did you forward port 53 tcp or udp?

tcp is for zone transfers and updates to other servers, and udp is for queries.

Quick answer, I have only one ethernet card on that machine and before you ask me why I haven't put another one I have to say that is not that easy, complicated waranty politics invovled. Can you help me out with tcdump to check if the responde is going back ok?

i dont think tcpdump is what you need. post us the output from

route -n

if you have only 1 ethernet card, your likely having routing issues.

*edit* wait, did you say you can ssh to the internet ip address? if yes, then i revert back to my previous question, do you have udp 53 open?

Here is the output> route -n

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.32 0.0.0.0 255.255.255.224 U 0 0 0 eth0
1.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 1.2.3.4 0.0.0.0 UG 0 0 0 eth0

ok, so external gateway looks like what you are using for internet access and traffic. again, my guess is that port 53 udp is not open.

Well, I can telnet dnsBox on port 53 from outside the network. Is that enough to say udp port is open (I know telcel is a conection-oriented application, i.e.m it work over tcp), my point is, how do I know if udp is open? (remeber I cannot see the router)

nope, because telnet is tcp. without udp53, dns will not work

Ok, udp is OPEN:

did you just now open it, or was it already open?

if you just now did it, retest and let us know what happened.

It was already open and it still doesn't work ... any other idea?

Greetings,

I realize it was some time ago that this thread was posted however I neither seen a resolution to it nor can find any answers elsewhere so thought I would throw this at the wall and see if it sticks.

I am having the same issue as described above. I have created a new BIND9 DNS service on a Mandriva Server in a VM environment.

I also have freeradius running (and working) on this same VM.

I can query the server till the cows come home from the inside of the network however I can not from the outside. Now... unlike the posts above... I can not get a response on port 53 from the outside other than a time out.

The VM, as are all my internet servers, is sitting behind an IPCOP firewall. I have an old separate BIND4 server running on an independent box behind another IPCOP firewall (not the same one) and it has been running without incident for years. Only servers are behind the firewall. There are no internal (private) boxes attached. I do this for added security on the server boxes because I have been hacked so many times over the years on boxes with live IP addresses.

Here's what I have done...

Using tcpdump I have confirmed that requests ARE making it through the firewall from the outside AND are being seen at the BIND9 box. The requests are just not being answered by named. It has no problem answering all the requests you give from within the network on the green side of the firewall.

What is interesting however is that if I look at the query.log file for named it has ongoing listings of queries for domains hosted only on that server. There are no entries in query.log for any non-hosted domains unless those requests are generated on the same "internal" subnet.

I have spent two days straight trying to overcome this issue and I'm pretty certain it is staring me right in the face but I can't see it for the streaming characters flashing across my screen from log file dumps.

I have tried to find reference to it on the internet but have had no luck. Is there a 'switch' in BIND9 that says work with local address requests only or work with 'any' requests?

I have these software switches set in the named.conf file which I thought would cover it all... but... nope:

listen-on port 53 { any; };

allow-query { any; };
allow-recursion { any; };

blackhole { bogon; };
forwarders {
192.168.70.2;
};
There are no errors in the named default.log file and here are a couple entries from the query.log file:

20-Jan-2009 15:42:26.716 client 192.168.70.14#3448: query: 1.0.0.127.in-addr.arpa IN PTR +
20-Jan-2009 15:42:27.429 client 189.138.196.205#56663: query: robertsimaging.com IN MX +
20-Jan-2009 15:42:37.882 client 69.30.226.50#44835: query: ns2.slingshottech.net IN AAAA -E
20-Jan-2009 15:42:38.530 client 206.13.29.42#10710: query: robertsimaging.com IN A -E
20-Jan-2009 15:43:09.288 client 192.168.70.14#3502: query: 1.0.0.127.in-addr.arpa IN PTR +
20-Jan-2009 15:43:48.750 client 68.87.72.133#37195: query: blog.robertsimaging.com IN A -
20-Jan-2009 15:43:51.948 client 192.168.70.14#3567: query: 1.0.0.127.in-addr.arpa IN PTR +
20-Jan-2009 15:44:16.663 client 206.141.193.34#26154: query: robertsimaging.com IN A -E

Now if my hunch is correct... outside clients ARE being seen by named as showing above but it just simply doesn't respond to them. It does respond to the internal requests however.

Any assistance here would be much appreciated.

Thanks

Ok... figured it out.

The install of bind9 automatically installs two references in the named.conf file to external acl files. These files are supposedly suppose to contain known IP subnets that are test nets, etc. Apparently they are not all test nets any longer.

I disabled both these include references and everything is working properly now.