Troubleshooting bind9

This is a wiki page. Be bold and improve it!

If you have any questions about the content on this page, don't hesitate to open a new ticket and we'll do our best to assist you.

Logs

Unless set up otherwise with the command logging (see official documentation), bind9's error messages are directed to the default error logs (/var/logs/syslog).

The server does not respond

$ dig @mynameserver.example.com mywebsite.example.com

; <<>> DiG 9.7.3 <<>> @mynameserver.example.com mywebsite.example.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

It could be one of three things:

1) The nameserver (bind9) is not started. Check:
sudo service bind9 status
and start it if necessary.

2) The firewall does not let the connections pass through.
If you use iptables, check that UDP port 53 is not blocked:
sudo iptables -v -nL
If there are no rules, it means that all the traffic is allowed through.

3) The nameserver is not listening to requests coming from the internet.
Check /etc/bind/named.conf.options
and remove the listen-on block which probably is set to only listen to local requests:

listen-on { 127.0.0.1; };

Removing the whole listen-on directive out will cause bind9 to listen to every IP. Alternatively, add each IP address you want it to listen to.

Then reload bind.

The slave server is not updating

You add a new domain / sub-domain on your master DNS, but the slave DNS is apparently not getting notified.

Possible cause:
- make sure to update the 'serial' value of your zone file. The slave DNS will only update the zone file is its serial id is lower than that of the master's serial id.

Confusing syntax

The syntax of a Resource Record (RR), especially that of the SOA, can be confusing because of the unusual use of the parenthesis (...). A RR is typically written on one single line. However SOA entries can be fairly long and it is often more convenient to break them into several lines. For this, we use the parenthesis. This can be quite confusing for a programmer who is used to function calls with a specific number of arguments passed within parenthesis (C, PHP, etc.) In a zonefile, it only matters that the opening parenthesis is placed on the first line. Although there is no rule for this, it is often placed either before the RNAME field (the email address that does not look like an email address because the @ is replaced by a dot) or after it. Thus, the number of "arguments" both before and within the parenthesis can vary. So, when looking at various examples of zonefiles, mentally put everything onto one line, and remove the parenthesis (that's how DNS tools would read it), and everything will become clearer.

diagnostic tools

- dig: command line tool.
- dnsqr: command line tool. See: http://cr.yp.to/djbdns/debugging.html
- nslookup: command line tool. See: http://www.techrepublic.com/article/get-it-done-troubleshooting-dns-prob...

DNS – Understanding it helps to debug it:
http://phil.lavin.me.uk/2012/02/dns-understanding-it-helps-to-debug-it/

Online tools:
http://www.dnssy.com/
http://dns.squish.net/
http://network-tools.com/
http://www.logicalpackets.com/
http://checkdns.net/

Issues related to this page:

ProjectSummaryStatusPriorityCategoryLast updatedAssigned to
Linux softwarebind9: recursion vs. allow-recursionactivenormalsupport request5 years 35 weeks