LinuxQuestions.org
Old 03-15-2005, 04:32 PM   #1
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Rep: Reputation: 30
TCP Port 53 Open - How to enable UDP 53?


Hi all, I am setting up a new web server (a first time experience for me with a dedicated clean install) and I have my bind configs sorted - name resolution working internally and for external lookups. But domain transfer has not worked.

I suspected port 53 blocked but with nmap found it open - but that was only TCP as I eventually found after some hunting and noticing this in my secondary and external DNS server (a trusted friendly server)

Code:
[myip]#53: failed while receiving responses: permission denied

It seems that bidirectional UDP port 53 and unidirectional TCP port 53
from secondary to primary is needed to effect domain transfer and get things really running...

So how do I enable UDP port 53 on my Debian Sarge server?

I am guessing it is default closed on the firewall and being new to these security measures and configurations I don't know where to start..

I have done a bit of a search on firewalls and 53 and UDP and got some useful hints but still feel compelled to go on and ask for personal help.


I hope someone has some time to guide me through the process.

Cheers and TIA,
*.str
 
Old 03-15-2005, 10:48 PM   #2
clacour
Member
 
Registered: Sep 2003
Location: Dallas, Tx, USA
Distribution: Red Hat, Gentoo, Libranet
Posts: 98

Rep: Reputation: 16
One word of warning: I've only dipped my toes in Debian, so I don't know all of its little quirks. Some of this may be off in the fine detail because of that.

To keep from writing a small novel saying "if you have such-and-such, and THIS is true, then..." for every case I can think of, I'm going to describe the basic idea, and ask for more info.

Figure out whether you're running ipchains or iptables. Then figure out where your ip[chains|tables] config file is. Try /etc/init.d/iptables (or ipchains) for clues.

Look at the file. If it says it was created by a firewall script/application, and not to edit the file, believe it. Run the application, and change it that way (it should be pretty obvious in the app - not much point to writing said app, otherwise).

Find a line that says something about either dns or 53. If it's iptables (more likely) it will say something like --sport 53 or --sport dns (or --dport 53..., if it's talking about the destination). It should also have a field that says "-p tcp". That's where it tells iptables which protocol the rule is for.

Simply duplicate that line, and change the tcp to udp. You may want to add a source address (if it doesn't already have one) to limit it to just your secondary DNS server. (If the line you're duplicating is one that specifies that server, all you need to change is the protocol line.)

If this isn't enough info, I need some from you:

What OS are you running? (Stock Debian, Mepis, Libranet, Xandros, Knoppix....)
Are you running ipchains or iptables?
What are the lines that pertain to DNS that you have now? (You can post the whole iptables file if it's short.)

I'd recommend visiting some used bookstores and see if you can find a book on firewalls. (If you're running iptables, make sure it covers that - it's the newer protocol, and not in the older books.) They have lots of precanned script configurations, as well as explanations of how they got them. Good for getting you something set up while you're still learning, and gives you something to learn with.

Hope this helps,

Charles Lacour
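Added example, not code from this thread or from any poster: it turns the "duplicate the TCP rule and change tcp to udp" advice above into a repeatable transform over iptables rule lines, and optionally pins the new UDP rule to the secondary's address as Charles suggests. The rule lines are constructed, and 203.0.113.10 is a documentation address standing in for the secondary; nothing here touches the running kernel.

```shell
#!/bin/sh
# Added example (not from the thread): generate the UDP twin of every TCP
# port-53 iptables rule, optionally restricted to the secondary DNS server.
# Rule lines and the address 203.0.113.10 are constructed sample data.

# Print the UDP twin of one "-p tcp" rule line.
udp_twin() {
    printf '%s\n' "$1" | sed 's/-p tcp/-p udp/; s/--protocol tcp/--protocol udp/'
}

# Insert "-s ADDR" after the chain name unless the rule already names a source.
# $1 = rule line, $2 = address of the secondary.
with_source() {
    case "$1" in
        *' -s '*|*' --source '*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "$1" | sed "s/^\(iptables -[AI] [A-Za-z_]*\) /\1 -s $2 /" ;;
    esac
}

# Read rule lines on stdin and echo each one; a TCP rule for port 53 (or the
# service name "domain") is followed by its UDP twin. $1 (optional) = source
# address to pin that UDP twin to.
dns_rules() {
    src=${1:-}
    while IFS= read -r line; do
        printf '%s\n' "$line"
        case "$line " in                  # trailing space so "53 " does not match 5353
            *'-p tcp '*)
                case "$line " in
                    *'--dport 53 '*|*'--sport 53 '*|*'--dport domain '*|*'--sport domain '*)
                        twin=$(udp_twin "$line")
                        if [ -n "$src" ]; then twin=$(with_source "$twin" "$src"); fi
                        printf '%s\n' "$twin" ;;
                esac ;;
        esac
    done
}

# Demonstration on a constructed three-line ruleset (one unrelated rule, one
# open DNS rule, one DNS rule that already names the secondary).
printf '%s\n' \
    'iptables -A INPUT -p tcp --dport 22 -j ACCEPT' \
    'iptables -A INPUT -p tcp --dport 53 -j ACCEPT' \
    'iptables -A INPUT -p tcp -s 203.0.113.10 --dport 53 -j ACCEPT' \
    | dns_rules 203.0.113.10
```

Pipe your own rules file through dns_rules and review the output before loading it; a rule that already carries -s is left alone, so the secondary-only restriction is only added where the original rule was open to everyone.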
 
Old 03-16-2005, 12:02 AM   #3
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Original Poster
Rep: Reputation: 30
Great advice, thanks, well thought out - I will get stuck into it and report back for more help
 
Old 03-16-2005, 12:52 AM   #4
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 16
it might be a permissions problem on the filesystem, i.e. the destination 'file' directive for your slave zone may not have correct permissions. 'su' to 'named' or 'bind' or whatever your name daemon is running as and try to touch the destination file - this'll give you your answer pretty quick.

Doesn't sound like a firewall issue - sarge debian has a default ACCEPT rule on the iptables policies (if you've installed iptables). You won't get a permission denied error if it's a firewall issue as firewalls don't know about permissions generally. (although.. there is an iptables module to do this

cheers

Last edited by angrybeaver; 03-17-2005 at 12:38 AM.
 
Old 03-16-2005, 03:59 AM   #5
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Original Poster
Rep: Reputation: 30
OK Guys, thanks for the pointers...

I have taken all that on board and managed to suss out the following:

Using nmap -sU I determined that UDP 53 was open|filtered and followed that up with nmap -sU -sV and confirmed it to be open:

Code:
53/udp open ISC Bind 8.4.4-NOESW

So I started to follow up on the permissions idea and found that named is running as root (which I guess is a very bad thing in the greater scheme of things but I intend to get jaild going eventually as part of the hardening) by doing a ps -aux, so I would think that filesystem permissions are not the cause.

I couldn't find the iptables/ipchains confs at all. There is no config systems running that I know of since it is a clean debian 3.1 Kernel 2.6 install
 
Old 03-16-2005, 04:14 AM   #6
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Original Poster
Rep: Reputation: 30
Just found something interesting in the syslog:
Code:
Mar 16 03:53:20 localhost named[10361]: approved AXFR from [203.XXX.YYY.200].56363 for "mydomainname.com.au"
Mar 16 03:53:20 localhost named[10361]: zone transfer (AXFR) of "mydomainname.com.au" (IN) to [203.XXX.YYY.200].56363 serial 2005030105
Mar 16 03:53:57 localhost kernel: ip_tables: (C) 2000-2002 Netfilter core team

So I guess some kind of transfer is being attempted, so where is it all going wrong??!! This also tells me that I am using IPTABLES:
so...
Code:
helios:/var/log# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Any other pointers??

Last edited by stardotstar; 03-16-2005 at 04:15 AM.
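Added example, not code from this thread or from any poster: the syslog lines above show that named records every approved AXFR together with the peer's address, which is also the line a defender wants to watch, since a transfer to an address that is not one of your secondaries hands out the whole zone. This script extracts those lines and flags peers that are not on an allowed list. The log lines are constructed after the ones quoted above; 203.0.113.10 stands in for the legitimate secondary and 198.51.100.7 for an unexpected peer.

```shell
#!/bin/sh
# Added example (not from the thread): pull approved AXFR events out of named's
# syslog output and report peers that are not known secondaries.
# sample_log() is constructed; the addresses are documentation-range values.

sample_log() {
    cat <<'EOF'
Mar 16 03:53:20 localhost named[10361]: approved AXFR from [203.0.113.10].56363 for "mydomainname.com.au"
Mar 16 03:53:20 localhost named[10361]: zone transfer (AXFR) of "mydomainname.com.au" (IN) to [203.0.113.10].56363 serial 2005030105
Mar 16 03:53:57 localhost kernel: ip_tables: (C) 2000-2002 Netfilter core team
Mar 16 04:10:02 localhost named[10361]: approved AXFR from [198.51.100.7].41022 for "mydomainname.com.au"
EOF
}

# Read syslog lines on stdin; print "ADDR ZONE" for every approved AXFR.
axfr_peers() {
    sed -n 's/.*approved AXFR from \[\([^]]*\)\]\.[0-9]* for "\([^"]*\)".*/\1 \2/p'
}

# Read "ADDR ZONE" lines on stdin; echo those whose ADDR is not among the
# allowed secondary addresses given as arguments.
unexpected_axfr() {
    while read -r addr zone; do
        known=0
        for allowed in "$@"; do
            if [ "$allowed" = "$addr" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then printf '%s %s\n' "$addr" "$zone"; fi
    done
    return 0
}

# Demonstration: only 203.0.113.10 is a configured secondary, so the transfer
# to 198.51.100.7 is reported.
sample_log | axfr_peers | unexpected_axfr 203.0.113.10
```

On a live server replace sample_log with the daemon's log (for example grep named /var/log/syslog) and put the addresses from your allow-transfer list on the unexpected_axfr command line; an empty result means every approved transfer went to a configured secondary.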
 
Old 03-16-2005, 04:49 AM   #7
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Based on the fact that your logfiles show that the zone file transfer was approved (versus DENIED) from the secondary, then I would focus my efforts on the permissions problem pointed out by angrybeaver.

Hint: Are you sure the directory exists where the copy of the zone file is being stored on the secondary?
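Added example, not code from this thread or from any poster: it does what angrybeaver's "su to the daemon user and touch the destination file" and scowles' "does the directory exist" checks do by hand, for every slave zone in a named.conf at once. It reads each zone's file directive (joining relative paths to the options directory, as named does) and reports whether the directory exists and whether the user running the script can create files there. Run it as the name daemon's user, for example su -s /bin/sh named -c 'sh check-zones.sh /etc/bind/named.conf'; run as root, every directory looks writable and the result says nothing. The config produced by write_sample_conf is constructed, and 203.0.113.10 stands in for the master.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the slave zone files in a
# BIND named.conf can actually be written by the user running this script.
# write_sample_conf() produces a constructed config for the demonstration.

# Print "ZONE<tab>PATH" for each zone that has a file directive. A relative
# path is joined to the options { directory "..."; } value.
zone_files() {
    awk '
        /directory[ \t]+"/   { match($0, /"[^"]+"/); base = substr($0, RSTART + 1, RLENGTH - 2) }
        /^[ \t]*zone[ \t]+"/ { match($0, /"[^"]+"/); zone = substr($0, RSTART + 1, RLENGTH - 2) }
        /file[ \t]+"/ && zone != "" {
            match($0, /file[ \t]+"[^"]+"/)
            f = substr($0, RSTART, RLENGTH)
            sub(/^file[ \t]+"/, "", f); sub(/"$/, "", f)
            if (f !~ /^\// && base != "") f = base "/" f
            print zone "\t" f
            zone = ""
        }' "$1"
}

# Status of one zone file path for the current user:
#   no-dir            the directory is missing (scowles' question)
#   dir-not-writable  the directory exists but this user cannot create files in it
#   ok                a fresh copy of the zone can be written there
zone_file_status() {
    dir=$(dirname "$1")
    if [ ! -d "$dir" ]; then echo no-dir
    elif [ ! -w "$dir" ]; then echo dir-not-writable
    else echo ok
    fi
}

# Print "ZONE PATH STATUS" for every zone in config file $1.
check_zones() {
    tab=$(printf '\t')
    zone_files "$1" | while IFS=$tab read -r zone path; do
        printf '%s %s %s\n' "$zone" "$path" "$(zone_file_status "$path")"
    done
}

# Constructed sample config rooted at directory $1: one slave zone whose
# directory exists and one whose directory does not.
write_sample_conf() {
    cat <<EOF
options { directory "$1"; };
zone "example.com.au" {
    type slave;
    file "example.com.au.db";
    masters { 203.0.113.10; };
};
zone "missing.example" { type slave; file "$1/does-not-exist/missing.db"; };
EOF
}

# Demonstration in a throwaway directory.
work=$(mktemp -d)
write_sample_conf "$work" > "$work/named.conf"
check_zones "$work/named.conf"
rm -rf "$work"
```

A no-dir or dir-not-writable line for a slave zone is the "failed while receiving responses: permission denied" failure seen from the other end: named accepted the transfer but had nowhere it was allowed to store the result.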
 
  

