Troubleshooting

This section covers ways to help determine the cause when problems happen with DNS and BIND9.

Testing

resolv.conf

The first step in testing BIND9 is to add the nameserver's IP Address to a hosts resolver. The Primary nameserver should be configured as well as another host to double check things. Simply edit /etc/resolv.conf and add the following:

nameserver	192.168.1.10
nameserver	192.168.1.11
[Nota]

You should also add the IP Address of the Secondary nameserver in case the Primary becomes unavailable.

dig

If you installed the dnsutils package you can test your setup using the DNS lookup utility dig:

  • After installing BIND9 use dig against the loopback interface to make sure it is listening on port 53. From a terminal prompt:

    dig -x 127.0.0.1
    

    You should see lines similar to the following in the command output:

    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.10#53(192.168.1.10)
    
  • If you have configured BIND9 as a Caching nameserver "dig" an outside domain to check the query time:

    dig ubuntu.com
    

    Note the query time toward the end of the command output:

    ;; Query time: 49 msec
    

    After a second dig there should be improvement:

    ;; Query time: 1 msec
    

ping

Now to demonstrate how applications make use of DNS to resolve a host name use the ping utility to send an ICMP echo request. From a terminal prompt enter:

ping example.com

This tests if the nameserver can resolve the name ns.example.com to an IP Address. The command output should resemble:

PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms

named-checkzone

A great way to test your zone files is by using the named-checkzone utility installed with the bind9 package. This utility allows you to make sure the configuration is correct before restarting BIND9 and making the changes live.

  • To test our example Forward zone file enter the following from a command prompt:

    named-checkzone example.com /etc/bind/db.example.com
    

    If everything is configured correctly you should see output similar to:

    zone example.com/IN: loaded serial 6
    OK
    
  • Similarly, to test the Reverse zone file enter the following:

    named-checkzone example.com /etc/bind/db.192
    

    The output should be similar to:

    zone example.com/IN: loaded serial 3
    OK
    
[Nota]

The Serial Number of your zone file will probably be different.

Logging

BIND9 has a wide variety of logging configuration options available. There are two main options. The channel option configures where logs go, and the the category option determines what information to log.

If no logging option is configured the default option is:

logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};

This section covers configuring BIND9 to send debug messages related to DNS queries to a separate file.

  • First, we need to configure a channel to specify which file to send the messages to. Edit /etc/bind/named.conf.local and add the following:

    logging {
        channel query.log {      
            file "/var/log/query.log";
            severity debug 3; 
        }; 
    };
    
  • Next, configure a category to send all DNS queries to the query file:

    logging {
        channel query.log {      
            file "/var/log/query.log"; 
            severity debug 3; 
        }; 
        category queries { query.log; }; 
    };
    
[Nota]

Note: the debug option can be set from 1 to 3. If a level isn't specified level 1 is the default.

  • Since the named daemon runs as the bind user the /var/log/query.log file must be created and the ownership changed:

    sudo touch /var/log/query.log
    sudo chown bind /var/log/query.log
    
  • Before named daemon can write to the new log file the AppArmor profile must be updated. First, edit /etc/apparmor.d/usr.sbin.named and add:

    /var/log/query.log w,
    

    Next, reload the profile:

    cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r
    

    For more information on AppArmor see “AppArmor”

  • Now restart BIND9 for the changes to take effect:

    sudo /etc/init.d/bind9 restart
    

You should see the file /var/log/query.log fill with query information. This is a simple example of the BIND9 logging options. For coverage of advanced options see “More Information”.