How to: Troubleshoot UNIX / Linux BIND DNS server problems

by on November 19, 2004 · 14 comments· LAST UPDATED October 12, 2007

in , ,

BIND is the Berkeley Internet Name Domain, DNS server. It is wildly used on UNIX and Linux like oses. You can use following tools to troubleshoot bind related problems under UNIX or Linux oses.

Task: Port 53 open and listing requests

By default BIND listen DNS queries on port 53. So make sure port 53 is open and listing user requests. by running any one of the following tests. See if you can telnet to port 53 from remote computer:
$ telnet remote-server-ip 53
OR
telnet ns1.nixcraft.org domain
Output:

Trying 192.168.0.5...
Connected to ns1.nixcraft.org.
Escape character is '^]'.

If you cannot connect make sure firewall is not blocking your requests. Next use netstat command to list open and listing port 53 on server itself:
$ netstat -tulpn | grep :53
OR
# netstat -atve
Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 ns1.nixcraft.org:domain *:*                     LISTEN      named      10386
tcp        0      0 rhx.test.com:domain     *:*                     LISTEN      named      10384
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1785
tcp        0      0 rhx.test.com:rndc       *:*                     LISTEN      named      10388
tcp        0      0 rhx.test.com:smtp       *:*                     LISTEN      root       1873
tcp        0      0 ns1.nixcraft.org:ssh    w2k.nixcraft.org:1057   ESTABLISHED root       10501
tcp        0      0 rhx.test.com:32773      rhx.test.com:domain     TIME_WAIT   root       0
tcp        0      0 ns1.nixcraft.org:32775  ns1.nixcraft.org:domain TIME_WAIT   root       0
tcp        0      0 rhx.test.com:32774      rhx.test.com:domain     TIME_WAIT   root       0

Make sure iptables firewall is not blocking request on server:
# iptables -L -n
OR
# iptables -L -n | less
Make sure named is running:
# /etc/init.d/named status
If not start named:
# chkconfig named on
# service named start

Task: Use log files

You can use log files after starting/restarting bind to see error messages:
# tail –f /var/log/message
Output:

Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface eth0, 192.168.0.5#53
Nov 17 16:50:25 rhx named[3539]: command channel listening on 127.0.0.1#953
Nov 17 16:50:25 rhx named[3539]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Nov 17 16:50:25 rhx named[3539]: nixcraft.org.rev:1: no TTL specified; using SOA MINTTL instead
Nov 17 16:50:25 rhx named[3539]: zone 0.168.192.in-addr.arpa/IN: loaded serial 12
Nov 17 16:50:25 rhx named[3539]: zone localhost/IN: loaded serial 42
Nov 17 16:50:25 rhx named[3539]: zone nixcraft.org/IN: loaded serial 12
Nov 17 16:50:25 rhx named[3539]: running

Task: Check zone file for errors

You can check zone file syntax and /etc/named.conf file using following utilities. named-checkconf command is named (BIND) configuration file syntax checking tool.
# named-checkconf /etc/named.conf
Output:

/etc/named.conf:32: missing ';' before 'zone'

Plesse note that if named-checkconf did not find any errors it will not display in output on screen.

Check zone file syntax for errors. named-checkzone is zone file validity checking tool. named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named checkzone useful for checking zone files before configuring them into a name server.
# named-checkzone localhost /var/named/localhost.zone
OR
#named-checkzone nixcraft.org /var/named/nixcraft.org.zone
Output:

zone nixcraft.org/IN: loaded serial 12
OK

Task: Testing BIND/DNS with utilities

You can use host and dig utilties to test your bind configuration.

  • host: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.
  • dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

List IP address associated with host names:
# host nixcraft.org
OR
# host www
Output:

www.nixcraft.org has address 192.168.0.6

Perform a zone transfer for zone name using -l option:
# host -l nixcraft.org

nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400
nixcraft.org name server ns1.nixcraft.org.
nixcraft.org mail is handled by 10 mail.nixcraft.org.
nixcraft.org has address 192.168.0.5
gw.nixcraft.org has address 192.168.0.254
mail.nixcraft.org has address 192.168.0.7
ns1.nixcraft.org has address 192.168.0.5
w2k.nixcraft.org has address 192.168.0.1
www.nixcraft.org has address 192.168.0.6
nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400

Other examples
# dig mail.nixcraft.org
# dig 192.168.0.5

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 14 comments… read them below or add one }

1 Anonymous December 24, 2004 at 3:06 am

Nice blog Vivek, Keep it up – JaY
Need more technical oriented entries just like this one.

Reply

2 Eric April 28, 2005 at 9:25 pm

IT’s helped a newbie out a lot!!!

Reply

3 uwasemar May 21, 2008 at 11:17 pm

Thank’s this more enough help me to troubleshoot named

Reply

4 ami December 2, 2008 at 9:17 am

how to create zone entries in bulk in dns server.

Is there any method to do so????
plz help

Reply

5 Susi Ledermüller February 13, 2009 at 8:09 pm

Very great description to locate bugs in local bind configuration. Thank you. (for creating bulk zones ami I think you should use webmin. It allows to import and create bulk files)

Reply

6 DLBDS June 17, 2009 at 6:29 am

This is a great aritcal for administrators. this help me a lot to troubleshoot my DNS server. thanks.

Reply

7 neurosys October 11, 2009 at 12:31 am

very helpful…. i wasnt looking for this when I found it but I was delighted by the way it was presented and it is in fact some very good advice.

Reply

8 devesh soni November 7, 2010 at 4:55 pm

actually dns is working on my pc but from others i m trying but its not working on them,,,,,,edit /etc/resolv.conf on client,,,firewall off,,selinux off but then also not working…please help

Reply

9 Shkodenko V. Taras May 25, 2011 at 6:01 pm

devesh soni, I had the same problem.
I have used bind-chroted.
Chroot path was /var/named/chroot
And config file has been located in /var/named/chroot/etc/named.conf
All zone files was in /var/named/chroot/var/named/ folder
Can you try this solution?

Reply

10 Hanif May 26, 2011 at 1:56 pm

Shkodenko V. Taras – it’s nothing to do with the chroot.. chroot is 1 way to secure the dns service..

some troubleshooting step need to be done first..

maybe dig result on the localhost, is there any reply ?

and some more basic troubleshooting steps..

regards

Hanif

Reply

11 killer3d November 11, 2011 at 7:42 am

oooh thanks, you have helped me. thanks thanks thanks

Reply

12 Webster May 16, 2012 at 11:47 am

“BIND is the Berkeley Internet Name Domain, DNS server. It is wildly used on UNIX and Linux like oses. You can use following tools to troubleshoot bind related problems under UNIX or Linux oses.”

I guess we need to tame it as well? ;-)

Reply

13 laxman January 30, 2014 at 10:56 am

Hi All,

This is laxman veeramalla.Can you please some one guide how to create multiple instances in one web server.

Thanks,
Laxman

Reply

14 Anuja March 4, 2014 at 2:19 pm

Hi All,

Could you please someone give a solution for the below queries

what type of processes from a Unix server will send queries to the DNS server?
and why same queries are being sent from Unix server to the DNS server at many times?

Reply

Leave a Comment

Tagged as: , , , , , , , , , , ,

Previous post:

Next post: