LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Old 10-20-2008, 04:32 AM   #1
yash singh
LQ Newbie
Registered: Oct 2008
Posts: 9
Blog Entries: 1
bind-9.3.3-7.el5


unable to connect 127.0.0.1#953 connection refused.


I have installed the bind-9.3.3-7.el5 package; the BIND service will run in the /var/named/chroot environment.


This is my named.conf1 file for the primary domain name server:

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
acl "private"{
157.13.0.0/25;
};
options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//

view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { 157.13.0.0/25; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

zone "example.com" IN{
type master;
file "example.com.db";
};
zone "0.13.157.in-addr.arpa" IN{
type master;
file "0.13.157.in-addr.arpa.db";

};

};
key ddns_key
{
algorithm hmac-md5;
secret " 2sSfr6TOVVR+xdx5d87sMw==";
};

This is my named.conf2 file:

// Boot file for example.com name server
acl "private"{
157.13.0.0/24;
};
options {
directory "/var/named";
query-source port 53;
listen-on { 157.13.0.1; };

};


key ddns_key
{
algorithm hmac-md5;
secret " 2sSfr6TOVVR+xdx5d87sMw==";
};
view "private"
{
include "/etc/named.root.hints";



zone "example.com" IN {
type master;
file "example.com.db";
allow-update { none; };
};

zone "0.13.157.in-addr.arpa" IN {
type master;
file "0.13.157.in-addr.arpa.db";
allow-update { none; };
};

};


File: example.com.db
$TTL 86400
@ IN SOA phoenix.example.com. hostmaster.example.com. (
2001062501 ; serial
21600 ; refresh after 6 hours
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day


IN NS phoenix.example.com.


IN MX 10 mail.example.com.


phoenix IN A 157.13.0.1


dito1 IN A 157.13.0.2
dito2 IN A 157.13.0.3



mail IN CNAME phoenix



File: 0.13.157.in-addr.arpa.db

$TTL 86400
@ IN SOA phoenix.example.com. root.example.com. (
2001062501 ; serial
21600 ; refresh after 6 hours
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day

IN NS phoenix.example.com.


1 IN PTR phoenix.example.com.

2 IN PTR dito1.example.com.
3 IN PTR dito2.example.com.

;EOF

This is my rndc.conf file:

key "rndckey" {
algorithm hmac-md5;
secret " 2sSfr6TOVVR+xdx5d87sMw==";

};

options {
default-key "rndckey";
default-server 157.13.0.1;
default-port 953;
};


This is my rndc.key file:


key "rndckey" {
algorithm hmac-md5;
secret " 2sSfr6TOVVR+xdx5d87sMw==";
};


This is my /etc/resolv.conf file:

search 157.13.0.1
nameserver phoenix.example.com


This is my /etc/hosts file:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
157.13.0.1 phoenix.example.com phoenix
157.13.0.2 dito1.example.com dito1
157.13.0.3 dito2.example.com dito2

I have installed the bind-chroot package; the BIND service will run in the /var/named/chroot environment.

$[root@phoenix ~]# nslookup dito1.example.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find dito1.example.com: REFUSED
[root@phoenix ~]# host -l example.com
Host example.com not found: 5(REFUSED)
; Transfer failed.
$[root@phoenix ~]# dig example.com

; <<>> DiG 9.3.3rc2 <<>> example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5009
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN A

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:03:42 2006
;; MSG SIZE rcvd: 29

$[root@phoenix ~]# dig phoenix.example.com

; <<>> DiG 9.3.3rc2 <<>> phoenix.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 36022
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;phoenix.example.com. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:04:17 2006
;; MSG SIZE rcvd: 37

(This is the error I get when using the named.conf1 file.)

NOTE: my server name is phoenix.example.com and its IP is 157.13.0.1, but it is showing the server IP as 127.0.0.1.

When I use the named.conf2 file without changing any other file's configuration, the following error is shown:
$host -l example.com
;; Connection to 127.0.0.1#53(127.0.0.1) for example.com failed: connection refused.
;; Connection to ::1#53(::1) for example.com failed: connection refused.
$[root@phoenix ~]# dig dito1.example.com

; <<>> DiG 9.3.3rc2 <<>> dito1.example.com
;; global options: printcmd
;; connection timed out; no servers could be reached

NOTE: I generated the key with dnssec-keygen using the following command and pasted the secret into named.conf, rndc.conf and the rndc.key file.

$[root@phoenix ~]# dnssec-keygen -a hmac-md5 -b 128 -n user rndc
$[root@phoenix ~]# cat Krndc.+157+14529.private

Also, sometimes I get the errors "host 157.13.0.1#53 not reachable" and "you might be using an older version of bind".
Please help me.
 
Old 10-20-2008, 12:01 PM   #2
bathory
Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 9,608
Welcome to LQ.
First of all, I would suggest you use a more recent bind version because of security problems.
Now, about your problem: I don't think that named is running at all, because there are various errors in both your config files. Looking at /var/log/messages should give you useful info.
Trying to identify some of them:
1. Are you absolutely sure that 157.13.0.0/25; is correct?
2. Remove or comment out "match-destinations { localnets; };"
3.
Quote:
key ddns_key
{
algorithm hmac-md5;
secret " 2sSfr6TOVVR+xdx5d87sMw==";
};
Change the above to:
Code:
key rndckey {
algorithm hmac-md5;
secret "2sSfr6TOVVR+xdx5d87sMw==";
};
controls {
// the keys clause must name the key defined above
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
4. In rndc.conf change "default-server 157.13.0.1;" to "default-server localhost;"
5. /etc/resolv.conf should look like this:
Code:
search example.com
nameserver localhost
nameserver 157.13.0.1
Regards
 
Old 10-20-2008, 12:57 PM   #3
chort
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Code:
query-source port 53;
query-source-v6 port 53;
You need to remove that. It causes your resolver to be vulnerable to cache poisoning. It's not the reason why BIND isn't working for you, but it's a huge security hole.

PS What tutorial did you follow that told you to do that? I'd like to contact the author so they can correct their site.
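The points raised in the two replies above (a fixed query-source port that disables source-port randomisation, a stray space inside the shared secret, a controls statement whose keys clause must name a key that named.conf actually defines, and rndc.conf needing the same key name, algorithm and secret as named.conf) can be checked mechanically before restarting named. The following Python script is an added example, not code from either poster or from BIND itself. Its regex-based parse of the named.conf syntax is a deliberate simplification that covers only the statements discussed in this thread, and the configuration excerpts embedded in it are constructed from the files posted above (the "bad" excerpt reproduces the original mistakes, the "good" one follows bathory's corrections).

```python
"""Sanity-check a named.conf / rndc.conf pair for the problems raised in this thread.

Added example. The parse below is a simplified regex scan of BIND's
configuration syntax, not a full named.conf grammar.
"""
import base64
import binascii
import re

# Constructed excerpts modelled on the thread's files. The leading space in the
# secret and the fixed query-source port reproduce the original mistakes.
BAD_NAMED_CONF = """
options {
    query-source port 53;
    query-source-v6 port 53;
    directory "/var/named";
};
key ddns_key {
    algorithm hmac-md5;
    secret " 2sSfr6TOVVR+xdx5d87sMw==";
};
"""

# Constructed excerpt following the corrections suggested in reply #2.
GOOD_NAMED_CONF = """
options {
    directory "/var/named";
};
key rndckey {
    algorithm hmac-md5;
    secret "2sSfr6TOVVR+xdx5d87sMw==";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
"""

# Constructed rndc.conf using the key name rndc actually expects.
RNDC_CONF = """
key "rndckey" {
    algorithm hmac-md5;
    secret "2sSfr6TOVVR+xdx5d87sMw==";
};
options {
    default-key "rndckey";
    default-server localhost;
    default-port 953;
};
"""

KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{[^}]*?algorithm\s+([\w-]+)\s*;[^}]*?secret\s+"([^"]*)"\s*;',
    re.S,
)
CONTROLS_KEYS_RE = re.compile(r"controls\s*\{.*?keys\s*\{([^}]*)\}", re.S)
QUERY_SOURCE_RE = re.compile(r"query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\d+)\s*;")


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_keys(text):
    """Return {name: (algorithm, secret)} for every key statement in text."""
    return {m.group(1): (m.group(2), m.group(3)) for m in KEY_RE.finditer(strip_comments(text))}


def check_named_conf(text):
    """Return a list of findings (strings) for a named.conf; empty means clean."""
    findings = []
    clean = strip_comments(text)
    for m in QUERY_SOURCE_RE.finditer(clean):
        findings.append("fixed query-source port %s: disables source-port randomisation, "
                        "leaving the resolver open to cache poisoning" % m.group(1))
    keys = parse_keys(clean)
    for name, (_alg, secret) in keys.items():
        if secret != secret.strip():
            findings.append("key %s: secret has leading/trailing whitespace" % name)
        try:
            base64.b64decode(secret.strip(), validate=True)
        except (binascii.Error, ValueError):
            findings.append("key %s: secret is not valid base64" % name)
    ctl = CONTROLS_KEYS_RE.search(clean)
    if ctl is None:
        findings.append("no controls statement: rndc relies on the default loopback "
                        "channel and /etc/rndc.key instead of an explicit key")
    else:
        for ref in re.findall(r'"?([\w.-]+)"?\s*;', ctl.group(1)):
            if ref not in keys:
                findings.append("controls references undefined key %s" % ref)
    return findings


def check_rndc_pairing(named_text, rndc_text):
    """rndc's default-key must exist in named.conf with the same algorithm and secret."""
    named_keys = parse_keys(named_text)
    rndc_keys = parse_keys(rndc_text)
    m = re.search(r'default-key\s+"?([\w.-]+)"?\s*;', strip_comments(rndc_text))
    if not m:
        return ["rndc.conf has no default-key"]
    name = m.group(1)
    if name not in rndc_keys:
        return ["rndc.conf default-key %s is not defined in rndc.conf" % name]
    if name not in named_keys:
        return ["key %s used by rndc is not defined in named.conf" % name]
    if named_keys[name] != rndc_keys[name]:
        return ["key %s differs between named.conf and rndc.conf" % name]
    return []


if __name__ == "__main__":
    for label, conf in (("bad", BAD_NAMED_CONF), ("good", GOOD_NAMED_CONF)):
        print(label, "named.conf:", check_named_conf(conf) or "clean")
        print(label, "rndc pairing:", check_rndc_pairing(conf, RNDC_CONF) or "clean")
```

Run against the original poster's files the script reports the two fixed query-source ports, the whitespace inside the ddns_key secret and, for the rndc pairing, that the key rndc.conf asks for (rndckey) is not defined in named.conf at all, which is consistent with the "connection refused" on 127.0.0.1#953 that opened the thread. For real deployments read the files from /etc (or the chroot) instead of the embedded strings.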