LinuxQuestions.org


subakaran 10-25-2012 06:46 AM

BIND Server in Ubuntu - not doing query from WAN side
 
Hi Friends,

I set up a DNS server using BIND in Ubuntu through Webmin, and it's all working fine internally. Basically I need to set it up to work from external: I want to register a domain name and set up the master zone in my internal DNS server.

When I do nslookup from internal, all is working fine.
When I do nslookup from external, it only resolves the IPs of the zones available in my DNS server, and I get error messages in the server for all other domains, such as:

... xxxxxxxxx/A/IN denied
... xxxxxxxxx/AAAA/IN' denied

Somewhere the queries for external zones are being denied in my DNS server when I query from the WAN side. What could be the problem?

I have enabled port forwarding for TCP and UDP on port 53. Do I need to do it for both protocols?

bathory 10-25-2012 09:49 AM

Quote:

When I do nslookup from external, it only resolves the IPs of the zones available in my DNS server, and I get error messages in the server for all other domains, such as:

... xxxxxx/A/IN denied
... xxxxxx/AAAA/IN' denied

Somewhere the queries for external zones are being denied in my DNS server when I query from the WAN side. What could be the problem?

This is normal behavior. Your DNS server should not reply to queries from the internet for zones it's not authoritative for. Otherwise it's an open resolver and can be abused by anyone.



Quote:

I have enabled port forwarding for TCP and UDP on port 53. Do I need to do it for both protocols?

Yes, you do.

subakaran 10-26-2012 12:08 AM

Let's say I registered a domain name, mycompany.com, with the Namecheap domain registrar. Then I can set up an A record myip.mycompany.com for my IP A.B.C.D (assume this is my public IP).

Then I create an NS record, myip.mycompany.com, which links to the A record ns.mycompany.com.

In this case, can I run my own DNS server and do the hosting of name records?

bathory 10-26-2012 02:12 AM

Quote:

In this case, can I run my own DNS server and do the hosting of name records?

Sure, you can run a nameserver authoritative for the domain you've registered.
You just need to register your DNS server with your registrar the first time you do that. Once your DNS server is registered, you can use it as authoritative for whatever domains you own.

Regards

subakaran 10-27-2012 03:54 PM

Hi Bathory, thanks for your reply. From your reply I searched and understood that I can do the job, and I did it as mentioned in the steps below:
http://www.namecheap.com/support/kno...-for-my-domain

When I do nslookup, or when I assign my server as the DNS server for my PC, all is working fine from the LAN side.

Now I have only one problem: when I do nslookup from external, it only resolves the IPs of the zones available in my DNS server, and I get error messages in the server as below:

Oct 28 07:49:06 ubuntu named[19405]: client 123.123.123.123#54560: query (cache) 'yahoo.com/NS/IN' denied
Oct 28 07:49:06 ubuntu named[19405]: client 123.123.123.123#54561: query (cache) 'yahoo.com/NS/IN' denied

I do the test as below:

Let's say my DNS server is ns1.mycompany.com.

root@ubuntu:~$ nslookup
> server 69.16.244.25
Default server: 69.16.244.25
Address: 69.16.244.25#53
>
> server ns1.mycompany.com
Default server: ns1.mycompany.com
Address: 123.123.123.123#53
>
> set type=a
> yahoo.com
Server: ns1.mycompnay.com
Address: 123.123.123.123#53

** server can't find yahoo.com: NXDOMAIN
>

Are there any settings blocking it from sending to the root DNS servers or to forwarders to find more details?

subakaran 11-05-2012 11:10 PM

I fixed it all and my DNS server is running from the public side.

I had missed these lines in the file named.config.options:

allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };

david1941 11-05-2012 11:47 PM

I doubt you will find it helpful to host an open resolver. You are opening yourself up to abuse.

Noway2 11-06-2012 08:13 AM

Quote:

Originally Posted by david1941 (Post 4823129)
I doubt you will find it helpful to host an open resolver. You are opening yourself up to abuse.

Agree 100%. Unfortunately, I don't think the OP is going to understand this, at least until they learn the hard way.

@subakaran, what you have done with those rules is allow ANYBODY in the world to use your DNS server to perform lookups for ANY site. You should NOT do this. If you leave your DNS server this way, you will soon find it being abused, and likely so busy performing public DNS lookups that it is incapable of anything else. I understand the desire to have your DNS server be authoritative for your zones as well as act as a resolver for your local networks. This is a legitimate function. What you do not want to do is allow the general public to look up any information except for your zones.

To better protect yourself, create what is called an access control list and use it in the rules you posted instead of ANY. An example of an ACL is shown below.

Code:

acl mynet { 192.168.0.0/24; };
allow-recursion { mynet; };
allow-query { any; };
allow-query-cache { mynet; };

Here is a link that explains the various control options for bind: http://www.zytrax.com/books/dns/ch7/queries.html
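An added audit check, not code from this thread, that puts the two configurations side by side: the three `any` lines subakaran posted and the ACL version Noway2 suggested. It parses `acl` definitions and the allow-recursion / allow-query / allow-query-cache directives from a named.conf fragment and reports which ones are reachable from the whole internet. The two sample fragments are constructed from the posts above; the fallback rules (a missing allow-recursion inherits allow-query-cache and vice versa, with `localnets; localhost;` as the last resort, and allow-query defaulting to `any`) are the documented BIND 9 defaults as assumed here.

```python
"""Audit a BIND named.conf fragment for open-resolver settings.

Added example, not from the thread. Reads `acl` blocks and the
allow-recursion / allow-query / allow-query-cache directives and reports
whether recursion or the cache is open to every client on the internet.
Assumes the documented BIND 9 defaults: a missing allow-recursion falls
back to allow-query-cache, a missing allow-query-cache falls back to
allow-recursion, both default to `localnets; localhost;` if neither is
set, and allow-query defaults to `any`.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the lines the original poster added (an open resolver).
OPEN_CONFIG = """
options {
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
"""

# Constructed sample: the ACL-based lines from the reply (recursion for the LAN only).
RESTRICTED_CONFIG = """
acl mynet { 192.168.0.0/24; };
options {
    allow-recursion { mynet; };
    allow-query { any; };        // authoritative answers for own zones stay public
    allow-query-cache { mynet; };
};
"""

ACL_RE = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', re.S)
DIRECTIVE_RE = re.compile(
    r'\b(allow-recursion|allow-query-cache|allow-query)\s*\{([^}]*)\}\s*;', re.S)

# Address-match-list entries that admit every source address.
WORLD = {"any", "0.0.0.0/0", "::/0", "0/0"}
DEFAULT = ["localnets", "localhost"]


def _split_list(body: str) -> List[str]:
    """Turn 'a; b; // note\n c;' into ['a', 'b', 'c'], dropping comments."""
    body = re.sub(r'//[^\n]*|#[^\n]*', '', body)
    return [item.strip() for item in body.split(';') if item.strip()]


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map each named ACL to the entries it contains."""
    return {name: _split_list(body) for name, body in ACL_RE.findall(config)}


def parse_directives(config: str) -> Dict[str, List[str]]:
    """Map each allow-* directive present in the fragment to its match list."""
    return {name: _split_list(body) for name, body in DIRECTIVE_RE.findall(config)}


def admits_world(entries: List[str], acls: Dict[str, List[str]],
                 seen: Optional[set] = None) -> bool:
    """True if the match list lets any source address through.

    Named ACLs are followed recursively (cycles cut with `seen`). A negated
    entry ('!x') only narrows access, so it is skipped.
    """
    seen = seen or set()
    for entry in entries:
        entry = entry.strip('"')
        if entry.startswith('!'):
            continue
        if entry in WORLD:
            return True
        if entry in acls and entry not in seen:
            if admits_world(acls[entry], acls, seen | {entry}):
                return True
    return False


def effective_lists(config: str) -> Dict[str, List[str]]:
    """Apply the BIND 9 fallback rules to get the lists named would actually use."""
    d = parse_directives(config)
    rec = d.get('allow-recursion', d.get('allow-query-cache', DEFAULT))
    cache = d.get('allow-query-cache', d.get('allow-recursion', DEFAULT))
    return {'allow-recursion': rec,
            'allow-query-cache': cache,
            'allow-query': d.get('allow-query', ['any'])}


def audit(config: str) -> Dict[str, bool]:
    """Map each directive to True when it is reachable from the whole internet."""
    acls = parse_acls(config)
    return {name: admits_world(lst, acls)
            for name, lst in effective_lists(config).items()}


def is_open_resolver(config: str) -> bool:
    """Open resolver: anyone may recurse or read the cache (allow-query alone is fine)."""
    result = audit(config)
    return result['allow-recursion'] or result['allow-query-cache']


if __name__ == '__main__':
    for label, cfg in (('poster', OPEN_CONFIG), ('reply', RESTRICTED_CONFIG)):
        verdict = 'OPEN RESOLVER' if is_open_resolver(cfg) else 'ok'
        print(label, audit(cfg), verdict)
```

Note that `allow-query { any; }` on its own is not flagged: the reply keeps it, because the public must still be able to query the zones the server is authoritative for. What makes the poster's configuration an open resolver is `any` in allow-recursion and allow-query-cache, and the fallback rule matters in practice: leaving allow-recursion out while allow-query-cache is `any` is just as open.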


All times are GMT -5. The time now is 01:37 PM.