LinuxQuestions.org

Thread: Firewall problem? (https://www.linuxquestions.org/questions/linux-newbie-8/firewall-problem-712335/)

Marc-ahs 03-17-2009 03:37 PM

Firewall problem?
 
Hi,

I think I've got something configured incorrectly with iptables. Digging on my domain brings me "ServFail," and that's it. My ip from the outside world resolves to the page it should, I can ssh in, etc.....I just can't get my nameservers happy. Ideas?

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I'm operating on a Fedora 9 box and all the bits and pieces (Bind and Apache) are running smoothly (at least from what I can tell). My nameservers are specified in resolv.conf and ipv4 forwarding is enabled. Something tells me my firewall is preventing me from communicating with the DNS servers as "intoDNS" is reporting a few errors (NS records).

Any help would be greatly appreciated.

Thanks

Marc-ahs 03-18-2009 09:18 AM

Since I can't pry an answer out of someone, I'm innocently following up to state two things:

1) I want to learn.
2) I want to learn more.

The information I provided may not have narrowed my potential issues much, but I was hoping someone could point me in the right direction.

Here's some additional stuff

#nmap -v
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https

# nslookup domain
;; Got SERVFAIL reply from 68.105.x.x, trying next server
;; Got SERVFAIL reply from 68.105.x.x, trying next server
Server: 68.105.x.x
Address: 68.105.x.x#53

I've called both my isp and domain registrar and all is well. Nothing on their end.

#netstat -tap
tcp 0 0 *:38275 *:* LISTEN 1825/rpc.statd
tcp 0 0 *:sunrpc *:* LISTEN 1806/rpcbind
tcp 0 0 domain.com:domain *:* LISTEN 6665/named
tcp 0 0 localhost.localdomai:domain *:* LISTEN 6665/named
tcp 0 0 *:ssh *:* LISTEN 2110/sshd
tcp 0 0 localhost.localdomain:ipp *:* LISTEN 2168/cupsd
tcp 0 0 localhost.localdomain:rndc *:* LISTEN 6665/named
tcp 1 0 domain.com:41999 ip-72-167-18-239.ip.se:http CLOSE_WAIT 5614/npviewer.bin
tcp 1 0 domain.com:55830 proxy4.fedoraproject.o:http CLOSE_WAIT 5614/npviewer.bin
tcp 1 0 domain.com:41680 yx-in-f100.google.com:http CLOSE_WAIT 5614/npviewer.bin
tcp 0 0 *:http *:* LISTEN 32729/httpd
tcp 0 0 *:ssh *:* LISTEN 2110/sshd
tcp 0 0 localhost6.localdomain:rndc *:* LISTEN 6665/named
tcp 0 0 *:https *:* LISTEN 32729/httpd

From what I can gather, there is a communication breakdown between my machine and the nameservers.

Any help would be greatly appreciated.

Thank you.

MensaWater 03-18-2009 01:32 PM

When logged into your server that is running BIND type:
service named status
That should let you know if it is running and listening.

On that server try running "dig @localhost <name>" where name is site you're trying to lookup. That should at least let you know if you're getting an answer in box. If you're not then your BIND setup is likely the issue and you should focus on that.

Also the registrar needs to have an entry for your primary DNS server which would be the above box. The IP they should have for it is the one the world sees.

Try running "whois <name>" to see what the record is. This should show who it is registered to (you presumably) as well as let you know what DNS server(s) should answer the query.

If you'd post your domain name we'd be able to test dig and whois against it to let you know if there are any obvious issues.

Marc-ahs 03-18-2009 02:36 PM

Ahh......apologies for the duplicate posts. Just wasn't sure if being in the wrong area was the reason for no reply. Thank you very much for taking the time to help.

Here are the results of your inquiries:

#service named status
version: 9.5.1-P1
number of zones: 15
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid 21198) is running...

Then a dig:

#dig @localhost coleayres.com
; <<>> DiG 9.5.1-P1 <<>> @localhost coleayres.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 555
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;coleayres.com. IN A

;; Query time: 104 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 18 15:12:58 2009
;; MSG SIZE rcvd: 31

So with that, can we say Bind is the issue? My registrar has both the DNS servers I was given applied to the account. A whois provides the following:

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: COLEAYRES.COM
Created on: 27-Feb-09
Expires on: 27-Feb-10
Last Updated on: 06-Mar-09

Domain servers in listed order:
NS1.COXMAIL.COM
NS2.COXMAIL.COM

Thoughts? What confuses me is if I go directly to the static ip, I get my page. Argh!

There is an option with GoDaddy to add a host which could allow me to point the nameserver ip towards ns1.coxmail.com........could this be the cause of the problem? I spoke to a customer rep, and he said I've done what I need to do.

Let me know what you think.

Thanks!

MensaWater 03-18-2009 03:09 PM

Your dig at localhost didn't give you an answer. It could be you're not allowing localhost in BIND (localhost = 127.0.0.1) but I'm guessing the problem is BIND as it didn't sound like you'd done any security tightening of the named.conf. Also it's unlikely you did any firewall restrictions for 127.0.0.1.

You can always rule out firewall issues by temporarily disabling the firewall. But I wouldn't do that until I'd looked at the BIND configuration (named.conf and the zone file for coleayres.com).

I'm assuming coleayres.com is your domain? Coxmail.com is Cox Communications' DNS servers rather than your own. The whois is telling you any search for coleayres.com should be answered by Coxmail.com rather than by your own DNS server. That means that either you should be having Cox update their records to include your IP or you should update your registration at GoDaddy to show your DNS server and its IP. Neither is "wrong" - just different ways of going about it. I fear you may have confused your outbound lookups that use the Cox servers in /etc/resolv.conf with inbound lookups that probably don't use that. If it's supposed to be using your DNS server you might want to address that first because some changes at the Registrar can take a day or three to propagate through the internet due to the way different people cache lookups.

0.o 03-18-2009 03:40 PM

I doubt it is your firewall considering you have a default policy of allow.

Marc-ahs 03-18-2009 03:52 PM

Ayayay.

Yeah, I have tried disabling the firewall previously with no luck. Coleayres is my domain, yes. I'm just unbelievably confused, which is what I get for attempting to replicate a completely different server I had at work on a Red Hat box.

I have the static ip and was assigned nameserver ips from cox, which I had assumed (bad idea) would translate into ns1.coxmail.com....so those are what are in my resolv.conf file. Fire up my network, Apache, named, and those nameserver ips would resolve coleayres.com. Easy, right?

I do have BIND set up with the zone for coleayres. I had it disabled previously as I was trying to keep it simple.

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };
        recursion yes;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "coleayres.com" IN {
        type master;
        file "coleayres.zone";
        notify yes;
};

include "/etc/named.rfc1912.zones";


Zone file

$ttl 38400
@       IN SOA  coleayres.com. root.coleayres.com. (
                2009031201 ; Serial
                10800      ; Refresh 3 hours
                3600       ; Retry 1 hour
                3600000    ; Expire 1000 hours
                7200       ; Minimum 2 hours
                )
        IN NS   ns1.coxmail.com.
        IN NS   ns2.coxmail.com.

coleayres.com.  IN A    xx.xxx.xxx.xxx
www             IN A    xx.xxx.xxx.xxx

So, at this point I have the feeling I'm missing something entirely.

Marc-ahs 03-18-2009 04:04 PM

Can either of you recommend a book?

Let's see, firewall accepting all connections from around the world? Check.

Nameservers setup for incoming instead of outgoing? Check.

Holy moly.

MensaWater 03-19-2009 08:34 AM

There's actually some really good online documentation for DNS (as well as a plug there for the book) at:
http://www.zytrax.com/books/dns/

The confusion comes because there are different ways of doing things. You get the IP from your ISP and the Domain Name from your Registrar.

You can get web service and mail hosting from some companies and many of the ISPs and Registrars offer those services as well. However, you do NOT have to do so. If you do use their hosting service you don't even need a server of any sort as it will all be on their servers. If they are not doing the hosting then of course you need your own server.

For forward lookups (by name) your Registrar has to either have the records for your site (e.g. www.coleayres.com) in their DNS servers -OR- they must know what YOUR DNS servers' names (e.g. ns1.coleayres.com) are so they can forward requests for your domain (coleayres.com) to you.

If you do the former you do not need a DNS server of your own. If you do the latter you do need a DNS server (actually you should have 2 for redundancy).

For reverse lookups (by IP address rather than name) your ISP has to delegate the IP to you. You must tell the ISP which DNS server (the Registrar's or your own) to use for reverse lookups.

The point in DNS is the same as that of a local /etc/hosts file. Simply to allow you to address a site by name rather than IP by having the computer associate the name with the IP. (This is why it is called a "naming service".)

For a small internal network setting up DNS is usually not worth the hassle as you can do what you need in /etc/hosts of each system (or in the Windows hosts file under system32). The benefit to DNS is you don't have to update multiple hosts files. Also if you're letting the outside world ask you where to go then DNS helps.

In your named.conf you are restricting queries to localhost meaning only those inside the box would work - you'd have to allow query to "any" to make it available outside the box.

In your zone file you are telling it to use Cox's DNS servers which is incorrect because:
1) It is unlikely Cox is the one that would serve your records unless they'd agreed to do so, because they're your ISP, not your Registrar.
2) If they were hosting your records you'd have no need for your own DNS setup as noted above.
Your zone file should provide YOUR server name as the DNS host.

You also noted you'd stopped BIND (named). With it down the dig I told you of before would fail.
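As an added example (not code from anyone in this thread), the script below turns the two MensaWater replies into a repeatable check: it reads the captured output of "dig @localhost", the whois delegation, the named.conf options block and the zone file, and reports the same mismatches discussed above (SERVFAIL from the local resolver, listen-on and allow-query restricted to loopback, zone NS records and registrar delegation that do not name the poster's own server). The inputs are constructed copies of what was posted, with the address masked, and the hostname ns1.coleayres.com is a hypothetical name for the poster's own nameserver.

```python
import re

# Constructed sample inputs modelled on what was posted in this thread.
# xx.xxx.xxx.xxx is the poster's masking, not a real address.
NAMED_CONF = """
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    allow-query { localhost; };
    recursion yes;
};
zone "coleayres.com" IN {
    type master;
    file "coleayres.zone";
};
"""

ZONE_FILE = """
$ttl 38400
@   IN SOA coleayres.com. root.coleayres.com. (
        2009031201 ; Serial
        10800 ; Refresh
        3600 ; Retry
        3600000 ; Expire
        7200 ) ; Minimum
    IN NS ns1.coxmail.com.
    IN NS ns2.coxmail.com.
coleayres.com. IN A xx.xxx.xxx.xxx
www            IN A xx.xxx.xxx.xxx
"""

WHOIS_OUT = """
Domain Name: COLEAYRES.COM
Domain servers in listed order:
NS1.COXMAIL.COM
NS2.COXMAIL.COM
"""

DIG_OUT = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 555\n"

# Address forms BIND treats as "this box only".
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def dig_status(dig_output):
    """Return the rcode from a dig header line, e.g. 'SERVFAIL' or 'NOERROR'."""
    m = re.search(r"status:\s*([A-Z]+)", dig_output)
    return m.group(1) if m else "UNKNOWN"


def _acl(conf, directive):
    """Collect the entries of a named.conf list such as allow-query { a; b; };"""
    out = []
    for m in re.finditer(directive + r"[^{]*\{([^}]*)\}", conf):
        out += [e.strip() for e in m.group(1).split(";") if e.strip()]
    return out


def zone_ns(zone_text):
    """Targets of the NS records in a zone file, lowercased, trailing dot removed."""
    return {m.group(1).lower().rstrip(".")
            for m in re.finditer(r"\bIN\s+NS\s+(\S+)", zone_text)}


def whois_ns(whois_text):
    """Delegated nameservers listed under 'Domain servers in listed order:'."""
    names, collecting = set(), False
    for line in whois_text.splitlines():
        if line.startswith("Domain servers in listed order:"):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            names.add(line.strip().lower().rstrip("."))
    return names


def audit(conf, zone_text, whois_text, dig_output, own_ns):
    """Return the list of problems found. own_ns is the hostname this BIND
    should be known by (hypothetical here: ns1.coleayres.com)."""
    findings = []
    if dig_status(dig_output) != "NOERROR":
        findings.append("dig @localhost did not return NOERROR: fix BIND before the firewall")
    listen = set(_acl(conf, r"listen-on(?:-v6)?"))
    if listen and listen <= LOOPBACK:
        findings.append("listen-on binds only loopback: external queries never reach named")
    allow = set(_acl(conf, r"allow-query"))
    if allow and allow <= LOOPBACK:
        findings.append("allow-query { localhost; } refuses every query from outside the box")
    zns, wns = zone_ns(zone_text), whois_ns(whois_text)
    if own_ns.lower() not in zns:
        findings.append(f"zone NS records {sorted(zns)} do not name this server ({own_ns})")
    if own_ns.lower() not in wns:
        findings.append(f"registrar delegates to {sorted(wns)}, not {own_ns}: nobody will ask this server")
    return findings


if __name__ == "__main__":
    for problem in audit(NAMED_CONF, ZONE_FILE, WHOIS_OUT, DIG_OUT, "ns1.coleayres.com"):
        print("-", problem)
```

Run against the posted configuration it reports all five problems; once listen-on and allow-query are opened, the zone's NS records name the poster's own server and the registrar delegates to it, the same audit returns an empty list, which is the state the thread is working towards.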

