LinuxQuestions.org
Old 06-26-2011, 12:53 AM   #1
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

BIND works internally, refused externally, on VPS name server


I am trying to set up BIND service on a VPS server. I have got it working internally, but cannot access it from external machines. I have been searching this and other sites, but none of the suggested solutions seems to work.

When I dig from the name server, I get a "Query status NOERROR" reply, but when I dig from a different server, I get a "Query status REFUSED" reply.

It does not appear to be a firewall/iptables problem - I can telnet into the server from outside on port 53. So I figure it must be a BIND configuration problem.

Relevant snippets from my named.conf file:

options {
    allow-recursion {
        localnets;
    };
    allow-query { any; };
    listen-on { 74.208.234.121; };
    directory "/var";
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";
};

...

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "localhost.rev";
};

...

zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa";
    allow-transfer {
        common-allow-transfer;
    };
};

zone "mydomain.com" {
    type master;
    file "/var/named/db.mydomain.com";
    allow-query { any; };
};

...

Any advice?
 
Old 06-26-2011, 03:07 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Hi,

Quote:
When I dig from the name server, I get a "Query status NOERROR" reply, but when I dig from a different server, I get a "Query status REFUSED" reply.
I guess you're trying to query the dns for a domain that it's not authoritative for. If that's the case, then this is the correct answer since recursion is off.
If you run dig you'll see:
Quote:
; <<>> DiG 9.8.0-P2 <<>> google.com @x.x.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21023
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com. IN A

;; Query time: 25 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Sun Jun 26 11:01:52 2011
;; MSG SIZE rcvd: 28
 
Old 06-27-2011, 12:40 AM   #3
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
Thanks for your response, bathory. I edited the named.conf file to say

allow-recursion { any; };

and restarted named. It did not change the response from dig:

[steve@qa ~]$ dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> yoursportsleague.com @ns2.yourortsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; Query time: 75 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Sun Jun 26 22:32:19 2011
;; MSG SIZE rcvd: 38

The actual server is ns2.yoursportsleague.com. It is the second Name Server specified for this domain, but not the SOA server.
 
Old 06-27-2011, 02:13 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Hi,

Quote:
; <<>> DiG 9.8.0-P2 <<>> yoursportsleague.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9725
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; ANSWER SECTION:
yoursportsleague.com. 10800 IN A 66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com. 10800 IN NS ns1.initcomp.net.
yoursportsleague.com. 10800 IN NS ns1.yoursportsleague.com.
yoursportsleague.com. 10800 IN NS ns2.yoursportsleague.com.yoursportsleague.com.

;; Query time: 766 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 27 10:04:21 2011
;; MSG SIZE rcvd: 141
1st of all, it looks like you missed the trailing dot in the NS RR above.
Now for the "REFUSED" error, I guess that ns2.yoursportsleague.com still thinks it's not authoritative for that domain, because of the error above.

Regards
 
Old 06-27-2011, 11:19 PM   #5
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
Thanks, bathory, for spotting the missing period. I fixed this and restarted named with no change in behavior.

The results of a dig using the other name server:

[steve@www ~]$ dig yoursportsleague.com @ns1.yoursportsleague.com

; <<>> DiG 9.2.4 <<>> yoursportsleague.com @ns1.yoursportsleague.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62279
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;yoursportsleaague.com. IN A

;; ANSWER SECTION:
yoursportsleague.com. 10800 IN A 66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com. 10800 IN NS ns1.yoursportsleague.com.
yoursportsleague.com. 10800 IN NS ns2.yoursportsleague.com.

;; ADDITIONAL SECTION:
ns1.yoursportsleague.com. 10800 IN A 66.117.151.102
ns2.yoursportsleague.com. 10800 IN A 74.208.234.121

;; Query time: 14 msec
;; SERVER: 66.117.151.102#53(66.117.151.102)
;; WHEN: Mon Jun 27 20:46:04 2011
;; MSG SIZE rcvd: 137

The results using the offending server:

[steve@www ~]$ dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.2.4 <<>> yoursportsleague.com @ns2.yoursportsleague.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44325
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; Query time: 74 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Mon Jun 27 21:15:36 2011
;; MSG SIZE rcvd: 36


Still getting the REFUSED response. Any other ideas?
 
Old 06-27-2011, 11:23 PM   #6
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
By the way, to check that ns2.yoursportsleague.com is listening on port 53:

[steve@www ~]$ telnet ns2.yoursportsleague.com 53
Trying 74.208.234.121...
Connected to ns2.yoursportsleague.com (74.208.234.121).
Escape character is '^]'.

As you can see, I was able to connect.
 
Old 06-28-2011, 12:31 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Hi,

Quote:
; <<>> DiG 9.8.0-P2 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 11464
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
Still there is no aa flag (authoritative) in the response and due to this the query is refused. Of course it shouldn't happen as you allow recursion (which btw is not a wise thing to do). So could you post the new named.conf?

Quote:
By the way, to check that ns2.yoursportsleague.com is listening on port 53:

[steve@www ~]$ telnet ns2.yoursportsleague.com 53
Trying 74.208.234.121...
Connected to ns2.yoursportsleague.com (74.208.234.121).
Escape character is '^]'.

As you can see, I was able to connect.
Note that dns uses udp primarily, so being able to connect to it through telnet (tcp) does not mean much.

Regards
 
Old 06-29-2011, 12:28 AM   #8
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
Here is the latest named.conf, with comments stripped out to save space:

// $Id: named.conf,v 1.1.1.1 2001/10/15 07:44:36 kap Exp $
//

options {
    allow-recursion {
        any;
    };
    allow-query { any; };
    listen-on { 74.208.234.121; };
    directory "/var";
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";

    // forward only;

    /*
    forwarders {
        127.0.0.1;
    };
    */
    // query-source address * port 53;

    // dump-file "s/named_dump.db";
};


key "rndc-key" {
    algorithm hmac-md5;
    secret "CeMgS23y0oWE20nyv0x40Q==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};


zone "." {
    type hint;
    file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "localhost.rev";
};


zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa";
    allow-transfer {
        common-allow-transfer;
    };
};

... // many other zones deleted here

zone "yoursportsleague.com" {
    type master;
    file "/var/named/db.yoursportsleague.com";
    allow-query { any; };
};

acl common-allow-transfer {
    none;
};
 
Old 06-29-2011, 12:53 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Hi,

Quote:
... // many other zones deleted here
Do these zones work? I.e. can you use this dns server to resolve any of them?

For the zone in question, turn "auth-nxdomain" to yes, to see if the server starts to answer authoritatively.
Also run:
Code:
named-checkconf -z /etc/named.conf
and see if the zone is loaded
 
Old 06-29-2011, 12:06 PM   #10
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
I set auth-nxdomain to yes and verified that all the zones were loaded. None of them resolve externally. iptables reports that port 53 is allowed for udp as well as tcp. No change:

C:\dig>dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.5.0-P2 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; Query time: 94 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Wed Jun 29 09:14:58 2011
;; MSG SIZE rcvd: 38

I am not clear why I still get the recursion warning. At this point my frustration level is rather severe...
 
Old 06-29-2011, 01:58 PM   #11
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Hi,

It's not a firewall problem, or else you'd get a "connection timed out; no servers could be reached".
The problem is either the "recursion" or the "allow-query", that according to the config you posted are correct!!!! Anyway, can you remove all comments and the allow-recursion, allow-query, listen-on, auth-nxdomain and the acl directives, stop named and start it again. I'm also baffled why it does not respond authoritatively and denies recursion.
Also, what do you mean that it's working internally?
BTW, do you see something in the logs under /var/log? You may set up bind logging for more detailed logs, or use tcpdump to view packets.

Regards
 
Old 07-01-2011, 05:24 PM   #12
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
Works internally means that if I run dig on the server itself, it works:

[root@s15495435 ~]# dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;yoursportsleague.com. IN A

;; ANSWER SECTION:
yoursportsleague.com. 10485 IN A 66.117.151.102

;; AUTHORITY SECTION:
yoursportsleague.com. 10485 IN NS ns2.yoursportsleague.com.
yoursportsleague.com. 10485 IN NS ns1.yoursportsleague.com.

;; Query time: 1 msec
;; SERVER: 74.208.234.121#53(74.208.234.121)
;; WHEN: Fri Jul 1 17:22:52 2011
;; MSG SIZE rcvd: 90

So here is the latest (complete) named.conf:


options {
    directory "/var";
    pid-file "/var/run/named/named.pid";
};

zone "." {
    type hint;
    file "named.root";
};

zone "mybaseballleague.com" {
    type master;
    file "/var/named/db.mybaseballleague.com";
    allow-query { any; };
};

zone "mybasketballleague.com" {
    type master;
    file "/var/named/db.mybasketballleague.com";
    allow-query { any; };
};

zone "myfieldhockeyleague.com" {
    type master;
    file "/var/named/db.myfieldhockeyleague.com";
    allow-query { any; };
};

zone "myfootballleague.com" {
    type master;
    file "/var/named/db.myfootballleague.com";
    allow-query { any; };
};

zone "myfutsalleague.com" {
    type master;
    file "/var/named/db.myfutsalleague.com";
    allow-query { any; };
};

zone "mylacrosseleague.com" {
    type master;
    file "/var/named/db.mylacrosseleague.com";
    allow-query { any; };
};

zone "myponyleague.com" {
    type master;
    file "/var/named/db.myponyleague.com";
    allow-query { any; };
};

zone "mysoccerleague.com" {
    type master;
    file "/var/named/db.mysoccerleague.com";
    allow-query { any; };
};

zone "mysoftballleague.com" {
    type master;
    file "/var/named/db.mysoftballleague.com";
    allow-query { any; };
};

zone "myvolleyballleague.com" {
    type master;
    file "/var/named/db.myvolleyballleague.com";
    allow-query { any; };
};

zone "yoursportsleague.com" {
    type master;
    file "/var/named/db.yoursportsleague.com";
    allow-query { any; };
};
 
Old 07-04-2011, 10:28 AM   #13
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Hi,
Quote:
Works internally means that if I run dig on the server itself, it works:

[root@s15495435 ~]# dig yoursportsleague.com @ns2.yoursportsleague.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> yoursportsleague.com @ns2.yoursportsleague.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
...
It works, but it's not responding authoritatively (still no aa flag).
Remove or comment out the allow-query directive(s) and check logs, because your config is correct and it should work for anyone.
Are you sure this is the correct named.conf file? What is the output of
Code:
ps -ef|grep named
Regards
 
Old 07-05-2011, 12:58 AM   #14
steve willett
LQ Newbie
 
Registered: Sep 2010
Posts: 11

Original Poster
[root@s15495435 ~]# ps -ef|grep named
root 18262 18214 0 23:46 pts/0 00:00:00 grep named
named 20365 1 0 Jul01 ? 00:00:05 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root

So apparently it is using this named.conf file.

The /var/log/messages file is not very helpful - here is the very tail of the file:

Jul 5 00:52:05 s15495435 named[20365]: client 161.53.160.3#34842: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:06 s15495435 named[20365]: client 161.53.123.3#42581: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:11 s15495435 named[20365]: client 207.69.195.67#53: query (cache) 'mysoccerleague.com/MX/IN' denied
Jul 5 00:53:08 s15495435 named[20365]: client 202.7.166.178#11442: query (cache) 'mysoccerleague.com/A/IN' denied
Jul 5 00:53:08 s15495435 named[20365]: client 202.7.166.178#16412: query (cache) 'mysoccerleague.com/A/IN' denied
Jul 5 00:53:17 s15495435 named[20365]: client 69.252.96.7#22567: query (cache) 'www.mysoccerleague.com/A/IN' denied
Jul 5 00:53:20 s15495435 named[20365]: client 207.46.200.44#62494: query (cache) 'my-hockey-league.com/A/IN' denied
Jul 5 00:55:35 s15495435 named[20365]: client 74.125.38.82#48519: query (cache) 'server1.mysoccerleague.com/A/IN' denied

The server is getting hit a lot, since it is one of two authoritative DNS servers for these domains.
 
Old 07-05-2011, 04:19 AM   #15
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Quote:
root 18262 18214 0 23:46 pts/0 00:00:00 grep named
named 20365 1 0 Jul01 ? 00:00:05 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
Since you're running named chrooted, /etc/named.conf should be a symlink to /var/named/run-root/etc/named.conf.
How did you install bind and what distro are you using? There are 2 "-u named" options above and the chroot directory is not a default one, so I guess you didn't use your distro's package manager to install it.
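The two clues in posts #14 and #15 can be checked mechanically: the `ps` line tells you which named.conf the running (chrooted) named actually reads, and the `query (cache) ... denied` log lines show that named is treating names it should serve authoritatively as cache lookups, i.e. those zones are not loaded in the running instance. The script below is an added example, not code from the thread; the ps line, log lines and zone list are constructed from what was posted, and the BIND log format and `-t`/`-c` semantics are as documented for BIND 9.

```python
import re
import shlex
from collections import Counter

# Constructed sample input modelled on post #14 (ps output of the running named).
PS_LINE = ("named 20365 1 0 Jul01 ? 00:00:05 /usr/sbin/named -u named "
           "-c /etc/named.conf -u named -t /var/named/run-root")

# Constructed log lines in the format named writes to /var/log/messages.
LOG_LINES = """\
Jul 5 00:52:05 s15495435 named[20365]: client 161.53.160.3#34842: query (cache) 'server1.mybaseballleague.com/A/IN' denied
Jul 5 00:52:11 s15495435 named[20365]: client 207.69.195.67#53: query (cache) 'mysoccerleague.com/MX/IN' denied
Jul 5 00:53:20 s15495435 named[20365]: client 207.46.200.44#62494: query (cache) 'my-hockey-league.com/A/IN' denied
""".splitlines()

# Zones the admin believes are declared "type master" in named.conf (subset, constructed).
CONFIGURED_ZONES = {"mybaseballleague.com", "mysoccerleague.com", "yoursportsleague.com"}

def effective_config_path(ps_cmdline):
    """Path named really opens: the -c argument, resolved inside the -t chroot if one is set."""
    argv = shlex.split(ps_cmdline)
    conf, chroot = "/etc/named.conf", None      # BIND's default when -c is absent
    for i, tok in enumerate(argv):
        if tok == "-c" and i + 1 < len(argv):
            conf = argv[i + 1]
        elif tok == "-t" and i + 1 < len(argv):
            chroot = argv[i + 1]
    if chroot is None:
        return conf
    return chroot.rstrip("/") + "/" + conf.lstrip("/")

DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/IN' denied")

def zone_for(qname, zones):
    """Longest configured zone that contains qname, or None if no configured zone does."""
    name = qname.rstrip(".").lower()
    best = None
    for z in zones:
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best

def denied_cache_queries(log_lines, zones):
    """Count 'query (cache) ... denied' events per configured zone.

    named only logs a *cache* denial for a name that lies outside every loaded
    authoritative zone. A non-zero count for a zone you declared as master means
    the running named never loaded it, so check effective_config_path() first."""
    counts = Counter()
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            counts[zone_for(m["qname"], zones) or "<not configured>"] += 1
    return counts
```

Run it against your own `ps -ef | grep named` line and the tail of /var/log/messages; if the effective path differs from the file you have been editing, that file is the one named-checkconf must be pointed at.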
 