BIND works internally, refused externally, on VPS name server
I am trying to set up BIND service on a VPS server. I have got it working internally, but cannot access it from external machines. I have been searching this and other sites, but none of the suggested solutions seems to work.
When I dig from the name server, I get a "Query status NOERROR" reply, but when I dig from a different server, I get a "Query status REFUSED" reply. It does not appear to be a firewall/iptables problem - I can telnet into the server from outside on port 53. So I figure it must be a BIND configuration problem. Relevant snippets from my named.conf file:
Code:
options {
    allow-recursion { localnets; };
    allow-query { any; };
    listen-on { 74.208.234.121; };
    directory "/var";
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";
};
...
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "localhost.rev";
};
...
zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa";
    allow-transfer { common-allow-transfer; };
};
zone "mydomain.com" {
    type master;
    file "/var/named/db.mydomain.com";
    allow-query { any; };
};
...
Any advice? |
Hi,
Quote:
If you run dig you'll see: Quote:
|
Thanks for your response, bathory. I edited the named.conf file to say allow-recursion { any; }; and restarted named. It did not change the response from dig:
Code:
[steve@qa ~]$ dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> yoursportsleague.com @ns2.yourortsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com.          IN      A

;; Query time: 75 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Sun Jun 26 22:32:19 2011
;; MSG SIZE  rcvd: 38
The actual server is ns2.yoursportsleague.com. It is the second Name Server specified for this domain, but not the SOA server. |
Hi,
Quote:
Now for the "REFUSED" error, I guess that ns2.yoursportsleague.com still thinks it's not authoritative for that domain, because of the error above. Regards |
Thanks, bathory, for spotting the missing period. I fixed this and restarted named with no change in behavior.
The results of a dig using the other name server:
Code:
[steve@www ~]$ dig yoursportsleague.com @ns1.yoursportsleague.com

; <<>> DiG 9.2.4 <<>> yoursportsleague.com @ns1.yoursportsleague.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62279
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;yoursportsleaague.com.         IN      A

;; ANSWER SECTION:
yoursportsleague.com.   10800   IN      A       66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com.   10800   IN      NS      ns1.yoursportsleague.com.
yoursportsleague.com.   10800   IN      NS      ns2.yoursportsleague.com.

;; ADDITIONAL SECTION:
ns1.yoursportsleague.com. 10800 IN      A       66.117.151.102
ns2.yoursportsleague.com. 10800 IN      A       74.208.234.121

;; Query time: 14 msec
;; SERVER: 66.117.151.102#53(66.117.151.102)
;; WHEN: Mon Jun 27 20:46:04 2011
;; MSG SIZE  rcvd: 137
The results using the offending server:
Code:
[steve@www ~]$ dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.2.4 <<>> yoursportsleague.com @ns2.yoursportsleague.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44325
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com.          IN      A

;; Query time: 74 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Mon Jun 27 21:15:36 2011
;; MSG SIZE  rcvd: 36
Still getting the REFUSED response. Any other ideas? |
By the way, to check that ns2.yoursportsleague.com is listening on port 53:
Code:
[steve@www ~]$ telnet ns2.yoursportsleague.com 53
Trying 74.208.234.121...
Connected to ns2.yoursportsleague.com (74.208.234.121).
Escape character is '^]'.
As you can see, I was able to connect. |
Hi,
Quote:
Quote:
Regards |
Here is the latest named.conf, with comments stripped out to save space:
Code:
// $Id: named.conf,v 1.1.1.1 2001/10/15 07:44:36 kap Exp $
//
options {
    allow-recursion { any; };
    allow-query { any; };
    listen-on { 74.208.234.121; };
    directory "/var";
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";
    // forward only;
    /* forwarders { 127.0.0.1; }; */
    // query-source address * port 53;
    // dump-file "s/named_dump.db";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "CeMgS23y0oWE20nyv0x40Q==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." {
    type hint;
    file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "localhost.rev";
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa";
    allow-transfer { common-allow-transfer; };
};
...
// many other zones deleted here
zone "yoursportsleague.com" {
    type master;
    file "/var/named/db.yoursportsleague.com";
    allow-query { any; };
};
acl common-allow-transfer { none; }; |
Hi,
Quote:
For the zone in question, turn "auth-nxdomain" to yes, to see if the server starts to answer authoritatively. Also run: Code:
named-checkconf -z /etc/named.conf |
I set auth-nxdomain to yes and verified that all the zones were loaded. None of them resolve externally. iptables reports that port 53 is allowed for udp as well as tcp. No change:
Code:
C:\dig>dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.5.0-P2 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;yoursportsleague.com.          IN      A

;; Query time: 94 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Wed Jun 29 09:14:58 2011
;; MSG SIZE  rcvd: 38
I am not clear why I still get the recursion warning. At this point my frustration level is rather severe... |
Hi,
It's not a firewall problem, or else you'd get a "connection timed out; no servers could be reached". The problem is either the "recursion" or the "allow-query", which according to the config you posted are correct!!!! Anyway, can you remove all comments and the allow-recursion, allow-query, listen-on, auth-nxdomain and the acl directives, stop named and start it again? I'm also baffled why it does not respond authoritatively and denies recursion. Also, what do you mean that it's working internally? BTW, do you see something in the logs under /var/log? You may set up bind logging for more detailed logs, or use tcpdump to view packets. Regards |
Works internally means that if I run dig on the server itself, it works:
Code:
[root@s15495435 ~]# dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com.          IN      A

;; ANSWER SECTION:
yoursportsleague.com.   10485   IN      A       66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com.   10485   IN      NS      ns2.yoursportsleague.com.
yoursportsleague.com.   10485   IN      NS      ns1.yoursportsleague.com.

;; Query time: 1 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Fri Jul 1 17:22:52 2011
;; MSG SIZE  rcvd: 90
So here is the latest (complete) named.conf:
Code:
options {
    directory "/var";
    pid-file "/var/run/named/named.pid";
};
zone "." { type hint; file "named.root"; };
zone "mybaseballleague.com" { type master; file "/var/named/db.mybaseballleague.com"; allow-query { any; }; };
zone "mybasketballleague.com" { type master; file "/var/named/db.mybasketballleague.com"; allow-query { any; }; };
zone "myfieldhockeyleague.com" { type master; file "/var/named/db.myfieldhockeyleague.com"; allow-query { any; }; };
zone "myfootballleague.com" { type master; file "/var/named/db.myfootballleague.com"; allow-query { any; }; };
zone "myfutsalleague.com" { type master; file "/var/named/db.myfutsalleague.com"; allow-query { any; }; };
zone "mylacrosseleague.com" { type master; file "/var/named/db.mylacrosseleague.com"; allow-query { any; }; };
zone "myponyleague.com" { type master; file "/var/named/db.myponyleague.com"; allow-query { any; }; };
zone "mysoccerleague.com" { type master; file "/var/named/db.mysoccerleague.com"; allow-query { any; }; };
zone "mysoftballleague.com" { type master; file "/var/named/db.mysoftballleague.com"; allow-query { any; }; };
zone "myvolleyballleague.com" { type master; file "/var/named/db.myvolleyballleague.com"; allow-query { any; }; };
zone "yoursportsleague.com" { type master; file "/var/named/db.yoursportsleague.com"; allow-query { any; }; }; |
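The dig transcripts in this thread carry the diagnosis in their header lines: a REFUSED with flags `qr rd` and the "recursion requested but not available" warning is what BIND returns for a name it is not authoritative for when the client is not allowed to recurse, and the internal answer above (`flags: qr rd ra`, no `aa`) was served through recursion, not from a loaded zone. The following script is an added example, not code from the thread or from BIND; it classifies a transcript by status and flags and combines the inside and outside views. The three sample transcripts are constructed to mirror the shape of the outputs posted above.

```python
import re

# Added example (not from the thread): classify a dig transcript from its
# HEADER status and flags line. The sample transcripts below are constructed
# to mirror the shape of the thread's outputs; ids and counts are arbitrary.

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*?)\s*;", re.MULTILINE)

AUTHORITATIVE = "AUTHORITATIVE"        # NOERROR + aa: answered from a loaded zone
CACHE_ANSWER = "CACHE_ANSWER"          # NOERROR, no aa: answered by recursion/cache
REFUSED_NOT_AUTH = "REFUSED_NOT_AUTH"  # REFUSED: not authoritative, recursion denied
SERVFAIL = "SERVFAIL"                  # zone configured but could not be served
OTHER = "OTHER"


def parse_dig(output):
    """Return (status, flag list) from the ;; HEADER and ;; flags lines."""
    m = STATUS_RE.search(output)
    status = m.group(1) if m else None
    f = FLAGS_RE.search(output)
    flags = f.group(1).split() if f else []
    return status, flags


def classify_dig(output):
    """Map a transcript to one of the verdict constants above."""
    status, flags = parse_dig(output)
    if status == "NOERROR" and "aa" in flags:
        return AUTHORITATIVE
    if status == "NOERROR":
        return CACHE_ANSWER
    if status == "REFUSED":
        return REFUSED_NOT_AUTH
    if status == "SERVFAIL":
        return SERVFAIL
    return OTHER


def diagnose(internal_output, external_output):
    """Combine the view from the server itself with the view from outside."""
    inside, outside = classify_dig(internal_output), classify_dig(external_output)
    if inside == CACHE_ANSWER and outside == REFUSED_NOT_AUTH:
        return ("zone not loaded as authoritative: local queries succeed only "
                "because recursion is allowed for local clients; remote clients "
                "are refused")
    if inside == AUTHORITATIVE and outside == REFUSED_NOT_AUTH:
        return "zone is loaded; a query ACL (allow-query/view) rejects remote clients"
    if inside == AUTHORITATIVE and outside == AUTHORITATIVE:
        return "healthy: authoritative answers for local and remote clients"
    return "inconclusive: inside=%s outside=%s" % (inside, outside)


# Constructed transcripts (header portion only; dig prints more below it).
EXTERNAL_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""
INTERNAL_CACHE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
"""
GOOD_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62279
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

if __name__ == "__main__":
    for label, text in (("external", EXTERNAL_REFUSED),
                        ("internal", INTERNAL_CACHE), ("ns1", GOOD_AUTH)):
        print(label, classify_dig(text))
    print(diagnose(INTERNAL_CACHE, EXTERNAL_REFUSED))
```

The `aa` flag is the check worth applying to every transcript in this thread: ns1 answers with it, ns2 never does, even from the server itself. A query that the server does not answer authoritatively can only succeed by recursion, which is exactly what `allow-recursion { localnets; }` permitted for local clients and nobody else.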
Hi,
Quote:
Remove or comment out the allow-query directive(s) and check logs, because your config is correct and it should work for anyone. Are you sure this is the correct named.conf file? What is the output of Code:
ps -ef|grep named |
Code:
[root@s15495435 ~]# ps -ef|grep named
root     18262 18214  0 23:46 pts/0    00:00:00 grep named
named    20365     1  0 Jul01 ?        00:00:05 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
So apparently it is using this named.conf file. The /var/log/messages file is not very helpful - here is the very tail of the file:
Code:
Jul  5 00:52:05 s15495435 named[20365]: client 161.53.160.3#34842: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul  5 00:52:06 s15495435 named[20365]: client 161.53.123.3#42581: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul  5 00:52:11 s15495435 named[20365]: client 207.69.195.67#53: query (cache) 'mysoccerleague.com/MX/IN' denied
Jul  5 00:53:08 s15495435 named[20365]: client 202.7.166.178#11442: query (cache) 'mysoccerleague.com/A/IN' denied
Jul  5 00:53:08 s15495435 named[20365]: client 202.7.166.178#16412: query (cache) 'mysoccerleague.com/A/IN' denied
Jul  5 00:53:17 s15495435 named[20365]: client 69.252.96.7#22567: query (cache) 'www.mysoccerleague.com/A/IN' denied
Jul  5 00:53:20 s15495435 named[20365]: client 207.46.200.44#62494: query (cache) 'my-hockey-league.com/A/IN' denied
Jul  5 00:55:35 s15495435 named[20365]: client 74.125.38.82#48519: query (cache) 'server1.mysoccerleague.com/A/IN' denied
The server is getting hit a lot, since it is one of two authoritative DNS servers for these domains. |
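The log lines above are more helpful than they look. named writes `query (cache) '...' denied` when a query was routed to the recursive/cache path and the client was not allowed to use it; a query for a name under a zone the server has loaded as master never reaches that path. Denials for the server's own zones therefore say the running named has not loaded them, while denials for foreign names are the server correctly refusing to be an open resolver. The parser below is an added example, not from the thread or from BIND; it splits the denials into those two buckets. The log lines are constructed in the same format as the ones posted above, with placeholder zone names and documentation-range client addresses.

```python
import re
from collections import Counter

# Added example (not from the thread): parse named's "query (cache) ... denied"
# lines and separate denials under our own zones from denials of foreign names.
# SAMPLE_LOG is constructed in the thread's log format with placeholder values.

LOG_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \((?P<source>[^)]+)\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' denied"
)


def parse_denied(line):
    """Return a dict for one denied-query line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["port"] = int(rec["pid"]), int(rec["port"])
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def owning_zone(name, zones):
    """Return the configured zone that `name` is at or below, else None."""
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def summarize(lines, configured_zones):
    """Count denied cache queries per configured zone and per foreign name.

    A count under a configured zone means the running named did not answer
    from that zone (it is not loaded in the running process). Foreign-name
    counts are expected on an authoritative-only server: they are refused
    recursion, which is the behaviour that keeps it from being an open resolver.
    """
    ours, foreign = Counter(), Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        zone = owning_zone(rec["name"], configured_zones)
        if zone:
            ours[zone] += 1
        else:
            foreign[rec["name"]] += 1
    return ours, foreign


SAMPLE_LOG = [
    "Jul  5 00:52:05 host named[20365]: client 198.51.100.3#34842: query (cache) 'server1.example.com/A/IN' denied",
    "Jul  5 00:52:11 host named[20365]: client 203.0.113.67#53: query (cache) 'example.com/MX/IN' denied",
    "Jul  5 00:53:17 host named[20365]: client 192.0.2.7#22567: query (cache) 'www.example.com/A/IN' denied",
    "Jul  5 00:53:20 host named[20365]: client 192.0.2.44#62494: query (cache) 'example.net/A/IN' denied",
    "Jul  5 00:55:35 host named[20365]: client 198.51.100.82#48519: query (cache) 'www.other.example/A/IN' denied",
    "Jul  5 00:55:36 host named[20365]: running",
]

if __name__ == "__main__":
    ours, foreign = summarize(SAMPLE_LOG, ["example.com", "example.net"])
    for zone, n in sorted(ours.items()):
        print("NOT SERVED FROM ZONE DATA: %s (%d denied queries)" % (zone, n))
    for name, n in sorted(foreign.items()):
        print("foreign name refused (expected): %s (%d)" % (name, n))
```

Run against a real /var/log/messages, the first bucket should be empty on a healthy authoritative server; every entry in it names a zone that named.conf claims to serve but the running process does not have.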
Quote:
How did you install bind and what distro are you using? There are 2 "-u named" options above and the chroot directory is not a default one, so I guess you didn't use your distro's package manager to install it. |
I did not install bind - this is a VPS server and it was already installed. All I did was to request that the service be activated through the Container Management Panel. I am not familiar with running "chrooted", but I moved my named.conf file to the path specified and reloaded named. Now it no longer works internally:
Code:
[root@s15495435 etc]# dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com.          IN      A

;; Query time: 18 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Tue Jul 5 19:27:05 2011
;; MSG SIZE  rcvd: 38
Is this progress? |
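With `-t /var/named/run-root` on the command line, every path in named.conf is interpreted inside that chroot: `/etc/named.conf` is really `/var/named/run-root/etc/named.conf` on the host, and a zone file given as `/var/named/db.yoursportsleague.com` is looked for at `/var/named/run-root/var/named/db.yoursportsleague.com`. Moving only named.conf into the chroot makes named see the zone definitions but not the zone files, which is one thing to check when a zone goes from "not loaded" to SERVFAIL. The script below is an added example, not from the thread and not BIND's own code; it reads the `-c`, `-t` and `-u` options off the command line ps showed and maps config and zone-file paths to host paths. The command line, the `directory "/var"` option and the two file names are the ones shown in this thread; the default config path used when `-c` is absent is an assumption.

```python
import posixpath
import shlex

# Added example (not from the thread, not BIND's own code): map the paths a
# chrooted named uses to the paths an administrator sees on the host. The
# command line and file names below are the thread's; DEFAULT_CONF is an
# assumption (the compiled-in default depends on how BIND was built).

DEFAULT_CONF = "/etc/named.conf"   # assumed default when -c is absent


def named_options(cmdline):
    """Pick -c (config), -t (chroot) and -u (user) out of a named command line.
    A repeated option keeps its last value, as a getopt-style parser would."""
    argv = shlex.split(cmdline)
    opts = {"-c": DEFAULT_CONF, "-t": None, "-u": None}
    i = 1                                   # argv[0] is the program itself
    while i < len(argv):
        if argv[i] in opts and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def host_path(chroot, path, directory="/"):
    """Path on the host for a file that named refers to as `path`.

    Inside the chroot a relative file name is resolved against the options
    'directory' setting; an absolute name is taken as-is. Either way the
    result is then prefixed with the chroot, because named's '/' is the
    chroot's root."""
    inside = path if path.startswith("/") else posixpath.join(directory, path)
    inside = posixpath.normpath(inside)
    return posixpath.normpath(chroot + inside) if chroot else inside


def effective_paths(cmdline, directory, zone_files):
    """Config path and zone file paths the running named really opens."""
    opts = named_options(cmdline)
    chroot = opts["-t"]
    return {
        "config": host_path(chroot, opts["-c"]),
        "zones": {f: host_path(chroot, f, directory) for f in zone_files},
    }


# Values from the thread: the ps line, options { directory "/var"; }, two files.
CMDLINE = "/usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root"
FILES = ["named.root", "/var/named/db.yoursportsleague.com"]

if __name__ == "__main__":
    paths = effective_paths(CMDLINE, "/var", FILES)
    print("config read by named:", paths["config"])
    for name, host in paths["zones"].items():
        print("%-40s -> %s" % (name, host))
```

The same mapping is what `named-checkconf -t /var/named/run-root -z /etc/named.conf` applies when it validates the config and loads every zone as the chrooted process would, so running it is the quickest way to confirm that the files the running instance needs are actually present under the chroot.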
Hi,
Code:
I am not familiar with running "chrooted", but I moved my named.conf file to the path specified and reloaded named. Now it no longer works internally: |