#1 (hdokes)

    Bind9 not responding to public requests - only private


    Greetings,

    I have created a new BIND9 DNS service on a Mandriva Server in a VM environment.

    I also have freeradius running (and working) on this same VM.

    I can query the server till the cows come home from inside the network; however, I cannot from the outside. Now... unlike the posts above... I cannot get a response on port 53 from the outside other than a time-out.

    The VM, as are all my internet servers, is sitting behind an IPCOP firewall. I have an old separate BIND4 server running on an independent box behind another IPCOP firewall (not the same one) and it has been running without incident for years. Only servers are behind the firewall. There are no internal (private) boxes attached. I do this for added security on the server boxes because I have been hacked so many times over the years on boxes with live IP addresses.

    Here's what I have done...

    Using tcpdump I have confirmed that requests ARE making it through the firewall from the outside AND are being seen at the BIND9 box. The requests are just not being answered by named. It has no problem answering all the requests you give from within the network on the green side of the firewall.

    What is interesting however is that if I look at the query.log file for named it has ongoing listings of queries for domains hosted only on that server. There are no entries in query.log for any non-hosted domains unless those requests are generated on the same "internal" subnet.

    I have spent two days straight trying to overcome this issue and I'm pretty certain it is staring me right in the face but I can't see it for the streaming characters flashing across my screen from log file dumps.

    I have tried to find reference to it on the internet but have had no luck. Is there a 'switch' in BIND9 that says work with local address requests only or work with 'any' requests?

    I have these software switches set in the named.conf file which I thought would cover it all... but... nope:

    listen-on port 53 { any; };

    allow-query { any; };
    allow-recursion { any; };

    blackhole { bogon; };
    forwarders {
    192.168.70.2;
    };
    There are no errors in the named default.log file, and here are a couple of entries from the query.log file:

    20-Jan-2009 15:42:26.716 client 192.168.70.14#3448: query: 1.0.0.127.in-addr.arpa IN PTR +
    20-Jan-2009 15:42:27.429 client 189.138.196.205#56663: query: robertsimaging.com IN MX +
    20-Jan-2009 15:42:37.882 client 69.30.226.50#44835: query: ns2.slingshottech.net IN AAAA -E
    20-Jan-2009 15:42:38.530 client 206.13.29.42#10710: query: robertsimaging.com IN A -E
    20-Jan-2009 15:43:09.288 client 192.168.70.14#3502: query: 1.0.0.127.in-addr.arpa IN PTR +
    20-Jan-2009 15:43:48.750 client 68.87.72.133#37195: query: blog.robertsimaging.com IN A -
    20-Jan-2009 15:43:51.948 client 192.168.70.14#3567: query: 1.0.0.127.in-addr.arpa IN PTR +
    20-Jan-2009 15:44:16.663 client 206.141.193.34#26154: query: robertsimaging.com IN A -E

    Now if my hunch is correct... outside clients ARE being seen by named, as shown above, but it just simply doesn't respond to them. It does respond to the internal requests, however.

    Any assistance here would be much appreciated.

    Thanks

#2

    Re: Named

    That sounds weird to me....
    Is your named chrooted?
    Just to make sure, could you try again after a service iptables/firewall stop (or most likely the same command if you are not using Red Hat/Fedora)?
    You can also try with dig/nslookup/host specifying your own BIND server and see if it works.

    P.S. Could you post the details of /var/log/messages | grep named?
    That might help us.

#3 (hdokes)
    Here are the entries in the messages log pertaining to named:

    Jan 21 19:10:15 localhost named[25349]: starting BIND 9.3.2 -u named -t /var/lib/named
    Jan 21 19:10:15 localhost named[25349]: loading configuration from '/etc/named.conf'
    Jan 21 19:10:15 localhost named[25349]: /etc/named.conf:93: when using 'view' statements, all zones must be in views
    Jan 21 19:10:15 localhost named[25349]: listening on IPv4 interface lo, 127.0.0.1#53
    Jan 21 19:10:15 localhost named[25349]: listening on IPv4 interface eth0, 192.168.70.112#53
    Jan 21 19:10:15 localhost named[25349]: listening on IPv4 interface eth1, 192.168.1.112#53
    Jan 21 19:10:15 localhost named[25349]: command channel listening on 127.0.0.1#953
    Jan 21 19:10:15 localhost named: named startup succeeded

    I didn't manually chroot named; however, if you look at the execution line above it has /var/lib/named appended to it, which has the same effect, as I discovered that that was the root path for the application and all other files are expected to be found under it. Discovered that when I kept putting the zone files in /var/named and it wouldn't see them until I placed them into /var/lib/named/var/named.

    In the end, there are no errors reported on start up in the messages log or in default.log under /var/log/named, and again.... I can dig the server at will with 100% good results from within the network. I just don't get any reply from named when doing so from the outside. Just a reminder... tcpdump DOES show the requests hitting the DNS box at the ethernet card... named just doesn't respond back.

    Here are examples of replies inside the network and outside:

    Inside:

    Server: 192.168.1.112
    Address: 192.168.1.112#53

    Non-authoritative answer:
    Name: ebay.com
    Address: 66.135.205.13
    Name: ebay.com
    Address: 66.135.205.14
    Name: ebay.com
    Address: 66.135.221.10
    Name: ebay.com
    Address: 66.135.221.11
    Name: ebay.com
    Address: 66.211.160.87
    Name: ebay.com
    Address: 66.211.160.88

    Outside:

    > ebay.com
    Server: ns2.slingshottech.net
    Address: 173.9.204.187

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to ns2.slingshottech.net timed-out

    Hope this helps

#4 (Lazydog)
    Quote Originally Posted by hdokes
    Here are the entires in the messages log pertaining to named:

    Jan 21 19:10:15 localhost named[25349]: /etc/named.conf:93: when using 'view' statements, all zones must be in views
    Are you using VIEWS in your named.conf?
    What about ACL's?
    Also why would you allow the outside to do recursion?

    It might help if you could post your named.conf file.

    Regards
    Robert


#5 (hdokes)
    include "/etc/rndc.key";

    controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { mykey; };
    };

    // Access lists (ACL's) should be defined here
    include "/etc/bogon_acl.conf";
    include "/etc/trusted_networks_acl.conf";


    view "external" {
    match-clients { any; };
    };


    // Define logging channels
    include "/etc/logging.conf";

    options {
    version "";
    directory "/var/named";
    dump-file "/var/tmp/named_dump.db";
    pid-file "/var/run/named.pid";
    statistics-file "/var/tmp/named.stats";
    zone-statistics yes;
    // datasize 256M;
    coresize 100M;
    // fetch-glue no;
    // recursion no;
    // recursive-clients 10000;
    auth-nxdomain yes;
    query-source address * port *;
    listen-on port 53 { any; };
    cleaning-interval 120;
    transfers-in 20;
    transfers-per-ns 2;
    lame-ttl 0;
    max-ncache-ttl 10800;



    allow-query { any; };
    allow-recursion { any; };

    // Deny anything from the bogon networks as
    // detailed in the "bogon" ACL.
    blackhole { bogon; };
    forwarders {
    192.168.70.2;
    };
    };

    // workaround stupid stuff... (OE: Wed 17 Sep 2003)
    zone "ac" { type delegation-only; };
    zone "cc" { type delegation-only; };
    zone "com" { type delegation-only; };
    zone "cx" { type delegation-only; };
    zone "lv" { type delegation-only; };
    zone "museum" { type delegation-only; };
    zone "net" { type delegation-only; };
    zone "nu" { type delegation-only; };
    zone "ph" { type delegation-only; };
    zone "sh" { type delegation-only; };
    zone "tm" { type delegation-only; };
    zone "ws" { type delegation-only; };


    These are the primary contents of the named.conf file, less the locally hosted domains. This is the first time I have used bind9, so the settings here are the defaults the install provided. As it was working within the local network I didn't see a need to change anything until I realized I couldn't get named responses to outside requests. Again.. I do know for sure the requests are making it to the name server box in question. The use of tcpdump within the box confirms this. It also confirms there is no response.

#6 (Lazydog)
    Quote Originally Posted by hdokes
    // Access lists (ACL's) should be defined here
    include "/etc/bogon_acl.conf";
    include "/etc/trusted_networks_acl.conf";
    Is there anything in these files that would stop the queries?

    view "external" {
    match-clients { any; };
    };
    You are setting up views. This requires that you state what zones they are allowed to look up/resolve.

    Regards
    Robert

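An added example, not the thread's named.conf nor anything from ISC: a layout that addresses the three points raised so far in this thread (every zone inside a view, no recursion for the outside world, and a blackhole list that cannot swallow the forwarder or the internal clients). The trusted subnets, the zone name robertsimaging.com (assumed to be one of the hosted domains seen in the query log) and the zone file name are assumptions.

```conf
// Added example, not the thread's named.conf. Subnets, the zone name and
// the zone file name are assumptions; adjust them to your own layout.
include "/etc/rndc.key";

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { mykey; };
};

// Hosts allowed to use this server as a recursive resolver (assumed subnets).
acl "trusted" { 127.0.0.1; 192.168.1.0/24; 192.168.70.0/24; };

// Bogon list WITHOUT the RFC1918 blocks: the forwarder 192.168.70.2 and the
// internal clients live in 192.168.0.0/16, and blackhole applies to addresses
// named sends its own queries to as well as to addresses it receives them from.
// Keep the list current; blocks that were unallocated when a list was written
// get allocated later.
acl "bogon" { 0.0.0.0/8; 169.254.0.0/16; 192.0.2.0/24; 224.0.0.0/4; };

options {
    version "";
    directory "/var/named";        // relative to the chroot given by -t /var/lib/named
    pid-file "/var/run/named.pid";
    listen-on port 53 { any; };
    blackhole { bogon; };
};

// With views, every zone must sit inside a view (the error in the messages log).
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    forwarders { 192.168.70.2; };
    zone "robertsimaging.com" { type master; file "robertsimaging.com.zone"; };
};

view "external" {
    match-clients { any; };
    recursion no;                  // authoritative answers only for the world
    allow-recursion { none; };
    zone "robertsimaging.com" { type master; file "robertsimaging.com.zone"; };
};
```

Every other zone from the original file, including the delegation-only entries, must likewise move inside a view. `named-checkconf -t /var/lib/named /etc/named.conf` validates the result against the chroot before a reload, and a `dig @<public address> ebay.com` from outside should now come back REFUSED or with a referral rather than timing out, while hosted names still answer.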

#7 (hdokes)
    I set up the view to see if it would make a difference. It didn't. It is my understanding that the reserved word 'any' implies "answer any incoming request". Am I incorrect?

    Later...

    Well balls. Commented out both those include files and damn if it ain't working from the outside now. Thing is... the header comment in the bogon_acl.conf file reads this:

    // Filter out the bogon networks. These are networks
    // listed by IANA as test, RFC1918, Multicast, experi-
    // mental, etc. If you see DNS queries or updates with
    // a source address within these networks, this is likely
    // of malicious origin. CAUTION: If you are using RFC1918
    // netblocks on your network, remove those netblocks from
    // this list of blackhole ACLs!

    What's up with that? Ifn it's spose to be protecting ya... I guess it's REALLY protecting ya!
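The practitioner's check for exactly this failure, as an added example that is not part of the thread: a small script that parses a BIND-style ACL file and applies BIND's first-match rule to every client address found in query.log lines and to each configured forwarder, reporting which blackhole element would swallow it. Two BIND behaviours make this worth automating: `blackhole` drops a matching query before query processing, so a blackholed client never shows up in query.log, and the same list also applies to addresses named sends its own queries to, so a forwarder or upstream server inside the list silently breaks recursion. The thread never shows the real /etc/bogon_acl.conf, so the ACL below is constructed; it keeps the RFC1918 blocks its own CAUTION says to remove, plus a /8 of the kind that older lists still carried after it was allocated. The log lines are the ones quoted earlier in the thread.

```python
"""Which blackhole ACL entry swallows a given client or forwarder?

Added example (not from the thread). Parses a BIND-style ACL file, then
applies BIND's first-match rule to every client address found in query.log
lines and to each configured forwarder. Handled: IPv4/IPv6 literals, "any",
"none" and references to other named ACLs; key-based elements are not.
"""
import ipaddress
import re

# Constructed ACL in named.conf syntax. The thread never shows the real
# /etc/bogon_acl.conf; this one keeps the RFC1918 blocks its CAUTION says to
# remove, plus a /8 that older lists still carried after it was allocated.
SAMPLE_ACL = """\
// Filter out the bogon networks.
acl "bogon" {
    0.0.0.0/8;
    10.0.0.0/8;
    127.0.0.0/8;
    169.254.0.0/16;
    172.16.0.0/12;
    192.168.0.0/16;
    173.0.0.0/8;        // allocated in 2008; stale in older lists
    224.0.0.0/4;
};
"""

# query.log lines as quoted in the thread, and the forwarder from named.conf.
SAMPLE_QUERY_LOG = """\
20-Jan-2009 15:42:26.716 client 192.168.70.14#3448: query: 1.0.0.127.in-addr.arpa IN PTR +
20-Jan-2009 15:42:27.429 client 189.138.196.205#56663: query: robertsimaging.com IN MX +
20-Jan-2009 15:42:37.882 client 69.30.226.50#44835: query: ns2.slingshottech.net IN AAAA -E
20-Jan-2009 15:43:48.750 client 68.87.72.133#37195: query: blog.robertsimaging.com IN A -
"""
FORWARDERS = ["192.168.70.2"]

ACL_RE = re.compile(r'acl\s+"?(\w+)"?\s*\{(.*?)\};', re.S)
CLIENT_RE = re.compile(r'client\s+([0-9a-fA-F.:]+)#\d+')


def strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(//|#)[^\n]*', '', text)
    return text


def parse_acls(text):
    """Return {acl name: [(negated, element), ...]} in file order."""
    acls = {}
    for name, body in ACL_RE.findall(strip_comments(text)):
        entries = []
        for item in body.split(';'):
            item = item.strip()
            if not item:
                continue
            negated = item.startswith('!')
            item = item.lstrip('!').strip().strip('"')
            try:
                elem = ipaddress.ip_network(item, strict=False)
            except ValueError:
                elem = item            # "any", "none" or another ACL's name
            entries.append((negated, elem))
        acls[name] = entries
    return acls


def acl_decision(addr, entries, acls):
    """BIND's first-match rule: the first element containing addr decides;
    a '!' element means the address is NOT matched. Returns (matched, element)."""
    ip = ipaddress.ip_address(addr)
    for negated, elem in entries:
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif isinstance(elem, str):   # nested ACL reference
            hit, _ = acl_decision(addr, acls[elem], acls)
        else:
            hit = ip.version == elem.version and ip in elem
        if hit:
            return (not negated), ("!" if negated else "") + str(elem)
    return False, None


def clients_from_query_log(log_text):
    """Distinct client addresses that made it into query.log."""
    return sorted(set(CLIENT_RE.findall(log_text)))


def check_blackhole(acl_text, log_text, forwarders, acl_name="bogon"):
    """Map each query.log client and each forwarder to the blackhole element
    that would swallow it, or None. Forwarders matter because blackhole also
    covers addresses named sends its own queries to."""
    acls = parse_acls(acl_text)
    verdict = {}
    for addr in clients_from_query_log(log_text) + list(forwarders):
        matched, elem = acl_decision(addr, acls[acl_name], acls)
        verdict[addr] = elem if matched else None
    return verdict


if __name__ == "__main__":
    for addr, elem in check_blackhole(SAMPLE_ACL, SAMPLE_QUERY_LOG, FORWARDERS).items():
        print(f"{addr:18} {'blackholed by ' + elem if elem else 'ok'}")
```

Run against the real files, the useful inputs are the address you tested from (which will be absent from query.log if it was blackholed) and every address in `forwarders`; with the constructed list above the script flags the internal client and the forwarder as victims of 192.168.0.0/16, which is precisely the case the file's CAUTION describes.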
