/IN:             loaded serial yyyymmddnn
zone localhost.localdomain/IN:   loaded serial yyyymmddnn
all zones loaded
running

 

In this example, 'insecurity proof failed' is listed in the log file. This usually implies an issue with DNSSEC validation. The /etc/named.conf file has DNSSEC options such as dnssec-enable and dnssec-validation.

error (insecurity proof failed) resolving 'sample.com/A/IN': 192.168.0.20#53

 

To determine if DNSSEC is indeed causing the problem, the DNSSEC options can temporarily be set to no. If the problem does not occur when DNSSEC is disabled, this confirms the issue is a DNSSEC issue; fix the underlying validation problem and set the options back to yes afterward, since disabling validation is a diagnostic step rather than a fix.

dnssec-enable no;
dnssec-validation no;
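As an added example (not part of the original article), a small POSIX shell script that automates two of the checks above: parsing netstat -an output to confirm port 53 is listening on both TCP and UDP, and triaging named.run lines into the causes discussed (query denied, insecurity proof failed, zones loaded). The function names are my own and the netstat and log samples are constructed to match the shape of the output shown in the article.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for the checks
# above. Each function reads text on stdin, so it can be fed real
# `netstat -an` output or named.run lines, or the constructed samples below.

# Is port 53 listening on address $1 for both TCP and UDP?
# Prints "ok" or "missing: tcp udp". Input: `netstat -an` output.
port53_listening() {
  addr=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
  out=$(cat)
  missing=""
  printf '%s\n' "$out" | grep -Eq "^tcp[[:space:]].*[[:space:]]${addr}:53[[:space:]].*LISTEN" || missing="$missing tcp"
  printf '%s\n' "$out" | grep -Eq "^udp[[:space:]].*[[:space:]]${addr}:53[[:space:]]" || missing="$missing udp"
  [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# Map named.run lines to the causes this article covers: a client whose
# query was denied (allow-query / recursion), a DNSSEC validation failure,
# and the zones that actually loaded (forward zones never appear here).
triage_named_log() {
  while IFS= read -r line; do
    case "$line" in
      *"query (cache)"*denied*)
        q=${line#*"'"}; q=${q%%"'"*}
        echo "denied $q -> check allow-query, allow-recursion and recursion in /etc/named.conf" ;;
      *"insecurity proof failed"*)
        q=${line#*"'"}; q=${q%%"'"*}
        echo "dnssec $q -> validation failed; test with dnssec-validation no" ;;
      zone*"loaded serial"*)
        z=${line#zone }; z=${z%%/*}
        echo "zone $z loaded" ;;
    esac
  done
}

# Constructed sample input (not real captures), shaped like the article's output.
SAMPLE_NETSTAT='tcp     0       0       192.168.0.10:53      0.0.0.0:*            LISTEN
udp     0       0       192.168.0.10:53      0.0.0.0:*'
SAMPLE_LOG="zone example.com/IN:             loaded serial 2020101301
all zones loaded
client 192.168.0.15#39240 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied
error (insecurity proof failed) resolving 'sample.com/A/IN': 192.168.0.20#53"

printf '%s\n' "$SAMPLE_NETSTAT" | port53_listening 192.168.0.10
printf '%s\n' "$SAMPLE_LOG" | triage_named_log
```

On a real server, replace the samples with `netstat -an | port53_listening 192.168.0.10` and `tail -50 /var/named/data/named.run | triage_named_log`.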

 





Comments


October 13 2020 by Guillermina Gonjon
I haven't dealt with DNS for a while. Is example.com now a replacement for localhost.localdomain?

October 14 2020 by Jeremy (moderator)
Yep, in this situation, example.com and localhost.localdomain are synonymous.
