Bind plugin reverse zone

[scuffe82]

I've been working on migrating my bind server over to opnsense and keep running into issues with the reverse zone. The conf and zones all check out with named-check* but it never seem to return a result for the reverse lookup. I wiped the config and setup a basic test, Heres with the files look like. Any suggestions would be appreciated! All of the files are generated via the UI plugin using the standard templates.



Config Check::

root@firewall:/usr/local/etc/namedb # named-checkconf named.conf
root@firewall:/usr/local/etc/namedb #

Zone Check:
root@firewall:/usr/local/etc/namedb # named-checkzone myzone.com master/myzone.com.db
zone myzone.com/IN: loaded serial 2204051618
OK

root@firewall:/usr/local/etc/namedb # named-checkzone 0.0.10-in-addr-arpa master/0.0.10-in-addr-arpa.db
zone 0.0.10-in-addr-arpa/IN: loaded serial 2204051619
OK

Zone Files:

root@firewall:/usr/local/etc/namedb # cat master/myzone.com.db
$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051618 21600 3600 3542400 3600 )
NS ns
ns A 10.0.0.2
test A 10.0.0.50
test2 CNAME test

root@firewall:/usr/local/etc/namedb # cat master/0.0.10-in-addr-arpa.db

$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns
2 PTR ns.myzone.com
50 PTR test.myzone.com
ns A 10.0.0.2

Nslookup results:

> server 10.0.0.2
Default server: 10.0.0.2
Address: 10.0.0.2#53

> ns
Server: 10.0.0.2
Address: 10.0.0.2#53
Name: ns.myzone.com
Address: 10.0.0.2

> test
Server: 10.0.0.2
Address: 10.0.0.2#53
Name: test.myzone.com
Address: 10.0.0.50

> test2
Server: 10.0.0.2
Address: 10.0.0.2#53
test2.myzone.com canonical name = test.myzone.com.
Name: test.myzone.com
Address: 10.0.0.50

> 10.0.0.50
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find 50.0.0.10.in-addr.arpa: NXDOMAIN

> 10.0.0.2
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find 2.0.0.10.in-addr.arpa: NXDOMAIN

Named.conf file:

root@firewall:/usr/local/etc/namedb # cat named.conf
acl "Internal-Default" { 10.0.0.0/24; };
options {
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
listen-on port 53 { 10.0.0.2; };
listen-on-v6 port 53 { ::1; };
forwarders { 10.0.0.3; };
recursion yes;
allow-recursion { Internal-Default; };
allow-transfer { Internal-Default; };
max-cache-size 80%;
dnssec-validation no;
};

key "rndc-key" {
algorithm hmac-sha256;
secret “mykey”;
};

controls {
inet 127.0.0.1 port 9530
allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };

zone “myzone.com" {
type master;
file "/usr/local/etc/namedb/master/myzone.com.db";
allow-transfer { Internal-Default; };
allow-query { Internal-Default; };
};

zone "0.0.10-in-addr-arpa" {
type master;
file "/usr/local/etc/namedb/master/0.0.10-in-addr-arpa.db";
allow-transfer { Internal-Default; };
allow-query { Internal-Default; };
};

logging {
channel default_log {
file "/var/log/named/named.log" versions 3 size 20m;
print-time yes;
print-severity yes;
print-category yes;
};

channel query_log {
file "/var/log/named/query.log" versions 3 size 20m;
print-time yes;
};

channel rpz_log {
file "/var/log/named/rpz.log" versions 3 size 20m;
print-time yes;
};

category default { default_log; };
category general { default_log; };
category queries { query_log; };
category rpz { rpz_log; };
category lame-servers { null; };
};

[scuffe82]

Also if it matters bind is listening on an alias of the lan address and unbound is disabled.

Lan is 10.0.0.1
Bind listen address 10.0.0.2

[Patrick M. Hausen]

What exactly is your issue? You need to create all PTR records in the reverse zone yourself. If you don't put a record named "50" into the zone "0.0.10.in-addr.arpa" there will be no reverse lookup for 10.0.0.50 ...

[scuffe82]

I have the PTR records created in the reverse zone but they don't resolve. I have almost the identical zone config in a standalone bind server that works but i can't seem to get it to work via the plugin.

Zone Files:
root@firewall:/usr/local/etc/namedb # cat master/myzone.com.db
$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051618 21600 3600 3542400 3600 )
NS ns
ns A 10.0.0.2
test A 10.0.0.50
test2 CNAME test



root@firewall:/usr/local/etc/namedb # cat master/0.0.10-in-addr-arpa.db
$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns
2 PTR ns.myzone.com
50 PTR test.myzone.com
ns A 10.0.0.2

When i do forward lookups they resolve as expected but reverse always comes back NXDOMAIN

Nslookup results:

> test
Server: 10.0.0.2
Address: 10.0.0.2#53
Name: test.myzone.com
Address: 10.0.0.50

> 10.0.0.50
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find 50.0.0.10.in-addr.arpa: NXDOMAIN

[netnut]

root@firewall:/usr/local/etc/namedb # cat master/0.0.10-in-addr-arpa.db
$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns
2 PTR ns.myzone.com
50 PTR test.myzone.com
ns A 10.0.0.2

$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns.myzone.com.
2 PTR ns.myzone.com.
50 PTR test.myzone.com.
ns A 10.0.0.2

Needs a trailing dot and there's no need for A records in a reverse lookup zone.

[scuffe82]

I'll try adding the trailing dots, The UI check and the named-checkzone both mark them as valid without them. In my standalone bind server i have them but i'm trying to stick to just what the UI plugin provides and not manually edit the files.

As for the A record in the reverse zone, if i don't have it in there it will fail the named-checkzone verification if its not there. I removed the record and ran the checkzone and get this.

root@firewall:/usr/local/etc/namedb # named-checkzone 0.0.10-in-addr-arpa master/0.0.10-in-addr-arpa.db
zone 0.0.10-in-addr-arpa/IN: NS 'ns.0.0.10-in-addr-arpa' has no address records (A or AAAA)
zone 0.0.10-in-addr-arpa/IN: not loaded due to errors.

EDIT:
Adding the dots didn't seem to make any difference:

> ns
Server:      10.0.0.2
Address:   10.0.0.2#53
Name:   ns.myzone.com
Address: 10.0.0.2

> 10.0.0.2
** server can't find 2.0.0.10.in-addr.arpa: NXDOMAIN
>

I changed the record to this:
2                PTR ns.myzone.com.

[Patrick M. Hausen]

That's because you have this:

Code: [Select]

NS nsin your zone. That should read

Code: [Select]

NS ns.my.forward.zone.com.
Otherwise it's looking for ns.0.0.10.in-addr.arpa, which does not exist.

Honestly I do not even remember the syntax of nslookup, can you really just throw an IP address at the tool and get a reverse lookup? Otherwise you might want to try:

Code: [Select]

dig -x 10.0.0.50

[scuffe82]

root@firewall:/usr/local/etc/namedb # cat master/0.0.10-in-addr-arpa.db
$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns
2 PTR ns.myzone.com
50 PTR test.myzone.com
ns A 10.0.0.2

$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns.myzone.com.
2 PTR ns.myzone.com.
50 PTR test.myzone.com.
ns A 10.0.0.2

Needs a trailing dot and there's no need for A records in a reverse lookup zone.

I played with it a little more and having the FQDN for the NS line fixed it from failing the check so that line is removed, but with or without the dots it's still not returning reverse records.

[Patrick M. Hausen]

Possible typo: it's not in-addr-arpa, but in-addr.arpa ...

[scuffe82]

That's because you have this:

Code: [Select]

NS nsin your zone. That should read

Code: [Select]

NS ns.my.forward.zone.com.
Otherwise it's looking for ns.0.0.10.in-addr.arpa, which does not exist.

Honestly I do not even remember the syntax of nslookup, can you really just throw an IP address at the tool and get a reverse lookup? Otherwise you might want to try:

Code: [Select]

dig -x 10.0.0.50

You 1000% nailed it...I know i've used nslookup before to look up reverse zones but i didn't even think to test with a different tool. Thank you for the help!

[scuffe82]

root@firewall:/usr/local/etc/namedb # cat master/0.0.10-in-addr-arpa.db
$TTL 86400
@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns
2 PTR ns.myzone.com
50 PTR test.myzone.com
ns A 10.0.0.2

$TTL 86400

@ IN SOA ns.myzone.com. mail.opnsense.localdomain. ( 2204051619 21600 3600 3542400 3600 )
NS ns.myzone.com.
2 PTR ns.myzone.com.
50 PTR test.myzone.com.
ns A 10.0.0.2

Needs a trailing dot and there's no need for A records in a reverse lookup zone.

Thank you for the help too!