Getting out of a sticky BIND

Setting up DNS on Linux isn’t supposed to be the easiest thing in the world. But it wasn’t supposed to be this hard either.
I installed Debian (since it’s nice and lean and mean) and BIND 9.2.1 and dutifully entered the named.conf file and the zones files. I checked out their syntax with the included tools (named-checkconf and named-checkzone). It checked out fine. But my Windows PCs wouldn’t resolve against it.

My computers running Linux, or anything else for that matter, worked just fine. The new DNS was lightning fast and worked every time–a big improvement over the DNSs it would replace. Unless, of course, you were running Windows. My PC didn’t work and neither did my boss’. External addresses would resolve, but our own internal addresses (A records in the trade) wouldn’t.

We struggled with this for days. I read a couple of books on DNS. I probably set a record for the most visits to Google in 24 hours. No one seemed to have this problem but us. We used low-level network tools to watch what was going on. Our boxes seemed to be querying the wrong machine, regardless of network configuration.

We brought in a third mind. His Linux system worked fine. So did a VMS system. Even his NT system worked. Then we found another Windows 2000 system that worked. So we put our heads together to figure out what the difference between the Windows systems was.

Finally we got it: My boss and I had VPN clients loaded on our machines. They intercepted local addresses, hijacking the DNS query and (partially) querying the old DNS, and causing timeouts. After we disabled the VPN clients, we were able to resolve against our new DNS.

No wonder it seemed like no one else had ever had the problem before.

So if you ever have to change the IP address of one or more DNSs on your LAN and things start breaking mysteriously, check to see if you have VPN clients enabled.
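When a query "seems to be querying the wrong machine", the quickest way to confirm it is to bypass the operating system's resolver entirely: hand-build a DNS query, send it over UDP straight to the server you intend, and check both the answer and the address that actually replied. The script below is an added example written for this post, not code from the post or from BIND; the hostname fileserver.corp.example, the server address 10.0.0.2 and the constructed sample response are all assumptions used for illustration. The query builder and answer parser work offline on constructed packets; the network check is only run from the usage block at the bottom.

```python
import socket
import struct

# DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive-desired A query for `name`."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD bit set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_a_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed sample reply (what a correct server would send); used only for offline testing."""
    txid = struct.unpack("!H", query[:2])[0]
    header = HEADER.pack(txid, 0x8180, 1, 1, 0, 0)  # QR + RD + RA, one answer
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def _read_name(pkt: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just past it in the current record)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt: bytes, expected_txid: int):
    """Return (rcode, [(name, ipv4, ttl), ...]) from a DNS response; rejects mismatched IDs."""
    txid, flags, qd, an, _ns, _ar = HEADER.unpack(pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return rcode, answers


def check_resolver(server_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Query `server_ip` directly and report who actually answered (network; not run on import)."""
    query = build_query(name)
    result = {"expected_server": server_ip, "answered_by": None, "rcode": None, "answers": []}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, (peer_ip, _port) = sock.recvfrom(512)
        except socket.timeout:
            result["error"] = "timeout: no reply from the intended server"
            return result
    result["answered_by"] = peer_ip
    result["rcode"], result["answers"] = parse_a_records(data, 0x1234)
    # A reply from a different address than the one queried means something
    # between this host and the server is redirecting DNS traffic.
    result["redirected"] = peer_ip != server_ip
    return result


if __name__ == "__main__":
    # Offline demonstration on a constructed packet (assumed names and addresses).
    q = build_query("fileserver.corp.example")
    print(parse_a_records(build_a_response(q, "10.0.0.5", 3600), 0x1234))
    # Live check against an assumed internal server; compare with what nslookup returns.
    print(check_resolver("10.0.0.2", "fileserver.corp.example"))
```

If the direct query succeeds while the operating system's own lookup times out, the resolver library or something hooked into it (a VPN client, in the post's case) is handling the name differently from a plain UDP exchange with the server; if even the direct query comes back from an address other than the one sent to, or never comes back, the redirection is happening below the application.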

2 thoughts on “Getting out of a sticky BIND”

  • June 5, 2002 at 9:47 pm

    Hope it’s the latest version. I was reading today about some issue with the version 9 BINDs.

  • June 5, 2002 at 10:47 pm

    It’s either 9.2 or 9.2.1. It’s behind a firewall and only answering behind the firewall, and it’ll be a week or so before more than about 20 people are using it. If a patch is required, I’m sure by then that the Debian folks will have one.

    Here’s the CERT advisory. Fortunately it’s just a denial of service attack and not a root exploit.
