Old 01-31-2017, 02:10 AM   #1
arjunstarz
LQ Newbie
 
Registered: Jan 2017
Posts: 9

DNS server not able to resolve from DNS clients!!


Hi All,

I have recently configured a DNS server (tehex051v -- x.x.75.18), and it seems to work fine when I run nslookup on the DNS server itself. But for some reason, the other clients are not able to resolve host names through the DNS server.

I can see the packets arriving at the DNS server, but the DNS server is not responding.

Named service is running on port 53(x.x.75.18) and port 953 (127.0.0.1)

I have created 4 zone files (db-mgmt* for forward DNS lookup and db-*.10.in-addr.arpa for reverse DNS lookup)

The details are as follows:

<<<<DNS Server Settings>>>>

[root@tehex051v ~]# netstat -natlp | grep -i named
tcp 0 0 x.x.75.18:53 0.0.0.0:* LISTEN 10003/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 10003/named
tcp 0 0 ::1:953 :::* LISTEN 10003/named


###############################################################################

[root@tehex051v ~]# cat /etc/resolv.conf
# Generated by NetworkManager


# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
search mgmt.dc.es.telefXXXXa
nameserver x.x.75.18

################################################################################

[root@tehex051v ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
x.x.115.31 tesbs741-bl460c.mgmt.dc.es.telefXXXXa tesbs741-bl460c
x.x.115.32 tesbs742-bl460c.mgmt.dc.es.telefXXXXa tesbs742-bl460c
x.x.115.33 tesbs743-bl460c.mgmt.dc.es.telefXXXXa tesbs743-bl460c
x.x.115.34 tesbs744-bl460c.mgmt.dc.es.telefXXXXa tesbs744-bl460c
x.x.115.35 tesbs745-bl460c.mgmt.dc.es.telefXXXXa tesbs745-bl460c
x.x.115.36 tesbs746-bl460c.mgmt.dc.es.telefXXXXa tesbs746-bl460c
x.x.115.37 tesbs747-bl460c.mgmt.dc.es.telefXXXXa tesbs747-bl460c
x.x.115.38 tesbs748-bl460c.mgmt.dc.es.telefXXXXa tesbs748-bl460c
x.x.115.39 tesbs749-bl460c.mgmt.dc.es.telefXXXXa tesbs749-bl460c
x.x.115.40 tesbs74a-bl460c.mgmt.dc.es.telefXXXXa tesbs74a-bl460c
x.x.115.41 tesbs74b-bl460c.mgmt.dc.es.telefXXXXa tesbs74b-bl460c
x.x.115.42 tesbs74c-bl460c.mgmt.dc.es.telefXXXXa tesbs74c-bl460c
x.x.115.43 tesbs74d-bl460c.mgmt.dc.es.telefXXXXa tesbs74d-bl460c
x.x.115.44 tesbs74e-bl460c.mgmt.dc.es.telefXXXXa tesbs74e-bl460c
x.x.115.45 tesbs74f-bl460c.mgmt.dc.es.telefXXXXa tesbs74f-bl460c
x.x.115.46 tesbs74g-bl460c.mgmt.dc.es.telefXXXXa tesbs74g-bl460c
x.x.83.12 tehex038v.mgmt.dc.es.telefXXXXa tehex038v
x.x.83.13 tehex039v.mgmt.dc.es.telefXXXXa tehex039v
x.x.83.14 tehex040v.mgmt.dc.es.telefXXXXa tehex040v
x.x.83.15 tehex041v.mgmt.dc.es.telefXXXXa tehex041v
x.x.83.16 tehex042v.mgmt.dc.es.telefXXXXa tehex042v
x.x.83.17 tehex043v.mgmt.dc.es.telefXXXXa tehex043v
x.x.83.18 tehex044v.mgmt.dc.es.telefXXXXa tehex044v
x.x.75.12 tehex045v.mgmt.dc.es.telefXXXXa tehex045v
x.x.75.13 tehex046v.mgmt.dc.es.telefXXXXa tehex046v
x.x.75.14 tehex047v.mgmt.dc.es.telefXXXXa tehex047v
x.x.75.15 tehex048v.mgmt.dc.es.telefXXXXa tehex048v
x.x.75.16 tehex049v.mgmt.dc.es.telefXXXXa tehex049v
x.x.75.17 tehex050v.mgmt.dc.es.telefXXXXa tehex050v
x.x.75.18 tehex051v.mgmt.dc.es.telefXXXXa tehex051v
x.x.75.19 tehex052v.mgmt.dc.es.telefXXXXa tehex052v
x.x.75.20 tehex053v.mgmt.dc.es.telefXXXXa tehex053v
x.x.75.21 tehex054v.mgmt.dc.es.telefXXXXa tehex054v
x.x.75.22 tehex055v.mgmt.dc.es.telefXXXXa tehex055v
x.x.75.23 tehex056v.mgmt.dc.es.telefXXXXa tehex056v
x.x.75.24 tehex057v.mgmt.dc.es.telefXXXXa tehex057v
x.x.75.25 tehex058v.mgmt.dc.es.telefXXXXa tehex058v
x.x.75.26 tehex059v.mgmt.dc.es.telefXXXXa tehex059v
x.x.75.27 tehex060v.mgmt.dc.es.telefXXXXa tehex060v
x.x.75.28 tevrh034v.mgmt.dc.es.telefXXXXa tevrh034v
x.x.75.29 tevrh035v.mgmt.dc.es.telefXXXXa tevrh035v
x.x.75.30 tevrh036v.mgmt.dc.es.telefXXXXa tevrh036v
x.x.75.31 tevrh037v.mgmt.dc.es.telefXXXXa tevrh037v


##################################################################################################

[root@tehex051v ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
// Serve DNS on this single IPv4 address only; no other address is bound
// (the IPv6 listener below is commented out).
listen-on port 53 { x.x.75.18; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// NOTE(review): "localhost" is BIND's built-in ACL for the server's own
// addresses, so named answers only queries that originate on this host.
// Queries from other machines are refused by named itself, independently
// of any firewall rule. To serve the clients, list their networks here
// explicitly rather than opening the ACL to everyone.
allow-query { localhost; };
// NOTE(review): recursion is enabled. If allow-query is widened, keep
// recursion limited to the internal client networks (e.g. with
// allow-recursion) so the server does not become an open resolver.
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "mgmt.dc.es.telefXXXXa." {
file "db.mgmt.dc.es.telefXXXXa";
type master;

};

zone "115.147.10.in-addr.arpa." {
file "db.x.x.115";
type master;

};

zone "75.147.10.in-addr.arpa." {
file "db.x.x.75";
type master;

};

zone "83.147.10.in-addr.arpa." {
file "db.x.x.83";
type master;

};

zone "0.0.127.in-addr.arpa." {
file "db.127.0.0";
type master;

};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

###################################################################################

[root@tehex051v named]# cat db.mgmt.dc.es.telefXXXXa
$ORIGIN mgmt.dc.es.telefXXXXa.
$TTL 3600
mgmt.dc.es.telefXXXXa. IN SOA tehex051v.mgmt.dc.es.telefXXXXa. root.tehex051v.mgmt.dc.es.telefXXXXa. (
2017010900 ; Serial
28800 ; Refresh
1200 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL
NS tehex051v.mgmt.dc.es.telefXXXXa.
tehex038v A x.x.83.12
tehex039v A x.x.83.13
tehex040v A x.x.83.14
tehex041v A x.x.83.15
tehex042v A x.x.83.16
tehex043v A x.x.83.17
tehex044v A x.x.83.18
tehex045v A x.x.75.12
tehex046v A x.x.75.13
tehex047v A x.x.75.14
tehex048v A x.x.75.15
tehex049v A x.x.75.16
tehex050v A x.x.75.17
tehex051v A x.x.75.18
tehex052v A x.x.75.19
tehex053v A x.x.75.20
tehex054v A x.x.75.21
tehex055v A x.x.75.22
tehex056v A x.x.75.23
tehex057v A x.x.75.24
tehex058v A x.x.75.25
tehex059v A x.x.75.26
tehex060v A x.x.75.27
tevrh034v A x.x.75.28
tevrh035v A x.x.75.29
tevrh036v A x.x.75.30
tevrh037v A x.x.75.31
tesbs741-bl460c A x.x.115.31
tesbs742-bl460c A x.x.115.32
tesbs743-bl460c A x.x.115.33
tesbs744-bl460c A x.x.115.34
tesbs745-bl460c A x.x.115.35
tesbs746-bl460c A x.x.115.36
tesbs747-bl460c A x.x.115.37
tesbs748-bl460c A x.x.115.38
tesbs749-bl460c A x.x.115.39
tesbs74a-bl460c A x.x.115.40
tesbs74b-bl460c A x.x.115.41
tesbs74c-bl460c A x.x.115.42
tesbs74d-bl460c A x.x.115.43
tesbs74e-bl460c A x.x.115.44
tesbs74f-bl460c A x.x.115.45
tesbs74g-bl460c A x.x.115.46

#################################################################################

[root@tehex051v named]# cat db.127.0.0
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 3600
0.0.127.in-addr.arpa. IN SOA tehex051v.mgmt.dc.es.telefXXXXa. root.tehex051v.mgmt.dc.es.telefXXXXa. (
2017010900 ; Serial
28800 ; Refresh
1200 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL
NS tehex051v.mgmt.dc.es.telefXXXXa.
1 PTR localhost


#################################################################################

[root@tehex051v named]# cat db.x.x.75
$ORIGIN 75.147.10.in-addr.arpa.
$TTL 3600
75.147.10.in-addr.arpa. IN SOA tehex051v.mgmt.dc.es.telefXXXXa. root.tehex051v.mgmt.dc.es.telefXXXXa. (
2017010900 ; Serial
28800 ; Refresh
1200 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL
NS tehex051v.mgmt.dc.es.telefXXXXa.
12 PTR tehex045v.mgmt.dc.es.telefXXXXa.
13 PTR tehex046v.mgmt.dc.es.telefXXXXa.
14 PTR tehex047v.mgmt.dc.es.telefXXXXa.
15 PTR tehex048v.mgmt.dc.es.telefXXXXa.
16 PTR tehex049v.mgmt.dc.es.telefXXXXa.
17 PTR tehex050v.mgmt.dc.es.telefXXXXa.
18 PTR tehex051v.mgmt.dc.es.telefXXXXa.
19 PTR tehex052v.mgmt.dc.es.telefXXXXa.
20 PTR tehex053v.mgmt.dc.es.telefXXXXa.
21 PTR tehex054v.mgmt.dc.es.telefXXXXa.
22 PTR tehex055v.mgmt.dc.es.telefXXXXa.
23 PTR tehex056v.mgmt.dc.es.telefXXXXa.
24 PTR tehex057v.mgmt.dc.es.telefXXXXa.
25 PTR tehex058v.mgmt.dc.es.telefXXXXa.
26 PTR tehex059v.mgmt.dc.es.telefXXXXa.
27 PTR tehex060v.mgmt.dc.es.telefXXXXa.
28 PTR tevrh034v.mgmt.dc.es.telefXXXXa.
29 PTR tevrh035v.mgmt.dc.es.telefXXXXa.
30 PTR tevrh036v.mgmt.dc.es.telefXXXXa.
31 PTR tevrh037v.mgmt.dc.es.telefXXXXa.

#################################################################################

[root@tehex051v named]# cat db.x.x.83
$ORIGIN 83.147.10.in-addr.arpa.
$TTL 3600
83.147.10.in-addr.arpa. IN SOA tehex051v.mgmt.dc.es.telefXXXXa. root.tehex051v.mgmt.dc.es.telefXXXXa. (
2017010900 ; Serial
28800 ; Refresh
1200 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL
NS tehex051v.mgmt.dc.es.telefXXXXa.
12 PTR tehex038v.mgmt.dc.es.telefXXXXa.
13 PTR tehex039v.mgmt.dc.es.telefXXXXa.
14 PTR tehex040v.mgmt.dc.es.telefXXXXa.
15 PTR tehex041v.mgmt.dc.es.telefXXXXa.
16 PTR tehex042v.mgmt.dc.es.telefXXXXa.
17 PTR tehex043v.mgmt.dc.es.telefXXXXa.
18 PTR tehex044v.mgmt.dc.es.telefXXXXa.

#################################################################################

[root@tehex051v named]# cat db.x.x.115
$ORIGIN 115.147.10.in-addr.arpa.
$TTL 3600
115.147.10.in-addr.arpa. IN SOA tehex051v.mgmt.dc.es.telefXXXXa. root.tehex051v.mgmt.dc.es.telefXXXXa. (
2017010900 ; Serial
28800 ; Refresh
1200 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL
NS tehex051v.mgmt.dc.es.telefXXXXa.
31 PTR tesbs741-bl460c.mgmt.dc.es.telefXXXXa.
32 PTR tesbs742-bl460c.mgmt.dc.es.telefXXXXa.
33 PTR tesbs743-bl460c.mgmt.dc.es.telefXXXXa.
34 PTR tesbs744-bl460c.mgmt.dc.es.telefXXXXa.
35 PTR tesbs745-bl460c.mgmt.dc.es.telefXXXXa.
36 PTR tesbs746-bl460c.mgmt.dc.es.telefXXXXa.
37 PTR tesbs747-bl460c.mgmt.dc.es.telefXXXXa.
38 PTR tesbs748-bl460c.mgmt.dc.es.telefXXXXa.
39 PTR tesbs749-bl460c.mgmt.dc.es.telefXXXXa.
40 PTR tesbs74a-bl460c.mgmt.dc.es.telefXXXXa.
41 PTR tesbs74b-bl460c.mgmt.dc.es.telefXXXXa.
42 PTR tesbs74c-bl460c.mgmt.dc.es.telefXXXXa.
43 PTR tesbs74d-bl460c.mgmt.dc.es.telefXXXXa.
44 PTR tesbs74e-bl460c.mgmt.dc.es.telefXXXXa.
45 PTR tesbs74f-bl460c.mgmt.dc.es.telefXXXXa.
46 PTR tesbs74g-bl460c.mgmt.dc.es.telefXXXXa.

###################################################################################

[root@tehex051v named]# cat db.root
$ORIGIN .
$TTL 3600
. IN SOA tehex051v.mgmt.dc.es.telefXXXXa. root.tehex051v.mgmt.dc.es.telefXXXXa. (
2017010900 ; Serial
28800 ; Refresh
1200 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL
NS tehex051v.mgmt.dc.es.telefXXXXa.
localhost A 127.0.0.1
$ORIGIN mgmt.dc.es.telefXXXXa.
@ NS tehex051v.mgmt.dc.es.telefXXXXa.


###################################################################################

[root@tehex051v named]# cat /etc/rndc.key
// NOTE(review): this is the shared secret that authenticates rndc to named's
// control channel (port 953). It appears here unredacted, and the same value
// is repeated in /etc/rndc.conf; a key that has been published should be
// regenerated and the file kept readable only by root and the named user.
key "rndc-key" {
// hmac-md5 is a legacy HMAC; prefer a SHA-2 HMAC if this BIND's rndc
// supports one -- verify for the installed version.
algorithm hmac-md5;
secret "v1hd7x3x3NJbn02pGvc39w==";
};
[root@tehex051v named]# cat /etc/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "v1hd7x3x3NJbn02pGvc39w==";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};


###################################################################################

<<<<DNS Client Settings>>>>>

tevrh036v:~ # cat /etc/hosts
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#


# special IPv6 addresses

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
# VAMI_EDIT_BEGIN
127.0.0.1 localhost localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
x.x.115.31 tesbs741-bl460c.mgmt.dc.es.telefXXXXa tesbs741-bl460c
x.x.115.32 tesbs742-bl460c.mgmt.dc.es.telefXXXXa tesbs742-bl460c
x.x.115.33 tesbs743-bl460c.mgmt.dc.es.telefXXXXa tesbs743-bl460c
x.x.115.34 tesbs744-bl460c.mgmt.dc.es.telefXXXXa tesbs744-bl460c
x.x.115.35 tesbs745-bl460c.mgmt.dc.es.telefXXXXa tesbs745-bl460c
x.x.115.36 tesbs746-bl460c.mgmt.dc.es.telefXXXXa tesbs746-bl460c
x.x.115.37 tesbs747-bl460c.mgmt.dc.es.telefXXXXa tesbs747-bl460c
x.x.115.38 tesbs748-bl460c.mgmt.dc.es.telefXXXXa tesbs748-bl460c
x.x.115.39 tesbs749-bl460c.mgmt.dc.es.telefXXXXa tesbs749-bl460c
x.x.115.40 tesbs74a-bl460c.mgmt.dc.es.telefXXXXa tesbs74a-bl460c
x.x.115.41 tesbs74b-bl460c.mgmt.dc.es.telefXXXXa tesbs74b-bl460c
x.x.115.42 tesbs74c-bl460c.mgmt.dc.es.telefXXXXa tesbs74c-bl460c
x.x.115.43 tesbs74d-bl460c.mgmt.dc.es.telefXXXXa tesbs74d-bl460c
x.x.115.44 tesbs74e-bl460c.mgmt.dc.es.telefXXXXa tesbs74e-bl460c
x.x.115.45 tesbs74f-bl460c.mgmt.dc.es.telefXXXXa tesbs74f-bl460c
x.x.115.46 tesbs74g-bl460c.mgmt.dc.es.telefXXXXa tesbs74g-bl460c
x.x.83.12 tehex038v.mgmt.dc.es.telefXXXXa tehex038v
x.x.83.13 tehex039v.mgmt.dc.es.telefXXXXa tehex039v
x.x.83.14 tehex040v.mgmt.dc.es.telefXXXXa tehex040v
x.x.83.15 tehex041v.mgmt.dc.es.telefXXXXa tehex041v
x.x.83.16 tehex042v.mgmt.dc.es.telefXXXXa tehex042v
x.x.83.17 tehex043v.mgmt.dc.es.telefXXXXa tehex043v
x.x.83.18 tehex044v.mgmt.dc.es.telefXXXXa tehex044v
x.x.75.12 tehex045v.mgmt.dc.es.telefXXXXa tehex045v
x.x.75.13 tehex046v.mgmt.dc.es.telefXXXXa tehex046v
x.x.75.14 tehex047v.mgmt.dc.es.telefXXXXa tehex047v
x.x.75.15 tehex048v.mgmt.dc.es.telefXXXXa tehex048v
x.x.75.16 tehex049v.mgmt.dc.es.telefXXXXa tehex049v
x.x.75.17 tehex050v.mgmt.dc.es.telefXXXXa tehex050v
x.x.75.18 tehex051v.mgmt.dc.es.telefXXXXa tehex051v
x.x.75.19 tehex052v.mgmt.dc.es.telefXXXXa tehex052v
x.x.75.20 tehex053v.mgmt.dc.es.telefXXXXa tehex053v
x.x.75.21 tehex054v.mgmt.dc.es.telefXXXXa tehex054v
x.x.75.22 tehex055v.mgmt.dc.es.telefXXXXa tehex055v
x.x.75.23 tehex056v.mgmt.dc.es.telefXXXXa tehex056v
x.x.75.24 tehex057v.mgmt.dc.es.telefXXXXa tehex057v
x.x.75.25 tehex058v.mgmt.dc.es.telefXXXXa tehex058v
x.x.75.26 tehex059v.mgmt.dc.es.telefXXXXa tehex059v
x.x.75.27 tehex060v.mgmt.dc.es.telefXXXXa tehex060v
x.x.75.28 tevrh034v.mgmt.dc.es.telefXXXXa tevrh034v
x.x.75.29 tevrh035v.mgmt.dc.es.telefXXXXa tevrh035v
x.x.75.30 tevrh036v.mgmt.dc.es.telefXXXXa tevrh036v
x.x.75.31 tevrh037v.mgmt.dc.es.telefXXXXa tevrh037v
# VAMI_EDIT_END
tevrh036v:~ # cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
nameserver x.x.75.18



#################################################################################################### ###############################

tevrh036v:~ # nslookup tehex051v.mgmt.dc.es.telefXXXXa
;; connection timed out; no servers could be reached

<<<<DNS nslookup output>>>>

[root@tehex051v named]# nslookup tehex049v.mgmt.dc.es.telefXXXXa
Server: x.x.75.18
Address: x.x.75.18#53

Name: tehex049v.mgmt.dc.es.telefXXXXa
Address: x.x.75.16

[root@tehex051v named]# nslookup x.x.115.31
Server: x.x.75.18
Address: x.x.75.18#53

31.115.147.10.in-addr.arpa name = tesbs741-bl460c.mgmt.dc.es.telefXXXXa.

[root@tehex051v named]# nslookup tesbs748-bl460c.mgmt.dc.es.telefXXXXa.
Server: x.x.75.18
Address: x.x.75.18#53

Name: tesbs748-bl460c.mgmt.dc.es.telefXXXXa
Address: x.x.115.38

#################################################################################################### ######

Jan 31 08:49:56 tehex051v named[10003]: received control channel command 'stop'
Jan 31 08:49:56 tehex051v named[10003]: shutting down: flushing changes
Jan 31 08:49:56 tehex051v named[10003]: stopping command channel on 127.0.0.1#953
Jan 31 08:49:56 tehex051v named[10003]: stopping command channel on ::1#953
Jan 31 08:49:56 tehex051v named[10003]: no longer listening on x.x.75.18#53
Jan 31 08:49:56 tehex051v named[10003]: exiting
Jan 31 08:49:58 tehex051v named[10221]: starting BIND 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 -u named -t /var/named/chroot
Jan 31 08:49:58 tehex051v named[10221]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-rpz-nsip' '--enable-rpz-nsdname' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Jan 31 08:49:58 tehex051v named[10221]: ----------------------------------------------------
Jan 31 08:49:58 tehex051v named[10221]: BIND 9 is maintained by Internet Systems Consortium,
Jan 31 08:49:58 tehex051v named[10221]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 31 08:49:58 tehex051v named[10221]: corporation. Support and training for BIND 9 are
Jan 31 08:49:58 tehex051v named[10221]: available at https://www.isc.org/support
Jan 31 08:49:58 tehex051v named[10221]: ----------------------------------------------------
Jan 31 08:49:58 tehex051v named[10221]: adjusted limit on open files from 4096 to 1048576
Jan 31 08:49:58 tehex051v named[10221]: found 8 CPUs, using 8 worker threads
Jan 31 08:49:58 tehex051v named[10221]: using up to 4096 sockets
Jan 31 08:49:58 tehex051v named[10221]: loading configuration from '/etc/named.conf'
Jan 31 08:49:58 tehex051v named[10221]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 31 08:49:58 tehex051v named[10221]: using default UDP/IPv4 port range: [1024, 65535]
Jan 31 08:49:58 tehex051v named[10221]: using default UDP/IPv6 port range: [1024, 65535]
Jan 31 08:49:58 tehex051v named[10221]: listening on IPv4 interface eth0, x.x.75.18#53
Jan 31 08:49:58 tehex051v named[10221]: generating session key for dynamic DNS
Jan 31 08:49:58 tehex051v named[10221]: sizing zone task pool based on 11 zones
Jan 31 08:49:58 tehex051v named[10221]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jan 31 08:49:58 tehex051v named[10221]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 127.IN-ADDR.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: D.F.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: A.E.F.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: B.E.F.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 31 08:49:58 tehex051v named[10221]: command channel listening on 127.0.0.1#953
Jan 31 08:49:58 tehex051v named[10221]: command channel listening on ::1#953
Jan 31 08:49:58 tehex051v named[10221]: zone 0.in-addr.arpa/IN: loaded serial 0
Jan 31 08:49:58 tehex051v named[10221]: zone 115.147.10.in-addr.arpa/IN: loaded serial 2017010900
Jan 31 08:49:59 tehex051v named[10221]: zone 75.147.10.in-addr.arpa/IN: loaded serial 2017010900
Jan 31 08:49:59 tehex051v named[10221]: zone 83.147.10.in-addr.arpa/IN: loaded serial 2017010900
Jan 31 08:49:59 tehex051v named[10221]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2017010900
Jan 31 08:49:59 tehex051v named[10221]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jan 31 08:49:59 tehex051v named[10221]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jan 31 08:49:59 tehex051v named[10221]: zone localhost.localdomain/IN: loaded serial 0
Jan 31 08:49:59 tehex051v named[10221]: zone localhost/IN: loaded serial 0
Jan 31 08:49:59 tehex051v named[10221]: zone mgmt.dc.es.telefXXXXa/IN: loaded serial 2017010900
Jan 31 08:49:59 tehex051v named[10221]: managed-keys-zone ./IN: loaded serial 98
Jan 31 08:49:59 tehex051v named[10221]: running


<<<<DNS client failure>>>>



#################################################################################################### ###############################

tevrh036v:~ # nslookup tehex050v.mgmt.dc.es.telefXXXXa
;; connection timed out; no servers could be reached

#################################################################################################### ###############################

tevrh036v:~ # nslookup tehex051v.mgmt.dc.es.telefXXXXa
;; connection timed out; no servers could be reached


Any leads will definitely help!!

Arjun
 
Old 01-31-2017, 09:56 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Have you checked the DNS server's firewall (e.g. iptables or firewalld) to verify it is allowing connections to port 53?

If you run "nc -vw2 tehex051v 53" from one of your clients, what do you see?
(or alternatively "nc -vw2 10.147.75.18 53"; note that nc connects over TCP by default, so this checks TCP/53 only)
 
Old 01-31-2017, 10:34 AM   #3
Ellendhel
Member
 
Registered: Aug 2015
Location: Wilmington, NC
Distribution: Slackware
Posts: 64

Quote:
Originally Posted by arjunstarz View Post
Named service is running on port 53(10.147.75.18) and port 953 (127.0.0.1)
Just as a reminder: DNS uses UDP/53 and TCP/53, please make sure that both ports are opened to your clients on your firewall.

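Port TCP/953 is used by BIND for control only (the rndc command channel); clients should not have access to that port. In the output quoted above it is bound to 127.0.0.1 only, which keeps it local to the server.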

On the client side, check that netconfig does not overwrite your specific configuration in /etc/resolv.conf.
 
Old 01-31-2017, 12:16 PM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Quote:
Originally Posted by Ellendhel View Post
Just as a reminder: DNS uses UDP/53 and TCP/53, please make sure that both ports are opened to your clients on your firewall.
Good point.

On client side you can specify the DNS server to query with dig @<servername> or dig @<IP address>. This bypasses resolv.conf.

Last edited by MensaWater; 01-31-2017 at 12:18 PM.
 
Old 01-31-2017, 11:35 PM   #5
arjunstarz
LQ Newbie
 
Registered: Jan 2017
Posts: 9

Original Poster
Hi,

Please find the port status below:

[root@tehex051v ~]# netstat -natlp | grep -i named
tcp 0 0 10.147.75.18:53 0.0.0.0:* LISTEN 10003/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 10003/named
tcp 0 0 ::1:953 :::* LISTEN 10003/named

There is one more DNS server running on another machine, where it is working perfectly. The status for that machine is:

[root@na168vm3 ~]# netstat -natlp | grep -i named
tcp 0 0 10.61.9.123:53 0.0.0.0:* LISTEN 10142/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 10142/named

###############################################

resolv.conf is configured with only the DNS server as stated below:

tevrh036v:~ # cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
nameserver 10.147.75.18


As I said earlier, the UDP packets are arriving at 10.147.75.18, but the server is not processing them.
 
Old 02-01-2017, 07:34 AM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

So you're just going to ignore what the last 2 posts suggested and/or asked?

Nothing you've shown proves udp connections on port 53 are allowed.

Nothing you've shown answers the question about firewall allowing either udp 53 or tcp 53.

Talking about resolv.conf ignores what I told you about being able to bypass resolv.conf by using dig specifying the server.

I don't see where you tested with netcat (nc) as I suggested.
 
Old 02-01-2017, 10:37 AM   #7
Ellendhel
Member
 
Registered: Aug 2015
Location: Wilmington, NC
Distribution: Slackware
Posts: 64

If you would like to check which ports are in use on your server:

Code:
# ss -anput | more
In the output, you should find something similar to:

Code:
Netid  State      Recv-Q Send-Q     Local Address:Port       Peer Address:Port
udp    UNCONN     0      0                      *:53                    *:*      users:(("unbound",9346,3))
tcp    LISTEN     0      128                    *:53                    *:*      users:(("unbound",9346,4))
That's an example where I have the Unbound DNS server running, not BIND, but except for the process name you should get something pretty similar.

As suggested, using dig to check from the client side would be helpful too.
To check if your firewall is filtering something or not, please provide the output from the following command:

Code:
iptables -L -n -v --line-number
Depending on the system that you are using and your configuration, you may have other restrictions to check on (like the /etc/hosts.allow and /etc/hosts.deny files for instance).
 
Old 02-01-2017, 11:59 AM   #8
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Quote:
Originally Posted by Ellendhel View Post
If you like to check about the ports that are in use on your server:
Code:
# ss -anput | more
Thanks for that one - I usually use lsof here but ss seems to be a useful tool based on the testing I just did on it.

By the way if one is running firewalld it does update iptables behind the scenes but the display isn't quite the same and updates should be done via firewall-cmd rather than direct edits with iptables command itself. Command to display all zones and rules:
firewall-cmd --list-all-zones
It's important to update rules in the correct zone(s) if using firewalld.
 
Old 02-09-2017, 01:25 AM   #9
arjunstarz
LQ Newbie
 
Registered: Jan 2017
Posts: 9

Original Poster
Great thanks... We were able to resolve that issue.. it was the firewall blocking it ...
 
  

