Old 10-25-2012, 06:46 AM   #1
subakaran
LQ Newbie
 
Registered: Apr 2008
Location: Melbourne
Distribution: Linux (Ubuntu & Fedora/RHEL)
Posts: 13
Blog Entries: 2

Rep: Reputation: 0
BIND Server in Ubuntu - not doing query from WAN side


Hi Friends,

I set up a DNS server using BIND on Ubuntu through Webmin, and it's all working fine internally. Basically I need to set it up and let it work from external - I want to register a domain name and set up the master zone on my internal DNS server.

When I do nslookup from internal, all is working fine.
When I do nslookup from external, it only resolves the IPs of the zones available on my DNS server, and I get an error message on the server for all other domains, such as:

... xxxxxxxxx/A/IN denied
... xxxxxxxxx/AAAA/IN' denied

Somewhere, queries for external zones are being denied on my DNS server when I query from the WAN side. What could be the problem?

I have enabled port forwarding for TCP and UDP on port 53; do I need to do it for both protocols?

Last edited by subakaran; 10-27-2012 at 03:59 PM.
 
Old 10-25-2012, 09:49 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,771

Rep: Reputation: 1283
Quote:
When I do nslookup from external, it only resolves the IPs of the zones available on my DNS server, and I get an error message on the server for all other domains, such as:

... xxxxxx/A/IN denied
... xxxxxx/AAAA/IN' denied

Somewhere, queries for external zones are being denied on my DNS server when I query from the WAN side. What could be the problem?
This is normal behavior. Your DNS server should not reply to queries from the internet for zones it's not authorized for. Otherwise it's an open resolver and can be abused by anyone.



Quote:
I have enabled port forwarding for TCP and UDP on port 53; do I need to do it for both protocols?
Yes, you do.
 
Old 10-26-2012, 12:08 AM   #3
subakaran
LQ Newbie
 
Registered: Apr 2008
Location: Melbourne
Distribution: Linux (Ubuntu & Fedora/RHEL)
Posts: 13
Blog Entries: 2

Original Poster
Rep: Reputation: 0
Let's say I registered a domain name, mycompany.com, with the Namecheap domain registrar. Then I can set up an A record myip.mycompany.com for my IP A.B.C.D (assume this is my public IP).

Then I create an NS record, myip.mycompany.com, which links to the A record ns.mycompany.com.

In this case, can I run my own DNS server and do the hosting of name records?

Last edited by subakaran; 10-26-2012 at 12:10 AM.
 
Old 10-26-2012, 02:12 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,771

Rep: Reputation: 1283
Quote:
In this case, can I run my own DNS server and do the hosting of name records?
Sure, you can run a nameserver that is authoritative for the domain you've registered.
You just need to register your DNS server with your registrar the first time you do that. Once your DNS server is registered, you can use it as authoritative for whatever domains you own.

Regards
 
Old 10-27-2012, 03:54 PM   #5
subakaran
LQ Newbie
 
Registered: Apr 2008
Location: Melbourne
Distribution: Linux (Ubuntu & Fedora/RHEL)
Posts: 13
Blog Entries: 2

Original Poster
Rep: Reputation: 0
Hi Bathory, thanks for your reply. Starting from it I searched, understood that I can do the job, and did it as described in the steps below:
http://www.namecheap.com/support/kno...-for-my-domain

When I do nslookup, or when I assign my server as the DNS server for my PC, everything works fine from the LAN side.

Now I have only one problem: when I do nslookup from external, it only resolves the IPs of the zones available on my DNS server, and I get error messages on the server as below:


Oct 28 07:49:06 ubuntu named[19405]: client 123.123.123.123#54560: query (cache) 'yahoo.com/NS/IN' denied
Oct 28 07:49:06 ubuntu named[19405]: client 123.123.123.123#54561: query (cache) 'yahoo.com/NS/IN' denied

I do the test as below:

Let's say my DNS server is ns1.mycompany.com:

root@ubuntu:~$ nslookup
> server 69.16.244.25
Default server: 69.16.244.25
Address: 69.16.244.25#53
>
> server ns1.mycompany.com
Default server: ns1.mycompany.com
Address: 123.123.123.123#53
>
> set type=a
> yahoo.com
Server: ns1.mycompnay.com
Address: 123.123.123.123#53

** server can't find yahoo.com: NXDOMAIN
>

Are there any settings blocking it from sending queries to the root DNS servers or forwarders to find more details?

Last edited by subakaran; 10-27-2012 at 04:04 PM.
 
Old 11-05-2012, 11:10 PM   #6
subakaran
LQ Newbie
 
Registered: Apr 2008
Location: Melbourne
Distribution: Linux (Ubuntu & Fedora/RHEL)
Posts: 13
Blog Entries: 2

Original Poster
Rep: Reputation: 0
Thumbs up

I fixed everything and my DNS server is running from public.

I had missed these lines in the file named.config.options:

allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
 
Old 11-05-2012, 11:47 PM   #7
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 266

Rep: Reputation: 57
I doubt you will find it helpful to host an open resolver. You are opening yourself up to abuse.
 
Old 11-06-2012, 08:13 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,120

Rep: Reputation: 776
Quote:
Originally Posted by david1941 View Post
I doubt you will find it helpful to host an open resolver. You are opening yourself up to abuse.
Agree 100%. Unfortunately, I don't think that the OP is going to understand this, at least until they learn the hard way.

@subakaran, what you have done with those rules is allow ANYBODY in the world to use your DNS server to perform lookups for ANY site. You should NOT do this. If you leave your DNS server this way, you will soon find your server being abused and likely so busy performing public DNS actions that it is incapable of anything else. I understand the desire to have your DNS be authoritative for your zones as well as act as a resolver for your local networks. This is a legitimate function. What you do not want to do is allow the general public to look up any information except for your zones.

To better protect yourself, create what is called an access control list and use this in the rules you posted instead of ANY. An example of an ACL is shown below.

Code:
acl mynet { 192.168.0.0/24; };
allow-recursion { mynet; };
allow-query { any; };
allow-query-cache { mynet; };
Here is a link that explains the various control options for bind: http://www.zytrax.com/books/dns/ch7/queries.html
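As an added example (not code from this thread or from BIND), a small Python audit that parses the three options discussed in post #6 and post #8, expands named ACLs, and applies BIND's documented fallback chain for an unset allow-recursion; the configuration fragments inside it are constructed samples, not the poster's real files.

```python
import re

# Constructed sample: the three lines the original poster added in post #6,
# which make BIND an open resolver.
OPEN_CONF = """
options {
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
"""
# Constructed sample: the ACL-based version recommended in post #8.
ACL_CONF = """
acl mynet { 192.168.0.0/24; };
options {
    allow-recursion { mynet; };
    allow-query { any; };
    allow-query-cache { mynet; };
};
"""
# Constructed sample: allow-query { any; } on its own. Per the BIND ARM an unset
# allow-recursion falls back to allow-query-cache, then allow-query, so this
# is an open resolver too, even though "recursion" is never mentioned.
IMPLICIT_CONF = "options { allow-query { any; }; };"

ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}')
OPT_RE = re.compile(r'\b(allow-recursion|allow-query-cache|allow-query)\s*\{([^}]*)\}')
WIDE_OPEN = {"any", "0.0.0.0/0", "::/0"}

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def expand(elements, acls, seen=()):
    """Flatten named acl references (nested acls included) into address terms."""
    out = []
    for e in elements:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out

def audit(conf):
    """Return the effective recursion list and whether it is open to the world."""
    acls = {n: _elements(b) for n, b in ACL_RE.findall(conf)}
    opts = {n: expand(_elements(b), acls) for n, b in OPT_RE.findall(conf)}
    # BIND's default chain when allow-recursion is not set explicitly.
    recursion = (opts.get("allow-recursion") or opts.get("allow-query-cache")
                 or opts.get("allow-query") or ["localnets", "localhost"])
    return {"recursion": recursion, "open_resolver": bool(WIDE_OPEN & set(recursion))}

if __name__ == "__main__":
    for label, conf in (("post #6", OPEN_CONF), ("post #8", ACL_CONF), ("implicit", IMPLICIT_CONF)):
        print(label, audit(conf))
```

The script only reads the fragment it is given; options left unset are reported via BIND's defaults rather than flagged.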