LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   port 53 blocked? (http://www.linuxquestions.org/questions/linux-newbie-8/port-53-blocked-4175414311/)

vincix 07-01-2012 12:45 PM

port 53 blocked?
 
Hello,

I'm experimenting with a DNS server at home which I can seem to make use of remotely and I am not sure if port 53 is actually blocked by my ISP. My DNS server works on localhost, I've created a zone and everything, but when I try to ping the zone from the outside, it doesn't respond. Obviously, I've added the DNS ip on my windows client computer. So what I'm trying to find out, as I've said before, is to understand if the port is really blocked. I've checked the ports the computer is listening to and it was there attached to my public address.

Any suggestions?

Thanks

bhaslinux 07-01-2012 03:12 PM

do you have an outside IP where you can login to ? so that you can try out

a) Enable debug mode in bind and check if the requests are reaching your server
b) Do a tcpdump on udp port 53 to check if the packets are reaching.

Even before these, have you setup your domain host server NS records correctly to the IP which is being queried ?

vincix 07-01-2012 04:27 PM

R:
 
Yes, I have a routable IP. Actually I'm connecting through ssh from a remote location (from a windows client on which I changed my dns settings with the server's ip)

I've only started bind with #named -g command and no, as far I as could see, there was no response to any queries that I've tried.

This is how the zone file looks. It's really rudimentary:

$ORIGIN zonamea.ro.
$TTL 3600
@ SOA ns.zonamea.com. vinci.zonamea.com. (
2012070107;
1d;
2h;
4w;
1h;
)

zonamea.com. NS ns
zonamea.com. MX 10 mail.zonamea.com.
zonamea.com. A 95.164.52.197
ns A 95.164.52.197
www CNAME zonamea.com.
mail A 95.164.52.197

As you can see from "ns A 95...", the association is made... correctly, I suppose.

I've run a tcpdump, but there's no output to my ping zonamea.com from my windows computer.

RobertEachus 07-05-2012 11:46 AM

Well the zone is delegated to some older BIND servers, that don't have the zone. (They are referring back to root, doesn't follow current standards.)
However I would suspect there may be a problem with the remote site you are coming from blocking connections to port 53. On the remote box try
Code:

nslookup -debug www.google.com. 8.8.8.8
from the windows box to see if the remote network is blocking outbound DNS requests.


If you want this to resolve on the internet you will need to have the GTLD servers add the GLUE records delegating to your server ns.zonamea.com and providing the A record for the NS server as well. If you purchased the domain you would do this with whoever you bought the domain from. Hope this points you in the right direction.
I shorted this up a bit but here is some of the output I got from "dig +trace zonamea.com."

Code:

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 287 ms

zonamea.com.            172800  IN      NS      ns10.hostzilla.ro.
zonamea.com.            172800  IN      NS      ns11.hostzilla.ro.
zonamea.com.            172800  IN      NS      ns12.hostzilla.ro.
;; Received 98 bytes from 192.42.93.30#53(192.42.93.30) in 132 ms

.                      518400  IN      NS      A.ROOT-SERVERS.NET.
.                      518400  IN      NS      B.ROOT-SERVERS.NET.
.                      518400  IN      NS      C.ROOT-SERVERS.NET.

;; BAD REFERRAL
;; Received 240 bytes from 92.55.144.207#53(92.55.144.207) in 241 ms


vincix 07-06-2012 09:54 AM

re
 
I don't think you understand. I didn't byy any domain. I'm just experimenting with a dns server. You'd have to know my public ip (the one I wrote isn't the real one) etc, etc.
I don't know how I can make it easier: I created a dns server on linux and I'm trying to use it (to use the domain on which it's authoritative) by changing my windows dns settings using the server's ip. That is all. And I simply want to it respond to the respective domain. And the problem is that it doesn't. I'm not sure ifport 53 is blocked. I'll try to phone up my ISP and get to the bottom of this.
Anyway, I hope you understand from what I'm saying here that what you've done, looking for zonamea.com makes no sense in this context, because the domain is not public. It was just a connection referring to two computers - the linux server and the windows server. That is all.


Quote:

Originally Posted by RobertEachus (Post 4720048)
Well the zone is delegated to some older BIND servers, that don't have the zone. (They are referring back to root, doesn't follow current standards.)
However I would suspect there may be a problem with the remote site you are coming from blocking connections to port 53. On the remote box try
Code:

nslookup -debug www.google.com. 8.8.8.8
from the windows box to see if the remote network is blocking outbound DNS requests.


If you want this to resolve on the internet you will need to have the GTLD servers add the GLUE records delegating to your server ns.zonamea.com and providing the A record for the NS server as well. If you purchased the domain you would do this with whoever you bought the domain from. Hope this points you in the right direction.
I shorted this up a bit but here is some of the output I got from "dig +trace zonamea.com."

Code:

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 287 ms

zonamea.com.            172800  IN      NS      ns10.hostzilla.ro.
zonamea.com.            172800  IN      NS      ns11.hostzilla.ro.
zonamea.com.            172800  IN      NS      ns12.hostzilla.ro.
;; Received 98 bytes from 192.42.93.30#53(192.42.93.30) in 132 ms

.                      518400  IN      NS      A.ROOT-SERVERS.NET.
.                      518400  IN      NS      B.ROOT-SERVERS.NET.
.                      518400  IN      NS      C.ROOT-SERVERS.NET.

;; BAD REFERRAL
;; Received 240 bytes from 92.55.144.207#53(92.55.144.207) in 241 ms



RobertEachus 07-06-2012 12:42 PM

Sorry I'll try to turn off -verbose ;) I was just trying to give you as much information as possible, with the information you provided.

I doubt your ISP is blocking incoming requests requests on port 53. I know the common ports for blocking and the reasons behind them. As I mentioned before its more likely that the private network, your remote linux box is on, is blocking direct connections to DNS servers on the internet, as this is much more common than ISPs blocking your use of port 53. (Not saying they aren't just that it would be unusual.)

Sadly DSL reports may be a better source of a port blocking list for your ISP than the Tier 1 tech support. Tier 1 tends to fail badly when it comes to uncommon technical questions.

If you would like a tool for determining where/if port 53 is blocked you can do a TCP syn packet traceroute from linux with;

Code:

traceroute -T -p  53 [DNS SERVER IP]
To do the same from your windows box you will need something like tracetcp

Code:

tcping.exe [DNS SERVER IP] 53
Yes, DNS is normally UDP port 53 however it fails over to TCP as a back up, so if UDP port 53 is blocked then TCP would also be blocked.

You could also try to telnet from the windows box to the DNS server on port 53, it should connect then hang.

Code:

telnet [DNS SERVER IP] 53

vincix 07-17-2012 01:49 PM

I'll get back to you after I experiment again with my DNS server. I only want to say that there's no private network (except the one the windows client is on from which I try to reach the dns server), my Linux has a public IP. I only told you that the one I put down for you was not the real one, but it's still public :)

lithos 07-17-2012 03:11 PM

Hi vincix

you can setup your server like "resolving caching name server" or you can have any of the DNS server types.
Which one did you set up ?

By what I understand your posts is that you want "resolving caching DNS" in which you can add an "authoritative" for your domain "example-domain.net".

good luck


All times are GMT -5. The time now is 11:58 AM.