Configure bind to be a caching resolver

petersconsult

Hello all,

Following up on an old post I made here in 2022, I'm having trouble setting up bind to be a caching resolver..

Here's what i did:

In the file etc/named.conf I changed:
Code:
recursion yes

and added
Code:
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };

then restarted named, but when I do
dig google.com @127.0.0.1

I get a SERVFAIL error and the log shows a bunch of these errors:
validating com/DS: no valid signature found
no valid RRSIG resolving 'com/DS/IN'

I then tried adding:
Code:
forwarders {
        10.254.254.251;
        8.8.8.8;
};
forward first;

and changed
dnssec-validation auto;

But nothing's working..
The interwebs points to a DNSSEC issue, but I just can't figure it out..

This is under AlmaLinux 9, by the way..

I would greatly appreciate any help!
Thank You!
 
This is what I found at RedHat itself:
Code:
dnssec-enable no;
dnssec-validation no;
and restart named.

It might depend on how the rest of bind is set up.

For example, check your /etc/hosts file how localhost is configured, it should point to 127.0.0.1 and not to an external IP address.
So like this:
127.0.0.1 localhost.localdomain localhost

Maybe also check your /etc/resolv.conf which named also uses, you could put this first:
nameserver 127.0.0.1
although that should not matter if you call 127.0.0.1 directly like you did.
 
Thank You so much for your reply!!

I also noticed that there was an IPv6 line in my hosts file, which I disabled, since I don't have an IPv6 IP on this server:
# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

It looks like maybe it's working?
It's very strange because running that same dig command seems to turn up SERVFAIL errors as often as not..

Also, yes, that was a typo, sorry! There was, indeed, a semicolon in the conf file.. sorry about that!

Thank You so much for the help!
I'll update tomorrow when I have more data..

Thank You again!
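
Added example, not part of the thread and not BIND's own tooling: a small Python audit of the resolver settings quoted above, showing what the combined options block leaves exposed or unvalidated. `SAMPLE`, `parse_options` and `audit` are constructed for illustration, and the parser assumes a fragment holding a single `options` block.

```python
import re

# Constructed sample: the settings quoted in the thread, merged into one options block.
SAMPLE = """
options {
    recursion yes;
    allow-query-cache { localhost; localnets; };
    allow-recursion { localhost; localnets; };
    forwarders { 10.254.254.251; 8.8.8.8; };
    forward first;
    dnssec-enable no;
    dnssec-validation no;
};
"""

STMT = re.compile(r"([\w-]+)\s*([^;{}]*?)\s*(?:\{([^{}]*)\}\s*)?;")

def parse_options(conf):
    """Map each statement in the options block to a string or a list of elements."""
    conf = re.sub(r"/\*.*?\*/|(?:#|//)[^\n]*", "", conf, flags=re.S)  # drop comments
    body = re.search(r"\boptions\s*\{(.*)\}\s*;", conf, re.S).group(1)
    opts = {}
    for m in STMT.finditer(body):
        name, args, block = m.groups()
        opts[name] = args if block is None else block.replace(";", " ").split()
    return opts

def audit(opts):
    """Return security-relevant findings for a caching resolver's options."""
    out = []
    if opts.get("recursion") == "yes":
        for acl in ("allow-recursion", "allow-query-cache"):
            if acl not in opts:
                out.append(f"{acl}: unset, effective ACL is inherited; pin it explicitly")
            elif "any" in opts[acl]:
                out.append(f"{acl}: open to any client (open resolver)")
    if "dnssec-enable" in opts:
        out.append("dnssec-enable: obsolete since BIND 9.16, has no effect")
    validation = opts.get("dnssec-validation")
    if validation == "no":
        out.append("dnssec-validation: off, signed answers are accepted unverified")
    elif validation in ("auto", "yes") and opts.get("forwarders"):
        out.append("forwarders: each must return RRSIG/DS records or validation fails")
    return out

if __name__ == "__main__":
    for finding in audit(parse_options(SAMPLE)):
        print(finding)
```

Syntax errors such as a missing semicolon are out of scope for this sketch; BIND's `named-checkconf` reports those.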
 