
I have this /etc/resolv.conf:

# Generated by NetworkManager
search mydom.com-local site
nameserver 127.0.0.1
nameserver 10.11.12.13
nameserver 8.8.8.8

If I look up a host in a domain that is only known by the company's DNS server (here 10.11.12.13), it does not work when I use the 'host' command:

# host myhost.mycompany.grp
Host myhost.mycompany.grp not found: 3(NXDOMAIN)

But if I comment out the nameserver 127.0.0.1 in resolv.conf:

# Generated by NetworkManager
search mydom.com-local site
#nameserver 127.0.0.1
nameserver 10.11.12.13
nameserver 8.8.8.8

it works at once:

# host myhost.mycompany.grp
myhost.mycompany.grp has address 10.55.66.77

It looks like the "nameserver 127.0.0.1" is not forwarding requests for outer zones to other DNS servers.

I do not use dnsmasq (and I do not want to). I tried many options in named.conf but without any success.

My named.conf:

options {
    check-names master warn;
    directory "/var/named";
    dump-file "/var/log/named_dump.db";
    include "/etc/named/forwarders.conf";
    listen-on-v6 { any; };
    notify no;
    statistics-file "/var/log/named.stats";
    empty-zones-enable no;

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "appdom.com-local" in {
    type master;
    file "master/appdom.com-local.zone";
    allow-transfer { any; };
};
zone "in-addr.arpa" in {
    type master;
    file "master/appdom.com-local_reverse.zone";
    allow-transfer { any; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

My /etc/named/forwarders.conf:

forwarders { 10.11.12.13; 8.8.8.8; };

I have put named in debug mode (rndc trace 1000): I do not see in the traces that named is trying to forward the request to 10.11.12.13.

What's wrong with my forwarding on my local name server?

Eric

2 Answers


Although it's hard for me to tell because you're using one of those BIND installs that scatters the config across many small files (and because you've not told us what you're trying to do, only how you're trying to do it), I suspect what you want to do is forwarding on a per-zone basis (as I do exactly the same thing).

This comes in two flavours: local BIND should resolve everything except queries for certain zones which should be sent onwards, and local BIND should resolve only queries for certain zones with all others to be sent onwards. For the former, try

zone "example.org" {
        type forward;
        forward first;
        forwarders {
                10.11.12.13 ;
        } ;
} ;

If you're doing the latter, remove the hints for zone . - if your local server can resolve everything, why would it ever need to forward a query?

MadHatter

I finally found a solution.

After activating query logging (rndc querylog), I was able to see in messages:

error (insecurity proof failed) resolving 'myhost.mycompany.grp/A/IN': 10.11.12.13#53

I deactivated DNSSEC validation:

dnssec-validation no;

Then I had a very strange behavior, as if the forwarders' IPs were used in a round-robin manner: sometimes the host is resolved, sometimes not (the host is known only by the first IP).

By putting only the first IP in forwarders, it now works.

I will try soon, if it is possible, to add some priority on forwarders IPs.

So now it is more of a DNSSEC problem; I will deal with that later.

Eric
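As an added diagnostic (not code from the thread or from BIND), this POSIX shell script sends the same query through every nameserver listed in a resolv.conf, in the order the stub resolver tries them, and repeats each query with dig's +cd (checking disabled) flag so that a SERVFAIL caused by DNSSEC validation, as behind the "insecurity proof failed" log line above, is told apart from a real NXDOMAIN or an unreachable server. It assumes dig(1) is installed; the resolv.conf path and the name myhost.mycompany.grp are placeholders taken from the question.

```shell
#!/bin/sh
# Added example: query one name via each nameserver in a resolv.conf and
# classify the answer. dig(1) is assumed; RESOLV_CONF and NAME are
# placeholders (the question's values are used as defaults).
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NAME="${NAME:-myhost.mycompany.grp}"

# Nameserver addresses in file order (the stub resolver tries the first
# one, 127.0.0.1 here, before the others, so it hides them).
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Pull the RCODE out of a dig response header read on stdin, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711"
parse_dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_status <status> <status with +cd>
classify_status() {
    case "$1" in
        NOERROR)  echo ok ;;
        NXDOMAIN) echo nxdomain ;;
        TIMEOUT)  echo no-response ;;
        SERVFAIL)
            # +cd asks the resolver to skip DNSSEC validation; if that turns
            # SERVFAIL into NOERROR the failure was validation, not
            # reachability or an unknown zone.
            if [ "$2" = "NOERROR" ]; then
                echo dnssec-validation-failure
            else
                echo servfail
            fi ;;
        *) echo "unknown($1)" ;;
    esac
}

# Two queries against one server (plain and +cd), then classify.
check_server() {   # $1 = server address, $2 = name
    plain=$(dig @"$1" "$2" A +time=2 +tries=1 2>/dev/null | parse_dig_status)
    nocheck=$(dig @"$1" "$2" A +cd +time=2 +tries=1 2>/dev/null | parse_dig_status)
    classify_status "${plain:-TIMEOUT}" "${nocheck:-TIMEOUT}"
}

# One line per nameserver: address and classification.
check_all() {
    for ns in $(list_nameservers "$RESOLV_CONF"); do
        printf '%-16s %s\n' "$ns" "$(check_server "$ns" "$NAME")"
    done
}

if [ "${1:-}" = run ]; then check_all; fi
```

Run it as `sh script.sh run`; a "dnssec-validation-failure" line for 127.0.0.1 next to an "ok" line for 10.11.12.13 reproduces the situation in the accepted answer without touching named.conf.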