bind9 - timed out resolving

Question

I have a bind9 server spun up on one of my old test test boxes, and it's close. Everything appears to be working, however I'm getting 'time out resolving' errors spamming my sys.log from what appears to be 3 specific DNS servers...

68.237.161.12
68.237.161.14
156.154.71.1

bind9 info

Jul 25 07:18:59 toe-lfs named[23935]: starting BIND 9.14.4 (Stable Release) <id:ab4c496>
Jul 25 07:18:59 toe-lfs named[23935]: running on Linux x86_64 4.9.9 #1 SMP Sat Sep 23 11:18:52 EDT 2017
Jul 25 07:18:59 toe-lfs named[23935]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--disable-static' '--without-python'
Jul 25 07:18:59 toe-lfs named[23935]: running as: named -4 -u named -t /srv/named -c /etc/named.conf
Jul 25 07:18:59 toe-lfs named[23935]: compiled by GCC 6.3.0
Jul 25 07:18:59 toe-lfs named[23935]: compiled with OpenSSL version: OpenSSL 1.0.2k  26 Jan 2017
Jul 25 07:18:59 toe-lfs named[23935]: linked to OpenSSL version: OpenSSL 1.0.2k  26 Jan 2017
Jul 25 07:18:59 toe-lfs named[23935]: compiled with zlib version: 1.2.11
Jul 25 07:18:59 toe-lfs named[23935]: linked to zlib version: 1.2.11

here's a sampling of my sys.log

Jul 25 06:24:56 toe-lfs named[16927]: timed out resolving 'ns2prod.18.azuredns-prd.info/A/IN': 68.237.161.14#53
Jul 25 06:24:57 toe-lfs named[16927]: timed out resolving 'static.xx.fbcdn.net/A/IN': 68.237.161.14#53
Jul 25 06:24:58 toe-lfs named[16927]: timed out resolving 'azuredns-prd.info/DS/IN': 68.237.161.12#53
Jul 25 06:24:59 toe-lfs named[16927]: timed out resolving 'azuredns-prd.info/DS/IN': 68.237.161.14#53
Jul 25 06:26:56 toe-lfs named[16927]: timed out resolving 'settingsfd-geo.trafficmanager.net/A/IN': 156.154.71.1#53
Jul 25 06:26:57 toe-lfs named[16927]: timed out resolving 'settingsfd-geo.trafficmanager.net/A/IN': 68.237.161.12#53
Jul 25 06:26:59 toe-lfs named[16927]: timed out resolving 'settingsfd-geo.trafficmanager.net/A/IN': 68.237.161.14#53
Jul 25 06:27:00 toe-lfs named[16927]: timed out resolving 'beacons.gcp.gvt2.com/A/IN': 68.237.161.12#53
Jul 25 06:27:01 toe-lfs named[16927]: timed out resolving 'beacons.gcp.gvt2.com/A/IN': 68.237.161.14#53
Jul 25 06:58:26 toe-lfs named[16927]: timed out resolving 'us-ne-courier-4.push-apple.com.akadns.net/A/IN': 68.237.161.14#53
Jul 25 06:58:27 toe-lfs named[16927]: timed out resolving 'gsp-ssl-geomap.ls-apple.com.akadns.net/A/IN': 68.237.161.14#53
Jul 25 06:58:28 toe-lfs named[16927]: timed out resolving 'us-ne-courier-4.push-apple.com.akadns.net/A/IN': 68.237.161.12#53
Jul 25 06:58:28 toe-lfs named[16927]: timed out resolving 'gsp-ssl-geomap.ls-apple.com.akadns.net/A/IN': 68.237.161.12#53
Jul 25 06:58:29 toe-lfs named[16927]: timed out resolving 'gsp-ssl-gspxramp.ls-apple.com.akadns.net/A/IN': 68.237.161.12#53
Jul 25 06:58:29 toe-lfs named[16927]: timed out resolving 'e4478.a.akamaiedge.net/A/IN': 68.237.161.12#53
Jul 25 06:58:29 toe-lfs named[16927]: timed out resolving 'e6858.dsce9.akamaiedge.net/A/IN': 68.237.161.12#53
Jul 25 06:58:30 toe-lfs named[16927]: timed out resolving 'help.apple.com/A/IN': 68.237.161.12#53
Jul 25 06:58:30 toe-lfs named[16927]: timed out resolving 'cds.apple.com/A/IN': 68.237.161.12#53
Jul 25 06:58:30 toe-lfs named[16927]: timed out resolving 'stocks-edge.apple.com/A/IN': 68.237.161.12#53
Jul 25 06:58:30 toe-lfs named[16927]: timed out resolving 'apple-finance.query.yahoo.com/A/IN': 68.237.161.12#53
Jul 25 06:58:30 toe-lfs named[16927]: timed out resolving 'stocks-sparkline.apple.com/A/IN': 68.237.161.12#53
Jul 25 06:58:30 toe-lfs named[16927]: timed out resolving 'gateway-carry.icloud.com/A/IN': 68.237.161.12#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'gsp-ssl-gspxramp.ls-apple.com.akadns.net/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'e4478.a.akamaiedge.net/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'e6858.dsce9.akamaiedge.net/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'help.apple.com/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'cds.apple.com/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'stocks-edge.apple.com/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'apple-finance.query.yahoo.com/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'stocks-sparkline.apple.com/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'gateway-carry.icloud.com/A/IN': 68.237.161.14#53
Jul 25 06:58:31 toe-lfs named[16927]: timed out resolving 'clientservices.googleapis.com/A/IN': 68.237.161.14#53

I can include the conf files if they'd be helpful. I would just need to triple check and sanitize them. Any thoughts?

edit: included named.conf

acl corpnets {
   localhost;
   172.30.24.0/22;
};

key "rndc-key" {
    algorithm hmac-sha256;
    secret "*****some secret key******";
 };

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
 };

options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

    ## listen-on { 172.30.24.1; };

    managed-keys-directory "/etc";

    recursion yes;
    allow-recursion { corpnets; };
    allow-query { corpnets; };

    allow-transfer { none; };

    forwarders {
                156.154.71.1;
                68.237.161.12;
                68.237.161.14;
                8.8.8.8;
                8.8.4.4;
        };
};

zone "." {
    type hint;
    file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

## zone "30.172.IN-ADDR.ARPA" {  
##     type master;  
##     file "/etc/namedb/db.30.172";  
## };

zone "24.30.172.IN-ADDR.ARPA" {  
type master;  
file "/etc/namedb/db.24.30.172";  
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
      null;                               // toss anything sent to
                                          // this channel
  };
};

Answer 1

I just had this and fixed it by removing the faulty forwarders. At the end of each timeout error is an IP from a forwarder from your config, but the errors never complain about google's ns (8.8.8.8). If you delete the first three forwarders, the errors should go away.