I'm trying to set up a small, private DNS server. I'm using BIND9 and systemd-resolved, with netplan for managing the network. I've specified the DNS server in both the netplan configuration and /etc/systemd/resolved.conf, and I've also specified the domain name in /etc/systemd/resolved.conf. Reverse DNS queries work just fine, but for some reason forward queries only work if I specify the DNS server, i.e.

nslookup vm.example.com 192.168.1.1

works, but

nslookup vm.example.com

leads to

Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find vm.example.com: NXDOMAIN
I've tried changing the options and configuration files etc. a million times; I don't know what to do anymore.
This is the resolvectl status output:
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1
DNS Domain: example.com
Link 2 (enp0s3)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.2.3
DNS Servers: 10.0.2.3
DNS Domain: other.com
Link 3 (enp0s8)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1
My zone definition in named.conf.local looks like this:
zone "example.com" {
type primary;
file "/etc/bind/db.example.com";
};
The zone file:
;
; BIND data file for example.com
;
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
24 ; Serial
21600 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns1
ns1 IN A 192.168.1.1
vm IN A 192.168.8.5
File permissions are 644, owner root:bind.
This is /etc/hosts on the DNS server:
127.0.0.1 localhost
192.168.1.1 ns1.example.com ns1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
This is named.conf.options:
acl "trusted" {
127.0.0.1;
192.168.0.0/16;
};
options {
directory "/var/cache/bind";
allow-query { "trusted"; };
dnssec-validation no;
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders { <there's an ip address here>; };
forward only;
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
listen-on { any; };
listen-on-v6 {};
};
There are currently no active firewalls.
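As an added diagnostic (not part of the question or of any project code), the script below parses `resolvectl status` output like the one pasted above and lists which links would be asked for a given name under the simplified routing rule described in systemd-resolved.service(8): a name under a link's configured DNS domain goes to that link; any other name goes to every link marked +DefaultRoute. The Global scope is parsed but not routed, and the sample is a constructed, abbreviated copy of the output in the question.

```python
import re

# Constructed, abbreviated copy of the resolvectl status output in the question.
SAMPLE = """Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 192.168.1.1
DNS Domain: example.com
Link 2 (enp0s3)
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 10.0.2.3
DNS Domain: other.com
Link 3 (enp0s8)
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 192.168.1.1
"""

def parse_status(text):
    """Return one dict per Global/Link section of `resolvectl status`."""
    scopes, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(Global|Link \d+ \((\S+)\))$", line)
        if m:
            cur = {"name": m.group(2) or "Global", "servers": [],
                   "domains": [], "default_route": False}
            scopes.append(cur)
        elif cur is not None and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            if key == "DNS Servers":
                cur["servers"] = val.split()
            elif key in ("DNS Domain", "DNS Domains"):
                cur["domains"] = [d.lstrip("~") for d in val.split()]
            elif key == "Protocols":
                cur["default_route"] = "+DefaultRoute" in val
    return scopes

def _under(qname, domain):
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def candidate_links(scopes, qname):
    """Links that would be asked for qname under the simplified rule:
    links whose domain matches win; otherwise every +DefaultRoute link."""
    links = [s for s in scopes if s["name"] != "Global"]
    matched = [s for s in links if any(_under(qname, d) for d in s["domains"])]
    return matched or [s for s in links if s["default_route"]]

def server_sets(scopes, qname):
    """Distinct server lists among the candidate links; more than one
    means the answer depends on which link replies first."""
    return sorted({tuple(s["servers"]) for s in candidate_links(scopes, qname)})

if __name__ == "__main__":
    sc = parse_status(SAMPLE)
    for name in ("vm.example.com", "vm.other.com"):
        print(name, [l["name"] for l in candidate_links(sc, name)], server_sets(sc, name))
```

On the pasted output, no link carries the example.com domain (it appears only in the Global scope), so vm.example.com is routed to both +DefaultRoute links, which point at different servers, while vm.other.com is routed to enp0s3 alone.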