LinuxQuestions.org
Old 07-01-2012, 12:45 PM   #1
vincix
Member
 
Registered: Feb 2011
Posts: 44

Rep: Reputation: 0
port 53 blocked?


Hello,

I'm experimenting with a DNS server at home which I can't seem to make use of remotely, and I am not sure if port 53 is actually blocked by my ISP. My DNS server works on localhost, I've created a zone and everything, but when I try to ping the zone from the outside, it doesn't respond. Obviously, I've added the DNS IP on my Windows client computer. So what I'm trying to find out, as I've said before, is whether the port is really blocked. I've checked the ports the computer is listening on and it was there, attached to my public address.

Any suggestions?

Thanks
 
Old 07-01-2012, 03:12 PM   #2
bhaslinux
Member
 
Registered: Oct 2003
Location: UnitedKingdom
Distribution: Debian Lenny
Posts: 351

Rep: Reputation: 47
Do you have an outside IP where you can log in to, so that you can try out:

a) Enable debug mode in bind and check if the requests are reaching your server
b) Do a tcpdump on udp port 53 to check if the packets are reaching.

Even before these, have you set up your domain's NS records correctly to point at the IP which is being queried?
 
Old 07-01-2012, 04:27 PM   #3
vincix
Member
 
Registered: Feb 2011
Posts: 44

Original Poster
Rep: Reputation: 0
R:

Yes, I have a routable IP. Actually I'm connecting through ssh from a remote location (from a Windows client on which I changed my DNS settings to the server's IP).

I've only started bind with the #named -g command and no, as far as I could see, there was no response to any queries that I've tried.

This is how the zone file looks. It's really rudimentary:

$ORIGIN zonamea.com.        ; must match the zone name used in named.conf
$TTL 3600
@ IN SOA ns.zonamea.com. vinci.zonamea.com. (
    2012070107  ; serial
    1d          ; refresh
    2h          ; retry
    4w          ; expire
    1h          ; negative-cache TTL
)

zonamea.com. NS ns
zonamea.com. MX 10 mail.zonamea.com.
zonamea.com. A 95.164.52.197
ns A 95.164.52.197
www CNAME zonamea.com.
mail A 95.164.52.197

As you can see from "ns A 95...", the association is made... correctly, I suppose.

I've run a tcpdump, but there's no output for my ping zonamea.com from my Windows computer.
 
Old 07-05-2012, 11:46 AM   #4
RobertEachus
Member
 
Registered: Dec 2011
Posts: 32

Rep: Reputation: 8
Well, the zone is delegated to some older BIND servers that don't have the zone. (They are referring back to root, which doesn't follow current standards.)
However, I would suspect there may be a problem with the remote site you are coming from blocking connections to port 53. On the remote box try
Code:
nslookup -debug www.google.com. 8.8.8.8
from the windows box to see if the remote network is blocking outbound DNS requests.


If you want this to resolve on the internet you will need to have the GTLD servers add the GLUE records delegating to your server ns.zonamea.com and providing the A record for the NS server as well. If you purchased the domain you would do this with whoever you bought the domain from. Hope this points you in the right direction.
I shortened this up a bit, but here is some of the output I got from "dig +trace zonamea.com."

Code:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 287 ms

zonamea.com.            172800  IN      NS      ns10.hostzilla.ro.
zonamea.com.            172800  IN      NS      ns11.hostzilla.ro.
zonamea.com.            172800  IN      NS      ns12.hostzilla.ro.
;; Received 98 bytes from 192.42.93.30#53(192.42.93.30) in 132 ms

.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.

;; BAD REFERRAL
;; Received 240 bytes from 92.55.144.207#53(92.55.144.207) in 241 ms
 
Old 07-06-2012, 09:54 AM   #5
vincix
Member
 
Registered: Feb 2011
Posts: 44

Original Poster
Rep: Reputation: 0
re

I don't think you understand. I didn't buy any domain. I'm just experimenting with a DNS server. You'd have to know my public IP (the one I wrote isn't the real one) etc., etc.
I don't know how I can make it easier: I created a DNS server on Linux and I'm trying to use it (to use the domain on which it's authoritative) by changing my Windows DNS settings to the server's IP. That is all. And I simply want it to respond to the respective domain. And the problem is that it doesn't. I'm not sure if port 53 is blocked. I'll try to phone up my ISP and get to the bottom of this.
Anyway, I hope you understand from what I'm saying here that what you've done, looking for zonamea.com, makes no sense in this context, because the domain is not public. It was just a connection referring to two computers - the Linux server and the Windows server. That is all.

 
Old 07-06-2012, 12:42 PM   #6
RobertEachus
Member
 
Registered: Dec 2011
Posts: 32

Rep: Reputation: 8
Sorry, I'll try to turn off -verbose; I was just trying to give you as much information as possible with the information you provided.

I doubt your ISP is blocking incoming requests on port 53. I know the common ports for blocking and the reasons behind them. As I mentioned before, it's more likely that the private network your remote Linux box is on is blocking direct connections to DNS servers on the internet, as this is much more common than ISPs blocking your use of port 53. (Not saying they aren't, just that it would be unusual.)

Sadly DSL reports may be a better source of a port blocking list for your ISP than the Tier 1 tech support. Tier 1 tends to fail badly when it comes to uncommon technical questions.

If you would like a tool for determining where/if port 53 is blocked, you can do a TCP SYN packet traceroute from Linux with:

Code:
traceroute -T -p 53 [DNS SERVER IP]
To do the same from your Windows box you will need something like tracetcp:

Code:
tcping.exe [DNS SERVER IP] 53
Yes, DNS is normally UDP port 53; however, it fails over to TCP as a backup, so if UDP port 53 is blocked then TCP would also be blocked.

You could also try to telnet from the Windows box to the DNS server on port 53; it should connect and then hang.

Code:
telnet [DNS SERVER IP] 53

Last edited by RobertEachus; 07-06-2012 at 12:54 PM. Reason: Had client and server OSs backwards
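Added example (not posted by anyone in this thread): a small Python probe that does what the traceroute/tcping/telnet checks above do by hand, sending one real DNS query to [DNS SERVER IP] first over UDP and then over TCP, and classifying the outcome so you can tell "filtered" (timeout) apart from "reachable but no answer" (NXDOMAIN/REFUSED) and "reachable and working" (answer). It assumes you call probe() with your server's public IP and the name your zone is authoritative for.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, txid=0x1234, qtype=1):
    """Minimal DNS query: RD=1, one question, qtype 1 = A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an}

def classify(reply, txid=0x1234):
    """Turn a raw reply (None = nothing arrived) into a one-word verdict."""
    if reply is None:
        return "timeout"      # filtered on the path, or nothing listening on UDP
    h = parse_header(reply)
    if not h["qr"] or h["id"] != txid:
        return "garbage"      # something replied, but not to our query
    if h["rcode"] == "NOERROR" and h["answers"] > 0:
        return "answer"       # port open and the server knows the name
    return h["rcode"]         # port open; server reachable but no useful answer

def probe(server, qname, proto="udp", timeout=3.0):
    """Send one query over UDP or TCP to server:53 and classify the outcome."""
    q = build_query(qname)
    try:
        if proto == "udp":
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            reply = s.recvfrom(4096)[0]
        else:                 # DNS over TCP: 2-byte length prefix each way
            s = socket.create_connection((server, 53), timeout=timeout)
            s.sendall(struct.pack("!H", len(q)) + q)
            n = struct.unpack("!H", s.recv(2))[0]
            reply = s.recv(n)  # one recv is enough for a small answer
        s.close()
        return classify(reply)
    except socket.timeout:
        return classify(None)
    except ConnectionRefusedError:
        return "refused"      # TCP RST: host reachable, nothing listening on 53
    except (OSError, struct.error) as e:
        return "error: %s" % e
```

Run probe("95.164.52.197", "zonamea.com", "udp") and then with "tcp" from the Windows side and from the Linux box itself: "answer" on localhost but "timeout" from outside means the packets are being dropped before they reach named, which is exactly what an empty tcpdump on udp port 53 would also show.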
 
Old 07-17-2012, 01:49 PM   #7
vincix
Member
 
Registered: Feb 2011
Posts: 44

Original Poster
Rep: Reputation: 0
I'll get back to you after I experiment again with my DNS server. I only want to say that there's no private network (except the one the Windows client is on, from which I try to reach the DNS server); my Linux box has a public IP. I only told you that the one I put down for you was not the real one, but it's still public.
 
Old 07-17-2012, 03:11 PM   #8
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217Reputation: 217Reputation: 217
Hi vincix

You can set up your server as a "resolving caching name server", or you can have any of the other DNS server types.
Which one did you set up?

From what I understand of your posts, you want a "resolving caching DNS" in which you can add an "authoritative" zone for your domain "example-domain.net".

good luck
 
  

