DNS Problem (BIND)

[nachlassen]

I'm running Apache and BIND v9.x on a Gentoo Linux Box. The box has two nics, one for the local network, and one with a public, static ip. iptables handles the NAT for the local network. DNS is working great for the internal network and I can even get a response from the public view when I query from the localhost. But when I try to query the public ip, nslookup replys connection timed out servers could not be reached. I have verified that port 53 is open with NMAP and telnet. I have even tried disabling iptables all together and still get the same response. Help?

Here is named.conf:

options {

directory "/var/bind";

pid-file "/var/run/named/named.pid";

allow-transfer { none; };

listen-on port 53 { any; };

};

logging {

channel log {

file "/var/log/named/named.log" versions 3 size 5m;

severity dynamic;

print-time yes;

print-severity yes;

print-category yes;

};

category default { log; };

category general { log; };

category config { log; };

category queries { log; };

category network { log; };

category notify { log; };

};

view "private" {

match-clients { 127.0.0.1; 192.168.0.1/24; };

recursion yes;

zone "." IN {

type hint;

file "named.ca";

};

zone "localhost" IN {

type master;

file "pri/localhost.zone";

allow-update { none; };

notify no;

};

zone "127.in-addr.arpa" IN {

type master;

file "pri/localhost-rev.zone";

allow-update { none; };

notify no;

};

zone "d45h.net" IN {

type master;

file "pri/private.zone";

allow-update { none; };

notify no;

};

zone "0.168.192.in-addr.arpa" IN {

type master;

file "pri/private-rev.zone";

allow-update { none; };

notify no;

};

};

view "public" {

match-clients { any; };

match-destinations { any; };

recursion no;

zone "d45h.net" {

type master;

file "pri/public.zone";

allow-query { any; };

allow-update { none; };

notify no;

};

zone "45.79.64.in-addr.arpa" IN {

type master;

file "pri/public-rev.zone";

allow-query { any; };

allow-update { none; };

};

};

[nachlassen]

Bump

[nachlassen]

A development!

I tried using dig +tcp @ip_of_server and the reply went through just fine. It appears that udp requests fail to even reach the server. I set up a packet capture on port 53 on the server, and there were no packets captured when using udp. Any ideas?

[+BudMan MVC]

Yeah your router is not forwarding udp packets, or your firewall is only set to allow tcp.

I have tried doing a simple query to your server listed for that domain, and I get no response be it tcp or udp. My bind server is setup not to allow queries from the public -- but I get a refused response from it.. Yours I get nothing. BTW pointing your 2 domain servers to the same IP pretty much defeats the purpose of having 2 nameservers for a domain.

Unless you have lots and lots of domains your going to provide dns for, and have the proper infrastructure to be able to support dns to the public I would highly suggest you host your public dns with a dns services.. http://www.zoneedit.com/ comes to mind -- FREE for 1st 5 domains, etc. There are plenty of services out there to host your dns needs.

So unless your whois record is wrong for your domain of d45h.net -- that server is not answering queries on either tcp or udp from the outside.. by default dns queries will use udp. but yes you should allow for both tcp and upd on 53

edit: BTW -- unless your ISP is going to hand off that ip zone to you, running a reverse for that IP range is not going to get you much, since nobody would ever query your server for it.

[nachlassen]

Thanks for the reply.

Why would I get a reply from BIND if I use dig +tcp @64.79.45.135 d45h.net and you wouldn't? I even tried this through a proxy and it worked.

Standard queries time out even with the firewall completely disabled. The server itself isn't behind a router either, it's connected directly to the ADSL modem which is set up to be a bridged connection. I use iptables to do NAT for the internal network on a second NIC in the server. Standard DNS queries work perfectly from the internal network.

I know pointing 2 ns records to the same IP is pointless, but GoDaddy requires 2 name servers and I was trying make the records match.

Oh and I have the reverse map on there because I read somewhere that nslookup times out if there is no PTR record, and because I was trying to be thorough. :)

I realize using a DNS service would be easier, but I would like to run my own and get it working just for the fun of it. I'm not really using the domain name for anything but just tinkering anyway, so it's not that critical that it works, it's not a high traffic site, and I definitely don't want to run a recursive public DNS server, or host a bunch of domains. This is really just for the fun of it.

[+BudMan MVC]

Well for the fun of its -- its not working ;)

From my webhost shell account I can do this to my bind server.

[homer]$ dig @hidden.homeip.net version.bind txt chaos

; <<>> DiG 9.2.4 <<>> @hidden.homeip.net version.bind txt chaos

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57392

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;version.bind. CH TXT

;; Query time: 82 msec

;; SERVER: 24.14.x.x#53(hidden.homeip.net)

;; WHEN: Wed Jan 6 05:31:15 2010

;; MSG SIZE rcvd: 30

Both udp and tcp

When I try your IP -- HEY now its giving me a response!!!

on tcp

; <<>> DiG 9.2.4 <<>> +tcp @64.79.45.135 versions.bind txt chaos

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22008

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;versions.bind. CH TXT

;; Query time: 95 msec

;; SERVER: 64.79.45.135#53(64.79.45.135)

;; WHEN: Wed Jan 6 05:33:54 2010

;; MSG SIZE rcvd: 31

; <<>> DiG 9.2.4 <<>> +tcp @64.79.45.135 d45h.net

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4403

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;d45h.net. IN A

;; ANSWER SECTION:

d45h.net. 86400 IN A 64.79.45.135

;; AUTHORITY SECTION:

d45h.net. 86400 IN NS ns1.d45h.net.

d45h.net. 86400 IN NS ns2.d45h.net.

;; ADDITIONAL SECTION:

ns1.d45h.net. 86400 IN A 64.79.45.135

ns2.d45h.net. 86400 IN A 64.79.45.135

;; Query time: 96 msec

;; SERVER: 64.79.45.135#53(64.79.45.135)

;; WHEN: Wed Jan 6 05:35:08 2010

;; MSG SIZE rcvd: 110

But UDP nothing still. So your modem is in bridge mode, and you get a public IP on your linux box's public interface -- and you have the linux firewall off? If this is the case its being blocked upstream?? Or bind is not listening on UDP?

You should be able to do a netstat to see it listening..

example on my freebsd box

tcp4 0 0 *.53 *.* LISTEN

udp4 0 0 *.53 *.*

Do you see it listening on all iterfaces on 53 for both udp and tcp?

[nachlassen]

Here is the output of:

netstat -l | grep 64.79.45.135

tcp 0 0 64.79.45.135:domain *:* LISTEN

udp 0 0 64.79.45.135:domain *:*

Is that right? It doesn't actually say LISTEN on the udp bit. Does this mean it has to be blocked upstream somewhere?

Is there an easy way to test if UDP traffic of any kind is even making it to the public interface on the server?

[+BudMan MVC]

Yeah thats right -- and you say you can query your public IP while your on the box right using udp right.. So the block must be upstream..

Very odd.. but sure if traffic is getting to your machine with a simple tcpdump, or your fav sniffer. My bind is running on a win2k8 box currently -- but here I just did a query from my webhost shell account and captured the traffic with windump (windows version of tcpdump)

C:\Users\Administrator>windump -i 1 -vvv udp port 53

windump: listening on \Device\NPF_{5226E263-70F2-4FC8-9406-A1D177ADE999}

14:11:43.326965 IP (tos 0x20, ttl 48, id 35813, offset 0, flags [DF], proto: UDP (17), length: 60) webhostshellmachine.58919 > mybindbox.53: [udp sum ok] 7540+ A? www.google.com. (32)

14:11:43.327214 IP (tos 0x0, ttl 128, id 18290, offset 0, flags [DF], proto: UDP (17), length: 60, bad cksum 0 (->4fc8)!) mybindbox.53 > webhostshellmachine.58919: [bad udp cksum f925!] 7540 Refused- q: A? www.google.com. 0/0/0 (32)

I snipped out my hostnames -- but as you can see the UDP query came in for www.google.com to port 53 from port 58919, and the bind box answered back from port 53 to the source port of the query 58919 with refused.

So sure just fireup tcpdump -- set it to only listen for udp traffic or more if you want -- and see what your interface is seeing..

[nachlassen]

The quries work fine on the box itself so it's got to be blocking them upstream somewhere. I'll talk to my ISP again and see what they think. It's possible that the modem is doing something funny. Thanks for the help, I'll do some more sniffing too and see what I come up with.

[+BudMan MVC]

Yeah let me know -- you got me real curious what the problem could be.. Makes no sense -- your firewall is off on the box, bind clearly responds to queries on the box to the IP. Even works tcp, etc.

Only thing makes sense is a block somewhere upstream to your box not letting udp 53 get to you??

[nachlassen]

Yeah just spoke with the ISP over the phone. Apparently they were having major problems with DoS attacks on their nameservers. They have blocked all DNS traffic at the edge, no queries, apparently only UDP, from any IP outside of their network even make it into their network. So it looks like having my own DNS server isn't going to work. But they will provide DNS for my domain for free. So I guess it's not a total loss.