
Follow these steps to troubleshoot the nslookup error message "server can't find example.com: REFUSED". If you are in a lab environment and the DNS server is not exposed to the Internet, stop the firewall to eliminate it as the cause of the problem.
The ps command can be used to determine whether your system is using init or systemd: if PID 1 is init, use the service command; if PID 1 is systemd, use the systemctl command.
If your system is using systemd, use the systemctl command to stop iptables / firewalld.
systemctl stop iptables
systemctl stop firewalld
If your system is using init, use the chkconfig and service commands to stop iptables / firewalld.
service firewalld stop
service iptables stop
If you are in a lab environment and the DNS server is not exposed to the Internet, configure SELinux to permissive mode.
In the BIND /etc/named.conf file, ensure IPv4 and IPv6 are listening on port 53. Also ensure any computer is allowed to query the DNS server. It is also usually a good idea to enable recursion, which allows your local DNS server to query other DNS servers on behalf of its clients. This is necessary if you will be configuring a forward zone.
options {
listen-on port 53 {127.0.0.1; 192.168.0.10; };
listen-on-v6 port 53 { ::1; };
allow-query { any; };
recursion yes;
. . .
};
Use the netstat command to verify if DNS port 53 is listening.
Note: If netstat is not installed, you will need to change the network interface on the Linux OS to use a functioning DNS server, such as Google's 8.8.8.8, so that packages can be downloaded. Then install the net-tools package, which provides the netstat utility.
[root@server1 ~]# netstat -an | less
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.0.10:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
udp 0 0 192.168.0.10:53 0.0.0.0:* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
If the zone is a domain name, such as example.com, and the type is master, ensure the zone uses a certain file, such as /etc/forward.example.com, to resolve domain names to an IP address.
zone "example.com" IN {
type master;
file "/etc/forward.example.com";
allow-update { none; };
};
If the zone is a domain name, such as sample.com, and the type is forward, ensure the forwarders IP addresses point to a PC that is running DNS server software. Recursion must be set to yes in the /etc/named.conf file for forwarding to another DNS server to be allowed.
zone "sample.com" IN {
type forward;
forwarders { 192.168.0.20; 192.168.0.21; };
};
If the zone is an IP address in reverse order, such as 0.168.192.in-addr.arpa, and the type is master, ensure the zone uses a certain file, such as /etc/reverse.example.com, to resolve an IP address to a domain name. 0.168.192 is 192.168.0 in reverse.
zone "0.168.192.in-addr.arpa" IN {
type master;
file "/etc/reverse.example.com";
allow-update { none; };
};
Ensure the network interface /etc/sysconfig/network-scripts/ifcfg-e* is configured with the IP address of the computer that has BIND DNS server.
DNS1="192.168.0.10"
PEERDNS="yes"
If you are still getting the REFUSED message, ensure the /etc/named.conf file includes logging.
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
View the log file. In this example, the log file contains 'ns1.example.com/A/IN' denied.
[root@server1 ~]# tail -15 /var/named/data/named.run
all zones loaded
running
client 192.168.0.15#39240 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied
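As an added example that is not part of the original article: a small POSIX shell/awk helper that summarises the "denied" entries in named.run, showing which client was refused and whether the refusal concerned cache/recursion access (check allow-recursion and allow-query-cache) or authoritative zone data (check allow-query). The sample log lines are constructed for this example, modelled on the line shown above.

```shell
#!/bin/sh
# Added example, not from the original article: summarise BIND "query ... denied"
# log entries so you can see which clients were refused and which ACL to inspect.

# Constructed sample log (not a real capture), modelled on the article's named.run line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
all zones loaded
running
client 192.168.0.15#39240 (ns1.example.com): query (cache) 'ns1.example.com/A/IN' denied
client 192.168.0.15#39241 (www.example.com): query 'www.example.com/A/IN' denied
client 203.0.113.7#5353 (example.com): query (cache) 'example.com/MX/IN' denied
EOF

# denied_queries LOGFILE
# Prints one line per denied query: "<client ip> <name/type/class> <kind>"
# kind "cache": recursion / cache access refused (allow-recursion, allow-query-cache)
# kind "zone":  authoritative data refused (allow-query on the zone or in options)
denied_queries() {
    awk '/: query .*denied$/ {
        # The client field looks like 192.168.0.15#39240; newer BIND releases insert
        # a "@0x..." pointer before it, so locate the field by shape rather than position.
        ip = "?"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) { split($i, c, "#"); ip = c[1]; break }
        kind = ($0 ~ /query \(cache\)/) ? "cache" : "zone"
        # The query name/type/class is the single-quoted token.
        match($0, /'\''[^'\'']+'\''/)
        q = substr($0, RSTART + 1, RLENGTH - 2)
        print ip, q, kind
    }' "$1"
}

# denied_clients LOGFILE -> unique client addresses that were refused, one per line
denied_clients() { denied_queries "$1" | awk '{ print $1 }' | sort -u; }

# count_denied LOGFILE -> number of denied queries
count_denied() { denied_queries "$1" | wc -l | tr -d ' '; }

denied_queries "$SAMPLE_LOG"
```

Client addresses you do not recognise in this output (for example, Internet sources on a server that should only serve the lab) are worth investigating before widening allow-query or enabling recursion for them.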