LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 04-21-2010, 02:12 PM   #1
debloxie
Member
 
Registered: Jul 2003
Posts: 153

Rep: Reputation: 30
Question BIND 9.5 on Fedora Core 9 not resolving dns queries


Hi there,

I have this ISP grade Nameserver running on BIND 9.5 on Fedora Core 9 64 Bit.

Its been pretty working well for sometime until a last week when we noticed it stopped resolving for our clients using on our service.

It gives correct authouritative answers for our own ISP domain with the A, PTR and MX intact but does not return resolving queries back to clients.

Below are my files

My named.conf file

//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
recursion yes;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};




include "/etc/rndc.key";
zone "65.223.41.in-addr.arpa" {
type master;
file "/var/named/41.223.65.rev";
};
zone "64.223.41.in-addr.arpa" {
type master;
file "/var/named/41.223.64.rev";
};
zone "66.223.41.in-addr.arpa" {
type master;
file "/var/named/41.223.66.rev";
};
zone "67.223.41.in-addr.arpa" {
type master;
file "/var/named/41.223.67.rev";
};
zone "kkontech.com" {
type master;
file "/var/named/kkontech.com.hosts";
};
zone "molaandassociates.com" {
type master;
file "/var/named/molaandassociates.com.hosts";
};
zone "k-konnect.com" {
type master;
file "/var/named/k-konnect.com.hosts";
};
zone "carawaynigeria.com" {
type master;
file "/var/named/carawaynigeria.com.hosts";
};
zone "rfplus.biz" {
type master;
file "/var/named/rfplus.biz.hosts";
};
zone "kkonmail.com" {
type master;
file "/var/named/kkonmail.com.hosts";
};
zone "olamnigeria.com" {
type master;
file "/var/named/olamnigeria.com.hosts";
};
zone "smarttek.biz" {
type master;
file "/var/named/smarttek.biz.hosts";
};
zone "microfeednigeria.com" {
type master;
file "/var/named/microfeednigeria.com.hosts";
};
zone "lanfordltd.com" {
type master;
file "/var/named/lanfordltd.com.hosts";
};
zone "rfplusltd.com" {
type master;
file "/var/named/rfplusltd.com.hosts";
};
zone "246.215.41.in-addr.arpa" {
type master;
file "/var/named/41.215.246.rev";
};
zone "thegloriouslifeoftolaore.com" {
type master;
file "/var/named/thegloriouslifeoftolaore.com.hosts";
};


My rndc.conf file


key "rndckey" {
algorithm hmac-md5;
secret "QqkHybDQmb9ssz9tPEFle7elzugCkkIFzlXxZJmdOWdliojj3Hu0Iojvr2vl";
};


My Firewall IPtables script


#!/bin/sh
# Global variables
IPTABLES=/sbin/iptables




#########################EXECUTABLE SCRIPTS############################################

#firewall Firewall startup/shutdown script

#
#
#description: Starts shell processes for Kernel Services
#

########### Enable ip forwarding and check against ip spoofing##############
#echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
#echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter
#echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_filter

echo "Starting firewall on Linuxbox"
echo "....."
echo "..........."
echo "......................"
echo "........................................."

############ Flush Chains#############

$IPTABLES -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -F

############Send Traffic to IMQ device###############

#$IPTABLES -A PREROUTING -t mangle -i ${INTERNAL_INTERFACE} -j IMQ --todev 0
#ip link set imq0 up
#$IPTABLES -A POSTROUTING -t mangle -o ${INTERNAL_INTERFACE} -j IMQ --todev 1
#ip link set imq1 up

############## Configure routing and firewall rules###############

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

########### Enable internal connections to this box###################
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 161 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 161 -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 10000 -j ACCEPT

echo "Linuxbox is now secure!"
echo
echo
echo
echo
echo


This is the message from /var/log/messages



Apr 21 20:04:46 ns2 named[20263]: client 62.173.33.130#15812: query (cache) 'xartbb.cc/A/IN' denied
Apr 21 20:04:46 ns2 named[20263]: client 62.173.33.130#15887: query (cache) 'wnmgxtd.net/A/IN' denied
Apr 21 20:04:47 ns2 named[20263]: client 41.215.246.38#1031: query (cache) 'content.yieldmanager.edgesuite.net/A/IN' denied
Apr 21 20:04:47 ns2 named[20263]: client 41.215.246.38#1024: query (cache) 'ads.bluelithium.com/A/IN' denied
Apr 21 20:04:47 ns2 named[20263]: client 41.223.66.5#58694: query (cache) 'socialapi.zune.net/A/IN' denied
Apr 21 20:04:48 ns2 named[20263]: client 41.215.246.38#54790: query (cache) 'wpad/ANY/IN' denied
Apr 21 20:04:48 ns2 named[20263]: client 41.215.246.38#1031: query (cache) 'ad.yieldmanager.com/A/IN' denied
Apr 21 20:04:49 ns2 named[20263]: client 41.223.66.5#54164: query (cache) 'sphotos.ak.fbcdn.net/A/IN' denied
Apr 21 20:04:51 ns2 named[20263]: client 41.223.66.5#63940: query (cache) 'au.download.windowsupdate.com/A/IN' denied
Apr 21 20:04:51 ns2 named[20263]: client 80.88.133.235#61373: query (cache) '167.220.107.209.in-addr.arpa/PTR/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 41.215.247.37#32772: query (cache) 'login.yahoo.com/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15814: query (cache) 'mazzmsuyh.org/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15813: query (cache) 'bapjmv.net/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15811: query (cache) 'obsdcbfqqcd.org/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15816: query (cache) 'crycd.ws/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15818: query (cache) 'jkosj.info/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15815: query (cache) 'wmrecswya.org/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15812: query (cache) 'yczoami.ws/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15829: query (cache) 'wddlkk.biz/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15887: query (cache) 'btghzwgu.ws/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 62.173.33.130#15935: query (cache) 'fzuemvs.biz/A/IN' denied
Apr 21 20:04:54 ns2 named[20263]: client 41.215.246.38#1364: query (cache) 'mx2.yandex.ru/A/IN' denied
Apr 21 20:04:55 ns2 named[20263]: client 41.215.246.38#1377: query (cache) 'us.ard.yahoo.com/A/IN' denied
Apr 21 20:04:55 ns2 named[20263]: client 41.215.246.38#1744: query (cache) 'webslice.mail.yahoo.com/A/IN' denied
Apr 21 20:04:55 ns2 named[20263]: client 41.215.246.38#1365: query (cache) 'a.l.yimg.com/A/IN' denied
Apr 21 20:04:58 ns2 named[20263]: client 41.215.246.38#1364: query (cache) 'us.lrd.yahoo.com/A/IN' denied
Apr 21 20:04:58 ns2 named[20263]: client 41.215.246.38#1377: query (cache) 'new.mail.yahoo.com/A/IN' denied
Apr 21 20:04:58 ns2 named[20263]: client 41.215.246.38#1744: query (cache) 'mobile.yahoo.com/A/IN' denied
Apr 21 20:04:58 ns2 named[20263]: client 41.223.66.5#61948: query (cache) 'us.bc.yahoo.com/A/IN' denied
Apr 21 20:04:58 ns2 named[20263]: client 41.215.247.5#62592: query (cache) 'www.facebook.com/A/IN' denied
Apr 21 20:05:01 ns2 named[20263]: client 62.173.33.130#15814: query (cache) 'picdqd.biz/A/IN' denied
Apr 21 20:05:01 ns2 named[20263]: client 62.173.33.130#15815: query (cache) 'elqze.ws/A/IN' denied
Apr 21 20:05:01 ns2 named[20263]: client 62.173.33.130#15829: query (cache) 'tagtctpvztq.com/A/IN' denied


--------------------------------------------------------------------

NOTES

The 41.223.x.x and 41.215.x.x ip address are from our ISP subnet and so are our own clients being denied.

The box is also hosting our traffic graph server which is on a LAMP but listens on another IP/ethernet card.

So far the load on the server is minimal as is a Dell R200 rack server

Pls any ideas on what can be wrong?

Thanks
 
Old 04-21-2010, 03:07 PM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,953

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
Hi,

It looks like your name server does not allow recursive queries, even though you have
Quote:
recursion yes;
(BTW it's a bad idea to allow recursion to anyone)
Remove it (or comment it out) and allow recursion only for your trusted clients:
Code:
allow-recursion { localnets; localhost; 41.223.x.x/24; 41.215.x.x/24};
Make sure you use the correct subnet mask for your networks

Regards
 
Old 04-21-2010, 05:39 PM   #3
John VV
Guru
 
Registered: Aug 2005
Posts: 13,231

Rep: Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774Reputation: 1774
also fedora 9 is AND HAS been PAST it's End Of Life
there is no support for it !!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS not resolving using bind draxan Linux - Networking 2 08-12-2009 10:59 AM
Fedora Core 4 DHCPD and BIND, cannot get Dynamic DNS to work trainpic Linux - Networking 2 02-25-2006 05:27 PM
Configure BIND DNS to Answer Active Directory Queries Astro Linux - Networking 1 02-01-2006 04:50 PM
Resolving DNS Queries, HTTP Server Configuration ASP Mandriva 2 12-23-2003 09:14 AM
Some queries related to DNS(bind) coolamit78 Linux - Networking 1 12-19-2003 04:05 AM


All times are GMT -5. The time now is 05:17 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration