Thursday, February 8, 2018

domain name system - Query between two DNS servers



I’ve been struggling with understanding DNS with BIND9.

I’ve used two machines, A and B, connected by a LAN and not for global use.

A is running a name server managing the “example” domain and a web server named “www”.

B is running a name server managing the “sub.example” domain as a subdomain delegated from A, and a web server named “www” too.

Configuration files are below.

"named.conf" for "example" at machine A.



options {
    directory "C:\dns\etc";
    recursion yes;
    version "XXX DNS Server 1.0X";
};

logging {
    channel my_file {
        file "c:\dns\etc\named.run" versions 5 size 1m;
        severity debug 0;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {my_file;};
    category queries {my_file;};
    category lame-servers {my_file;};
    category config {my_file;};
};

zone "." {
    type hint;
    file "named.root";
};

zone "localhost" {
    type master;
    file "localhost/fwd";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost/rev";
    allow-update { none; };
};

zone "example" {
    type master;
    file "example/fwd";
    allow-update { none; };
};

zone "72.11.16.172.in-addr.arpa" {
    type master;
    file "example/rev";
    allow-update { none; };
};


"zone file" for "example" at machine A.

$TTL 1H
@       1H IN SOA example. postmaster.example. (
                200508291 ; Serial
                15M       ; Refresh
                5M        ; Retry
                1D        ; Expire
                15M )     ; TTL

        IN NS   ns.example.
        IN A    172.16.11.72
ns      IN A    172.16.11.72
www     IN A    172.16.11.72

sub     IN NS   ns.sub.example.
ns.sub.example. IN A 172.16.10.37


"named.conf" for "example" at machine B.

options {
    directory "C:\dns\etc";
    recursion yes;
    version "unknown";
    allow-transfer {172.16.11.72; };
};

logging {
    channel my_file {
        file "c:\dns\etc\named.run" versions 5 size 1m;
        severity debug 0;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {my_file;};
    category queries {my_file;};
    category lame-servers {my_file;};
    category config {my_file;};
};

zone "." {
    type hint;
    file "named.root";
};

zone "localhost" {
    type master;
    file "localhost/fwd";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost/rev";
    allow-update { none; };
};

zone "sub.example" {
    type master;
    file "example/fwd";
    allow-update { none; };
};

zone "37.10.16.172.in-addr.arpa" {
    type master;
    file "example/rev";
    allow-update { none; };
};

zone "example" {
    type forward;
    forward only;
    forwarders {
        172.16.11.72;
    };
};


"zone file" for "sub.example" at machine B.

$TTL 1H
@       1H IN SOA sub.example. postmaster.sub.example. (
                200508291 ; Serial
                15M       ; Refresh
                5M        ; Retry
                1D        ; Expire
                15M )     ; TTL

        IN NS   ns.sub.example.
        IN A    172.16.10.37
ns      IN A    172.16.10.37
www     IN A    172.16.10.37


Now I have four servers on two machines, like below.

"ns.example" and "www.example" on machine A.
"ns.sub.example" and "www.sub.example" on machine B.

I can resolve “www.example” from A and “www.sub.example” from B.

But I can’t resolve “www.sub.example” from A or “www.example” from B.

The messages the dig command shows and those written in BIND's log are at the bottom.

Both A and B respond "SERVFAIL" or "connection timed out; no servers could be reached", but there are no error messages in BIND's log.

Actually they are Windows 2008 servers and I’ve changed the Windows firewall filter to accept UDP port 53 from each other.

Strangely there are no DROP messages, and no ALLOW messages either, in the firewall log on both A and B.

I mean, if I dig "www.example" from A I can see an ALLOW message, but if I dig "www.sub.example" I can’t see an ALLOW or DROP message.

I think I have to classify this problem as either BIND-caused or Windows-firewall-caused.

What do I have to do first?

For example, I guess the DNS query can't be sent to the other machine's name server. That's why dig showed the message "no servers could be reached".

How can I check whether the DNS query is sent or not, and why, if it’s not sent?

dig at machine A.




C:\dns\bin>dig www.sub.example

; <<>> DiG 9.9.2-P1 <<>> www.sub.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1777
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:
;www.sub.example. IN A

;; Query time: 0 msec
;; SERVER: 172.16.11.72#53(172.16.11.72)
;; WHEN: Wed Mar 13 08:42:04 2013
;; MSG SIZE rcvd: 44

C:\dns\bin>dig @172.16.10.37 www.sub.example. a

; <<>> DiG 9.9.2-P1 <<>> @172.16.10.37 www.sub.example. a
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


dig at machine B.

C:\dns\bin>dig www.example

; <<>> DiG 9.9.2-P1 <<>> www.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:
;www.example. IN A

;; Query time: 4015 msec
;; SERVER: 172.16.10.37#53(172.16.10.37)
;; WHEN: Wed Mar 13 09:40:31 2013
;; MSG SIZE rcvd: 40

C:\dns\bin>dig @172.16.11.72 www.example. a

; <<>> DiG 9.9.2-P1 <<>> @172.16.11.72 www.example
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


BIND's log at A.

13-Mar-2013 14:43:22.624 general: info: managed-keys-zone: loaded serial 0
13-Mar-2013 14:43:22.624 general: info: zone 72.11.16.172.in-addr.arpa/IN: loaded serial 200508291
13-Mar-2013 14:43:22.624 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 200508291
13-Mar-2013 14:43:22.624 general: info: zone example/IN: loaded serial 200508291
13-Mar-2013 14:43:22.624 general: info: zone localhost/IN: loaded serial 200508291
13-Mar-2013 14:43:22.624 general: notice: all zones loaded
13-Mar-2013 14:43:22.624 general: notice: running
13-Mar-2013 14:43:22.624 notify: info: zone example/IN: sending notifies (serial 200508291)
13-Mar-2013 14:43:22.624 notify: info: zone 72.11.16.172.in-addr.arpa/IN: sending notifies (serial 200508291)
13-Mar-2013 14:44:34.515 queries: info: client 172.16.11.72#58221 (www.sub.example): query: www.sub.example IN A +E (172.16.11.72)
13-Mar-2013 14:44:39.515 queries: info: client 172.16.11.72#58221 (www.sub.example): query: www.sub.example IN A +E (172.16.11.72)
13-Mar-2013 14:44:44.515 queries: info: client 172.16.11.72#58221 (www.sub.example): query: www.sub.example IN A +E (172.16.11.72)

BIND's log at B.

13-Mar-2013 14:38:27.281 general: info: managed-keys-zone: loaded serial 0
13-Mar-2013 14:38:27.281 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 200508291
13-Mar-2013 14:38:27.281 general: info: zone 37.10.16.172.in-addr.arpa/IN: loaded serial 200508291
13-Mar-2013 14:38:27.281 general: info: zone sub.example/IN: loaded serial 200508291
13-Mar-2013 14:38:27.281 general: info: zone localhost/IN: loaded serial 200508291
13-Mar-2013 14:38:27.296 general: notice: all zones loaded
13-Mar-2013 14:38:27.296 general: notice: running
13-Mar-2013 14:38:27.296 notify: info: zone sub.example/IN: sending notifies (serial 200508291)
13-Mar-2013 14:38:27.296 notify: info: zone 37.10.16.172.in-addr.arpa/IN: sending notifies (serial 200508291)
13-Mar-2013 14:46:08.984 queries: info: client 172.16.10.37#58326 (www.sub.example): query: www.sub.example IN A +E (172.16.10.37)
13-Mar-2013 14:46:11.250 queries: info: client 172.16.10.37#58330 (www.example): query: www.example IN A +E (172.16.10.37)
13-Mar-2013 14:46:17.250 queries: info: client 172.16.10.37#58330 (www.example): query: www.example IN A +E (172.16.10.37)

Answer

There are a couple of things I can think of to suggest.

The first is that the return code you are getting in the failed digs is SERVFAIL. There can be several reasons for that, but one that you want to rule out first is that something is preventing name queries between machines. I recognize that you say you have turned off the Windows firewall rule for port 53 UDP, but I would suggest you demonstrate (to yourself, at least) that Machine B can do a "dig @machine-a www.example. a" and get the answer you expect. Then check that Machine A can query the server at Machine B.

Apart from that, it would be very helpful to see your named.conf and any messages named is logging. Showing us named.conf would allow us to check that your zones are specified correctly (most of the RRs in your zone files are relative to the zone origin, so it's important to see how the zone is loaded so we can see what the origin really is) and will help us figure out if either of the machines, or both, are supposed to be performing recursion.

Please provide more information; it will make it much easier to determine what is going on.

EDIT:

The dig output you have provided certainly makes it sound like the servers are not receiving requests from other machines:

; <<>> DiG 9.9.2-P1 <<>> @172.16.10.37 www.sub.example. a
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

and

; <<>> DiG 9.9.2-P1 <<>> @172.16.11.72 www.example
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

That would seem significant, wouldn't you agree?
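An added example, not part of the original question or answer, that performs the check the question asks for at the wire level: it sends one raw UDP A query straight to a named server and tells "nothing came back" (the packet never reached named, pointing at the host firewall or the path between the machines) apart from "a SERVFAIL reply came back" (named was reached, so the fault is in BIND's forwarding or delegation). The addresses 172.16.11.72 and 172.16.10.37 are the ones given in the question; the parser handles the compression pointer BIND uses in the answer section.

```python
import socket
import struct

# Added example, not from the original post: one raw DNS A query over UDP so
# that a TIMEOUT (no reply at all) can be told apart from an RCODE of SERVFAIL.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    # RFC 1035 header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):
    # Advance past a domain name, handling a compression pointer (0xC0xx)
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_response(data):
    # Returns (rcode name, [A-record IPs]) from a wire-format DNS response
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    pos = 12
    for _ in range(qd):                 # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record: 4-byte IPv4 address
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return rcode, ips

def probe(server, name, timeout=3.0):
    # Send the query straight to server:53; "TIMEOUT" means nothing came back
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(data)
```

Run probe("172.16.10.37", "www.sub.example") on A and probe("172.16.11.72", "www.example") on B; TIMEOUT on both sides matches the "no servers could be reached" output above and means the host firewall and the path between the machines should be checked before named.conf, while SERVFAIL means named answered and the forwarding or delegation setup is where to look.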

