I have Fedora 8. Iptables is up and running, working correctly for http, imap, pop, ssh and ftp.

I need to get dns up and running so I opened 53 (tcp and udp).

My dns is authoritative only, and if I access the dns server from localhost, it seems to work correctly (for a primary domain, I get appropriate answers from dig, for www_hp_com, I get pointers to the root servers).

However, if I try to use dig @ipaddress, I get:
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

If I try to telnet into the box from within, and use localhost, I get a connection, if I use the IP address or domain name, I get "connection refused".

I've tried this also from another computer on my LAN and from outside my upstream ISP.

Here's the kicker - I turn off iptables, and no change.

I'm obviously stumped. Anyone have any ideas?

Thank you (in advance)

What addresses are you listening to in you bind config?

Perhaps post your config here. What distro are you using?

Port 53.

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10025
ACCEPT tcp -- anywhere anywhere state NEW tcp dptop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Top of named.conf:

key "rndc-key" {
algorithm hmac-md5;
secret "xxx";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
channel default_debug {
file "/var/log/named.run";
severity dynamic;
};
};


options {
query-source port 53;
query-source-v6 port 53;
listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1
listen-on-v6 port 53 { ::1; }; #was ::1
directory "/var/named/";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };#was localhost
recursion no; #was yes
allow-recursion { 127/8; 192.168/16; 10/8; 172.16/12; };

query-source address * port 53;
notify-source * port 53;
transfer-source * port 53;
};

zone "." IN {
type hint;

Not what port, what address

Post

netstat -np --listen | grep :53

I think you've restricted yourself to 127.0.0.1 (listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1)

Edit - you may need a form more like "listen-on { 127.0.0.1; 192.168.1.1/24; };" replacing 192.168.1.1 with the relevant internal IP range

Thank you, that was the trick - I'm now working from within and without my LAN.

Thanks again!!!!

Wayne