NCAE Mapping Hub
NCAE / Scoreboard / DNS INT REV failure (weight 1x, measured)
Events: 4,604; teams: 13/13; pts/check: 1.4; pts missed: 6,394.4

Internal DNS. BIND not reachable from the internal network

Can't contact DNS Server on INT_IP

TL;DR The scoring engine's internal probe (DNS INT FWD for A records, DNS INT REV for PTR) can't reach your BIND from inside the team subnet.

Commands in order

  1. BIND service status
    sudo systemctl status bind9 2>/dev/null || sudo systemctl status named
    Expect: active (running)
    If not: Inactive: systemctl start bind9. Won't start: named-checkconf shows syntax errors, or journalctl -u bind9 -n 50 shows permission or zone-load problems.
  2. Config + zone syntax validation
    named-checkconf -z
    named-checkzone <zone-origin> /etc/bind/db.<zone>    # single file; the first argument is the zone's origin, not the file name
    Expect: named-checkconf -z prints "loaded serial <N>" for every configured zone with no errors; named-checkzone ends with OK
    If not: Any error message names the file and line. Common causes: missing trailing dot on an FQDN, wrong $ORIGIN, un-bumped SOA serial after an edit.
  3. Listening on both UDP AND TCP 53?
    ss -ulnp | grep :53 ; echo '---'; ss -tlnp | grep :53
    Expect: UDP and TCP sockets on the internal IP (or 0.0.0.0 / [::]), not only 127.0.0.1
    If not: Missing one, or bound only to loopback: set listen-on { any; }; and listen-on-v6 { any; }; in named.conf.options, then reload (rndc reload or systemctl reload bind9).
  4. Test the forward zone from localhost
    dig @127.0.0.1 team<N>.ncaecybergames.org A +short
    Expect: The A record's IP
    If not: Empty or SERVFAIL = zone not loaded, or the name isn't in the zone. See the DNS EXT FWD playbook for adding the record.
  5. Test the reverse zone from localhost (separate zone file, often forgotten)
    dig @127.0.0.1 -x <one-of-your-internal-IPs> +short
    Expect: A PTR record (an FQDN with a trailing dot)
    If not: Empty = reverse zone not configured. See DNS EXT REV playbook step 4 for a minimal in-addr.arpa zone.
  6. Test from a DIFFERENT internal host (mirror the scorer)
    dig @<dns-vm-ip> team<N>.ncaecybergames.org +short    # run on any other internal machine
    Expect: The A record's IP
    If not: Works on the DNS VM but fails from elsewhere = listen-on too narrow OR host firewall dropping inbound 53. Check ufw/iptables.
  7. Host firewall not blocking 53 inbound?
    sudo iptables -L INPUT -nv | grep -E ':53|dpt:53'; sudo ufw status 2>/dev/null
    Expect: No DROP/REJECT on tcp/udp 53
    If not: Drop rule: iptables -D INPUT <num> (get <num> from iptables -L INPUT --line-numbers) or ufw allow 53. Make sure BOTH udp and tcp are allowed.
  8. AppArmor denials (silent cause of zone-not-loading)
    grep -i 'apparmor' /var/log/syslog | grep -i named | tail; sudo aa-status 2>/dev/null | grep named
    Expect: No denials, or named in complain mode (if /var/log/syslog does not exist, dmesg | grep -i apparmor shows the same DENIED lines)
    If not: DENIED lines for /etc/bind/db.<something> = AppArmor blocking the read. Either move the zone files into /etc/bind/ or edit /etc/apparmor.d/local/usr.sbin.named to grant read access.
  9. recursion no (recommended for authoritative servers)
    grep -E 'recursion|allow-recursion' /etc/bind/named.conf.options
    Expect: recursion no; and allow-recursion { none; };
    If not: Open resolvers get abused for DDoS amplification. You only need to answer queries for YOUR zones; recursion no; plus allow-recursion { none; }; locks it down.

Decision tree

Q: Is BIND running and listening on both UDP and TCP 53?
  Yes:
    Q: Does dig @127.0.0.1 <team-hostname> work locally?
      Yes:
        Q: Does the same dig work from a DIFFERENT internal host?
          Yes: Working. If the scoreboard is still red, the data may be stale; watch the next 2 rounds.
          No: Either listen-on is scoped too narrowly OR the host firewall is dropping 53. Check both.
      No: Zone file problem. Run named-checkzone on each file; fix the syntax and bump the SOA serial.
  No: Start BIND. If it won't start, named-checkconf and journalctl will tell you why (usually zone syntax or AppArmor).
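The checklist and the decision tree above, as an added example that is not part of the playbook: a small POSIX shell script that reads the `ss -ulnp` / `ss -tlnp` output from step 3 to classify where BIND is bound, scans named.conf.options for the loopback-only listen-on and recursion yes settings from steps 3 and 9, and maps the two dig results (steps 4 and 6) onto the decision tree's branches, using the listening scope to pick between "listen-on too narrow" and "firewall". The ss lines and the options snippet are constructed samples, and INTERNAL_IP (192.168.100.53) is an assumed address for the DNS VM; replace them with live output on the VM.

```shell
#!/bin/sh
# Added example, not part of the NCAE playbook: turn the checklist's raw output into
# the decision-tree branch. The ss lines and the named.conf.options snippet below are
# constructed samples; INTERNAL_IP is an assumed address for the team's DNS VM.
INTERNAL_IP=192.168.100.53

# listen_scope INTERNAL_IP   (output of `ss -ulnp` or `ss -tlnp` on stdin)
# Prints the widest scope a port-53 socket has: none | loopback-only | internal | any
listen_scope() {
    _ip="$1"
    _best=none
    while IFS= read -r _line; do
        # 4th column of ss -lnp output is Local Address:Port; header rows are skipped
        _addr=$(printf '%s\n' "$_line" | awk '{print $4}')
        case "$_addr" in
            *:53) ;;
            *) continue ;;
        esac
        _host=${_addr%:53}
        case "$_host" in
            0.0.0.0|'*'|'[::]') _best=any ;;
            "$_ip") if [ "$_best" != any ]; then _best=internal; fi ;;
            127.0.0.1|'[::1]') if [ "$_best" = none ]; then _best=loopback-only; fi ;;
        esac
    done
    printf '%s\n' "$_best"
}

# options_findings   (named.conf.options on stdin)
# Prints one line per problem for the two settings steps 3 and 9 check; no output = fine.
# Simplification: // and # comments are stripped, /* */ block comments are not.
options_findings() {
    _conf=$(sed -e 's|//.*||' -e 's|#.*||' | tr -s '[:space:]' ' ')
    case "$_conf" in
        *'listen-on { 127.0.0.1; }'*)
            echo "listen-on is loopback-only: use listen-on { any; }; (or the internal IP)" ;;
    esac
    case "$_conf" in
        *'recursion yes'*)
            echo "recursion yes: set recursion no; and allow-recursion { none; };" ;;
    esac
}

# diagnose UDP_SCOPE TCP_SCOPE LOCAL_DIG_OK REMOTE_DIG_OK
# The last two are yes/no: did dig @127.0.0.1 (step 4) and dig @<dns-vm-ip> from
# another internal host (step 6) return the record? Prints "<branch>: <action>".
diagnose() {
    _udp="$1"; _tcp="$2"; _local_ok="$3"; _remote_ok="$4"
    if [ "$_udp" = none ] || [ "$_tcp" = none ]; then
        echo "not-listening: start BIND (named-checkconf + journalctl if it will not start); both UDP and TCP 53 must be open"
    elif [ "$_local_ok" != yes ]; then
        echo "zone-problem: named-checkzone each zone file, fix syntax, bump the SOA serial"
    elif [ "$_remote_ok" != yes ]; then
        if [ "$_udp" = loopback-only ] || [ "$_tcp" = loopback-only ]; then
            echo "listen-scope: BIND only binds 127.0.0.1; set listen-on { any; }; and reload"
        else
            echo "firewall: bound to the internal IP, so check iptables/ufw for inbound 53 (udp and tcp)"
        fi
    else
        echo "working: if the scoreboard is still red, watch the next 2 rounds for stale data"
    fi
}

# Constructed samples (what `ss -ulnp | grep :53` and `ss -tlnp | grep :53` might show)
SAMPLE_UDP='UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=812,fd=20))'
SAMPLE_TCP='LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("named",pid=812,fd=21))
LISTEN 0 10 [::]:53 [::]:* users:(("named",pid=812,fd=23))'
SAMPLE_OPTIONS='options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };   // leftover from testing
    recursion yes;
};'

udp_scope=$(printf '%s\n' "$SAMPLE_UDP" | listen_scope "$INTERNAL_IP")
tcp_scope=$(printf '%s\n' "$SAMPLE_TCP" | listen_scope "$INTERNAL_IP")
echo "udp=$udp_scope tcp=$tcp_scope"
printf '%s\n' "$SAMPLE_OPTIONS" | options_findings
# Local dig works, dig from another internal host does not:
diagnose "$udp_scope" "$tcp_scope" yes no
# Live use on the DNS VM:  ss -ulnp | listen_scope "$INTERNAL_IP"
#                          options_findings < /etc/bind/named.conf.options
```

With the constructed samples the script reports udp=loopback-only tcp=any, flags both options-file problems, and picks the listen-scope branch: UDP 53 is bound only to 127.0.0.1, which is exactly the "works on the DNS VM, fails from elsewhere" symptom in step 6. The script only reads command output, so it is safe to run on the VM during a round.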

Context

What the message means

The scoring engine's internal probe (DNS INT FWD for A records, DNS INT REV for PTR) can't reach your BIND from inside the team subnet. Unlike DNS EXT (which is almost always a router dst-nat problem), DNS INT is usually a BIND-side problem: the service is down, it is listening only on 127.0.0.1, or the zone files have a syntax error. If the internal probe works but EXT doesn't, you've confirmed the router is the issue. If BOTH are failing, start here, internal first, because the internal probe doesn't traverse any NAT. DNS INT FWD: 6,405 pts at regional. DNS INT REV: 6,394 pts.

Why the service is down
  • BIND not running on the DNS VM.
  • BIND listening only on 127.0.0.1 (listen-on { 127.0.0.1; }; instead of any or the internal IP).
  • Internal DNS VM's IP drifted (DHCP renewal), scoring probe still hits the old IP.
  • Zone files missing / invalid (BIND refuses to serve the zone; named-checkzone fails).
  • Host firewall on the DNS VM dropping 53 inbound.
  • AppArmor denying BIND to read zone files placed outside /etc/bind/ or /var/cache/bind/.
  • BIND bound to 0.0.0.0:53 but the internal interface is down (ip link show).
  • TCP fallback gotcha: host firewall allows UDP 53 but not TCP 53. Responses over 512 bytes (DNSSEC, multiple records) fail the TCP retry.