LinuxQuestions.org, Linux - Networking forum
03-06-2016, 05:25 PM   #1   MikeinSA77 (LQ Newbie)
nslookup / dig error - new RHEL 7 bind config


Hi All,
I have a new RHEL 7 installation, and I'm configuring it as a DNS server. I can get local name resolution to work, but any attempts by other systems on the same subnet fail.
-
This is a local network - 192.168.5.0/24.
RHEL/DNS is 192.168.5.51.
-
Here is an example of the error from a vCenter appliance:
vcenter:~ # nslookup rhns1
;; connection timed out; no servers could be reached

vcenter:~ # nslookup rhns1
;; connection timed out; no servers could be reached

vcenter:~ # cat /etc/resolv.conf
nameserver 192.168.5.51
vcenter:~ # ping 192.168.5.51
PING 192.168.5.51 (192.168.5.51) 56(84) bytes of data.
64 bytes from 192.168.5.51: icmp_seq=1 ttl=64 time=0.440 ms
64 bytes from 192.168.5.51: icmp_seq=2 ttl=64 time=0.636 ms
^C
--- 192.168.5.51 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.440/0.538/0.636/0.098 ms
-
And here is what it looks like from a Win 2k8 system:
C:\Users\Administrator>nslookup rhns1.wood.org
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.5.51

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\Administrator>ping 192.168.5.51

Pinging 192.168.5.51 with 32 bytes of data:
Reply from 192.168.5.51: bytes=32 time<1ms TTL=64
Reply from 192.168.5.51: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.5.51:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
-
But it works fine from localhost.
-
[root@rhns1 named]# nslookup rhns1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: rhns1.wood.org
Address: 192.168.5.51

[root@rhns1 named]# hostname
rhns1
[root@rhns1 named]# netstat -tanpl|grep named
tcp 0 0 192.168.5.51:53 0.0.0.0:* LISTEN 28463/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 28463/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 28463/named
tcp6 0 0 ::1:53 :::* LISTEN 28463/named
tcp6 0 0 ::1:953 :::* LISTEN 28463/named
[root@rhns1 named]# ifconfig -a
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.5.51 netmask 255.255.255.0 broadcast 192.168.5.255
inet6 fe80::219:d1ff:fee0:ce37 prefixlen 64 scopeid 0x20<link>
ether 00:19:d1:e0:ce:37 txqueuelen 1000 (Ethernet)
RX packets 22131 bytes 2893813 (2.7 MiB)
RX errors 0 dropped 20 overruns 0 frame 0
TX packets 6461 bytes 1025190 (1001.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 21 memory 0xdffe0000-e0000000
-
Here are my config files:
/etc/named.conf:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.5.51; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        /* allow-query { localhost; 192.168.5.0/24; }; */

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "wood.org" IN {
        type master;
        file "forward.zone";
        /* allow-update { none; }; */
};

zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.zone";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

And the forward and reverse zone files (in /var/named):
[root@rhns1 named]# cat forward.zone
; BIND data file for wood.org
$TTL 86400
@       IN      SOA     rhns1.wood.org. admin.wood.org. (
                        6       ; Serial
                        3h      ; Refresh after 3 hours
                        1h      ; Retry after 1 hour
                        1w      ; Expire after 1 week
                        1h )    ; Negative caching TTL of 1 hour
;
        IN      NS      rhns1.wood.org.
rhns1   IN      A       192.168.5.51
[root@rhns1 named]# cat reverse.zone
; BIND data file for wood.org reverse lookups.
$TTL 86400
@       IN      SOA     rhns1.wood.org. admin.wood.org. (
                        5       ; Serial
                        3h      ; Refresh after 3 hours
                        1h      ; Retry after 1 hour
                        1w      ; Expire after 1 week
                        1h )    ; Negative caching TTL of 1 hour
;
        IN      NS      rhns1.wood.org.
51      IN      PTR     rhns1.wood.org.
[root@rhns1 named]#

Thoughts?
Any more information I should gather?
Thanks in advance!
Mike
 
03-06-2016, 06:00 PM   #2   AlucardZero (Senior Member, Debian)
Is named also listening on UDP 192.168.5.51:53?
Is your firewall set to allow incoming TCP and UDP traffic on port 53?
 
03-06-2016, 06:09 PM   #3   MikeinSA77 (LQ Newbie, Original Poster)
Thanks for the reply.
UDP listener is good.
iptables is off on RHEL.

[root@rhns1 named]# netstat -uanpl|grep named
udp 0 0 192.168.5.51:53 0.0.0.0:* 28463/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 28463/named
udp6 0 0 ::1:53 :::* 28463/named
[root@rhns1 named]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

And the windows firewall is off on the Wintel box (which is also running VMware workstation, which has the virtual vCenter appliance).
-
I've also checked my router (192.168.5.1) - and no special access rules are defined.
 
03-09-2016, 12:17 PM   #4   elalexluna83 (Member)
This might be a dumb suggestion, but did you turn off firewalld?

systemctl list-unit-files | grep firewalld
systemctl list-unit-files | grep iptables

iptables -L -nv
 
03-09-2016, 12:26 PM   #5   MikeinSA77 (LQ Newbie, Original Poster)
So I decided to run a port scanner from every other computer in my house, and came to the conclusion that my RHEL 7 box was only listening on port 22.
A Google search on RHEL 7 blocked ports yielded a hit on firewalld, which is new to me, but I'm no Linux expert (yet..). After turning it off, the problem was resolved.
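The thread resolves the symptom by disabling firewalld. The script below is an added example, not code from the thread or from any of its posters: it automates the two checks AlucardZero and elalexluna83 asked for (TCP and UDP listeners on the LAN address, and whether firewalld exposes the dns service) and prints the fix that keeps the host firewall running. The function names, the sample netstat/firewall-cmd output and the exit codes are mine; the sample data is constructed to mirror the thread (named bound to 192.168.5.51, firewalld in the RHEL 7 default state with only ssh and dhcpv6-client allowed).

```shell
#!/bin/sh
# Added example, not from the thread: diagnose "named answers on localhost but
# LAN clients time out". Checks named's TCP/UDP listeners on the LAN address and
# firewalld's allowed services, then prints the fix that keeps firewalld enabled.
# Function and variable names are this example's own, not BIND's or firewalld's.

# has_listener PROTO ADDR PORT LISTING
# LISTING is `netstat -anpl`-style text, one socket per line, as pasted in the
# thread ($1 = proto, $4 = local address). Succeeds if a PROTO socket is bound
# to ADDR:PORT or to the wildcard 0.0.0.0:PORT.
has_listener() {
    proto="$1"; addr="$2"; port="$3"; listing="$4"
    printf '%s\n' "$listing" | awk -v p="$proto" -v a="$addr:$port" -v w="0.0.0.0:$port" '
        $1 == p && ($4 == a || $4 == w) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# firewall_allows_dns SERVICES PORTS
# SERVICES is the output of `firewall-cmd --list-services`, PORTS that of
# `firewall-cmd --list-ports` (both space separated). Succeeds if the dns
# service is enabled, or if 53/tcp and 53/udp are both opened explicitly.
firewall_allows_dns() {
    services="$1"; ports="$2"
    for s in $services; do
        [ "$s" = dns ] && return 0
    done
    tcp=1; udp=1
    for p in $ports; do
        [ "$p" = 53/tcp ] && tcp=0
        [ "$p" = 53/udp ] && udp=0
    done
    if [ "$tcp" -eq 0 ] && [ "$udp" -eq 0 ]; then return 0; fi
    return 1
}

# diagnose ADDR LISTING SERVICES PORTS
# Prints one verdict line. Returns 0 when LAN clients should be able to query,
# 1 when named itself is not listening on ADDR, 2 when firewalld is the blocker.
diagnose() {
    addr="$1"; listing="$2"; services="$3"; ports="$4"
    for proto in tcp udp; do
        if ! has_listener "$proto" "$addr" 53 "$listing"; then
            echo "named has no $proto listener on $addr:53 - check listen-on in named.conf"
            return 1
        fi
    done
    if ! firewall_allows_dns "$services" "$ports"; then
        echo "named listens on $addr:53 but firewalld does not allow dns; fix with:"
        echo "  firewall-cmd --permanent --add-service=dns && firewall-cmd --reload"
        return 2
    fi
    echo "named is reachable on $addr:53 through firewalld"
    return 0
}

# Constructed sample data mirroring the thread: named bound to the LAN address,
# firewalld in the RHEL 7 default state (ssh and dhcpv6-client only, no dns).
SAMPLE_LISTING='tcp 0 0 192.168.5.51:53 0.0.0.0:* LISTEN 28463/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 28463/named
udp 0 0 192.168.5.51:53 0.0.0.0:* 28463/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 28463/named'
SAMPLE_SERVICES='dhcpv6-client ssh'
SAMPLE_PORTS=''

# Stand-alone: evaluate the sample. With `--live ADDR` (as root, firewalld
# running, net-tools installed) read the real system instead.
if [ "${1:-}" = --live ] && [ -n "${2:-}" ]; then
    diagnose "$2" "$(netstat -anpl 2>/dev/null)" \
        "$(firewall-cmd --list-services)" "$(firewall-cmd --list-ports)" \
        || echo "(exit status $?)"
else
    diagnose 192.168.5.51 "$SAMPLE_LISTING" "$SAMPLE_SERVICES" "$SAMPLE_PORTS" \
        || echo "(exit status $?)"
fi
```

Run without arguments it reproduces the thread's situation and exits 2 with the `firewall-cmd --add-service=dns` hint; `sh diag.sh --live 192.168.5.51` on the server runs the same logic against the real netstat and firewall-cmd output. Opening the dns service in the active zone is the RHEL 7 fix that leaves firewalld protecting everything else on the host, which disabling the service does not.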