DNS-Server cant be reached (TCP-Issue?)

Freki · 07-20-2017, 10:47 AM

Hey Community,

First of all, Sorry for my english.
Im facing a problem with DNS on my Redhatservers.
I have 2 Servers which should use 8.8.8.8 as DNS-Server
both resolv.conf are showing this:

Quote:

Nameserver 8.8.8.8

ping to this server works, but i cant resolve any hostnames.
So i tried to do a netcat on port 53 to 8.8.8.8:

Code:

# nc -s 10.1.33.67 -v 8.8.8.8 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.

As u can see, this doesnt work.
If i use the -u option (UDP), it works fine:

Code:

# nc -u  -s 10.1.33.67 -v 8.8.8.8 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 10.1.33.67:53.

So i tried it between my 2 Servers:

Code:

nc -u  -s 10.1.33.67 -v 10.1.33.80 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 10.1.33.80:53.

# nc -s 10.1.33.67 -v 10.1.33.80 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.

If i try the same way between both servers, i also get a refused without the -u option. If i use it, both servers connect fine. Iptables dont have any rules by now, so this cant be the trigger.

So why is netcat not possible per default (TCP) and could this be the reason, why i cant use the DNS?

Thanks a lot!

MensaWater · 07-20-2017, 12:12 PM

I can confirm that 8.8.8.8 is responding on TCP port 53 from here.

Presumably 10.1.33.67 is one IP on the server you're testing from?

By default iptables allows OUTBOUND connections so you would have had to create a rule prohibiting port 53 (or allowing only certain ports while prohibition all others). If iptables isn't running it isn't your problem.

You probably have something upstream of the server (e.g. a switch, a router or your ISP) that is blocking tcp port 53 to 8.8.8.8.

For you to be able to connect to port 53 on one your internal servers from another internal you would need that server to be LISTENing on port 53 and have that server's iptables allowing port 53. You don't mention your internal servers being DNS servers in and of themselves so it isn't clear if they are. If the server IS listening on port 53 AND iptables isn't blocking it then again it is likely your router or switch or ISP is blocking the traffic.

Freki · 07-21-2017, 03:22 AM

Thanks for the reply,

Quote:

Presumably 10.1.33.67 is one IP on the server you're testing from?

Yep one is the .67 and one the 80.

Quote:

# nc -u -s 10.1.33.67 -v 8.8.8.8 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 10.1.33.67:53.

that was just a copy paste mistake... should be:

# nc -u -s 10.1.33.67 -v 10.1.33.80 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 10.1.33.80:53.

Quote:

For you to be able to connect to port 53 on one your internal servers from another internal you would need that server to be LISTENing on port 53 and have that server's iptables allowing port 53

I just did. a nc -l (listen) on the servers to check. Otherwise i wouldnt have got an answer. As i said, IP-Tables dont have any rules.

I also thought, there is something in the network configuration. Sadly those are hosted Servers, so it seems like i need to write the Hoster-

But anyway thanks. Your Post helped me a lot