External DNS forward lookup cannot reach your DNS server

Authority mappings

Which work roles, knowledge units, and EWU courses this error pattern touches. Hover for context, click to drill in.

What the message means

The scoring engine tried to query your external DNS (e.g. A record for team<N>.ncaecybergames.org) via your router's public IP on UDP port 53 and got either no response or a refused connection. This almost always means the **MikroTik router is not forwarding port 53 to your internal BIND server**, not that BIND itself is broken. At the 2026-03-14 regional, only 1 of 13 teams kept this service above 50% uptime.

Why the service is down

• MikroTik `/ip firewall nat` is missing a dstnat rule for UDP+TCP port 53.
• The rule exists but points to the wrong internal address (server IP vs DNS VM IP).
• BIND is running on the DNS VM but not listening on the internal interface (`listen-on` wrong).
• A firewall filter rule on the router or host is dropping DNS traffic from the scoring engine.
• BIND has zone-file syntax errors and refused to start (rare. usually caught at boot).

Commands in order

1. 1. 1. Confirm BIND itself works from inside the network

   copy dig @192.168.<N>.12 team<N>.ncaecybergames.org +short

   Expect

   IP address, e.g., 172.18.<N>.X (or the correct A record)

   Interpret and next

   If this works internally, the problem is ONLY the router port-forward. skip to step 4.
2. 2. 2. If internal DNS fails, check BIND is running

   copy systemctl status bind9 || systemctl status named

   Expect

   active (running)

   Interpret and next

   inactive/failed = BIND is down. `systemctl start bind9` to recover.
3. 3. 3. Verify BIND is listening on the internal interface on port 53

   copy ss -ulnp | grep :53

   Expect

   UDP 0.0.0.0:53 or 192.168.<N>.12:53 with pid (named)

   Interpret and next

   If nothing: named isn't binding. Check `listen-on { any; };` in `named.conf.options`.
4. 4. 4. Check router dstnat for DNS

   copy /ip firewall nat print where dst-port=53

   Expect

   Two rules: UDP 53 -> 192.168.<N>.12:53 and TCP 53 -> 192.168.<N>.12:53

   Interpret and next

   If missing, add them (see step 5). If they point at wrong IP, fix the `to-addresses`.
5. 5. 5. Add router dstnat rules (MikroTik)

   copy /ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.<N>.12 to-ports=53 /ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.<N>.12 to-ports=53

   Expect

   No error output. `/ip firewall nat print` now shows both rules.

   Interpret and next

   Scoring engine will see success on the next 60-second tick.
6. 6. 6. Test externally (from scoring-engine perspective)

   copy dig @<router-public-IP> team<N>.ncaecybergames.org +short

   Expect

   Same IP as step 1 returned

   Interpret and next

   Nothing returned = router still blocking. Check `/ip firewall filter` for a drop rule on 53.

Decision tree

Answer each question to route to the right fix.

External references

• NCAE Cyber Games. official rules and scoring
• NCAE Cyber Games. rules and scoring weights
• ISC BIND 9 administrator reference manual
• RFC 1035. Domain Names (protocol spec)
• Illinois Tech. Linux Defence Materials (2022 national winners)
  Original defense checklist that NCAE videos are based on.
• Cloudflare. What is DNS (intro)
• MikroTik. NAT and destination port forwarding
• NCAE Cyber Games. official tutorials channel
  44 tutorials. Numbers 23–32 are the Defense Checklist.

Other patterns on this service

• 144.4 partial Failed to lookup: ns1.team15.ncaecybergames.org, files.team15.ncaecybergames.org, shell.t.
• 69.4 partial Connected to IP:53, no useful content though...
• 36.1 partial Failed to lookup: ns1.team18.ncaecybergames.org, files.team18.ncaecybergames.org, shell.t.