
Thread: DNS Problem (BIND)

  1. #1 Associate (Join Date: Jan 2010, Posts: 13)

    DNS Problem (BIND)

    I'm completely stumped. Here's the issue. I have a Gentoo server running Apache and BIND v9.x. I have two NICs, one for my public address, a bridged connection with a static IP, and one for the local network. BIND is working on the internal network (192.168.0.1/24) just fine. So is Apache. I have configured iptables to allow udp/tcp traffic on port 53, and BIND is listening on all interfaces on port 53. I can telnet to port 53 over the internet just fine, and the connection shows up in netstat's output on the server (netstat run via ssh). I can even see that port 53 is open when I NMAP the public IP. The public view in the BIND config seems to be working just fine if I query from the localhost (via ssh). But if I use nslookup or dig and use the public IP as the nameserver, the connection times out and the reply is "no servers could be reached". HELP!?

  2. #2 Associate (Join Date: Jan 2010, Posts: 13)
    Here is the bind configuration:

    Code:
    options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";
        allow-transfer { none; };
        listen-on port 53 { any; };
    };

    logging {
        channel log {
            file "/var/log/named/named.log" versions 3 size 5m;
            severity dynamic;
            print-time yes;
            print-severity yes;
            print-category yes;
        };

        category default { log; };
        category general { log; };
        category config { log; };
        category queries { log; };
        category network { log; };
        category notify { log; };
    };

    view "private" {
        match-clients { 127.0.0.1; 192.168.0.1/24; };
        recursion yes;

        zone "." IN {
            type hint;
            file "named.ca";
        };

        zone "localhost" IN {
            type master;
            file "pri/localhost.zone";
            allow-update { none; };
            notify no;
        };

        zone "127.in-addr.arpa" IN {
            type master;
            file "pri/localhost-rev.zone";
            allow-update { none; };
            notify no;
        };

        zone "d45h.net" IN {
            type master;
            file "pri/private.zone";
            allow-update { none; };
            notify no;
        };

        zone "0.168.192.in-addr.arpa" IN {
            type master;
            file "pri/private-rev.zone";
            allow-update { none; };
            notify no;
        };
    };

    view "public" {
        match-clients { any; };
        match-destinations { any; };
        recursion no;

        zone "d45h.net" {
            type master;
            file "pri/public.zone";
            allow-query { any; };
            allow-update { none; };
            notify no;
        };

        zone "45.79.64.in-addr.arpa" IN {
            type master;
            file "pri/public-rev.zone";
            allow-query { any; };
            allow-update { none; };
        };
    };

  3. #3 Administrator Advisor peter (Join Date: Apr 2004, Posts: 882)
    Does this happen when you try it from a machine / host on the internet?

    Do you have iptables set to log all denied traffic? You should. What do the logs show on udp/tcp port 53 when this fails?
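Once a LOG rule sits in front of the DROP rule, the kernel writes one line per rejected packet, and the useful question for this thread is whether the dropped port-53 traffic is UDP, TCP, or both. The parser below is an added example, not from the thread: the log prefix "IPT-DROP:" and the sample lines are constructed, assuming a rule such as `iptables -A INPUT -j LOG --log-prefix "IPT-DROP: "` placed just before the drop.

```python
import re
from collections import Counter

# Constructed sample of what a LOG rule on the drop path might write to the
# kernel log (example addresses and prefix, not taken from the thread).
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=UDP SPT=40213 DPT=53 LEN=40
Jan 12 10:01:03 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=UDP SPT=40214 DPT=53 LEN=40
Jan 12 10:01:09 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=40215 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:01:15 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=192.168.0.20 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1237 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields in one iptables LOG line, or None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def dropped_dns(log_text, iface=None):
    """Count dropped packets to destination port 53, keyed by (interface, protocol)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields or fields.get("DPT") != "53":
            continue
        if iface and fields.get("IN") != iface:
            continue
        counts[(fields["IN"], fields["PROTO"])] += 1
    return counts


if __name__ == "__main__":
    for (ifc, proto), n in sorted(dropped_dns(SAMPLE_LOG).items()):
        print(f"{ifc} {proto}: {n} dropped packet(s) to port 53")
```

Run it against the real log with `dropped_dns(open("/var/log/messages").read(), iface="eth0")`; a count for UDP and none for TCP would match the symptom of telnet working while dig times out.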

  4. #4 Administrator Advisor peter (Join Date: Apr 2004, Posts: 882)
    BTW, welcome to the forums!

  5. #5 Associate (Join Date: Jan 2010, Posts: 13)
    Thank You!

    Yes this error occurs when trying to use nslookup from a computer on the internet, or a remote host of any kind.

    I'm not all that familiar with the details of iptables. I'm not sure I have logging enabled. I'll do some looking and try to get that working.

    The funny part is that I get the same error even if I disable iptables completely.

  6. #6 Administrator Advisor peter (Join Date: Apr 2004, Posts: 882)
    What happens when you do something like this with the external view?
    Code:
    match-clients      { !localnets; !localhost; !safe-subnet; any;};
    and do the query externally from the internet?

    Based on this DNS configuration example?

  7. #7 Associate (Join Date: Jan 2010, Posts: 13)
    No dice. In fact the !safe-subnet argument broke the config altogether. I guess my version of BIND doesn't support that.

  8. #8 Administrator Advisor peter (Join Date: Apr 2004, Posts: 882)
    Sorry, the !safe-subnet was taken literally from the page. So it didn't work then with the others?

  9. #9 Associate (Join Date: Jan 2010, Posts: 13)
    Yeah, I tried it with the other arguments, and it still timed out.

  10. #10 Associate (Join Date: Jan 2010, Posts: 13)

    New Development

    I installed wireshark on the server and set up a packet capture for anything coming in on port 53. When I use nmap from a remote host to the public, external IP of the server, I get hits on the packet capture. So connectivity on port 53 is working, or so it would seem. When I try dig @ip_of_server, nothing shows up on the packet capture. Anyone have any ideas?
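Every test in this thread that succeeded (telnet, nmap's default scan, netstat) exercised TCP, while dig and nslookup send their query over UDP unless told otherwise, so an "open" TCP port 53 says nothing about UDP reaching named. The script below is an added example, not from the thread: it sends one real DNS query for d45h.net over each transport so the two results can be compared side by side; the server address is a placeholder and `dig +tcp @ip_of_server d45h.net` is the equivalent one-line check.

```python
import socket
import struct


def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal DNS query: one question, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data, expect_qid):
    """Check a response header; return (rcode, answer_count) or raise ValueError."""
    if len(data) < 12:
        raise ValueError("short response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expect_qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf


def probe(server, name, transport, timeout=3.0, qid=0x1234):
    """Send one query over 'udp' or 'tcp'; return (rcode, answers) or an error string."""
    q = build_query(name, qid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                length = struct.unpack("!H", _read_exact(s, 2))[0]
                data = _read_exact(s, length)
        return parse_header(data, qid)
    except (OSError, ValueError) as e:
        return f"{transport}: {type(e).__name__}: {e}"


if __name__ == "__main__":
    SERVER = "203.0.113.5"  # placeholder: put the server's public IP here
    for t in ("udp", "tcp"):
        print(t, probe(SERVER, "d45h.net", t))
```

A tuple for tcp and a timeout for udp points at whatever sits between the client and named on the UDP path (the bridge, an upstream filter, or a rule that only opened TCP), which the packet capture can then confirm by filtering on udp port 53.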
