Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi all, I am setting up a new web server (a first time experience for me with a dedicated clean install) and I have my bind configs sorted - name resolution working internally and for external lookups. But domain transfer has not worked.
I suspected port 53 blocked but with nmap found it open - but that was only TCP as I eventually found after some hunting and noticing this in my secondary and external DNS server (a trusted friendly server)
Code:
[myip]#53: failed while receiving responses: permission denied
It seems that bidirectional UDP port 53 and unidirectional TCP port 53
from secondary to primary is needed to effect domain transfer and get things really running...
So how do I enable UDP port 53 on my Debian Sarge server?
I am guessing it is default closed on the firewall and, being new to these security measures and configurations, I don't know where to start.
I have done a bit of a search on firewalls and 53 and UDP and got some useful hints but still feel compelled to go on and ask for personal help.
I hope someone has some time to guide me through the process.
One word of warning: I've only dipped my toes in Debian, so I don't know all of its little quirks. Some of this may be off in the fine detail because of that.
To keep from writing a small novel saying "if you have such-and-such, and THIS is true, then..." for every case I can think of, I'm going to describe the basic idea, and ask for more info.
Figure out whether you're running ipchains or iptables. Then figure out where your ip[chains|tables] config file is. Try /etc/init.d/iptables (or ipchains) for clues.
Look at the file. If it says it was created by a firewall script/application, and not to edit the file, believe it. Run the application, and change it that way (it should be pretty obvious in the app - not much point to writing said app, otherwise).
Find a line that says something about either dns or 53. If it's iptables (more likely) it will say something like --sport 53 or --sport dns (or --dport 53..., if it's talking about the destination). It should also have a field that says "-p tcp". That's where it tells iptables which protocol the rule is for.
Simply duplicate that line, and change the tcp to udp. You may want to add a source address (if it doesn't already have one) to limit it to just your secondary DNS server. (If the line you're duplicating is one that specifies that server, all you need to change is the protocol line.)
If this isn't enough info, I need some from you:
What OS are you running? (Stock Debian, Mepis, Libranet, Xandros, Knoppix....)
Are you running ipchains or iptables?
What are the lines that pertain to DNS that you have now? (You can post the whole iptables file if it's short.)
I'd recommend visiting some used bookstores and see if you can find a book on firewalls. (If you're running iptables, make sure it covers that - it's the newer protocol, and not in the older books.) They have lots of precanned script configurations, as well as explanations of how they got them. Good for getting you something set up while you're still learning, and gives you something to learn with.
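Putting the advice above into a form you can check before touching the firewall, as an added example that is not part of the reply: a small POSIX sh script that derives the UDP twin of an existing TCP port-53 rule written in iptables-save syntax (optionally pinning it to the secondary's address) and prints the rule set this thread ends up needing, UDP 53 in both directions and TCP 53 inbound from the secondary for the AXFR. The address 203.0.113.200 is constructed; nothing is loaded into the kernel, the rules are only printed for review.

```shell
# Added example, not from the thread. Rules are in iptables-save syntax and
# are printed, never applied.

udp_twin_of_dns_rule() {
    # $1: an iptables-save style rule that carries "-p tcp" and port 53 (or dns)
    # $2: optional source address to add when the rule has no -s of its own
    rule=$1
    src=${2:-}
    case $rule in
        *"-p tcp"*) ;;
        *) echo "not a tcp rule: $rule" >&2; return 1 ;;
    esac
    case $rule in
        *53*|*dns*) ;;
        *) echo "rule does not mention port 53: $rule" >&2; return 1 ;;
    esac
    twin=$(printf '%s\n' "$rule" | sed 's/-p tcp/-p udp/')
    if [ -n "$src" ]; then
        case $twin in
            *" -s "*) ;;                       # already restricted to a source; leave it
            *) twin=$(printf '%s\n' "$twin" | sed "s/-p udp/-s $src -p udp/") ;;
        esac
    fi
    printf '%s\n' "$twin"
}

dns_rules_for_secondary() {
    # $1: address of the secondary (constructed in the demo below)
    sec=$1
    # TCP 53 from the secondary carries the AXFR; the OUTPUT line is its reply traffic,
    # needed when there is no stateful rule accepting established connections
    axfr_in="-A INPUT -s $sec -p tcp --dport 53 -j ACCEPT"
    axfr_out="-A OUTPUT -d $sec -p tcp --sport 53 -j ACCEPT"
    printf '%s\n' "$axfr_in" "$axfr_out"
    # the same pair over UDP for the SOA refresh queries the secondary sends
    udp_twin_of_dns_rule "$axfr_in"
    udp_twin_of_dns_rule "$axfr_out"
    # and primary -> secondary for NOTIFY, which the primary originates
    printf '%s\n' "-A OUTPUT -d $sec -p udp --dport 53 -j ACCEPT" \
                  "-A INPUT -s $sec -p udp --sport 53 -j ACCEPT"
}

# sh thisfile.sh demo   prints the rule set for the constructed secondary address
case ${1:-} in demo) dns_rules_for_secondary 203.0.113.200 ;; esac
```

Compare the printed lines with what `iptables-save` already shows, then add the missing ones the way the reply describes: through the script or application that generated the existing rules if there is one, otherwise with `iptables -A` using the same arguments. Restricting the rules to the secondary's address keeps the zone-transfer path from being reachable from anywhere else.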
it might be a permissions problem on the filesystem, i.e. the destination 'file' directive for your slave zone may not have correct permissions. 'su' to 'named' or 'bind' or whatever your name daemon is running as and try to touch the destination file - this'll give you your answer pretty quick.
Doesn't sound like a firewall issue - sarge debian has a default ACCEPT rule on the iptables policies (if you've installed iptables). You won't get a permission denied error if it's a firewall issue as firewalls don't know about permissions generally. (although.. there is an iptables module to do this)
cheers
Last edited by angrybeaver; 03-17-2005 at 12:38 AM.
I have taken all that on board and managed to suss out the following:
Using nmap -sU I determined that UDP 53 was open|filtered and followed that up with nmap -sU -sV and confirmed it to be open:
Code:
53/udp open ISC Bind 8.4.4-NOESW
So I started to follow up on the permissions idea and found that named is running as root (which I guess is a very bad thing in the greater scheme of things but I intend to get jaild going eventually as part of the hardening) by doing a ps -aux so I would think that filesystem permissions are not the cause.
I couldn't find the iptables/ipchains confs at all. There are no config systems running that I know of since it is a clean debian 3.1 Kernel 2.6 install
Mar 16 03:53:20 localhost named[10361]: approved AXFR from [203.XXX.YYY.200].56363 for "mydomainname.com.au"
Mar 16 03:53:20 localhost named[10361]: zone transfer (AXFR) of "mydomainname.com.au" (IN) to [203.XXX.YYY.200].56363 serial 2005030105
Mar 16 03:53:57 localhost kernel: ip_tables: (C) 2000-2002 Netfilter core team
So I guess some kind of transfer is being attempted so where is it all going wrong??!! This also tells me that I am using IPTABLES:
so...
Based on the fact that your logfiles show that the zone file transfer was approved (versus DENIED) from the secondary, then I would focus my efforts on the permissions problem pointed out by angrybeaver.
Hint: Are you sure the directory exists where the copy of the zone file is being stored on the secondary?
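The two checks suggested in this thread, angrybeaver's "su to the daemon user and touch the destination file" and the hint above about the directory existing, can be done in one pass. The following POSIX sh script is an added example, not code from the thread: it pulls the `file` paths of every slave zone out of a named.conf, resolves them against bind's `directory` option, and reports whether each directory exists and is writable by the user running the check. The sample named.conf is constructed for the demonstration; the script name, the `named` user and the paths in the usage line are assumptions.

```shell
# Added example, not from the thread. Run it on the secondary as the daemon user,
# for example (script name, user and paths assumed):
#   su -s /bin/sh named -c 'sh zonedirs.sh /etc/bind/named.conf /var/cache/bind'

slave_zone_files() {
    # print the 'file' path of every zone of type slave in the config "$1"
    awk '
        /^[[:space:]]*zone[[:space:]]/ { inzone = 1; depth = 0; ztype = ""; zfile = "" }
        inzone {
            if ($0 ~ /type[[:space:]]+slave[[:space:]]*;/) ztype = "slave"
            if (match($0, /file[[:space:]]+"[^"]*"/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^file[[:space:]]+"/, "", s); sub(/"$/, "", s)
                zfile = s
            }
            # count braces so a nested block such as masters { ... }; does not end the zone early
            depth += gsub(/\{/, "&") - gsub(/\}/, "&")
            if (depth <= 0) {
                if (ztype == "slave" && zfile != "") print zfile
                inzone = 0
            }
        }
    ' "$1"
}

check_slave_zone_dirs() {
    # $1: named.conf; $2: bind's 'directory' option, prepended to relative file paths
    # prints one line per slave zone; returns 1 if any directory is missing or read-only
    conf=$1
    base=${2:-.}
    status=0
    old_ifs=$IFS
    IFS='
'
    for f in $(slave_zone_files "$conf"); do
        case $f in
            /*) path=$f ;;
            *)  path=$base/$f ;;
        esac
        d=$(dirname "$path")
        if [ ! -d "$d" ]; then
            echo "MISSING  $d  (zone file $f)"; status=1
        elif [ ! -w "$d" ]; then
            echo "READONLY $d  (zone file $f) for user $(id -un)"; status=1
        else
            echo "ok       $d  (zone file $f)"
        fi
    done
    IFS=$old_ifs
    return $status
}

write_sample_named_conf() {
    # constructed configuration: one master zone and two slave zones, one of them on a single line
    cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
};
zone "example.com.au" {
    type master;
    file "master/example.com.au.db";
};
zone "mydomainname.com.au" {
    type slave;
    masters { 203.0.113.5; };
    file "slaves/mydomainname.com.au.db";
};
zone "other.example" { type slave; file "nowhere/other.db"; masters { 203.0.113.5; }; };
EOF
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/slaves"            # only the first slave zone's directory is created
    write_sample_named_conf "$tmp/named.conf"
    check_slave_zone_dirs "$tmp/named.conf" "$tmp"   # reports ok for slaves/, MISSING for nowhere/
    rm -rf "$tmp"
}

# sh zonedirs.sh demo   runs the constructed demonstration instead of a real config
case ${1:-} in demo) demo ;; esac
```

Because `-w` is evaluated for the user actually running the script, a run as root will report every directory writable; the result only means something when run as the account named runs as, which is why the usage line goes through `su -s /bin/sh`. A MISSING or READONLY line on the secondary is exactly the condition that produces the "permission denied" in the first post's log.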