07-26-2009 #1 (Just Joined!, Join Date: Jul 2009, Posts: 22)
DNS server times out when testing from different machine
Folks,
I am getting a DNS error that I cannot figure out. I would appreciate it if someone can provide some guidance.
I have set up a DNS server on Fedora 11. The configuration files are at the end of the message. (Note: I couldn't include zone files as I get an "url not allowed" error while posting this info.)
The DNS server machine is called einstein.
When I run nslookup on the local machine, I have no problems resolving intranet addresses as well as extranet addresses.
When I run nslookup from a different machine (Windows), local intranet queries work fine. However, when I type in an extranet address such as www.google.com, I get the error "DNS request timed out."
It is not a firewall problem, as I am able to resolve local addresses correctly. I even tried "telnet einstein 53" and that seems to connect. As you know, 53 is the port where the DNS server is listening.
I also see that ludewig (my Windows machine) successfully registers itself with einstein when booted. Both forward and reverse zone files are getting updated with new information.
On the Internet, there was some comment about not having a reverse pointer in the zone file. However, if you look at my configuration, you will see that I do have reverse configuration set up.
Can someone please tell me what it is that I am not doing right?
Regards,
Peter
Configuration files:

# file /etc/resolv.conf
domain abc.net
search abc.net
nameserver 127.0.0.1
nameserver 66.60.130.2

# file /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};
acl ournet {
    192.168.15.0/24;
    127.0.0.1;
};
zone "abc.net" {
    type master;
    notify no;
    allow-query { any; };
    allow-update { ournet; };
    file "abc.zone";
};
zone "15.168.192.in-addr.arpa" {
    type master;
    notify no;
    allow-query { any; };
    file "192-168-15.zone";
};
(some more standard stuff here in the file)
07-27-2009 #2 (Just Joined!, Join Date: Jul 2009, Posts: 22)
Folks,
I reinstalled Fedora 11. Disabled SELinux. Disabled the firewall. Still getting the same problem.
To summarize my problem:
nslookup for www.google.com works great from the local Linux machine. When I try nslookup from another machine, I get the error "DNS request timed out."
The file /var/log/messages shows the following error:
network unreachable resolving 'www.google.com/A/IN': 2001:500:1::803f:235#53
I think what is going on is that, on the local machine, nslookup first looks at 127.0.0.1. Next, it looks at 66.60.130.2 (the DNS server given by my ISP). The IP is resolved and returned. However, from remote machines, 66.60.130.2 was never consulted.
So I commented out the "nameserver 66.60.130.2" line from my /etc/resolv.conf. Now, I can reproduce the problem on the local machine itself.
I still don't know how to fix the problem. I would appreciate it if someone can point me in the right direction.
Thank you in advance for your help.
Regards,
Peter
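What that logged message means, shown with an added example (this is not code from the thread or from BIND). named writes "network unreachable resolving 'NAME/TYPE/CLASS': ADDRESS#PORT" when it tries to send a query to the authoritative server at ADDRESS and the kernel reports that there is no route to it. The address in Peter's log is an IPv6 one, so the resolver is attempting IPv6 transport from a host that has no global IPv6 route; its IPv4 attempts are not affected by that. The script below parses such lines from a constructed syslog excerpt (Peter's line, with the address in its valid full form 2001:500:1::803f:235, plus invented lines using documentation prefixes) and tallies the unreachable targets by address family. A tally that is all IPv6 points at IPv6 reachability on the resolver host rather than at zone files or root hints. The function names and sample lines are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Shape of the BIND 9 message, e.g.
#   network unreachable resolving 'www.google.com/A/IN': 2001:500:1::803f:235#53
# group 1: the question (name/type/class), group 2: target address, group 3: port.
NETWORK_UNREACHABLE_RE = re.compile(
    r"network unreachable resolving '([^']+)': ([0-9A-Fa-f:.]+)#(\d+)"
)


def parse_unreachable(line):
    """Return (question, address, port, family) for a matching line, else None.

    family is 4 or 6 from the parsed address, or None when the address does not
    parse (for example one mangled in a paste); such lines are kept, not dropped.
    """
    m = NETWORK_UNREACHABLE_RE.search(line)
    if not m:
        return None
    question, addr, port = m.group(1), m.group(2), int(m.group(3))
    try:
        family = ip_address(addr).version
    except ValueError:
        family = None
    return question, addr, port, family


def summarize_unreachable(lines):
    """Tally 'network unreachable' targets by address family.

    Returns counts for v6, v4 and unparsed targets plus the set of names
    whose resolution hit an unreachable server.
    """
    counts = Counter()
    names = set()
    for line in lines:
        parsed = parse_unreachable(line)
        if parsed is None:
            continue
        question, _addr, _port, family = parsed
        names.add(question.split("/")[0])
        counts["v6" if family == 6 else "v4" if family == 4 else "unparsed"] += 1
    return {"v6": counts["v6"], "v4": counts["v4"],
            "unparsed": counts["unparsed"], "names": names}


def diagnosis(summary):
    """Read the tally: IPv4 failures mean outbound DNS is blocked or unrouted
    altogether; IPv6-only failures mean the host simply has no IPv6 path."""
    if summary["v4"]:
        return "IPv4 targets unreachable: check the default route and outbound UDP/TCP 53"
    if summary["v6"]:
        return "only IPv6 targets unreachable: host lacks IPv6 connectivity; run named with -4 or fix the v6 route"
    return "no network-unreachable messages found"


# Constructed syslog excerpt (not a real capture): the first line is the one
# Peter quoted, the others are invented with 2001:db8::/32 documentation addresses.
SAMPLE_LOG = """\
Jul 27 10:12:01 einstein named[2310]: network unreachable resolving 'www.google.com/A/IN': 2001:500:1::803f:235#53
Jul 27 10:12:01 einstein named[2310]: network unreachable resolving 'www.google.com/A/IN': 2001:db8:1::53#53
Jul 27 10:12:02 einstein named[2310]: network unreachable resolving 'ns1.google.com/AAAA/IN': 2001:db8:2::53#53
Jul 27 10:12:02 einstein named[2310]: client 192.168.15.20#1045: query: www.google.com IN A + (192.168.15.1)
""".splitlines()

if __name__ == "__main__":
    summary = summarize_unreachable(SAMPLE_LOG)
    print(summary)
    print(diagnosis(summary))
```

On the real box, feed it the log directly with `summarize_unreachable(open("/var/log/messages"))`. The diagnosis string is only a pointer; the definitive check for the IPv6 case is whether the host has a default IPv6 route (`ip -6 route`), and `named -4` exists precisely to stop named from trying IPv6 transports on a host that cannot use them.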
07-27-2009 #3
Do you have a root hint file for your DNS setup? This is what DNS uses to locate the correct server with the information you are trying to resolve.
66.60.130.2 is never questioned if DNS is up and running on 127.0.0.1.
To test this you can move 66.60.130.2 up and look up google again.
07-27-2009 #4 (Linux Guru, Join Date: Nov 2007, Posts: 1,722)
I don't see any BIND forwarders entry in your server config. From "How DNS Works":
Forwarders
A DNS server generally attempts to resolve a query against its local cache and zone files. Failing that, the DNS server queries one or more other name servers to resolve the query.
07-27-2009 #5
07-27-2009 #6 (Linux Guru, Join Date: Nov 2007, Posts: 1,722)
If the DNS *server* is not configured to forward, then lookups outside the authority of the server's SOA will fail.
This is because of client behavior. If the DNS client gets a response from a server, that's the answer - name not found, here's the IP, etc. If the DNS server doesn't respond (seems to be offline), the client will move to the next DNS server in the list. I have seen variation in some DNS clients depending on OS as well.
07-28-2009 #7 (Just Joined!, Join Date: Jul 2009, Posts: 22)
Thank you all for your help.
I added "forwarders {66.60.130.2; };}" in the options file and restarted named. Still the problem does not go away.
My firewall is disabled.
SELinux is disabled.
chkconfig iptables off
chkconfig ip6tables off
I see a bunch of people having the same problem on the Internet. However, I haven't found any solution.
Does anyone have any idea what could be going on?
Thank you once again for your help.
Regards,
Peter
07-28-2009 #8
The OP is setting up his own DNS server. Since he is setting up his own server with zones and all, it will be able to properly resolve all requests as long as the root hints section is set up correctly.
Forwarders are used when you want another server to do the work for you, either because you do not know what you are doing or are too lazy to set it up correctly.
If you are setting up your own DNS server you do not need to forward, as the DNS server can do it all.
Looking at the above I am going to assume you are using a RH product or one like it.
Run the following commands please and post the output:
Code:
named-checkconf <path>/named.conf
named-checkzone <zone name> <path to file>
Please also give the complete path to named.conf and the zone files.
Not sure yet. Would like to see a complete named.conf file.
07-28-2009 #9 (Just Joined!, Join Date: Jul 2009, Posts: 22)
I just rebuilt the box once again. This time, I did not even set up the internal zones yet as the problem was with external names only.
Here is the complete listing from my /etc/named.conf. I just used the sample named.conf that is found in /usr/share/doc/bind.../sample directory.
Peter
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
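A caveat on the second named.conf Peter posted, with an added example that is not code from the thread or from ISC. `recursion yes;` together with `allow-query { any; };` and no `allow-recursion` makes this an open recursive resolver: in BIND 9, allow-recursion defaults to allow-query-cache, then to allow-query, then to localnets and localhost, so here any client that can reach port 53 may recurse. Behind a NAT router on the LAN that is harmless; on a host reachable from the Internet it is usable for DNS reflection attacks and makes cache poisoning attempts easier. This does not explain the timeouts, but it should be fixed before the box serves anything beyond the LAN. The script parses the options block from a named.conf text and reports the effective recursion ACL; the weak configuration embedded below is Peter's options block as posted, the corrected one adds `allow-recursion { ournet; };` using the acl from his first post. Helper names and the embedded configurations are this example's own; the authoritative view of what BIND actually loaded is `named-checkconf -p` against the real file.

```python
import re

# Helper and constant names below are this example's own, not BIND's.

# Flat address-list option: "name { a; b; };"
ADDR_LIST_RE = re.compile(r"^\s*([a-z0-9-]+)\s+\{\s*([^}]*)\}\s*;", re.M)


def _elements(text):
    return [e.strip() for e in text.split(";") if e.strip()]


def parse_options(conf):
    """Return the address-list options of 'options { ... };' plus 'recursion'.

    Handles the flat 'name { a; b; };' form (allow-query, allow-recursion,
    allow-query-cache, forwarders, ...). 'listen-on port 53 { any; };' is
    stored under 'listen-on'; the port clause does not affect who may recurse.
    """
    m = re.search(r"\boptions\s*\{(.*?)^\};", conf, re.S | re.M)
    if not m:
        raise ValueError("no options block found")
    body = m.group(1)
    opts = {}
    for name, elems in ADDR_LIST_RE.findall(body):
        opts[name] = _elements(elems)
    for name in ("listen-on", "listen-on-v6"):
        pm = re.search(r"^\s*%s\s+port\s+\d+\s*\{\s*([^}]*)\}\s*;" % re.escape(name),
                       body, re.M)
        if pm:
            opts[name] = _elements(pm.group(1))
    rec = re.search(r"^\s*recursion\s+(yes|no)\s*;", body, re.M)
    opts["recursion"] = rec.group(1) if rec else "yes"  # BIND 9 default is yes
    return opts


def effective_recursion_acl(opts):
    """BIND 9 defaulting: allow-recursion, else allow-query-cache,
    else allow-query, else { localnets; localhost; }."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def audit_recursion(conf):
    """Report whether the server recurses for 'any' client (an open resolver)."""
    opts = parse_options(conf)
    acl = effective_recursion_acl(opts)
    return {
        "recursion": opts["recursion"],
        "effective_recursion_acl": acl,
        "listens_everywhere": "any" in opts.get("listen-on", []),
        "open_resolver": opts["recursion"] == "yes" and "any" in acl,
    }


# Options block as posted in this thread (Fedora 11 sample): recursion open to anyone.
WEAK_CONF = """\
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
zone "." IN {
    type hint;
    file "named.ca";
};
"""

# Same server with recursion limited to the LAN acl from the first post.
FIXED_CONF = """\
acl ournet {
    192.168.15.0/24;
    127.0.0.1;
};
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    allow-recursion { ournet; };
    recursion yes;
};
"""

if __name__ == "__main__":
    print("as posted:", audit_recursion(WEAK_CONF))
    print("restricted:", audit_recursion(FIXED_CONF))
```

Keeping `allow-query { any; }` in the corrected version is deliberate: answers from the server's own authoritative zones may still be given to everyone, only recursion (and with it the cache) is confined to the LAN.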
07-28-2009 #10
What is the OS running on this box?