LinuxQuestions.org
Old 05-05-2009, 02:40 PM   #1
bentman78
Member
 
Having problems with NAMED name resolution


I followed this example to get BIND up and running on CentOS.
http://www.wains.be/index.php/2007/1...dns-with-bind/

Problem is I can't get my domains to resolve.
Even locally, dns names I add to my zones aren't resolving.
Here is my named.conf:
################################## RNDC SETTINGS ######################################

// we include the rndckey (copy-paste from rndc.key created earlier)
key "rndckey" {
algorithm hmac-md5;
secret "xxxxxxxxxxxxxxxxxxxxxxxxx";
};

controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
#inet xxx.xxx.xxx.xxx allow { any; } keys { "rndckey"; };
};

################################## OPTIONS ####################################
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";

recursion yes;

allow-recursion {
127.0.0.1;
xxx.xxx.xxx.xxx;
};

// these are the opendns servers (optional)
forwarders {
208.67.222.222;
208.67.220.220;
};

listen-on {
127.0.0.1;
xxx.xxx.xxx.xxx;
};

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
#query-source address * port 53;

// so people can't try to guess what version you're running
version "REFUSED";

allow-query {
any;
#127.0.0.1;
#xxx.xxx.xxx.xxx;
};
};

server xxx.xxx.xxx.xxx {
keys { rndckey; };
};

######################################## ZONES ########################################

zone "." IN {
type hint;
file "named.ca";
};

zone "domain1.com" IN {
type master;
file "data/domain1.com.zone";
};


zone "domain2.com" IN {
type master;
file "data/domain2.com.zone";
};

One of my zone files:
$ttl 38400
domain2.com. IN SOA ns.domain2.com. admin.domain2.com. (
20090429 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day

domain2.com. IN NS ns1.domain2.com.

domain2.com. IN MX 1 mx.domain2.com.

www.domain2.com. IN A xxx.xxx.xxx.xxx
ns1.domain2.com. IN A xxx.xxx.xxx.xxx
ns2.domain2.com. IN A xxx.xxx.xxx.xxx
mx.domain2.com. IN A xxx.xxx.xxx.xxx
node1.domain2.com. IN A xxx.xxx.xxx.xxx
webmail.domain2.com IN A xxx.xxx.xxx.xxx
mailadmin.domain2.com IN A xxx.xxx.xxx.xxx
mail.domain2.com. IN CNAME mx.domain2.com.


The problem is some of the domains are resolving, but most aren't. When I try nslookup www.google.com 127.0.0.1, it's not resolving locally. Because of this, when I do nslookup www.domain2.com 127.0.0.1 I'm not getting the correct response. I was wondering if iptables has anything to do with it. I have this in my ruleset:
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

Can anyone help me? I really need to get this up. Any help is appreciated.
 
Old 05-05-2009, 08:42 PM   #2
mpiekarski
LQ Newbie
 
I would say this sounds like a problem with recursion if google isn't working. It is probably one of two things:

1. You have iptables rules blocking your lookups.

2. Although you have modified config, the service is not started.

To check ALL of your filter table rules in iptables, run the following:

iptables -L -nv

You MIGHT have to pipe it to less if you have a ton. If so, there is your problem. Try inserting instead of appending your rules, like so:

iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I OUTPUT -p udp --sport 53 -j ACCEPT

Also, try uncommenting the "#query-source address * port 53;" line.

To check if the service is running, try /etc/init.d/named status. If that gives you nothing, as root run "lsof -nPi udp:53". If you have something listening on 53, that will tell you.

To start the server, it should be /etc/init.d/named start.

EDIT: Make sure you save your iptables rules with the following: /etc/init.d/iptables save. Failure to do so will totally confuse you if you reboot.

------------------------------------
Michael Piekarski
Network Engineer
mpiekarski@hostmysite.com
www.hostmysite.com
 
Old 05-05-2009, 08:46 PM   #3
billymayday
LQ Guru
 
Can you show what actually happens with lookups? Make sure you use dig for this:

dig domain2.com

and

dig www.google.com

for example.
 
Old 05-06-2009, 10:53 AM   #4
bentman78
Member
 
Original Poster
Quote:
Originally Posted by mpiekarski
Thanks for your help.
The only problem is now entries in my zone file aren't resolving. I have a webmail.domain2.com and mailadmin.domain2.com and they're not resolving properly.
 
Old 05-06-2009, 11:02 AM   #5
bentman78
Member
 
Original Poster
This is the output of dig www.google.com:
; <<>> DiG 9.3.4-P1 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33568
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.217.230
google.navigation.opendns.com. 30 IN A 208.67.217.231

;; AUTHORITY SECTION:
. 516864 IN NS M.ROOT-SERVERS.NET.
. 516864 IN NS A.ROOT-SERVERS.NET.
. 516864 IN NS B.ROOT-SERVERS.NET.
. 516864 IN NS C.ROOT-SERVERS.NET.
. 516864 IN NS D.ROOT-SERVERS.NET.
. 516864 IN NS E.ROOT-SERVERS.NET.
. 516864 IN NS F.ROOT-SERVERS.NET.
. 516864 IN NS G.ROOT-SERVERS.NET.
. 516864 IN NS H.ROOT-SERVERS.NET.
. 516864 IN NS I.ROOT-SERVERS.NET.
. 516864 IN NS J.ROOT-SERVERS.NET.
. 516864 IN NS K.ROOT-SERVERS.NET.
. 516864 IN NS L.ROOT-SERVERS.NET.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 6 11:53:34 2009
;; MSG SIZE rcvd: 315

and my domain:
; <<>> DiG 9.3.4-P1 <<>> domain2.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23182
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;domain2.com. IN A

;; AUTHORITY SECTION:
domain2.com. 38400 IN SOA ns1.domain2.com. admin.domain2.com. 20090429 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 6 11:57:56 2009
;; MSG SIZE rcvd: 82

[root@localhost data]# nslookup webmail.domain2.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find webmail.domain2.com: NXDOMAIN

[root@localhost data]# cat zone.*
$ttl 38400
domain2.com. IN SOA ns1.domain2.com. admin.domain2.com. (
20090429 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day

domain2.com. IN NS ns1.domain2.com.

domain2.com. IN MX 1 mx.domain2.com.

www.domain2.com. IN A xxx.xxx.xxx.xxx
ns1.domain2.com. IN A xxx.xxx.xxx.xxx
ns2.domain2.com. IN A xxx.xxx.xxx.xxx
mx.domain2.com. IN A xxx.xxx.xxx.xxx
node1.domain2.com. IN A xxx.xxx.xxx.xxx
webmail.domain2.com IN A xxx.xxx.xxx.xxx
mailadmin.domain2.com IN A xxx.xxx.xxx.xxx
mail.domain2.com. IN CNAME mx.domain2.com.

Last edited by bentman78; 05-06-2009 at 12:36 PM.
 
Old 05-06-2009, 07:15 PM   #6
Suncoast
Member
 
Quote:
Originally Posted by bentman78
node1.domain2.com. IN A xxx.xxx.xxx.xxx
webmail.domain2.com IN A xxx.xxx.xxx.xxx
mailadmin.domain2.com IN A xxx.xxx.xxx.xxx
mail.domain2.com. IN CNAME mx.domain2.com.
Do I see some missing dots after the .com?
 
Old 05-06-2009, 11:06 PM   #7
bentman78
Member
 
Original Poster
Quote:
Originally Posted by Suncoast
Do I see some missing dots after the .com?
You have to be kidding me. I've looked at this thousands of times; how could I have missed it?
 
Old 05-07-2009, 09:57 AM   #8
Suncoast
Member
 
Who hasn't?
 
Old 05-08-2009, 02:31 PM   #9
bentman78
Member
 
Original Poster
I'm having an issue with iptables. Here is a script I'm using to input my rules:
#!/bin/sh
#
# A shell script used to set up rules for iptables. Rules gleaned from
# various websites.
#
# References:
# www.newartisans.com/blog_files/t···bles.php

# Wipe the tables clean
iptables -F

# INPUT SIDE
# Accept all loopback input
iptables -A INPUT -i lo -p all -j ACCEPT

# Allow the three way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside
# smtp
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# http
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# pop3
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# imap
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# https
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# imaps
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# pop3s
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# ssh & sftp
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# DNS
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
# Allow pings through
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Kill all other input
iptables -A INPUT -j REJECT

# Output side
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the following ports through from outside
# smtp
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
# DNS requests
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
# DHCP/Bootstrap Protocol Server
iptables -A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
# http
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
# pop3
iptables -A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
# imap
iptables -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
# https
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
# imaps
iptables -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
# pop3s
iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
# ssh & sftp
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow pings out
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Kill all other output
iptables -A OUTPUT -j REJECT

The problem is that when I use iptables, all DNS requests to my box are blocked. I've also researched what the rules should be for allowing DNS into the server and came across this:
www.cyberciti.biz/tips/linux-ipt···-53.html, but to no avail. Does anyone see what I'm doing wrong here? Every time I disable iptables, everything works fine. Thanks in advance for your help.
 
Old 05-08-2009, 03:46 PM   #10
billymayday
LQ Guru
 
Where did you get
Code:
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
from?

Try

Code:
iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
or similar. I think you need to allow both udp and tcp for DNS.
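Added example, not part of the thread: a toy first-match model of an iptables INPUT chain, run over constructed packets, to show why the original "--sport 53 --dport 1024:65535" rule matches replies coming back from the forwarders but never a client's query to port 53, and why the replacement rules above do. The Packet and Rule types, the sample traffic and the function names are my own assumptions, not real iptables code.

```python
# Added example (not from the thread): a toy first-match model of an iptables
# INPUT chain. It shows why the posted "--sport 53 --dport 1024:65535" rule
# matches forwarder replies but never a client's query to port 53, and why
# the replacement "--dport 53" rules do.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    state: str      # conntrack state: "NEW" or "ESTABLISHED"

@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or REJECT (terminal targets only)
    proto: Optional[str] = None    # -p
    sport: Optional[range] = None  # --sport lo:hi
    dport: Optional[range] = None  # --dport lo:hi
    states: Optional[set] = None   # -m state --state ...

    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.states is None or p.state in self.states))

def ports(lo, hi=None):
    """Inclusive port range, like iptables' lo:hi syntax."""
    return range(lo, (lo if hi is None else hi) + 1)

def verdict(chain, packet, policy="ACCEPT"):
    """The first matching rule decides; otherwise the chain policy (-P) applies."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy

# The posted INPUT chain, reduced to the rules that can touch DNS traffic.
ORIGINAL_INPUT = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", proto="udp", sport=ports(53), dport=ports(1024, 65535)),  # the "# DNS" line
    Rule("REJECT"),                                                          # "Kill all other input"
]

# Same chain with the replacement rules from this post. Replies to named's own
# forwarder queries are already covered by the state rule, so matching on a
# source port of 53 (which any sender can choose) is not needed.
FIXED_INPUT = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", proto="udp", dport=ports(53)),
    Rule("ACCEPT", proto="tcp", dport=ports(53)),   # TCP for truncated answers and zone transfers
    Rule("REJECT"),
]

# Constructed sample traffic.
CLIENT_QUERY_UDP = Packet("udp", 40000, 53, "NEW")         # a client asking named
CLIENT_QUERY_TCP = Packet("tcp", 40001, 53, "NEW")         # the same, retried over TCP
FORWARDER_REPLY = Packet("udp", 53, 50000, "ESTABLISHED")  # OpenDNS answering named

def dns_verdicts(chain, policy="ACCEPT"):
    """Verdict for each sample packet under the given chain and policy."""
    return {name: verdict(chain, pkt, policy) for name, pkt in
            [("client_udp", CLIENT_QUERY_UDP), ("client_tcp", CLIENT_QUERY_TCP),
             ("forwarder_reply", FORWARDER_REPLY)]}
```

The policy argument models "iptables -P INPUT DROP": with a DROP policy and no state rule, the forwarder's reply is dropped even though the query to it was allowed out.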
 
Old 05-09-2009, 10:49 AM   #11
mpiekarski
LQ Newbie
 
Hey again,

Your records need to end with a ".". For example:

Quote:
[root@localhost data]# cat zone.*
$ttl 38400
domain2.com. IN SOA ns1.domain2.com. admin.domain2.com. (
20090429 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day

domain2.com. IN NS ns1.domain2.com.

domain2.com. IN MX 1 mx.domain2.com.

www.domain2.com. IN A xxx.xxx.xxx.xxx
ns1.domain2.com. IN A xxx.xxx.xxx.xxx
ns2.domain2.com. IN A xxx.xxx.xxx.xxx
mx.domain2.com. IN A xxx.xxx.xxx.xxx
node1.domain2.com. IN A xxx.xxx.xxx.xxx
webmail.domain2.com IN A xxx.xxx.xxx.xxx
mailadmin.domain2.com IN A xxx.xxx.xxx.xxx
mail.domain2.com. IN CNAME mx.domain2.com.
All of your other records are terminated with a . except the two you are having issues with. This is a thing that bind/named is a pain about.

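Added example, not part of the thread: a small Python emulation of how BIND qualifies owner names when it loads a zone file, which is the mechanism behind the missing-dot problem found above. The zone text is constructed to mirror the file posted in this thread with the xxx addresses replaced by 192.0.2.x placeholders, and the function names are my own.

```python
# Added example (not from the thread): emulate how BIND qualifies owner names.
# A name without a trailing "." is relative and gets the zone origin appended,
# so "webmail.domain2.com" in the domain2.com zone becomes
# webmail.domain2.com.domain2.com. and a query for webmail.domain2.com is NXDOMAIN.

# Constructed zone text mirroring the posted file (192.0.2.x are placeholder addresses).
ZONE_TEXT = """\
$ttl 38400
domain2.com. IN SOA ns1.domain2.com. admin.domain2.com. (
20090429 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day

domain2.com. IN NS ns1.domain2.com.
domain2.com. IN MX 1 mx.domain2.com.
www.domain2.com. IN A 192.0.2.10
webmail.domain2.com IN A 192.0.2.12
mailadmin.domain2.com IN A 192.0.2.13
mail.domain2.com. IN CNAME mx.domain2.com.
"""

def qualify(name, origin):
    """Absolute names (trailing dot) are kept; "@" and relative names get the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with fully qualified owners. Handles ';'
    comments, $TTL/$ORIGIN, multi-line '( ... )' rdata and blank-owner lines."""
    records, buf, depth, last_owner, inherits = [], [], 0, origin, False
    for raw in text.splitlines():
        if not buf:
            inherits = raw[:1].isspace()        # leading blank = same owner as before
        line = raw.split(";", 1)[0]             # drop comments
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue                            # still inside parentheses
        entry = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not entry:
            continue
        if entry[0].lower() == "$origin":
            origin = entry[1]
            continue
        if entry[0].startswith("$"):
            continue                            # $TTL etc. define no record
        if inherits:
            entry.insert(0, last_owner)
        owner = last_owner = qualify(entry[0], origin)
        fields = entry[1:]
        if fields and fields[0].isdigit():      # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() in ("IN", "CH", "HS"):   # optional class
            fields = fields[1:]
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME"):            # target names are qualified the same way
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        records.append((owner, rtype, rdata))
    return records

def lookup(records, qname, rtype="A"):
    """None = NXDOMAIN (name absent); [] = NOERROR with no data (name exists, no such type)."""
    qname = qname if qname.endswith(".") else qname + "."
    if not any(o == qname for o, _, _ in records):
        return None
    return [rd for o, t, rd in records if o == qname and t == rtype]

def find_unterminated(records, origin):
    """Owners that picked up the origin twice: the symptom of a missing trailing dot."""
    return [o for o, _, _ in records if o.endswith(origin + origin)]
```

Running find_unterminated over a zone before loading it is a cheap check to add next to named-checkzone; the empty list for domain2.com itself reproduces the dig output above (NOERROR, no answer, SOA in authority) rather than the NXDOMAIN seen for webmail.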
 
Old 05-09-2009, 11:11 AM   #12
mpiekarski
LQ Newbie
 
Hi,

Quote:
Originally Posted by bentman78

For your iptables rules, I think you are trying to go a little over-the-top with it. Or you are just copying verbatim someone else's rules. (Like smurf attacks... c'mon...). Perhaps you want something a little simpler. You can change the default action of a chain from ACCEPT to REJECT and then just allow whatever you want from there. It's much simpler:

Quote:
# Flush all rules
iptables -F
# Remove any old copy of the user chain so the script can be re-run (added)
iptables -X WHITELIST 2>/dev/null
########
# INPUTS
########
# Create a user-chain for whitelists (-N creates a chain; -C only checks for a rule)
iptables -N WHITELIST
# Add some stuff to it
iptables -A WHITELIST -s 127.0.0.0/8 -j ACCEPT
# ... And so on
####
# Then add that as your first rule to INPUT
iptables -A INPUT -j WHITELIST
# That will jump to your whitelist above all and then
# start going back down your INPUT chain
####
# Let replies to the server's own connections back in, e.g. answers from the
# forwarders named queries; without this the DROP policy below cuts them off (added)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow your common services
# http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# https
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# smtp (might wanna narrow this down to sources you want allowed)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# pop3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# imap
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# dns queries
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# dns Zone transfers (You probably don't need this so it's commented out)
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Change default actions
iptables -P INPUT DROP
####
# Save your rules
/etc/init.d/iptables save
This is just a quick example, but you get the point. Add your rules, then set the default action to DROP. Much easier. Just make sure you don't block stuff you need, because then you have to go to the console to change the rules. Much better than walking to a compromised box though.

iptables never has a one-size-fits-all solution, and that's why it might benefit you to read up on it a bit more. hashlimits are pretty cool, but not necessary unless you are under some serious load / attack.

Be careful changing output rules, as they can also be a pain to have to fix. And unless you know for a fact you are using ip_forward, forward can just be set to DROP as well.

Thanks.

 
  


All times are GMT -5.
