LinuxQuestions.org


steve willett 06-26-2011 12:53 AM

BIND works internally, refused externally, on VPS name server
 
I am trying to set up BIND service on a VPS server. I have got it working internally, but cannot access it from external machines. I have been searching this and other sites, but none of the suggested solutions seems to work.

When I dig from the name server, I get a "Query status NOERROR" reply, but when I dig from a different server, I get a "Query status REFUSED" reply.

It does not appear to be a firewall/iptables problem - I can telnet into the server from outside on port 53. So I figure it must be a BIND configuration problem.

Relevant snippets from my named.conf file:

options {
allow-recursion {
localnets;
};
allow-query { any; };
listen-on {74.208.234.121; };
directory "/var";
auth-nxdomain no;
pid-file "/var/run/named/named.pid";
};

...

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};

...

zone "0.168.192.in-addr.arpa" {
type master;
file "0.168.192.in-addr.arpa";
allow-transfer {
common-allow-transfer;
};
};

zone "mydomain.com" {
type master;
file "/var/named/db.mydomain.com";
allow-query { any; };
};

...

Any advice?

bathory 06-26-2011 03:07 AM

Hi,

Quote:

When dig from the name server, I get a "Query status NOERROR" reply, but when I dig from a different server, I get a "Query status REFUSED" reply.
I guess you're trying to query the dns for a domain that it's not authoritative for. If that's the case, then this is the correct answer since recursion is off.
If you run dig you'll see:
Quote:

; <<>> DiG 9.8.0-P2 <<>> google.com @x.x.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21023
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com. IN A

;; Query time: 25 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Sun Jun 26 11:01:52 2011
;; MSG SIZE rcvd: 28

steve willett 06-27-2011 12:40 AM

Thanks for your response, bathory. I edited the named.conf file to say

allow-recursion { any; };

and restarted named. It did not change the response from dig:

[steve@qa ~]$ dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> yoursportsleague.com @ns2.yourortsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; Query time: 75 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Sun Jun 26 22:32:19 2011
;; MSG SIZE rcvd: 38

The actual server is ns2.yoursportsleague.com. It is the second Name Server specified for this domain, but not the SOA server.

bathory 06-27-2011 02:13 AM

Hi,

Quote:

; <<>> DiG 9.8.0-P2 <<>> yoursportsleague.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9725
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; ANSWER SECTION:
yoursportsleague.com. 10800 IN A 66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com. 10800 IN NS ns1.initcomp.net.
yoursportsleague.com. 10800 IN NS ns1.yoursportsleague.com.
yoursportsleague.com. 10800 IN NS ns2.yoursportsleague.com.yoursportsleague.com.

;; Query time: 766 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 27 10:04:21 2011
;; MSG SIZE rcvd: 141
First of all, it looks like you missed the trailing dot in the NS RR above.
Now for the "REFUSED" error, I guess that ns2.yoursportsleague.com still thinks it's not authoritative for that domain, because of the error above.

Regards

steve willett 06-27-2011 11:19 PM

Thanks, bathory, for spotting the missing period. I fixed this and restarted named with no change in behavior.

The results of a dig using the other name server:

[steve@www ~]$ dig yoursportsleague.com @ns1.yoursportsleague.com

; <<>> DiG 9.2.4 <<>> yoursportsleague.com @ns1.yoursportsleague.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62279
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;yoursportsleaague.com. IN A

;; ANSWER SECTION:
yoursportsleague.com. 10800 IN A 66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com. 10800 IN NS ns1.yoursportsleague.com.
yoursportsleague.com. 10800 IN NS ns2.yoursportsleague.com.

;; ADDITIONAL SECTION:
ns1.yoursportsleague.com. 10800 IN A 66.117.151.102
ns2.yoursportsleague.com. 10800 IN A 74.208.234.121

;; Query time: 14 msec
;; SERVER: 66.117.151.102#53(66.117.151.102)
;; WHEN: Mon Jun 27 20:46:04 2011
;; MSG SIZE rcvd: 137

The results using the offending server:

[steve@www ~]$ dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.2.4 <<>> yoursportsleague.com @ns2.yoursportsleague.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44325
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; Query time: 74 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Mon Jun 27 21:15:36 2011
;; MSG SIZE rcvd: 36


Still getting the REFUSED response. Any other ideas?

steve willett 06-27-2011 11:23 PM

By the way, to check that ns2.yoursportsleague.com is listening on port 53:

[steve@www ~]$ telnet ns2.yoursportsleague.com 53
Trying 74.208.234.121...
Connected to ns2.yoursportsleague.com (74.208.234.121).
Escape character is '^]'.

As you can see, I was able to connect.

bathory 06-28-2011 12:31 AM

Hi,

Quote:

; <<>> DiG 9.8.0-P2 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 11464
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
Still there is no aa flag (authoritative) in the response and due to this the query is refused. Of course it shouldn't happen as you allow recursion (which btw is not a wise thing to do). So could you post the new named.conf?

Quote:

By the way, to check that ns2.yoursportsleague.com is listening on port 53:

[steve@www ~]$ telnet ns2.yoursportsleague.com 53
Trying 74.208.234.121...
Connected to ns2.yoursportsleague.com (74.208.234.121).
Escape character is '^]'.

As you can see, I was able to connect.
Note that dns uses udp primarily, so being able to connect to it through telnet (tcp) does not mean much.

Regards
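
The two diagnoses above (a REFUSED status when the server is neither authoritative nor willing to recurse, and a NOERROR answer that still lacks the aa flag) can be applied mechanically. The following is an added example, not code posted by anyone in this thread: it classifies a dig transcript by its status line and header flags, and can optionally run dig itself with +norecurse against each listed name server. The three sample headers are constructed, modelled on the dig output quoted in the thread.

```python
"""Classify dig output by response status and the aa/ra header flags."""
import re
import subprocess

# Constructed samples: the three header shapes that appear in the thread.
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44325
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""
SAMPLE_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
"""
SAMPLE_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62279
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

STATUS_RE = re.compile(r"status: ([A-Z]+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)


def parse_header(text):
    """Return (status, set_of_flags) from a dig transcript; raise if no header."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def classify(text):
    """Map a dig transcript to (verdict, explanation).

    AUTHORITATIVE     : NOERROR with aa set, what a listed NS must return.
    NON_AUTHORITATIVE : NOERROR without aa; the server answered from cache or
                        by recursing, so it does not hold the zone itself.
    REFUSED           : the server neither holds the zone nor will recurse for
                        this client (what the thread sees from outside).
    """
    status, flags = parse_header(text)
    if status == "NOERROR" and "aa" in flags:
        return "AUTHORITATIVE", "answer carries aa: zone is loaded and served"
    if status == "NOERROR":
        return ("NON_AUTHORITATIVE",
                "answer lacks aa: served from cache/recursion, so this server "
                "does not load the zone as master")
    if status == "REFUSED":
        return ("REFUSED",
                "not authoritative and recursion denied for this client; "
                "check that the running named actually loads the zone")
    return "OTHER", f"status {status}"


def query(name, server, timeout=5):
    """Run dig +norecurse against one server and classify the result.

    +norecurse asks the server not to resolve on our behalf, so an aa answer
    can only come from a zone the server itself loads. Needs dig on PATH and
    network access; the offline samples above do not go through this path.
    """
    out = subprocess.run(
        ["dig", "+norecurse", f"+time={timeout}", name, f"@{server}"],
        capture_output=True, text=True, check=False,
    ).stdout
    if "no servers could be reached" in out:
        return "UNREACHABLE", "timeout: firewall, or named not listening on UDP/TCP 53"
    return classify(out)


def check_all_nameservers(name, servers):
    """Classify every listed NS; a healthy zone returns AUTHORITATIVE from each."""
    return {s: query(name, s) for s in servers}


if __name__ == "__main__":
    for label, sample in (("external", SAMPLE_REFUSED),
                          ("internal", SAMPLE_CACHED),
                          ("ns1", SAMPLE_AUTH)):
        print(label, *classify(sample))
```

Run `check_all_nameservers("example.com", ["ns1.example.com", "ns2.example.com"])` for a real zone; any server that comes back NON_AUTHORITATIVE or REFUSED is one that is listed in the delegation but is not actually serving the zone, which is exactly the state ns2 is in here.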

steve willett 06-29-2011 12:28 AM

Here is the latest named.conf, with comments stripped out to save space:

// $Id: named.conf,v 1.1.1.1 2001/10/15 07:44:36 kap Exp $
//

options {
allow-recursion {
any;
};
allow-query { any; };
listen-on {74.208.234.121; };
directory "/var";
auth-nxdomain no;
pid-file "/var/run/named/named.pid";

// forward only;

/*
forwarders {
127.0.0.1;
};
*/
// query-source address * port 53;

// dump-file "s/named_dump.db";
};


key "rndc-key" {
algorithm hmac-md5;
secret "CeMgS23y0oWE20nyv0x40Q==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};


zone "." {
type hint;
file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};


zone "0.168.192.in-addr.arpa" {
type master;
file "0.168.192.in-addr.arpa";
allow-transfer {
common-allow-transfer;
};
};

... // many other zones deleted here

zone "yoursportsleague.com" {
type master;
file "/var/named/db.yoursportsleague.com";
allow-query { any; };
};

acl common-allow-transfer {
none;
};

bathory 06-29-2011 12:53 AM

Hi,

Quote:

... // many other zones deleted here
Do these zones work? I.e. can you use this dns server to resolve any of them?

For the zone in question, turn "auth-nxdomain" to yes, to see if the server starts to answer authoritatively.
Also run:
Code:

named-checkconf -z /etc/named.conf
and see if the zone is loaded

steve willett 06-29-2011 12:06 PM

I set auth-nxdomain to yes and verified that all the zones were loaded. None of them resolve externally. iptables reports that port 53 is allowed for udp as well as tcp. No change:

C:\dig>dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.5.0-P2 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; Query time: 94 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Wed Jun 29 09:14:58 2011
;; MSG SIZE rcvd: 38

I am not clear why I still get the recursion warning. At this point my frustration level is rather severe...

bathory 06-29-2011 01:58 PM

Hi,

It's not a firewall problem, or else you'd get a "connection timed out; no servers could be reached"
The problem is either the "recursion" or the "allow-query", that according to the config you posted are correct!!!! Anyway, can you remove all comments and the allow-recursion, allow-query, listen-on, auth-nxdomain and the acl directives, stop named and start it again. I'm also baffled why it does not respond authoritatively and denies recursion.
Also what do you mean that it's working internally?
BTW do you see something in the logs under /var/log? You may setup bind logging for more detailed logs, or use tcpdump to view packets

Regards

steve willett 07-01-2011 05:24 PM

Works internally means that if I run dig on the server itself, it works:

[root@s15495435 ~]# dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; ANSWER SECTION:
yoursportsleague.com. 10485 IN A 66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com. 10485 IN NS ns2.yoursportsleague.com.
yoursportsleague.com. 10485 IN NS ns1.yoursportsleague.com.

;; Query time: 1 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Fri Jul 1 17:22:52 2011
;; MSG SIZE rcvd: 90

So here is the latest (complete) named.conf:


options {
directory "/var";
pid-file "/var/run/named/named.pid";
};

zone "." {
type hint;
file "named.root";
};

zone "mybaseballleague.com" {
type master;
file "/var/named/db.mybaseballleague.com";
allow-query { any; };
};

zone "mybasketballleague.com" {
type master;
file "/var/named/db.mybasketballleague.com";
allow-query { any; };
};

zone "myfieldhockeyleague.com" {
type master;
file "/var/named/db.myfieldhockeyleague.com";
allow-query { any; };
};

zone "myfootballleague.com" {
type master;
file "/var/named/db.myfootballleague.com";
allow-query { any; };
};

zone "myfutsalleague.com" {
type master;
file "/var/named/db.myfutsalleague.com";
allow-query { any; };
};

zone "mylacrosseleague.com" {
type master;
file "/var/named/db.mylacrosseleague.com";
allow-query { any; };
};

zone "myponyleague.com" {
type master;
file "/var/named/db.myponyleague.com";
allow-query { any; };
};

zone "mysoccerleague.com" {
type master;
file "/var/named/db.mysoccerleague.com";
allow-query { any; };
};

zone "mysoftballleague.com" {
type master;
file "/var/named/db.mysoftballleague.com";
allow-query { any; };
};

zone "myvolleyballleague.com" {
type master;
file "/var/named/db.myvolleyballleague.com";
allow-query { any; };
};

zone "yoursportsleague.com" {
type master;
file "/var/named/db.yoursportsleague.com";
allow-query { any; };
};

bathory 07-04-2011 10:28 AM

Hi,
Quote:

Works internally means that if I run dig on the server itself, it works:

[root@s15495435 ~]# dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
...
It works, but it's not responding authoritatively (still no aa flag).
Remove or comment out the allow-query directive(s) and check logs, because your config is correct and it should work for anyone.
Are you sure this is the correct named.conf file? What is the output of
Code:

ps -ef|grep named
Regards

steve willett 07-05-2011 12:58 AM

[root@s15495435 ~]# ps -ef|grep named
root 18262 18214 0 23:46 pts/0 00:00:00 grep named
named 20365 1 0 Jul01 ? 00:00:05 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root

So apparently it is using this named.conf file.

The /var/log/messages file is not very helpful - here is the very tail of the file:

Jul 5 00:52:05 s15495435 named[20365]: client 161.53.160.3#34842: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:06 s15495435 named[20365]: client 161.53.123.3#42581: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:11 s15495435 named[20365]: client 207.69.195.67#53: query (cache) 'mysoccerleague.com/MX/IN' denied
Jul 5 00:53:08 s15495435 named[20365]: client 202.7.166.178#11442: query (cache) 'mysoccerleague.com/A/IN' denied
Jul 5 00:53:08 s15495435 named[20365]: client 202.7.166.178#16412: query (cache) 'mysoccerleague.com/A/IN' denied
Jul 5 00:53:17 s15495435 named[20365]: client 69.252.96.7#22567: query (cache) 'www.mysoccerleague.com/A/IN' denied
Jul 5 00:53:20 s15495435 named[20365]: client 207.46.200.44#62494: query (cache) 'my-hockey-league.com/A/IN' denied
Jul 5 00:55:35 s15495435 named[20365]: client 74.125.38.82#48519: query (cache) 'server1.mysoccerleague.com/A/IN' denied

The server is getting hit a lot, since it is one of two authoritative DNS servers for these domains.
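
The log lines above say more than they seem to: named logs each of these as a "query (cache)", i.e. it is handling a name inside a zone that named.conf declares as master as a cache lookup, which means the running instance has not loaded that zone at all. The following is an added example, not code from this thread: it parses the denied-query lines posted above, maps each queried name onto the zone list taken from the posted named.conf, and reports which configured zones are being treated as cache lookups. The log lines and zone names are the ones from the thread; the regular expression is written for this log format and is an assumption for other BIND versions.

```python
"""Compare BIND 'query ... denied' log lines with the zones named.conf declares."""
import re
from collections import Counter

# Log lines as posted in the thread.
LOG_LINES = """\
Jul 5 00:52:05 s15495435 named[20365]: client 161.53.160.3#34842: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:06 s15495435 named[20365]: client 161.53.123.3#42581: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:11 s15495435 named[20365]: client 207.69.195.67#53: query (cache) 'mysoccerleague.com/MX/IN' denied
Jul 5 00:53:08 s15495435 named[20365]: client 202.7.166.178#11442: query (cache) 'mysoccerleague.com/A/IN' denied
Jul 5 00:53:08 s15495435 named[20365]: client 202.7.166.178#16412: query (cache) 'mysoccerleague.com/A/IN' denied
Jul 5 00:53:17 s15495435 named[20365]: client 69.252.96.7#22567: query (cache) 'www.mysoccerleague.com/A/IN' denied
Jul 5 00:53:20 s15495435 named[20365]: client 207.46.200.44#62494: query (cache) 'my-hockey-league.com/A/IN' denied
Jul 5 00:55:35 s15495435 named[20365]: client 74.125.38.82#48519: query (cache) 'server1.mysoccerleague.com/A/IN' denied
""".splitlines()

# Master zones from the posted named.conf.
CONFIGURED_ZONES = [
    "mybaseballleague.com", "mybasketballleague.com", "myfieldhockeyleague.com",
    "myfootballleague.com", "myfutsalleague.com", "mylacrosseleague.com",
    "myponyleague.com", "mysoccerleague.com", "mysoftballleague.com",
    "myvolleyballleague.com", "yoursportsleague.com",
]

# Matches "client A.B.C.D#port: query (cache) 'name/type/class' denied";
# the "(cache)" part is optional so plain allow-query denials parse too.
DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query (?:\((?P<kind>\w+)\) )?'(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)


def parse_denied(lines):
    """Return one dict per parsable denied-query line."""
    records = []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def zone_for(qname, zones):
    """Longest configured zone that contains qname, or None if it falls outside all of them."""
    best = None
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def summarise(records, zones):
    """Return (cache_lookups_per_configured_zone, names_outside_any_zone).

    A denied "(cache)" query for a name inside a declared master zone means the
    running named never loaded that zone: the config being edited is not the
    one in effect, or the zone failed to load.
    """
    in_zone, outside = Counter(), Counter()
    for rec in records:
        zone = zone_for(rec["qname"], zones)
        if zone is None:
            outside[rec["qname"]] += 1
        elif rec["kind"] == "cache":
            in_zone[zone] += 1
    return in_zone, outside


def top_clients(records, n=3):
    """Most frequent source addresses, useful for telling resolvers from scanners."""
    return Counter(rec["client"] for rec in records).most_common(n)


if __name__ == "__main__":
    recs = parse_denied(LOG_LINES)
    in_zone, outside = summarise(recs, CONFIGURED_ZONES)
    for zone, count in in_zone.items():
        print(f"{zone}: {count} queries handled as cache lookups -> zone not loaded")
    for name, count in outside.items():
        print(f"{name}: {count} queries, name not in any configured zone")
```

Anything reported in the first group is a zone the server is supposed to be authoritative for but is not serving; names in the second group (here my-hockey-league.com) are simply not in the config and a denial for them is expected.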

bathory 07-05-2011 04:19 AM

Quote:

root 18262 18214 0 23:46 pts/0 00:00:00 grep named
named 20365 1 0 Jul01 ? 00:00:05 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
Since you're running named chrooted, /etc/named.conf should be a symlink to /var/named/run-root/etc/named.conf.
How did you install bind and what distro are you using? There are 2 "-u named" options above and the chroot directory is not a default one, so I guess you didn't use your distro's package manager to install it.
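
The point about the chroot is the one worth checking first, because it explains every symptom so far: with `-t /var/named/run-root`, the `-c /etc/named.conf` argument is resolved inside the chroot, so the file actually read is /var/named/run-root/etc/named.conf and edits to the host's /etc/named.conf change nothing unless the two are the same file. The following is an added example, not code from this thread: it parses the ps line posted above, computes the config path named is really using, flags the duplicated -u option, and can compare the two paths on a live system. The default path /etc/named.conf used when -c is absent is an assumption.

```python
"""Work out which named.conf a chrooted named process is really reading."""
import os
import shlex

# The ps -ef line posted in the thread.
PS_LINE = ("named 20365 1 0 Jul01 ? 00:00:05 /usr/sbin/named -u named "
           "-c /etc/named.conf -u named -t /var/named/run-root")


def named_options(ps_line):
    """Extract -c, -t and every -u value from the CMD part of a ps -ef line."""
    fields = shlex.split(ps_line)
    # CMD starts at the first field that looks like the named executable.
    start = next((i for i, f in enumerate(fields) if f.endswith("/named")), 0)
    argv = fields[start:]
    opts = {"config": None, "chroot": None, "users": []}
    i = 1
    while i < len(argv):
        flag, value = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if flag == "-c":
            opts["config"] = value
        elif flag == "-t":
            opts["chroot"] = value
        elif flag == "-u":
            opts["users"].append(value)
        else:
            i += 1
            continue
        i += 2
    return opts


def effective_config_path(ps_line, default_conf="/etc/named.conf"):
    """Path of the config file as seen from the host, chroot applied."""
    opts = named_options(ps_line)
    conf = opts["config"] or default_conf  # assumed compiled-in default
    if opts["chroot"]:
        return os.path.join(opts["chroot"], conf.lstrip("/"))
    return conf


def findings(ps_line):
    """Human-readable observations about the running instance."""
    opts = named_options(ps_line)
    notes = []
    if len(opts["users"]) > 1:
        notes.append(f"-u given {len(opts['users'])} times; not how a packaged init script starts named")
    if opts["chroot"]:
        host_conf = opts["config"] or "/etc/named.conf"
        notes.append(
            f"chrooted to {opts['chroot']}: named reads {effective_config_path(ps_line)}, "
            f"not {host_conf}, unless the two are the same file"
        )
    return notes


def host_file_is_effective(ps_line, default_conf="/etc/named.conf"):
    """True when the host config and the in-chroot config are the same inode.

    Only meaningful on the server itself; returns False if either path is missing.
    """
    opts = named_options(ps_line)
    host_conf = opts["config"] or default_conf
    try:
        return os.path.samefile(host_conf, effective_config_path(ps_line, default_conf))
    except OSError:
        return False


if __name__ == "__main__":
    print("effective config:", effective_config_path(PS_LINE))
    for note in findings(PS_LINE):
        print("-", note)
```

On the server, `host_file_is_effective(PS_LINE)` returning False while the host's /etc/named.conf is the one being edited is the mismatch being described here; the fix is to edit the file inside the chroot, or to make the host path a symlink to it as the packaged setups do.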

