This page provides a guide to common BIND error messages and their solutions for troubleshooting DNS issues.
Description: BIND is unable to resolve a DNS query due to network connectivity issues.
Possible Causes:
Troubleshooting Steps:
Check network connectivity:
ping 8.8.8.8
traceroute 8.8.8.8
Test direct DNS resolution:
dig @8.8.8.8 example.com
nslookup example.com 8.8.8.8
Verify firewall rules allow outbound DNS traffic:
# Check iptables
sudo iptables -L OUTPUT
# Check firewalld
sudo firewall-cmd --list-all
Review forwarders configuration in named.conf:
options {
forwarders {
8.8.8.8;
8.8.4.4;
};
};
Description: BIND receives a “connection refused” error when trying to connect to upstream DNS servers.
Possible Causes:
Troubleshooting Steps:
Verify upstream DNS server status:
telnet 8.8.8.8 53
nc -zv 8.8.8.8 53
Check BIND service status:
sudo systemctl status bind9 # Debian/Ubuntu
sudo systemctl status named # RHEL
Test with different forwarders:
options {
forwarders {
1.1.1.1; # Cloudflare
9.9.9.9; # Quad9
};
};
Description: DNS query times out before receiving a response.
Possible Causes:
Troubleshooting Steps:
Adjust timeout settings in named.conf:
options {
dialup yes;
dialup-timeout 10; # seconds
};
Test with different upstream servers
Check server resources (CPU, memory, network)
Description: BIND returns a SERVFAIL response indicating it cannot process the query.
Possible Causes:
Troubleshooting Steps:
Check zone file syntax:
sudo named-checkzone example.com /etc/bind/db.example.com
sudo named-checkconf
Verify DNSSEC configuration:
dig +dnssec example.com
Monitor system resources:
top
df -h
Check logs for specific error details:
sudo journalctl -u bind9 -f
Description: Domain does not exist according to authoritative servers.
Possible Causes:
Troubleshooting Steps:
dig +trace example.com
Description: BIND denies a DNS query due to access control restrictions.
Possible Causes:
allow-query settingsTroubleshooting Steps:
Review access control settings:
options {
allow-query { localhost; 192.168.0.0/16; };
allow-query-cache { localhost; 192.168.0.0/16; };
};
Define proper ACLs:
acl "trusted" {
localhost;
192.168.0.0/16;
10.0.0.0/8;
};
options {
allow-query { trusted; };
allow-query-cache { trusted; };
};
Reload configuration:
sudo rndc reload
Description: BIND refuses to answer queries for zones it’s not authoritative for.
Possible Causes:
Troubleshooting Steps:
Ensure recursive queries are allowed:
options {
recursion yes;
allow-recursion { trusted; };
};
Check if recursion should be enabled for the requesting network
Description: BIND cannot read zone files due to permission issues.
Possible Causes:
Troubleshooting Steps:
Set correct ownership:
# Debian/Ubuntu
sudo chown bind:bind /etc/bind/db.example.com
# RHEL
sudo chown named:named /var/named/db.example.com
Set correct permissions:
sudo chmod 644 /path/to/zone/file
Check SELinux status if enabled:
sestatus
ls -Z /path/to/zone/files # Check SELinux contexts
Description: Zone file is missing required NS (Name Server) records.
Solution:
Add NS records to your zone file:
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2026021401 ; Serial
3600 ; Refresh
1800 ; Retry
1209600 ; Expire
86400 ) ; Negative Cache TTL
; Name servers
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; A records for name servers
ns1 IN A 192.168.1.10
ns2 IN A 192.168.1.11
Description: BIND is configured as a recursive resolver but has no forwarders defined.
Solution:
Add forwarders to named.conf:
options {
forwarders {
8.8.8.8;
8.8.4.4;
};
};
Description: Attempting to start BIND when it’s already running.
Solution:
Check if BIND is running:
sudo systemctl status bind9 # Debian/Ubuntu
sudo systemctl status named # RHEL
If not running properly, restart:
sudo systemctl restart bind9
Description: DNSSEC validation failure due to missing or invalid signatures.
Possible Causes:
Troubleshooting Steps:
Check DNSSEC status:
dig +dnssec example.com
Verify DNSKEY records:
dig DNSKEY example.com
Temporarily disable DNSSEC validation for testing:
options {
dnssec-validation no;
};
Description: Client sent EDNS query with buffer size exceeding configured limits.
Solution:
Adjust EDNS settings in named.conf:
options {
edns-udp-size 4096;
max-udp-size 4096;
};
Description: BIND has exhausted available memory.
Possible Causes:
Troubleshooting Steps:
Monitor memory usage:
top
htop
Adjust cache size:
options {
max-cache-size 256m; # Limit cache size
};
Restart BIND if necessary:
sudo systemctl restart bind9
sudo named-checkconf # Check main config
sudo named-checkzone example.com /path/to/zone/file # Check zone file
sudo systemctl status bind9 # Check service status
sudo journalctl -u bind9 -f # Follow logs
sudo rndc status # Check named status
sudo rndc reload # Reload config without restart
dig @localhost example.com # Test local resolution
nslookup example.com localhost # Alternative test
dig +trace example.com # Trace resolution path