LinuxQuestions.org
Old 01-23-2012, 08:41 AM   #16
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17

tcp 0 0 x.x.x.x:53 0.0.0.0:* LISTEN 20235/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 20235/named
udp 0 0 x.x.x.x:53 0.0.0.0:* 20235/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 20235/named


@bathory
You're right, it's not listening on UDP 53, why is it listening on TCP not UDP? What do I need to do to get it to listen on UDP?

Or is it just not saying LISTEN because it's UDP?

Last edited by vonedaddy; 01-23-2012 at 08:51 AM.
 
Old 01-23-2012, 09:17 AM   #17
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
udp 0 0 x.x.x.x:53 0.0.0.0:* 20235/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 20235/named
It listens fine.
Try using debugging, or perhaps tcpdump, and see what you get.
 
Old 01-23-2012, 09:44 AM   #18
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
tcp 0 0 x.x.x.x:53 0.0.0.0:* LISTEN 9675/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 9675/named
udp 0 0 x.x.x.x:53 0.0.0.0:* 9675/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 9675/named
udp 0 0 x.x.x.x:64211 192.31.80.30:53 ESTABLISHED 9675/named
udp 0 0 x.x.x.x:43861 192.33.14.30:53 ESTABLISHED 9675/named


I ran rndc trace 3, then tailed named.run:

# tail -f named.run
clientmgr @0x7f5c842de2b5: clientmgr_destroy
exiting
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
managed-keys-zone ./IN: loading from master file dynamic/managed-keys.bind failed: file not found
managed-keys-zone ./IN: loaded serial 0
running



It does not even show the query, like it's not getting here. iptables allows 53 and it's listening...
 
Old 01-23-2012, 09:49 AM   #19
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
I tried tcpdump, and did some queries from another machine. Although I am not sure what any of this means, here is a snippet.

0:44:23.244073 IP m.gtld-servers.net.domain > ns1.mydomain.local.39411: Flags [R.], seq 0, ack 514012226, win 5840, length 0
10:44:23.244313 IP ns1.mydomain.local.as-debug > g.gtld-servers.net.domain: 28348 [1au] AAAA? news.yahoo.com. (43)
10:44:23.272603 IP m.gtld-servers.net.domain > ns1.mydomain.local.re101: 191-| 0/5/1 (405)
10:44:23.272813 IP ns1.mydomain.local.35484 > m.gtld-servers.net.domain: Flags [S], seq 520941895, win 5840, options [mss 1460,sackOK,TS val 8366897 ecr 0,nop,wscale 7], length 0
10:44:23.273068 IP m.gtld-servers.net.domain > ns1.mydomain.local.35484: Flags [R.], seq 0, ack 520941896, win 5840, length 0
10:44:23.273226 IP ns1.mydomain.local.45619 > f.gtld-servers.net.domain: 28369 [1au] A? msgme.com. (38)
10:44:23.278559 IP b.gtld-servers.net.domain > ns1.mydomain.local.63066: 26089-| 0/5/1 (405)
10:44:23.278736 IP ns1.mydomain.local.48926 > b.gtld-servers.net.domain: Flags [S], seq 521353269, win 5840, options [mss 1460,sackOK,TS val 8366903 ecr 0,nop,wscale 7], length 0
10:44:23.278895 IP b.gtld-servers.net.domain > ns1.mydomain.local.48926: Flags [R.], seq 0, ack 521353270, win 5840, length 0
10:44:23.279011 IP ns1.mydomain.local.domain > INTERNALDNS1.mydomain.local.56886: 54874 ServFail 0/0/1 (38)
10:44:23.279026 IP ns1.mydomain.local.domain > INTERNALDNS1.mydomain.local.22905: 49563 ServFail 0/0/1 (38)
10:44:23.326185 IP g.gtld-servers.net.domain > ns1.mydomain.local.as-debug: 28348-| 0/8/1 (455)
10:44:23.326408 IP ns1.mydomain.local.46613 > g.gtld-servers.net.domain: Flags [S], seq 525309528, win 5840, options [mss 1460,sackOK,TS val 8366950 ecr 0,nop,wscale 7], length 0
10:44:23.326638 IP g.gtld-servers.net.domain > ns1.mydomain.local.46613: Flags [R.], seq 0, ack 525309529, win 5840, length 0
10:44:23.326849 IP ns1.mydomain.local.56387 > k.gtld-servers.net.domain: 59576 [1au] AAAA? news.yahoo.com. (43)
10:44:23.347168 IP f.gtld-servers.net.domain > ns1.mydomain.local.45619: 28369-| 0/5/1 (405)
10:44:23.347410 IP ns1.mydomain.local.34171 > f.gtld-servers.net.domain: Flags [S], seq 514907537, win 5840, options [mss 1460,sackOK,TS val 8366971 ecr 0,nop,wscale 7], length 0
10:44:23.347570 IP f.gtld-servers.net.domain > ns1.mydomain.local.34171: Flags [R.], seq 0, ack 514907538, win 5840, length 0
10:44:23.347772 IP ns1.mydomain.local.18885 > l.gtld-servers.net.domain: 34233 [1au] A? msgme.com. (38)
10:44:23.354989 IP l.gtld-servers.net.domain > ns1.mydomain.local.18885: 34233-| 0/5/1 (405)
10:44:23.355216 IP ns1.mydomain.local.56209 > l.gtld-servers.net.domain: Flags [S], seq 523240441, win 5840, options [mss 1460,sackOK,TS val 8366979 ecr 0,nop,wscale 7], length 0
10:44:23.355448 IP l.gtld-servers.net.domain > ns1.mydomain.local.56209: Flags [R.], seq 0, ack 523240442, win 5840, length 0
10:44:23.355558 IP ns1.mydomain.local.51536 > c.gtld-servers.net.domain: 9409 [1au] A? msgme.com. (38)
10:44:23.366626 IP c.gtld-servers.net.domain > ns1.mydomain.local.51536: 9409-| 0/5/1 (405)
10:44:23.366926 IP ns1.mydomain.local.57378 > c.gtld-servers.net.domain: Flags [S], seq 516788939, win 5840, options [mss 1460,sackOK,TS val 8366991 ecr 0,nop,wscale 7], length 0
10:44:23.367146 IP c.gtld-servers.net.domain > ns1.mydomain.local.57378: Flags [R.], seq 0, ack 516788940, win 5840, length 0
10:44:23.367331 IP ns1.mydomain.local.18778 > e.gtld-servers.net.domain: 11771 [1au] A? msgme.com. (38)
10:44:23.426059 IP k.gtld-servers.net.domain > ns1.mydomain.local.56387: 59576-| 0/8/1 (455)
10:44:23.426287 IP ns1.mydomain.local.47250 > k.gtld-servers.net.domain: Flags [S], seq 526316605, win 5840, options [mss 1460,sackOK,TS val 8367050 ecr 0,nop,wscale 7], length 0
10:44:23.426515 IP k.gtld-servers.net.domain > ns1.mydomain.local.47250: Flags [R.], seq 0, ack 526316606, win 5840, length 0
10:44:23.426619 IP ns1.mydomain.local.49865 > b.gtld-servers.net.domain: 23943 [1au] AAAA? news.yahoo.com. (43)
10:44:23.457960 IP e.gtld-servers.net.domain > ns1.mydomain.local.18778: 11771-| 0/5/1 (405)
10:44:23.458280 IP ns1.mydomain.local.57933 > e.gtld-servers.net.domain: Flags [S], seq 526319483, win 5840, options [mss 1460,sackOK,TS val 8367082 ecr 0,nop,wscale 7], length 0
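
The capture in the post above can be tallied mechanically. The following is an added example, not part of any poster's message: it counts UDP queries, truncated replies (tcpdump prints `|` after the query ID when the TC bit is set), TCP SYNs sent to port 53, and the resets that answer them. The function names are chosen for this example, and the sample is five lines copied from the capture.

```python
import re
from collections import Counter

# Constructed sample: five lines copied from the capture posted above.
SAMPLE = """\
10:44:23.273226 IP ns1.mydomain.local.45619 > f.gtld-servers.net.domain: 28369 [1au] A? msgme.com. (38)
10:44:23.279011 IP ns1.mydomain.local.domain > INTERNALDNS1.mydomain.local.56886: 54874 ServFail 0/0/1 (38)
10:44:23.347168 IP f.gtld-servers.net.domain > ns1.mydomain.local.45619: 28369-| 0/5/1 (405)
10:44:23.347410 IP ns1.mydomain.local.34171 > f.gtld-servers.net.domain: Flags [S], seq 514907537, win 5840, options [mss 1460,sackOK,TS val 8366971 ecr 0,nop,wscale 7], length 0
10:44:23.347570 IP f.gtld-servers.net.domain > ns1.mydomain.local.34171: Flags [R.], seq 0, ack 514907538, win 5840, length 0
"""
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
QUERY = re.compile(r"^\d+[+%]*\s+(?:\[[^\]]*\]\s+)?\w+\?\s")
REPLY = re.compile(r"^\d+([^\s\d]*)\s+(?:(\w+)\s+)?\d+/\d+/\d+")
DNS_PORTS = {"domain", "53"}  # tcpdump may print the service name

def port(endpoint):
    return endpoint.rsplit(".", 1)[-1]  # endpoints are printed as host.port

def summarize(capture):
    """Tally DNS-over-UDP and TCP/53 events in tcpdump text output."""
    counts, pending = Counter(), set()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, dst, rest = m.groups()
        if rest.startswith("Flags ["):               # TCP segment
            flags = rest[7:rest.index("]")]
            if flags == "S" and port(dst) in DNS_PORTS:
                counts["tcp_syn_to_53"] += 1
                pending.add((src, dst))
            elif "R" in flags and (dst, src) in pending:
                counts["tcp_syn_reset"] += 1         # RST answering our SYN
                pending.discard((dst, src))
        elif QUERY.match(rest) and port(dst) in DNS_PORTS:
            counts["udp_query"] += 1
        elif (r := REPLY.match(rest)) and port(src) in DNS_PORTS:
            if "|" in r.group(1):                    # TC bit: reply truncated
                counts["udp_truncated_reply"] += 1
            if r.group(2) == "ServFail":
                counts["servfail_sent"] += 1
    return counts

def truncated_then_reset(counts):
    # Pattern check only: truncated replies seen and every TCP retry was reset.
    return (counts["udp_truncated_reply"] > 0
            and 0 < counts["tcp_syn_to_53"] == counts["tcp_syn_reset"])
```

Feed it the full text output of tcpdump on port 53; a True result from truncated_then_reset() means the capture shows truncated UDP replies whose TCP retries were all answered with a reset.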
 
Old 01-23-2012, 09:51 AM   #20
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Here is some more debugging info from trace 2:

client 192.168.16.6#22732: query failed (SERVFAIL) for reporting.eu-survey.com/IN/A at query.c:4648
client 192.168.16.6#56810: query failed (SERVFAIL) for reporting.eu-survey.com/IN/A at query.c:4648
fetch completed at resolver.c:3087 for reporting.eu-survey.com/A in 11.494339: SERVFAIL/success [domain:com,referral:1,restart:11,qrysent:208,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0 ,valfail:0]
createfetch: www.hollywood.com A
client 192.168.16.6#63336: query failed (SERVFAIL) for www.wikihow.com/IN/A at query.c:4648
fetch completed at resolver.c:3087 for www.wikihow.com/A in 11.948703: SERVFAIL/success [domain:com,referral:0,restart:11,qrysent:220,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0 ,valfail:0]
client 192.168.16.6#50127: query failed (SERVFAIL) for www.wikihow.com/IN/A at query.c:4648
client 192.168.16.6#15294: query failed (SERVFAIL) for www.hollywood.com/IN/A at query.c:4648
fetch completed at resolver.c:3087 for www.hollywood.com/A in 11.704249: SERVFAIL/success [domain:com,referral:0,restart:11,qrysent:220,timeout:0,lame:0,neterr:0,badresp:0,adberr:7,findfail:0 ,valfail:0]
client 192.168.16.6#47813: query failed (SERVFAIL) for www.hollywood.com/IN/A at query.c:4648
createfetch: www.thestatecolumn.com A

Last edited by vonedaddy; 01-23-2012 at 09:57 AM.
 
Old 01-23-2012, 10:42 AM   #21
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
What's in /etc/resolv.conf?
Check if running queries like:
Code:
dig @127.0.0.1 google.com
works?
 
Old 01-23-2012, 10:47 AM   #22
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
First off I need to say thanks for your continued help on this.

No, it still doesn't work.

In /etc/resolv.conf is another DNS server we have running RHEL4.

[root@ns1 data]# dig @127.0.0.1 google.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @127.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached



But if I add +trace it works...

[root@ns1 data]# dig @127.0.0.1 google.com +trace

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @127.0.0.1 google.com +trace
; (1 server found)
;; global options: +cmd
. 517244 IN NS k.root-servers.net.
. 517244 IN NS l.root-servers.net.
. 517244 IN NS a.root-servers.net.
. 517244 IN NS b.root-servers.net.
. 517244 IN NS e.root-servers.net.
. 517244 IN NS c.root-servers.net.
. 517244 IN NS m.root-servers.net.
. 517244 IN NS f.root-servers.net.
. 517244 IN NS d.root-servers.net.
. 517244 IN NS j.root-servers.net.
. 517244 IN NS h.root-servers.net.
. 517244 IN NS g.root-servers.net.
. 517244 IN NS i.root-servers.net.
;; Received 340 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
;; Received 488 bytes from 192.228.79.201#53(b.root-servers.net) in 88 ms

google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 164 bytes from 192.26.92.30#53(c.gtld-servers.net) in 10 ms

google.com. 300 IN A 74.125.115.147
google.com. 300 IN A 74.125.115.105
google.com. 300 IN A 74.125.115.103
google.com. 300 IN A 74.125.115.106
google.com. 300 IN A 74.125.115.104
google.com. 300 IN A 74.125.115.99
;; Received 124 bytes from 216.239.32.10#53(ns1.google.com) in 31 ms
 
Old 01-23-2012, 11:19 AM   #23
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Well I'm really out of ideas.
bind behaves like there is a firewall (even for localhost) preventing access to port 53. Try to stop iptables and see what happens
 
Old 01-23-2012, 11:27 AM   #24
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by bathory
Well I'm really out of ideas.
bind behaves like there is a firewall (even for localhost) preventing access to port 53. Try to stop iptables and see what happens
I tried it with no iptables rules. (iptables -F) still nothing.

I even re-installed the OS from scratch, same thing. There has to be something I am missing.
 
Old 01-23-2012, 11:40 AM   #25
Nomad-71
LQ Newbie
 
Registered: Jan 2012
Location: Russia
Distribution: Fedora
Posts: 15

Rep: Reputation: 0
What about SELinux policies?
 
Old 01-23-2012, 11:48 AM   #26
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Nomad-71
What about SELinux policies?
Nothing is showing up in /var/log/audit/audit.log

I even tried setenforce 0
 
Old 01-23-2012, 11:55 AM   #27
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
There has to be something I am missing.
No, your config is OK. I've tested on my Slackware bind installation and it works as expected.
Could be SELinux, even though I doubt it.
Try setting up a forwarder and see what you get. Add in the options part of named.conf:
Code:
forward only;
forwarders { x.x.x.x; };
where x.x.x.x is the nameserver that is present in /etc/resolv.conf
 
Old 01-23-2012, 12:03 PM   #28
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
It works with the forwarders. But that defeats the point. We have 2 external name servers, ns1 and ns2. Right now I am just forwarding all the queries from ns1 to ns2.

Thanks for your help, if you have any more ideas I would love to hear them.
 
Old 01-23-2012, 12:15 PM   #29
Nomad-71
LQ Newbie
 
Registered: Jan 2012
Location: Russia
Distribution: Fedora
Posts: 15

Rep: Reputation: 0
Small question: are you using bind-chroot to run it in a chroot environment?
 
Old 01-23-2012, 12:38 PM   #30
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
It works with the forwarders. But that defeats the point
It shouldn't work as you still access port 53 to query your dns. That is the strange thing.
It answers on port 53 when it's forwarding queries or doing a trace, but does not answer when used as a caching dns!!!!
Looking at named.conf for rhel/centos, I notice there is a
Code:
include "/etc/named.rfc1912.zones";
that you're not using. Maybe you need to include that file too in named.conf
 
  

