LinuxQuestions.org
Old 06-28-2008, 01:52 PM   #1
rpeiffer
LQ Newbie
 
Registered: Oct 2003
Posts: 10

DNS(named) - Fedora 9 - Answers Queries on Local Host Only


I have a small LAN for which I have set up a DNS server for the internal machines. I've had the server set up under Fedora 8, working fine. Long story short, hard disk failure, moved to Fedora 9, configured and am encountering the following problem:

Dig and nslookup respond as expected from the machine running the server. Every other end point cannot access the server.

Gory details:

For purposes of simplification I have removed all my local zone info out from named.conf. My internal net is 192.168.2.0/24. The interface connection on my machine running named is 192.168.2.2. I have disabled all firewalls. All machines can ping each other.

named.conf
---------------------------------------------------

options {
listen-on port 53 { 127.0.0.1; 192.168.2.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 127.0.0.1; 192.168.2.0/24; };
recursion yes;
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";

----------------------------------------------------


Results of a "netstat -np --listen | grep :53"
(Clearly this shows the server is listening on the proper ports)
---------------------------------------------------------------
tcp 0 0 192.168.2.2:53 0.0.0.0:* LISTEN 5175/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5175/named
tcp 0 0 ::1:53 :::* LISTEN 5175/named
udp 0 0 192.168.2.2:53 0.0.0.0:* 5175/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 5175/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2704/avahi-daemon:
udp 0 0 ::1:53 :::* 5175/named
----------------------------------------------------------------

Results of a "tcpdump -nn -v udp port 53" on server while doing a "dig"
from a remote client on the LAN
(Clearly this shows that the "client" machine is attempting to
talk to the server, with no response from the server)
---------------------------------------------------------------------
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:44:41.418619 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 45) 192.168.2.5.47256 > 192.168.2.2.53: 52967+ NS? . (17)
12:44:46.418559 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 45) 192.168.2.5.47256 > 192.168.2.2.53: 52967+ NS? . (17)
12:44:51.418956 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 45) 192.168.2.5.47256 > 192.168.2.2.53: 52967+ NS? . (17)
----------------------------------------------------------------------

Results of "dig" command on client machine:
----------------------------------------------------------------------
; <<>> DiG 9.5.0b1 <<>> @192.168.2.2
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
----------------------------------------------------------------------


Summary:

A query of the DNS server from the local machine works fine. I believe that the named.conf is properly configured to allow and respond to the query. The server is running and listening on the proper interface and port. The client machines can communicate with the server machine as verified by ping and the tcpdumps. Although I didn't post them here, I have gone through the syslog messages on startup and everything looks fine. **** I'm stumped! ****

Any help out there would be greatly appreciated!!

Thanks in advance.
 
Old 06-28-2008, 07:42 PM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Certainly looks OK. Have you tried telnetting in from the LAN?

Edit - you don't have something silly like allow-query expressions in the zone files do you?

Have you tried with SELinux off (setenforce 0 - setenforce 1 to put it back on)

Last edited by billymayday; 06-28-2008 at 07:46 PM.
 
Old 06-29-2008, 02:06 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Code:
$ sudo rndc querylog
$ sudo rndc trace
<do some queries from another host>
$ sudo less /var/named/data/named.run
That should give you some clues. If you don't get enough data, you can continue issuing the rndc trace command to increase the logging level. rndc notrace turns it off, and a second rndc querylog will disable query logging again (if you leave it on, your logs will get quite full in a hurry).
 
Old 06-29-2008, 11:26 AM   #4
rpeiffer
LQ Newbie
 
Registered: Oct 2003
Posts: 10

Original Poster
Quote:
Originally Posted by billymayday View Post
Certainly looks OK. Have you tried telnetting in from the LAN?

Edit - you don't have something silly like allow-query expressions in the zone files do you?

Have you tried with SELinux off (setenforce 0 - setenforce 1 to put it back on)

I did try telnetting, here are the results:

telnet 192.168.2.2 53
Trying 192.168.2.2...
telnet: connect to address 192.168.2.2: No route to host

Now there (of course) is a route to the host. I can ssh to it, ping it, etc.

As far as the zone files go, I simplified the configuration and except for the "root" zone and the rfc1912 zones that are included, there are no other zone defs on the config I'm testing. I checked the included zones, no "allow-query" defs.

Using the "system-config-selinux" utility, I set the default enforcing mode to permissive (which will log errors, but not enforce), rebooted, and verified the current enforce mode is permissive. No change.
 
Old 06-29-2008, 11:39 AM   #5
rpeiffer
LQ Newbie
 
Registered: Oct 2003
Posts: 10

Original Poster
Quote:
Originally Posted by chort View Post
Code:
$ sudo rndc querylog
$ sudo rndc trace
<do some queries from another host>
$ sudo less /var/named/data/named.run
That should give you some clues. If you don't get enough data, you can continue issuing the rndc trace command to increase the logging level. rndc notrace turns it off, and a second rndc querylog will disable query logging again (if you leave it on, your logs will get quite full in a hurry).
Wow, this is strange. See results below from /var/named/chroot/var/named/data/named.run (I am using chroot package which is pretty standard at least on Fedora 9):

received control channel command 'querylog'
query logging is now on
received control channel command 'trace'
debug level is now 1
received control channel command 'null'
received control channel command 'trace'
debug level is now 2
received control channel command 'null'
received control channel command 'trace'
debug level is now 3
received control channel command 'null'
received control channel command 'trace'
debug level is now 4
received control channel command 'null'
received control channel command 'trace'
debug level is now 5
received control channel command 'null'
received control channel command 'notrace'
received control channel command 'querylog'
query logging is now off


After I set each debug level, I attempted a query off the LAN (which of course failed). The strange thing is I see no indication that the server is getting the request. Now (as documented in my original post) a netstat shows that it is listening on the proper ports and a tcpdump shows that the packets are getting there from the client. Hmmm..., this just doesn't make any sense.
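The rndc procedure from post #3 and the named.run excerpt above are the right test, and the result is more informative than it looks: the query log records every query that reached named's socket, so a client that tcpdump sees on the wire but that never appears in the query log was dropped between the NIC and the socket, on the server itself. What follows is an added example, not code from the thread: a small shell summariser that reduces a BIND 9 query-log capture to queries per client and counts the non-loopback ones. The log lines are constructed in BIND 9's query-log format (timestamp, "client ADDR#PORT: query: NAME CLASS TYPE ..."), and the two captures (one from the blocked state, one after the filter was opened) are assumptions for illustration, not the poster's actual named.run.

```shell
#!/bin/sh
# Added example (not from the thread). On the server the capture window is
# opened and closed exactly as in post #3:
#     rndc querylog; rndc trace   ...   rndc notrace; rndc querylog
# and the lines land in named.run (or /var/named/chroot/var/named/data/named.run
# under the chroot package). This script reads such a capture on stdin.

# querylog_clients < named.run
# Prints "CLIENT-IP COUNT" per client, sorted. Only lines carrying a real
# "client A#P: query:" record are counted; control-channel chatter is ignored.
querylog_clients() {
  awk '
    / client [^ ]+#[0-9]+: query: / {
      for (i = 1; i <= NF; i++)
        if ($i == "client") { split($(i + 1), a, "#"); n[a[1]]++; break }
    }
    END { for (ip in n) printf "%s %d\n", ip, n[ip] }
  ' | sort
}

# remote_query_count < named.run
# Number of logged queries that did not come from the loopback address.
# Zero here, while tcpdump shows queries arriving, means the packets never
# reached named: look at the host packet filter, not at named.conf.
remote_query_count() {
  querylog_clients | awk '$1 != "127.0.0.1" && $1 != "::1" { s += $2 } END { print s + 0 }'
}

# Constructed capture: what the blocked server logs. The LAN client at
# 192.168.2.5 was sending "NS ." (see the tcpdump in post #1) but nothing
# of it appears, because the kernel dropped it before named saw it.
LOG_BLOCKED="28-Jun-2008 12:40:02.112 received control channel command 'querylog'
28-Jun-2008 12:40:02.112 query logging is now on
28-Jun-2008 12:40:10.501 client 127.0.0.1#33211: query: localhost IN A + (127.0.0.1)
28-Jun-2008 12:44:15.772 client 127.0.0.1#33212: query: . IN NS + (127.0.0.1)
28-Jun-2008 12:45:00.003 received control channel command 'querylog'
28-Jun-2008 12:45:00.003 query logging is now off"

# Constructed capture after the filter admits port 53: the same remote
# client now shows up.
LOG_OPEN="28-Jun-2008 15:10:02.000 query logging is now on
28-Jun-2008 15:10:10.501 client 127.0.0.1#33290: query: localhost IN A + (127.0.0.1)
28-Jun-2008 15:10:15.772 client 127.0.0.1#33291: query: . IN NS + (127.0.0.1)
28-Jun-2008 15:10:41.418 client 192.168.2.5#47256: query: . IN NS + (192.168.2.2)
28-Jun-2008 15:11:00.003 query logging is now off"

echo "blocked capture, queries per client:"
printf '%s\n' "$LOG_BLOCKED" | querylog_clients
echo "blocked capture, non-loopback queries: $(printf '%s\n' "$LOG_BLOCKED" | remote_query_count)"   # 0
echo "open capture, non-loopback queries:    $(printf '%s\n' "$LOG_OPEN" | remote_query_count)"      # 1
```

Run it as `sh querylog_clients.sh`, or pipe a real capture through `querylog_clients` after `rndc querylog` has been toggled on and off again; leaving query logging on is what fills the disk, as post #3 warns.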
 
Old 06-29-2008, 02:35 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Code:
$ sudo service iptables stop
$ sudo iptables -L
What's the output?

Then try your query (from the other machine) again.
 
Old 06-29-2008, 03:00 PM   #7
rpeiffer
LQ Newbie
 
Registered: Oct 2003
Posts: 10

Original Poster

Quote:
Originally Posted by chort View Post
Code:
$ sudo service iptables stop
$ sudo iptables -L
What's the output?

Then try your query (from the other machine) again.
That worked (much to my embarrassment). Here's the story:

I checked the firewall status from the gui admin tool. It showed the status of the firewall was *disabled* so I didn't bother looking physically at the iptables definitions. Actually, the firewall configuration tool was one of the first things I checked as the symptoms seemed to fit a firewall based issue. I also could SSH from a client machine to the dns server machine.

I'm not sure where it was getting its definitions from. I'll have to investigate. Obviously ssh has a piercing, and dns does not.

Shoot, sorry to waste everyone's time. THANKS TO ALL WHO REPLIED!!!
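The tell was already in post #4: telnet reporting "No route to host" for a host that answers ping and ssh. That message is what a client gets when the server's packet filter answers the SYN with an ICMP host-prohibited (the REJECT --reject-with icmp-host-prohibited that ends Fedora's default ruleset), so it points at the filter, not at routing. The GUI reporting the firewall as "disabled" says nothing about what the kernel has loaded; the rule dump does. The example below is added here and is not the thread's own code: a shell script that walks a ruleset in iptables-save format the way the kernel would for a new inbound packet (INPUT chain, user-defined chain jumps, first match wins), reports the verdict for a protocol and port, and splices the two ACCEPT rules in ahead of the REJECT. The ruleset is constructed to resemble the Fedora default layout (an RH-Firewall-1-INPUT chain that admits loopback, ICMP, established flows and ssh, then rejects everything else); the chain name and rule text are assumptions, not the poster's actual rules.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from a ruleset dump, whether
# a new inbound packet to PROTO/PORT on a LAN interface is accepted.
# Feed it `iptables-save` output (the -A lines are the same ones `iptables -S`
# prints on newer versions).

# port_allowed PROTO PORT < ruleset
# Prints ACCEPT, REJECT, DROP or POLICY:<chain policy> for the INPUT chain.
port_allowed() {
  awk -v proto="$1" -v port="$2" '
    # iptables-save header ":CHAIN POLICY [pkts:bytes]" declares a chain
    /^:/         { h = substr($1, 2); cnt[h] += 0; if (h == "INPUT") policy = $2 }
    # iptables -S style equivalents
    /^-P INPUT / { policy = $3 }
    /^-N /       { cnt[$2] += 0 }
    /^-A /       { cnt[$2]++; rule[$2, cnt[$2]] = $0 }

    # Would this rule be consulted for a NEW packet from the LAN to proto/port?
    function consulted(r,    i, nf, f, p, d) {
      if (r ~ / -i lo( |$)/) return 0                   # loopback-only rule
      if (r ~ /--(ct)?state/ && r !~ /NEW/) return 0    # only existing flows
      p = ""; d = ""
      nf = split(r, f, " ")
      for (i = 1; i <= nf; i++) {
        if (f[i] == "-p") p = f[i + 1]
        if (f[i] == "--dport") d = f[i + 1]
      }
      if (p != "" && p != proto) return 0
      if (d != "" && d != port) return 0
      return 1
    }
    function target(r,    i, nf, f) {
      nf = split(r, f, " ")
      for (i = 1; i <= nf; i++) if (f[i] == "-j") return f[i + 1]
      return ""
    }
    # First matching terminal verdict wins; jumps into user chains are followed
    # and an exhausted user chain falls back to the caller.
    function walk(c,    i, t, v) {
      for (i = 1; i <= cnt[c]; i++) {
        if (!consulted(rule[c, i])) continue
        t = target(rule[c, i])
        if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
        if (t == "RETURN") return ""
        if (t in cnt) { v = walk(t); if (v != "") return v }
      }
      return ""
    }
    END { v = walk("INPUT"); if (v == "") v = "POLICY:" policy; print v }
  '
}

# allow_dns < ruleset
# Emits the ruleset with udp/53 and tcp/53 accepted just before the first
# REJECT rule, in whatever chain holds it.
allow_dns() {
  awk '
    /^-A .* -j REJECT/ && !done {
      printf "-A %s -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT\n", $2
      printf "-A %s -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT\n", $2
      done = 1
    }
    { print }
  '
}

# Constructed ruleset resembling the Fedora default (assumption: not the
# poster's real rules). Note the "disabled" GUI state has nothing to do
# with whether these lines are loaded in the kernel.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

printf 'icmp   before: %s\n' "$(printf '%s\n' "$RULES" | port_allowed icmp "")"              # ACCEPT (ping works)
printf 'tcp/22 before: %s\n' "$(printf '%s\n' "$RULES" | port_allowed tcp 22)"               # ACCEPT (ssh works)
printf 'udp/53 before: %s\n' "$(printf '%s\n' "$RULES" | port_allowed udp 53)"               # REJECT (dig times out)
printf 'udp/53 after:  %s\n' "$(printf '%s\n' "$RULES" | allow_dns | port_allowed udp 53)"   # ACCEPT
```

On the live box the same check is `iptables-save | sh this_script.sh`-style piping into `port_allowed`, and the live equivalent of `allow_dns` is `iptables -I RH-Firewall-1-INPUT <position-of-the-REJECT> -p udp --dport 53 -j ACCEPT` (and again for tcp), followed by `service iptables save` so the rules survive the next `service iptables start`. Stopping the service, as post #6 suggests, is the quick way to confirm the diagnosis, not the way to leave the server.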
 
Old 06-29-2008, 05:47 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

At least you know a bit more about BIND logging
 
Old 06-29-2008, 05:51 PM   #9
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Hmm - I've found some odd things going on with F9 GUI tools, so I'm afraid I'm not totally surprised, but glad it's sorted.
 
  

