DNS - No servers could be reached
Hi, I've tried to do extensive searching on the web, including this site but I haven't found anything quite related to what I am experiencing. Here is the situation:
What I have:

Windows XP on PC workstation
Windows XP on Laptop workstation
VM Centos 5.1 on Laptop (As my DNS server - ns1)
VM Centos 5.1 on Laptop

I have set up my zone files and am able to connect to internet, ping, and nslookup both local hosts as well as google.com etc. I am only able to accomplish this on ns1. Once I try to configure /etc/resolv.conf on my centos host, I cannot reach ns1. I have set ns1 as my DNS server and cannot, therefore, connect to the internet. /var/log/messages tells me that my host is trying to find /etc/named.conf when booting named. From what I understand, my hosts should not need named.conf or any of the other zone files to query ns1.

1) Is this correct?
2) How do I configure my host to bypass searching for /etc/named.conf when booting named? Or is this even necessary?

Now I also have the same issue when trying to set up ns1 as the DNS server for either one of my Windows workstations. I cannot ping and nslookup gives me the error "cannot find server name for address...DNS request timed out." I have disabled selinux on both centos machines and set my firewalls on my windows workstations to allow these ips. All machines can ping each other so I am pretty sure this issue is not a firewall issue. What do you gurus suggest?
What does /etc/resolv.conf look like on ns1. What does it look like on the other CentOS VM? What does /etc/hosts look like on ns1? Where are you storing your zone files and how does named know where to find them? You should probably have an /etc/named.conf file that contains your zone and which file to use for hosts in that zone.
If you are starting the named service, of course it needs its config file. named.conf is not a zone file - it's a config for named (aka bind). named.conf will then tell named what zone files you have and where they are.
If you used the default package for named on CentOS, it's probably the chrooted version, so in fact, named will be looking in /var/named/chroot/etc for named.conf.
billy...the reason I know that it is looking for /etc/named.conf is through the syslog in /var/log/messages that tells me the error when I run named. I also get the same "connection timed out; no servers could be reached."
centos: this is resolv.conf on ns1:
Code:
[edgambite@ns1 ~]$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search makmar.org
nameserver 192.168.2.172
[edgambite@ns1 ~]$
/etc/hosts:
Code:
[root@ns1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
::1 localhost.localdomain localhost ns1
/etc/resolv.conf on my centos host is:
Code:
search makmar.org
nameserver 192.168.2.172
My zone files are stored in the right place because ns1 functions properly in DNS nslookup, ping, internet, etc.
Named thinks it's looking in /etc if it's chrooted, but will actually be looking in /var/named/chroot/etc
Can you post
Code:
# cat /etc/sysconfig/named
Code:
[root@ns1 ~]# cat /etc/sysconfig/named
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/some/where"  --  will run named in a chroot environment.
#                            you must set up the chroot environment
#                            (install the bind-chroot package) before
#                            doing this.
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# ENABLE_ZONE_WRITE=yes  --  If SELinux is disabled, then allow named to write
#                            its zone files and create files in its $ROOTDIR/var/named
#                            directory, necessary for DDNS and slave zone transfers.
#                            Slave zones should reside in the $ROOTDIR/var/named/slaves
#                            directory, in which case you would not need to enable zone
#                            writes. If SELinux is enabled, you must use only the
#                            'named_write_master_zones' variable to enable zone writes.
#
# ENABLE_SDB=yes         --  This enables use of 'named_sdb', which has support
#                        --  for the ldap, pgsql and dir zone database backends
#                        --  compiled in, to be used instead of named.
#
# DISABLE_NAMED_DBUS=[1y]--  If NetworkManager is enabled in any runlevel, then
#                            the initscript will by default enable named's D-BUS
#                            support with the named -D option. This setting disables
#                            this behavior.
#
ROOTDIR=/var/named/chroot

This is on the host. Should I even need named.conf for a resolver?
A sample of what your named.conf file should look like is this:
Code:
options {
    directory "/var/named";
    heartbeat-interval 1440;
};

zone "makmar.org" {
    type master;
    file "private.hosts";
};
Where you replace private.hosts with whatever file you are using for that zone. And it would have to be located in /var/named as bind sees it. Billy is right about the chroot thing so probably your named.conf file will be in /var/named/chroot/etc/named.conf and your private.hosts file will need to be in /var/named/chroot/var/named/private.hosts.
So it's chrooted. You may want to create a link to /etc/named.conf in /var/named/chroot/etc/named.conf
Yes if you want named to run otherwise no. What exactly do you mean by a resolver? Edit - took too long to post.
This is my /etc/named.conf on ns1:
Code:
// Bind configuration file
options {
    directory "/var/named";
    // Place additional options here.
};

zone "makmar.org" in {
    type master;
    file "db.makmar.org";
};

zone "2.168.192.in-addr.arpa" in {
    type master;
    file "db.192.168.2";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};

zone "." in {
    type hint;
    file "db.cache";
};
How do I run my hosts to query ns1 without running named on centos workstation?
Resolver is the host that is trying to query my nameserver for DNS.
Yes, exactly. My client cannot reach ns1. Nor can my windows machines.
ns1 works with recursion and all others by itself, but is unreachable for clients.
Can you ping it? Have you opened port 53 on its firewall?
Try
Code:
# telnet whatever.the.ip.is 53
and see what happens. I'll bet on the firewall blocking requests.
Unable to connect to remote host: No route to host
And yes I can ping it. Also SElinux is permissive.
I'm in support of billy on the potential firewall issue. I'm a little confused on the
Quote:
Are all of your machines in the same subnet? 192.168.2.0/24 I'm assuming?
By host I mean client. Yes all of my machines are on the same subnet. I thought named needed to be running on my client, but I'm assuming by your statement that it should not be running. I don't have to boot named, I just thought I needed to.
As far as the firewall goes, I have turned off all firewalls, including switching SElinux to permissive, and still same outcome. ns1 is unreachable.
Can you post the command and outcome of your ping results? It sounds like you can't resolve *hostname* ns1 but can reach the machine by ip with ping. Also: does the win client know to query ns1 for dns information? Post the result of
Code:
ipconfig /all
Edit the tcp/ip config tab in win to point to your dns server: ip of ns1
I think you may be right. I will post those results in a few hours at lunch.
Can you also post the contents of /etc/hosts and /etc/resolv.conf for one of your client machines, named.conf from the nameserver, and the output of
Code:
# netstat -nalp | grep :53
ping from slave (a client) to ns1
Code:
[root@slave ~]# ping 192.168.2.172
PING 192.168.2.172 (192.168.2.172) 56(84) bytes of data.
64 bytes from 192.168.2.173: icmp_seq=1 ttl=64 time=3.57 ms
64 bytes from 192.168.2.173: icmp_seq=2 ttl=64 time=1.96 ms
64 bytes from 192.168.2.173: icmp_seq=3 ttl=64 time=2.86 ms
64 bytes from 192.168.2.173: icmp_seq=4 ttl=64 time=1.39 ms

--- 192.168.2.173 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.395/2.448/3.571/0.835 ms
named.conf from ns1
Code:
[root@ns1 ~]# cat /etc/named.conf
// Bind configuration file
options {
    directory "/var/named";
    // Place additional options here.
};

zone "makmar.org" in {
    type master;
    file "db.makmar.org";
};

zone "2.168.192.in-addr.arpa" in {
    type master;
    file "db.192.168.2";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};

zone "." in {
    type hint;
    file "db.cache";
};
ipconfig/all for windows machine:
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : homepc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : makmar.org

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : makmar.org
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-07-E9-DC-CF-53
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.2.172
        Lease Obtained. . . . . . . . . . : Wednesday, November 05, 2008 12:18:49 PM
        Lease Expires . . . . . . . . . . : Wednesday, November 12, 2008 12:18:49 PM

C:\Documents and Settings\Owner>
Code:
[root@ns1 ~]# netstat -nalp | grep :53
tcp        0      0 192.168.2.172:53            0.0.0.0:*                   LISTEN      3340/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      3340/named
udp        0      0 192.168.2.172:53            0.0.0.0:*                               3340/named
udp        0      0 127.0.0.1:53                0.0.0.0:*                               3340/named
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2809/avahi-daemon:
udp        0      0 :::5353                     :::*                                    2809/avahi-daemon:
[root@ns1 ~]#
/etc/resolv.conf from client
Code:
search makmar.org
nameserver 192.168.2.172
/etc/hosts
Code:
::1 localhost6.localdomain6 localhost6
127.0.0.1 localhost.localdomain localhost slave
Looks OK, although it may pay to add
Code:
acl mynet {
    127.0.0.1;
    192.168.2.0/24;
};
Try
Code:
# dig @192.168.2.172 www.google.com
Are you getting any messages in your logs?
When I perform your dig command on ns1 I receive a response with a question section, answer section and authority section all filled with google servers. When I perform the same command on my client I get "(1 server found) connection timed out; no servers could be reached."
What other logs are there besides /var/log/messages?
I would guess it's in messages.
Are you sure your firewall isn't the issue? What does "iptables -L" show?
Here is the output from iptables -L
Code:
[root@ns1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
I found the GUI firewall on ns1..turned it off, and I now have a working DNS network on all workstations.
Thank you for all of your help!!
I've always been hopeless at interpreting this output, but it doesn't look too open with that REJECT all at the end of RH-Firewall-1-INPUT.
If you are able to safely disable your firewall, flush the rules out (you can use the following script if you want) http://iptables-tutorial.frozentux.n...SH-IPTABLESTXT Otherwise, insert a rule into RH-Firewall-1-INPUT to permit port 53. See how that goes.
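As an added example (not code from this thread, and not part of CentOS or BIND), the shell script below runs the two checks that settled this case over pasted listings rather than a live system: whether the RH-Firewall-1-INPUT chain accepts udp and tcp port 53 before its final REJECT, and whether named is bound to the interface address rather than only to 127.0.0.1. The listings are constructed from the output posted above; the "after" chain and the iptables commands in the comments assume the stock CentOS 5 chain name RH-Firewall-1-INPUT that the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks over the kind of
# diagnostic output posted above (iptables -L and netstat -nalp), so the two
# conditions that decided this case can be verified from pasted listings.

# Constructed sample: the RH-Firewall-1-INPUT chain as it appears in the thread.
# Without -v, iptables -L hides the interface, so the first "ACCEPT all" line is
# the loopback rule; there is no rule for port 53 before the final REJECT.
CHAIN_AS_POSTED='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Constructed sample: the same chain after inserting the two rules a nameserver
# needs (assumed chain name from the thread):
#   iptables -I RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
#   iptables -I RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
#   service iptables save
# iptables -L prints port 53 by its service name, "domain".
CHAIN_WITH_DNS='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Constructed sample: netstat -nalp | grep :53 as posted for ns1.
NETSTAT_AS_POSTED='tcp        0      0 192.168.2.172:53            0.0.0.0:*                   LISTEN      3340/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      3340/named
udp        0      0 192.168.2.172:53            0.0.0.0:*                               3340/named
udp        0      0 127.0.0.1:53                0.0.0.0:*                               3340/named'

# dns_accepted_before_reject LISTING PROTO
# Exit 0 when an ACCEPT rule for PROTO port 53 ("domain" or "53") appears before
# the first REJECT/DROP; rules after a terminal target are never reached.
dns_accepted_before_reject() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        $1 == "REJECT" || $1 == "DROP" { exit }
        $1 == "ACCEPT" && $2 == proto && $0 ~ /dpt:(domain|53)( |$)/ { found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# named_listens_on LISTING ADDR
# Exit 0 when named has both a UDP and a TCP socket bound to ADDR:53. A server
# bound only to 127.0.0.1 answers itself but no client, the other way the
# symptoms in this thread can appear.
named_listens_on() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        $1 == "udp" && $4 == (addr ":53") && $NF ~ /named/ { u = 1 }
        $1 == "tcp" && $4 == (addr ":53") && $NF ~ /named/ { t = 1 }
        END { exit ((u && t) ? 0 : 1) }'
}

# report CHAIN_LISTING NETSTAT_LISTING ADDR: one verdict line per check.
report() {
    for p in udp tcp; do
        if dns_accepted_before_reject "$1" "$p"; then
            echo "firewall: $p/53 accepted before REJECT"
        else
            echo "firewall: $p/53 NOT accepted before REJECT (clients see 'no servers could be reached')"
        fi
    done
    if named_listens_on "$2" "$3"; then
        echo "named: listening on $3:53 (udp and tcp)"
    else
        echo "named: not listening on $3:53 for both udp and tcp"
    fi
}

echo "== chain as posted =="
report "$CHAIN_AS_POSTED" "$NETSTAT_AS_POSTED" 192.168.2.172
echo "== chain with port 53 opened =="
report "$CHAIN_WITH_DNS" "$NETSTAT_AS_POSTED" 192.168.2.172
```

To use it on a real box, paste the output of `iptables -L RH-Firewall-1-INPUT` and `netstat -nalp | grep :53` into the two variables. Turning the firewall off entirely, as the thread's last post did, clears the symptom but leaves ns1 open on every port; inserting only the two port-53 rules is the narrower fix, and pairing it with the `acl mynet` suggested earlier via `allow-query` and `allow-recursion` in named.conf keeps the server from acting as an open resolver for anyone who can reach it.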