DNS server meet random ports problem?

wegadnie · 11-23-2008, 02:09 AM

I set up a DNS server for my home networking. The named service start successful but i still can not make query to Internet. Using nslookup command i got message:

[root@dns named]# nslookup
> google.com
;; Got SERVFAIL reply from 127.0.0.1, trying next server

Take a look at /var/log/messages i found that bind is working on random port but SELinux is preventing it.

Nov 23 14:56:23 dns setroubleshoot: SELinux is preventing the /usr/sbin/named (named_t) from binding to port 18006. For complete SELinux messages. run sealert -l 6d8ab655-f1f3-4b64-84c9-034621107115

I absolutely don't want bind to run on random port so in /etc/named.conf at options statement i give

options {
query-source port 53;
directory "/var/named";
};

Note that i put my DNS server behind my Router (Apple Extreme Base Station) so i forward port 53 for both TCP/UDP to my DNS server.

Please, what can i do now? Does any one has the same problem or just me.

billymayday · 11-23-2008, 02:53 AM

What distro are you using, and can you post the config?

wegadnie · 11-23-2008, 04:29 AM

I run RedHat Enterprise 5EL. The bind's version is bind-9.3.4-6.0.2.P1.el5_2. There're 4 config file so what file should i post? named.conf or named.boot. Thank for your reply on this post.

billymayday · 11-23-2008, 04:46 AM

Named.conf I expect

wegadnie · 11-23-2008, 07:02 AM

It's very simple:

options {
query-source port 53;
directory "/var/named";
};

zone "." {
type hint;
file "named.ca";
};

zone "mydomain.com" {
type master;
file "aldergood.com";
};

zone "1.168.192.in-addr.arpa" {
type master;
file "192.168.1";
};

In /etc/resolv.conf

search mydomain.com
nameserver 127.0.0.1

I hope you can help me out.

billymayday · 11-23-2008, 02:17 PM

I'm assuming that you probably don't have a supported version of RHRL5 running, so I'd make the assumption that your SELinux policies are out of date.

You can either fix these (the right way), or disable SELinux for bind (probably the wrong way, but way simpler).

First, I'd do a test without SELinix on. Run "setenforce 0" (that's zero) and try starting named.

If that works, turn it back on ("setenforce 1")

Then, follow http://www.redhat.com/docs/en-US/Red...cy-module.html, or turn off SELinux for named ("setsebool -P named_disable_trans on").

wegadnie · 11-29-2008, 01:27 AM

Thank you a lot. It works now. i can use my DNS server to query another website. BTW, how can i check whether my DNS server is an authoritative DNS server for my domain or not?

billymayday · 11-29-2008, 01:42 AM

type master makes it authoritative, as opposed to type hint.