I installed it on Ubuntu 20 and configured two zones.

Options config file
acl internal {
    localhost;
    localnets;
    192.168.70.0/24;
    10.200.157.0/24;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        9.9.9.9;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    //auth-nxdomain no;
    listen-on { 127.0.0.1; 192.168.70.66; };
    listen-on-v6 { ::1; };
    allow-recursion { any; };
    allow-query-cache { any; };
    allow-query { any; };
};
Local config file
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "wisam.rph" {
    type master;
    file "/etc/bind/forward.wisam.rph";
    allow-query { any; };
};

zone "70.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/reverse.wisam.rph";
    allow-query { any; };
};

logging {
    channel query.log {
        file "/var/log/named/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity dynamic;
    };
};
Forward Zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA vmubuntuauthserver.wisam.rph. root.vmubuntuauthserver.wisam.rph. (
4 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
vmubuntuauthserver IN A 192.168.70.66
;
@ IN NS vmubuntuauthserver.wisam.rph.
nameserver IN A 192.168.70.66
www IN A 192.168.70.66
@ IN AAAA ::1
Reverse Zone
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA nameserver.wisam.rph. root.nameserver.wisam.rph. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS nameserver.wisam.rph.
66 IN PTR nameserver.wisam.rph.
Note: the IP of the server is 192.168.70.66. I have disabled systemd-resolved, removed the resolv.conf file and recreated it with the following contents:

resolv.conf
nameserver 192.168.70.66
search wisam.rph
Within the server, if I execute "dig nameserver.wisam.rph", the result I get is:
; <<>> DiG 9.16.1-Ubuntu <<>> nameserver.wisam.rph
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61584
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 32e45ecf7d5069f601000000653a9e7e43d963d1c233e471 (good)
;; QUESTION SECTION:
;nameserver.wisam.rph. IN A
;; ANSWER SECTION:
nameserver.wisam.rph. 604800 IN A 192.168.70.66
;; Query time: 0 msec
;; SERVER: 192.168.70.66#53(192.168.70.66)
;; WHEN: Thu Oct 26 17:14:38 UTC 2023
;; MSG SIZE rcvd: 93
And for the reverse, "dig -x 192.168.70.66", I get:
; <<>> DiG 9.16.1-Ubuntu <<>> -x 192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45455
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: add17d7373cfe21c01000000653a9ed0d83ec9b4b4f3cfb0 (good)
;; QUESTION SECTION:
;66.70.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
66.70.168.192.in-addr.arpa. 604800 IN PTR nameserver.wisam.rph.
;; Query time: 0 msec
;; SERVER: 192.168.70.66#53(192.168.70.66)
;; WHEN: Thu Oct 26 17:16:00 UTC 2023
;; MSG SIZE rcvd: 117
At this point I can't find any issues. I did run the command "sudo ufw allow Bind9" to be sure the traffic is allowed. Yet on another Ubuntu 20 desktop, after setting the DNS to 192.168.70.66 and trying to execute the command "dig nameserver.wisam.rph @192.168.70.66", I get:
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> nameserver.wisam.rph @192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46698
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nameserver.wisam.rph. IN A
;; Query time: 4 msec
;; SERVER: 192.168.70.66#53(192.168.70.66) (UDP)
;; WHEN: Thu Oct 26 13:19:36 EDT 2023
;; MSG SIZE rcvd: 49
Yet if I ping it, I get:
PING 192.168.70.66 (192.168.70.66) 56(84) bytes of data.
64 bytes from 192.168.70.66: icmp_seq=1 ttl=64 time=0.937 ms
64 bytes from 192.168.70.66: icmp_seq=2 ttl=64 time=0.644 ms
64 bytes from 192.168.70.66: icmp_seq=3 ttl=64 time=0.803 ms
64 bytes from 192.168.70.66: icmp_seq=4 ttl=64 time=0.707 ms
64 bytes from 192.168.70.66: icmp_seq=5 ttl=64 time=0.660 ms
64 bytes from 192.168.70.66: icmp_seq=6 ttl=64 time=0.690 ms
64 bytes from 192.168.70.66: icmp_seq=7 ttl=64 time=0.751 ms
64 bytes from 192.168.70.66: icmp_seq=8 ttl=64 time=0.784 ms
64 bytes from 192.168.70.66: icmp_seq=9 ttl=64 time=0.675 ms
64 bytes from 192.168.70.66: icmp_seq=10 ttl=64 time=0.384 ms
64 bytes from 192.168.70.66: icmp_seq=11 ttl=64 time=0.504 ms
64 bytes from 192.168.70.66: icmp_seq=12 ttl=64 time=0.378 ms
64 bytes from 192.168.70.66: icmp_seq=13 ttl=64 time=0.558 ms
64 bytes from 192.168.70.66: icmp_seq=14 ttl=64 time=0.401 ms
64 bytes from 192.168.70.66: icmp_seq=15 ttl=64 time=1.13 ms
64 bytes from 192.168.70.66: icmp_seq=16 ttl=64 time=0.355 ms
64 bytes from 192.168.70.66: icmp_seq=17 ttl=64 time=0.340 ms
64 bytes from 192.168.70.66: icmp_seq=18 ttl=64 time=0.359 ms
64 bytes from 192.168.70.66: icmp_seq=19 ttl=64 time=0.290 ms
64 bytes from 192.168.70.66: icmp_seq=20 ttl=64 time=0.410 ms
64 bytes from 192.168.70.66: icmp_seq=21 ttl=64 time=0.426 ms
64 bytes from 192.168.70.66: icmp_seq=22 ttl=64 time=0.605 ms
64 bytes from 192.168.70.66: icmp_seq=23 ttl=64 time=0.420 ms
64 bytes from 192.168.70.66: icmp_seq=24 ttl=64 time=0.412 ms
64 bytes from 192.168.70.66: icmp_seq=25 ttl=64 time=0.428 ms
And if I execute "dig google.com @192.168.70.66", I get:
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> google.com @192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57387
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 33 IN A 142.250.176.206
;; Query time: 12 msec
;; SERVER: 192.168.70.66#53(192.168.70.66) (UDP)
;; WHEN: Thu Oct 26 13:21:55 EDT 2023
;; MSG SIZE rcvd: 55
The result of "netstat -lnptu | grep 53" is:
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.70.66:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:53 :::* LISTEN -
tcp6 0 0 ::1:953 :::* LISTEN -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 :::5353 :::* -
Using Wireshark, here is the response to the attempt to ping namespace.wisam.rph:
Domain Name System (response)
Transaction ID: 0x56ba
Flags: 0x8183 Standard query response, No such name
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0011 = Reply code: No such name (3)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 0
Queries
namespace.wisam.rph: type A, class IN
Authoritative nameservers
<Root>: type SOA, class IN, mname a.root-servers.net
[Request In: 187889]
[Time: 0.016853000 seconds]
When running "sudo systemctl status named", this is what I get:
named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-10-29 23:25:46 UTC; 1s ago
Docs: man:named(8)
Main PID: 51693 (named)
Tasks: 14 (limit: 19082)
Memory: 26.6M
CGroup: /system.slice/named.service
└─51693 /usr/sbin/named -f -u bind
Oct 29 23:25:46 vmubuntuauthserver named[51693]: command channel listening on ::1#953
Oct 29 23:25:46 vmubuntuauthserver named[51693]: managed-keys-zone: loaded serial 6
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 0.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone localhost/IN: loaded serial 2
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 70.168.192.in-addr.arpa/IN: loaded serial 2
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone wisam.rph/IN: loaded serial 4
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 127.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 255.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: all zones loaded
Oct 29 23:25:46 vmubuntuauthserver named[51693]: running
What am I missing? For the lines I commented, I tried with and without them, with the same result. [Note: the lines for listening and forwarding were added by me; I had commented them out, and they are currently uncommented.]
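Added example (not from the poster or from BIND): a small Python decoder for the DNS header flag word, fed with constructed 12-byte headers that reproduce the two flag words shown in the post, 0x8580 (`qr aa rd ra`, NOERROR, from the local dig) and 0x8183 (`qr rd ra`, NXDOMAIN, from the remote dig and the Wireshark capture). It reads the AA bit, which is what separates an answer served from a loaded zone from one produced by recursion or a forwarder; transaction IDs and section counts are copied from the dig output, the classification wording is an assumption of this example.

```python
"""Decode a DNS response header and tell whether the answer came from the
responder's own zone data (AA bit set) or from recursion/forwarding."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte header (RFC 1035 section 4.1.1) of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # message is a response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def dig_style_flags(hdr: dict) -> str:
    """Render the flags as dig prints them, e.g. 'qr aa rd ra'."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if hdr[f])

def diagnose(hdr: dict) -> str:
    """Classify a response for a name the responder should hold a zone for."""
    if not hdr["qr"]:
        return "not a response"
    if not hdr["aa"]:
        # No AA bit: the data was not read from a loaded zone but obtained
        # recursively (e.g. via a forwarder), so no local zone matched the name.
        return f"non-authoritative {hdr['rcode']}"
    return f"authoritative {hdr['rcode']}"

def make_header(txid, flags, qd, an, ns, ar) -> bytes:
    return struct.pack("!6H", txid, flags, qd, an, ns, ar)

# Constructed headers mirroring the two dig outputs quoted in the post.
LOCAL_RESPONSE = make_header(61584, 0x8580, 1, 1, 0, 1)   # qr aa rd ra, NOERROR
REMOTE_RESPONSE = make_header(46698, 0x8183, 1, 0, 0, 1)  # qr rd ra, NXDOMAIN

if __name__ == "__main__":
    for label, msg in (("local", LOCAL_RESPONSE), ("remote", REMOTE_RESPONSE)):
        h = parse_header(msg)
        print(f"{label}: flags {dig_style_flags(h)}; {diagnose(h)}")
```

The same decoder can be pointed at the raw bytes of a captured response (for example exported from Wireshark) to check whether the responding host actually answered from the zone it was expected to serve.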