# Why can't I browse with my own DNS server?



## vindra9 (Jan 12, 2013)

Hello guys, I'm new to FreeBSD, and right now I want to try to build my own DNS server. I already made my settings, but until now I cannot browse any website on the internet when using my own DNS server. Anyway, thank you in advance.

Here's my setting:

/etc/hosts

```
::1                     localhost localhost.epicfail.web.id
127.0.0.1               localhost localhost.epicfail.web.id
192.211.62.47           server1 server1.epicfail.web.id.
192.211.62.47           server1.epicfail.web.id.
```

/etc/resolv.conf

```
domain epicfail.web.id
search epicfail.web.id
nameserver 192.211.62.47
nameserver 8.8.8.8
nameserver 4.2.2.2
```

/etc/rc.conf

```
hostname="server1.epicfail.web.id"
ifconfig_re0=" inet 192.211.62.47 netmask 255.255.255.128"
defaultrouter="192.211.62.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
apache22_enable="YES"
accf_http_load="YES"
sendmail_enable="YES"
named_enable="YES"
```

/etc/namedb/named.conf

```
listen-on       { 192.211.62.47; };

forwarders {
      192.211.62.47;
      192.211.62.1;
      8.8.8.8;
      4.2.2.2;
};

zone "epicfail.web.id" {
        type master;
        file "/etc/namedb/master/epicfail.db";
};

zone "62.211.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/47.62.211.192.in-addr.arpa";
};
```

/etc/namedb/master/epicfail.db

```
$TTL 3600       ;1 hour default TTL
epicfail.web.id.        IN      SOA     server1.epicfail.web.id. root.epicfail.web.id. (
        2006051501      ;Serial
        10800           ;Refresh
        3600            ;Retry
        604800          ;Expire
        300             ;Negative Response TTL
)
;DNS Servers
@       IN      NS      server1.epicfail.web.id.
;MX Records
        IN      MX 10   mx.epicfail.web.id.
        IN      MX 20   mail.epicfail.web.id.
        IN      A       192.211.62.47

;Machine Names
localhost       IN      A       192.211.62.47
server1 IN      A       192.211.62.47
mx      IN      A       192.211.62.47
mail    IN      A       192.211.62.47

;Aliases
www     IN      CNAME   epicfail.web.id.
```

/etc/namedb/master/47.62.211.192.in-addr.arpa

```
$TTL 3600       ;1 hour default TTL
@       IN      SOA     server1.epicfail.web.id. root.epicfail.web.id. (
        2006051501      ;Serial
        10800           ;Refresh
        3600            ;Retry
        604800          ;Expire
        300             ;Negative Response TTL
)
        IN      NS      server1.epicfail.web.id.
47      IN      PTR     server1.epicfail.web.id.
47      IN      PTR     mail.epicfail.web.id.
47      IN      PTR     mx.epicfail.web.id.
```

This is the result when I try from the VPS itself:

```
server1# host -t ns epicfail.web.id
epicfail.web.id name server server1.epicfail.web.id.

server1# dig epicfail.web.id

; <<>> DiG 9.8.1-P1 <<>> epicfail.web.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11758
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;epicfail.web.id.               IN      A

;; ANSWER SECTION:
epicfail.web.id.        3600    IN      A       192.211.62.47

;; AUTHORITY SECTION:
epicfail.web.id.        3600    IN      NS      server1.epicfail.web.id.

;; ADDITIONAL SECTION:
server1.epicfail.web.id. 3600   IN      A       192.211.62.47

;; Query time: 0 msec
;; SERVER: 192.211.62.47#53(192.211.62.47)
;; WHEN: Sat Jan 12 03:36:46 2013
;; MSG SIZE  rcvd: 87

server1# nslookup epicfail.web.id
Server:         192.211.62.47
Address:        192.211.62.47#53

Name:   epicfail.web.id
Address: 192.211.62.47

server1# nslookup 192.211.62.47
Server:         192.211.62.47
Address:        192.211.62.47#53

47.62.211.192.in-addr.arpa      name = server1.epicfail.web.id.
47.62.211.192.in-addr.arpa      name = mx.epicfail.web.id.
47.62.211.192.in-addr.arpa      name = mail.epicfail.web.id.
```

I think that's all my settings so far. Please kindly tell me where my mistake is and, if possible, how to correct it.

BTW, how do we see the BIND logfile? I tried to use /var/log/messages but I think it's not BIND's logfile.

Thank you for all your attention and sorry for my bad English.


----------



## Anonymous (Jan 12, 2013)

Please try the following changes in /etc/namedb/named.conf:


```
listen-on     { 127.0.0.1; 192.211.62.47; };

forwarders    { 8.8.8.8; 4.2.2.2; };
```


----------



## vindra9 (Jan 13, 2013)

rolfheinrich said:

> Please try the following changes in /etc/namedb/named.conf:
> 
> 
> ```
> ...



It's still not working. Is it possible I made a mistake when installing BIND?


----------



## shitson (Jan 13, 2013)

vindra9 said:

> /etc/resolv.conf
> 
> ```
> domain epicfail.web.id
> ...



Are these the settings on the server? Can we see the resolv.conf from the server too?


----------



## vindra9 (Jan 13, 2013)

shitson said:

> Is this the settings on the Server? Can see the resolv.conf from the Server too?



That's the resolv.conf on the server itself.


----------



## Anonymous (Jan 13, 2013)

vindra9 said:

> That's  resolv.conf on server itself



You are not trying to browse the web from a different machine than that on which your DNS is running, are you?

If you try this from another machine in the LAN, you need to extend the listen statement by the LAN address of your server:


```
listen-on     { 127.0.0.1; 192.168.x.y; 192.211.62.47; };
```

BTW, is it really necessary that your server is listening to the WAN? This makes it into an open DNS to everybody.


----------



## vindra9 (Jan 13, 2013)

rolfheinrich said:

> You are not trying to browse the web from a different machine than that on which your DNS is running, are you?
> 
> If you try this from another machine in the LAN, you need to extend the listen statement by the LAN address of your server:
> 
> ...



First question: yes, I'm trying to browse the web from a different machine.
Second question: yes, I try to browse from another machine in the LAN. So is it really needed to include the LAN address in the listen-on statement?
Third question: yes, I would like to try to make an open DNS for everybody. Umm, is it really daydreaming? Because I have only been learning FreeBSD for 1 or 2 weeks.


----------



## Anonymous (Jan 13, 2013)

vindra9 said:

> First question : yes, I'm trying to browse the web from different machine.
> Second question : yes, i try to browse from another machine in LAN Network. So is it really need to include LAN Address to the listen-on code ?



Yes, include the exact LAN address of your server, i.e. the same one that you put in the DNS field of the client's interface configuration; otherwise named(8) would refuse connections from the LAN.



			
vindra9 said:

> Third question :  yes, I would like to try make open DNS for everybody. Umm, is it really a daydreaming ?



No, it would work; you only didn't tell us that you want this. Also, it would have been great for troubleshooting if you had supplied all the other information beforehand.


----------



## vindra9 (Jan 13, 2013)

rolfheinrich said:

> No, it would work, you only didn't tell that you want this. Also, it would have been great for troubleshooting if you had supplied all the other informations as well beforehand.



I'm sorry, it's my bad for not telling you beforehand. Is there any mistake in my DNS server setup that keeps it from becoming an open DNS?


----------



## vindra9 (Jan 13, 2013)

rolfheinrich said:

> You are not trying to browse the web from a different machine than that on which your DNS is running, are you?
> 
> If you try this from another machine in the LAN, you need to extend the listen statement by the LAN address of your server:
> 
> ...



BTW, can I use listen-on { any; }? Or will I still get an error loading the web when my DNS is not an open DNS server?


----------



## Anonymous (Jan 13, 2013)

vindra9 said:

> BTW, can i use listen-on { any; } ??? or I will still get error loading web when my DNS not open DNS server ?



In this case simply omit the listen-on { ... }; statement, since the default behaviour of named is to listen on all interfaces found on your system. However, listen-on { any; }; should work too.


----------



## vindra9 (Jan 14, 2013)

rolfheinrich said:

> In this case simply omit the listen-on { ... }; statement, since the default behaviour of named is to listen on all interfaces found on your system. However, listen-on { any; }; should work too.



I already omitted the listen-on { ... }; statement, but still I can't browse anywhere. It really drives me crazy. Is there any preliminary need or setting to build an open DNS server besides all the settings I made so far?


----------



## Savagedlight (Jan 14, 2013)

In order to use your DNS server as the primary DNS server of clients, you need to enable recursive lookups as well.
You should really restrict recursive lookups to (semi-)trusted address ranges, such as your LAN, as recursive lookups are generally not considered safe on a server which is not dedicated to this purpose.

You may read more on how to do that here: http://www.netadmintools.com/art234.html

You'll also have to configure the clients to use your DNS server for lookups. This can be done locally or via DHCP if that's applicable.

You might also want to verify that bind is listening on the expected addresses:
`# sockstat -46 -l | grep named`


----------



## Anonymous (Jan 14, 2013)

vindra9 said:

> I already omit the listen-on { ... };, but still I can't browse anywhere. It really drive me crazy @__@
> 
> Is there any preliminary needs or setting to build open DNS server beside all setting all I made this far ?



Please send us the output of nslookup(1) on the command line of your client (not server). This command exists on Windows (within cmd.exe), on Mac OS X (within Terminal) and on FreeBSD (console).

It should look more or less like this one:


```
$ nslookup www.freebsd.org
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
www.freebsd.org	canonical name = wfe0.ysv.freebsd.org.
Name:	wfe0.ysv.freebsd.org
Address: 8.8.178.110
```

I guess you know that a working DNS is not sufficient for a client browsing the internet from the LAN. I assume that NAT, routing etc. are working, aren't they?


----------



## Anonymous (Jan 14, 2013)

Savagedlight said:

> In order to use your dns server as the primary dns server of clients, you need to enable recursive lookups as well...



I was not sure about this, and therefore I checked it on my FreeBSD 9.1 server running as the router to the internet. named was running in recursive mode, but for the test I set it to forward only; and forwarders { 8.8.8.8; };. After restarting the server, the clients were still perfectly happy with this.

My conclusion from this test is that your claim is wrong.

PS: I sent this message while the DNS of my server was still a forwarder only.


----------



## shitson (Jan 15, 2013)

vindra9 said:

> That's  resolv.conf on server itself



Please make the following adjustments to your /etc/resolv.conf on the Server:

From:


```
domain epicfail.web.id
search epicfail.web.id
nameserver 192.211.62.47
nameserver 8.8.8.8
nameserver 4.2.2.2
```

To: 


```
domain epicfail.web.id
nameserver 127.0.0.1
```

Also,


```
forwarders {
      192.211.62.47;
      192.211.62.1;
      8.8.8.8;
      4.2.2.2;
};
```

To: 


```
forwarders {
      8.8.8.8;
      4.2.2.2;
};
```

Restart the process & try again.


----------



## J65nko (Jan 15, 2013)

Several years ago I wrote "BIND 9: Caching and forward-only named.conf" (please keep in mind that the installation/location of the configuration file is for OpenBSD).

The configuration file itself is simple:

```
// Caching and forward only configuration

// Access Control List

acl  clients    {
    192.168.222.0/24  ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ; 
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ; 
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!
```
This is so simple that you even could use it on your laptop or workstation.


----------



## vindra9 (Jan 16, 2013)

rolfheinrich said:

> Please send us the output of nslookup(1) on the command line of your client (not server). This command exists on Windows (within cmd.exe), on Mac OS X (within Terminal) and on FreeBSD (console).
> 
> It should look more or less like this one:
> 
> ...



First of all, I'm really sorry for the long time away. Here's what I got for nslookup from my laptop (client):

This is what I got if I use the default DNS from my LAN:

```
C:\Users\Indra>nslookup epicfail.web.id
Server:  wl.Belkin
Address:  192.168.2.1

Non-authoritative answer:
Name:    epicfail.web.id
Address:  192.211.62.47
```

and this is what I got if I use the server IP as my primary DNS IP on my laptop:

```
C:\Users\Indra>nslookup epicfail.web.id
Server:  server1.epicfail.web.id
Address:  192.211.62.47

Name:    epicfail.web.id
Address:  192.211.62.47

C:\Users\Indra>nslookup google.com
Server:  server1.epicfail.web.id
Address:  192.211.62.47

*** server1.epicfail.web.id can't find google.com: Query refused
```

In fact, I'm doing nslookup after I set my resolv.conf to

```
domain epicfail.web.id
nameserver 127.0.0.1
```

and my forwarders in named.conf to 

```
forwarders {
      8.8.8.8;
      4.2.2.2;
};
```

like shitson suggested.


----------



## usdmatt (Jan 16, 2013)

As far as I remember, you can leave the listen-on option out completely and it'll listen on all interfaces by default.

'Query refused' suggests that recursion is being blocked to anyone but localhost.
Try adding the following to named config (might have to go in the options section):


```
allow-recursion { any; };
allow-query-cache { any; };
```

Obviously you can lock those down with IP addresses if you want.
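An added example (mine, not from the thread): it builds the kind of query a client sends, decodes reply headers the way dig's flags line does, and classifies the three outcomes seen in this thread (REFUSED with RA clear, an authoritative answer for the server's own zone, and a forwarded recursive answer). The packets are constructed inline, not captured from server1.

```python
import struct

# DNS header flag bits (RFC 1035) and the rcodes seen in this thread
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, qtype=1, txid=0x1234):
    """Standard A query with only RD set, as a stub resolver sends it."""
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, flags, a_record=None):
    """Constructed reply: echo the question; optionally add one A record
    whose owner is a compression pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]
    if a_record:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
        body += bytes(int(o) for o in a_record.split("."))
    ancount = 1 if a_record else 0
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + body


def parse_header(pkt):
    """Decode the 12-byte header into the fields dig prints as flags."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an}


def classify(pkt):
    """Turn the header into the diagnosis a BIND admin wants to see."""
    h = parse_header(pkt)
    if h["rcode"] == "REFUSED":
        return "refused: client not covered by allow-recursion/allow-query-cache"
    if h["aa"]:
        return "authoritative answer from the server's own zone"
    if h["ra"] and h["answers"]:
        return "recursive answer via cache or forwarder"
    return "rcode %s without a usable answer" % h["rcode"]


# Constructed samples: server1 refusing google.com for the laptop, server1
# answering its own zone (aa rd ra), and a forwarded answer once allowed.
REFUSED_REPLY = build_response(build_query("google.com"), QR | RD | 5)
AUTH_REPLY = build_response(build_query("epicfail.web.id"),
                            QR | AA | RD | RA, "192.211.62.47")
RECURSIVE_REPLY = build_response(build_query("google.com"),
                                 QR | RD | RA, "173.194.64.147")
```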


----------



## Anonymous (Jan 16, 2013)

Please show us the output of the following command on your server and on your client using the default LAN DNS:

`nslookup www.google.com 8.8.8.8`

This would directly utilize Google's open DNS for a single name resolution. Perhaps your service provider is blocking this.


----------



## vindra9 (Jan 19, 2013)

*[solved]*

Hey guys, I don't know how it works, but now I can browse any website with my own DNS server. And these are my settings right now.

/etc/hosts

```
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
```

/etc/resolv.conf

```
domain epicfail.web.id
nameserver 192.211.62.47
nameserver 8.8.8.8
nameserver 4.2.2.2
```

/etc/rc.conf

```
hostname="server1.epicfail.web.id"
ifconfig_re0=" inet 192.211.62.47 netmask 255.255.255.128"
defaultrouter="192.211.62.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
apache22_enable="YES"
accf_http_load="YES"
sendmail_enable="YES"
named_enable="YES"
```

/etc/namedb/named.conf

```
allow-recursion { any; };
allow-query-cache { any; };

//listen-on {...};

forwarders {
    8.8.8.8;
    4.2.2.2;
};

zone "epicfail.web.id" {
        type master;
        file "/etc/namedb/master/epicfail.db";
};

zone "62.211.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/47.62.211.192.in-addr.arpa";
};
```

/etc/namedb/master/epicfail.db

```
$TTL 3600        ; 1 hour default TTL
epicfail.web.id.    IN      SOA      server1.epicfail.web.id. root.epicfail.web.id. (
             2006051501      ; Serial
             10800           ; Refresh
             3600            ; Retry
             604800          ; Expire
             300             ; Negative Response TTL
                        )
; DNS Servers
                IN      NS      server1.epicfail.web.id.
; MX Records
                IN      MX 10   mx.epicfail.web.id.
                IN      A       192.211.62.47
; Machine Names
localhost       IN      A       127.0.0.1
server1         IN      A       192.211.62.47
; Aliases
www             IN      CNAME   epicfail.web.id.
```

/etc/namedb/master/47.62.211.192.in-addr.arpa

```
$TTL 3600        ; 1 hour default TTL
62.211.192.in-addr.arpa.    IN      SOA      server1.epicfail.web.id. root.epicfail.web.id. (
           2006051501      ; Serial
           10800           ; Refresh
           3600            ; Retry
           604800          ; Expire
           300             ; Negative Response TTL
                        )
               IN      NS      server1.epicfail.web.id.
47             IN      PTR     epicfail.web.id.
```

and this is what I got when doing nslookup(1):

```
server1# nslookup www.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   www.google.com
Address: 173.194.64.147
Name:   www.google.com
Address: 173.194.64.104
Name:   www.google.com
Address: 173.194.64.106
Name:   www.google.com
Address: 173.194.64.105
Name:   www.google.com
Address: 173.194.64.103
Name:   www.google.com
Address: 173.194.64.99

C:\Users\Indra>nslookup www.google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.google.com
Addresses:  2404:6800:4003:802::1010
          111.94.248.39
          111.94.248.38
          111.94.248.18
          111.94.248.59
          111.94.248.45
          111.94.248.25
          111.94.248.32
          111.94.248.31
          111.94.248.24
          111.94.248.53
          111.94.248.52
          111.94.248.46
```

Thank you very much for all your help and attention. I really appreciate it; I've really learned a lot from this case. My special thanks to rolfheinrich for all your guidance.


----------

