Old 12-13-2010, 04:59 AM   #1
linux_tyro
LQ Newbie
Registered: May 2009
Location: east Texas
Distribution: FC13, CentOS5.5

New Fedora DNS install, but no port 53 access from the outside

Hey Guys, first post here but I've solved many of life's problems here so I'm hopeful there's a wise one out there that's seen this.

I have installed Bind 9 on a new Fedora machine:
Code:
[root@***]# rpm -q bind
bind-9.7.2-1.P3.fc13.i686
It was yum installed and all went well without error, but I'm not able to access bind on port 53. SELinux is disabled for this test, and iptables has been saved with the config below in the INPUT chain:
Code:
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain state NEW
REJECT     all  --  anywhere             anywhere            reject-with icmp-net-unreachable
I have just added other items in the iptables and gained/blocked access with those rules effectively, so I know iptables is operational. Just for grins I turned off the iptables service and no difference either.

I have used a port scanner by Solarwinds on a PC outside this server's network, and on port 53 it shows no reply. Get this: when I disabled the iptables service and scanned, it showed "Blocked". I turned iptables back on and got "No Reply" again.

My nmap shows this:
Code:
[root@***]# nmap -sU localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-13 03:28 MST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
rDNS record for 127.0.0.1: ***********.com
Not shown: 994 closed ports
PORT      STATE         SERVICE
53/udp    open          domain
111/udp   open          rpcbind
123/udp   open          ntp
631/udp   open|filtered ipp
5353/udp  open|filtered zeroconf
I'm not sure what else to look at. Any ideas?

Last edited by linux_tyro; 12-13-2010 at 05:02 AM.
 
Old 12-13-2010, 05:20 AM   #2
prodev05
Member
Registered: Jul 2009
Location: Planet Earth
Distribution: Unix & Linux Variants
Also try the commands below; before trying these commands, shut down your iptables for a while.

Code:
dig -x <ip>            # Checks the DNS record for the given IP
dig <FQDN>             # Checks the DNS record for the given FQDN (Fully Qualified Domain Name)
nslookup <ip>          # Resolves your IP to the name record and gives you the DNS details
nslookup <FQDN>        # Resolves your FQDN to the name record and gives you the IP details
netstat -a | grep 53   # Look for the open port on your network
Once all the output is verified and DNS is working fine, you can assume the problem is with your firewall. Otherwise, try the next test with iptables enabled.

Note: Check the dig output line by line to resolve your issue.

Regards,
 
Old 12-13-2010, 05:47 AM   #3
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Hi,

Could be that your name server is listening only on the local loopback interface. To verify, check if you have
Quote:
listen-on { 127.0.0.1;};
in named.conf, or run:
Code:
netstat -tunapl | grep 53
If that's the case, then edit named.conf and use:
Code:
listen-on { any;};
Regards
 
Old 12-13-2010, 08:53 AM   #4
linux_tyro
LQ Newbie (Original Poster)
Thanks for the reply, guys

Quote:
Could be that your name server is listening only on local loopback interface. To verify, check if you have
Quote:
listen-on { 127.0.0.1;};
Thanks for the help!!! I looked and it was 127.0.0.1 only, so I changed it to any and I'm getting a response. First hurdle has been sailed over thanks to you. Now... I'm on the hunt for answers on the next riddle.

nslookup to my new DNS for yahoo.com returns:
Code:
C:\Users\TCI>nslookup yahoo.com x.x.x.x
Server:  UnKnown
Address:  x.x.x.x

*** UnKnown can't find yahoo.com: Query refused
I'll start hunting this one down in the forum. Thanks again!
 
Old 12-13-2010, 09:07 AM   #5
linux_tyro
LQ Newbie (Original Poster)
Bathory, you were on the right track for this one too!
Quote:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
allow-query was localhost. Why would the default setup give you defaults like these? Oh well, I hope the security is the same this way. It's giving answers now and that's what I needed. Thanks again!

Last edited by linux_tyro; 12-13-2010 at 09:08 AM.
 
Old 12-13-2010, 09:08 AM   #6
bathory
LQ Guru
Hi,

The "Query refused" could mean that you have an "allow-query ..." statement in named.conf and your IP is listed in the allowed addresses.
Or post named.conf, so we can take a look.

Regards
 
Old 12-13-2010, 09:19 AM   #7
bathory
LQ Guru
Cool!

Quote:
recursion yes;
This should better be:
Code:
allow-recursion { 127.0.0.1; 192.168.0.0/24; };
assuming that your LAN is 192.168.0.0/24. If not, change it accordingly.

Regards
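As an added example, not part of this thread and not the Fedora package's shipped named.conf, here is an options block that pulls together the three settings the thread walked through: the loopback-only listen-on from post #3, the allow-query { localhost; } that caused "Query refused" in post #5, and the allow-recursion restriction from post #7. The external address 192.0.2.53 (a documentation range), the ACL name "lan" and the network 192.168.0.0/24 are assumptions; change them to match the server. The block also goes a little beyond the thread by adding allow-query-cache, allow-transfer and version, which are standard hardening for a name server reachable from the Internet.

```conf
// Added example (not from the thread): hardened BIND 9 options block.
// Assumed values: ACL "lan", network 192.168.0.0/24, server IP 192.0.2.53.

acl "lan" {
    127.0.0.1;
    ::1;
    192.168.0.0/24;        // assumed LAN; replace with your own network
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Problem 1 (post #3): the default
    //   listen-on port 53 { 127.0.0.1; };
    // binds only to loopback, so no host outside the box can reach port 53.
    // "any" works, as the poster found; naming the address is tighter.
    listen-on port 53 { 127.0.0.1; 192.0.2.53; };
    listen-on-v6 port 53 { ::1; };

    // Problem 2 (post #5): the default
    //   allow-query { localhost; };
    // answers "REFUSED" to every remote client. Authoritative answers for
    // the zones this server hosts can be given to anyone.
    allow-query { any; };

    // Problem 3 (post #7): "recursion yes;" combined with allow-query { any; }
    // and no allow-recursion makes an open resolver. Keep recursion, but only
    // for the LAN; everyone else gets REFUSED for names we are not
    // authoritative for.
    recursion yes;
    allow-recursion { lan; };
    allow-query-cache { lan; };    // cached answers follow the same ACL

    // Beyond the thread: usual hardening for an Internet-facing server.
    allow-transfer { none; };      // enable per zone only for real secondaries
    version "not disclosed";       // do not answer version.bind with the real version
};
```

Run named-checkconf on the file before restarting named. From a host outside the LAN, a query for a zone this server is authoritative for (dig @192.0.2.53 <your zone>) should be answered, while dig @192.0.2.53 yahoo.com should come back REFUSED. That second result is the difference between a server that answers for its own zones and an open resolver, which is what the configuration in post #5 (allow-query { any; } plus recursion yes; with no allow-recursion) amounts to: anyone on the Internet can use it to resolve arbitrary names, and open resolvers are routinely abused for reflection and amplification attacks.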
 
  

