Fedora 38 Bind new install not starting

Trying to install a dns-resolver.

Followed these instructions: Fedora 38 : BIND : Verify Resolution : Server World

NOTE: to get around the limitation of 10 links, all domain names end in .c; it is .com.

Got this error:

```
 systemctl enable --now named
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xeu named.service" for details.
[root@mcq etc]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Fri 2023-04-28 11:10:58 EDT; 7s ago
    Process: 324277 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
        CPU: 29ms

Apr 28 11:10:58 mcq.sbanetweb.c systemd[1]: Starting named.service - Berkeley Internet Name Domain (DNS)...
Apr 28 11:10:58 mcq.sbanetweb.c bash[324279]: /etc/named.rfc1912.zones:17: unknown option 'zone'
Apr 28 11:10:58 mcq.sbanetweb.c bash[324279]: /etc/named.rfc1912.zones:23: unknown option 'zone'
Apr 28 11:10:58 mcq.sbanetweb.c bash[324279]: /etc/named.rfc1912.zones:29: unknown option 'zone'
Apr 28 11:10:58 mcq.sbanetweb.c bash[324279]: /etc/named.rfc1912.zones:35: unknown option 'zone'
Apr 28 11:10:58 mcq.sbanetweb.c bash[324279]: /etc/named.rfc1912.zones:41: unknown option 'zone'
Apr 28 11:10:58 mcq.sbanetweb.c bash[324279]: /etc/named.root.key:1: unknown option 'trust-anchors'
Apr 28 11:10:58 mcq.sbanetweb.c systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Apr 28 11:10:58 mcq.sbanetweb.c systemd[1]: named.service: Failed with result 'exit-code'.
Apr 28 11:10:58 mcq.sbanetweb.c systemd[1]: Failed to start named.service - Berkeley Internet Name Domain (DNS).
```

Note: the named files above, i.e. /etc/named.rfc1912.zones and /etc/named.root.key, are untouched from the dnf install.

Files:

named.conf

```
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "sbanetweb.com" IN {
        type master;
        file "sbanetweb.com.lan";
        allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.db";
        allow-update { none; };

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
```
 cat sbanetweb.com.lan
$TTL 86400
@   IN  SOA     dlp.sbanetweb.c. root.sbanetweb.c. (
        # any numerical values are OK for serial number but
        # recommendation is [YYYYMMDDnn] (update date + number)
        2023042401  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        # define Name Server
        IN  NS      mcq.sbanetweb.c.
        # define Name Server's IP address
        IN  A       10.0.0.30
        # define Mail Exchanger Server
        IN  MX 10   mcq.sbanetweb.c.

mcq     IN  A  192.1681.120
www     IN  A  192.168.120
```

```
[root@mcq named]# cat 1.168.192.db
$TTL 86400
@   IN  SOA     mcq.sbanetweb.c. root.sbanetweb.c. (
        2023042401  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        # define Name Server
        IN  NS      mcq.sbanetweb.com.

# define each hostname of an IP address
30      IN  PTR     mcq.sbanetweb.c.
31      IN  PTR     www.sbanetweb.c.
```

Ideas, suggestions gratefully accepted.

Wayne

Please fix the code quoting so that all the code is inside the triple backquotes.

Where did you get the zone file that is failing checks?

Is this a first time setup under f38 or is this a working setup that broke on upgrade?

Hi Barry.

Not sure about what you mean by fixing the code quoting, sorry.

As I said, the zones failing came from the install, using dnf.

This is a first time on this server (installed today), which has been upgraded consistently since F34.

The zone files are not preformatted text.

Like this

You can edit your original message to fix this to make the text easier to read.

Think I did it correctly :slight_smile:

The ip addr is wrong.

Can you post /etc/named.rfc1912.zone and

You are missing the closing } for zone.
That is why the included code is flagged as bad.

After these fixes do you have errors?

Are you intending to use a .c TLD?
I think that is what the config is setting up.
Elsewhere you have used .com.

This is clearly wrong

I suggest you peruse those files carefully and fix any syntax errors then try again.
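An added check that is not from this thread or from BIND itself: a small Python linter that catches the two classes of mistake diagnosed above, an unclosed `zone { ... }` block (the statements that follow are then parsed as options inside it, which is what named-checkconf reports as "unknown option 'zone'") and zone-file lines with `#` comments or malformed IPv4 addresses. The sample inputs are constructed to mirror the thread's defects; the checker does not follow `include` files, so run it on each file separately, and keep `named-checkconf -z` as the authoritative test.

```python
import re
import ipaddress

# Statements that are only valid at the top level of named.conf (include may nest).
TOP_LEVEL = {"options", "logging", "zone", "acl", "key", "controls", "view"}

def strip_comments(text):
    """Drop /* */, // and # comments (all legal in named.conf) but keep newlines
    so reported line numbers match the file. Quoted strings are not parsed."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def check_named_conf(text):
    """Return (line, message) pairs for top-level statements parsed inside a still
    open block (named-checkconf's "unknown option 'zone'") and for unclosed blocks."""
    problems, stack = [], []  # stack holds (line, keyword) of currently open blocks
    for lineno, line in enumerate(strip_comments(text).splitlines(), 1):
        fields = line.split()
        word = fields[0] if fields else ""
        if word in TOP_LEVEL and stack:
            problems.append((lineno, f"'{word}' is inside the '{stack[-1][1]}' block opened at line {stack[-1][0]}"))
        for ch in line:
            if ch == "{":
                stack.append((lineno, word or "block"))
            elif ch == "}" and stack:
                stack.pop()
    return problems + [(ln, f"'{kw}' block is never closed") for ln, kw in stack]

def check_zone_file(text):
    """Flag '#' comment lines (zone files use ';') and A records with bad IPv4 RDATA."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            problems.append((lineno, "'#' is not a comment in zone files; use ';'"))
            continue
        fields = line.split(";", 1)[0].split()  # drop a trailing ';' comment
        if "A" in fields:
            idx = fields.index("A")
            rdata = fields[idx + 1] if len(fields) > idx + 1 else ""
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                problems.append((lineno, f"A record has invalid IPv4 address {rdata!r}"))
    return problems

# Constructed samples reproducing the defects discussed in the thread (not the poster's files).
BAD_CONF = ('zone "example.test" IN {\n    type master;\n    file "example.test.zone";\n'
            '    allow-update { none; };\n\nzone "localhost" IN {\n    type primary;\n'
            '    file "named.localhost";\n};\n')
BAD_ZONE = ("$TTL 86400\n# define hosts\nmcq  IN  A  192.1681.120\n"
            "www  IN  A  192.168.120\nok   IN  A  192.168.1.120\n")
```

Running `check_named_conf(BAD_CONF)` reports the second zone as nested in the block opened at line 1 and that block as never closed; `check_zone_file(BAD_ZONE)` reports lines 2, 3 and 4.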

Gentlemen:

After fixing all my typos and removing all the comments, named loaded.

However, I think I goofed on 2 accounts (It's been years since I ran a bind install).

  1. The reason for the setup is I installed prescreen on Postfix since I’m getting more and more crap coming. So, all I think I need is a caching resolver (I could be wrong).

  2. I used the internal ip address, not the public.

  3. Barry, here is the zone file:

```
cat named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type primary;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type primary;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type primary;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type primary;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type primary;
        file "named.empty";
        allow-update { none; };
};
[root@mcq etc]#
```

Thanks

That is only 3 of the 4 parts of an ipv4 addr.

1681 is not valid in an ipv4 addr.

Barry,

I fixed those errors… and the 192 is the internal address…

Are you getting errors still?
Is there something else we can help with?

Errors, yes.

But before I categorize them, what type of BIND server should I be running? My NS are Network Solutions, and I don’t wish to change that.

I really don’t want incoming DNS queries.

I just want less delay and no quotas for outgoing dns from Postfix.

So did I configure it correctly (using internal IP) or do I need to put external IP?

Do I add it as the 3rd DNS server locally or first or only?

Then I can see if it works properly…

Thanks again!!!

ADDENDUM

After doing some added research, a Caching DNS Server fulfills my requirements.

I backed up named.conf and copied the default from …docs/named/named.conf.default

I guess the question is do I run the next cmd (which one)
a) nmcli connection modify eno1 ipv4.dns 127.0.0.1
b) nmcli connection modify eno1 ipv4.dns 192.168.1.120
c) nmcli connection modify eno1 ipv4.dns ???

Thanks

If you are running a caching nameserver then your type is incorrect.
You can do local name service as primary for the local network and caching for internet addresses on the same server if set up properly. Then the clients would normally only query the local name server which would query and cache the results for internet addresses.

Normally the loopback addresses would not be in a name server config since they are local to the host only and never reach beyond the local host confines.

Thank you Jeff V and Barry Scott, I have a working Bind install as a caching server.

Note, my Fedora server is essentially standalone, I use my routers as the caching server for devices on my localnet.

Enjoy your weekends.

Your help is most appreciated.