
stardotstar 03-15-2005 05:32 PM

TCP Port 53 Open - How to enable UDP 53?
Hi all, I am setting up a new web server (a first time experience for me with a dedicated clean install) and I have my bind configs sorted - name resolution working internally and for external lookups. But domain transfer has not worked.

I suspected port 53 was blocked, but with nmap found it open - but that was only TCP, as I eventually found after some hunting and noticing this on my secondary and external DNS server (a trusted friendly server):


[myip]#53: failed while receiving responses: permission denied

It seems that bidirectional UDP port 53 and unidirectional TCP port 53
from secondary to primary is needed to effect domain transfer and get things really running...

So how do I enable UDP port 53 on my Debian Sarge server?

I am guessing it is default closed on the firewall, and being new to these security measures and configurations I don't know where to start...

I have done a bit of a search on firewalls and 53 and UDP and got some useful hints but still feel compelled to go on and ask for personal help.

I hope someone has some time to guide me through the process.

Cheers and TIA,

clacour 03-15-2005 11:48 PM

One word of warning: I've only dipped my toes in Debian, so I don't know all of its little quirks. Some of this may be off in the fine detail because of that.

To keep from writing a small novel saying "if you have such-and-such, and THIS is true, then..." for every case I can think of, I'm going to describe the basic idea, and ask for more info.

Figure out whether you're running ipchains or iptables. Then figure out where your ip[chains|tables] config file is. Try /etc/init.d/iptables (or ipchains) for clues.

Look at the file. If it says it was created by a firewall script/application, and not to edit the file, believe it. Run the application, and change it that way (it should be pretty obvious in the app - not much point to writing said app, otherwise).

Find a line that says something about either dns or 53. If it's iptables (more likely) it will say something like --sport 53 or --sport dns (or --dport 53..., if it's talking about the destination). It should also have a field that says "-p tcp". That's where it tells iptables which protocol the rule is for.

Simply duplicate that line, and change the tcp to udp. You may want to add a source address (if it doesn't already have one) to limit it to just your secondary DNS server. (If the line you're duplicating is one that specifies that server, all you need to change is the protocol line.)

If this isn't enough info, I need some from you:

What OS are you running? (Stock Debian, Mepis, Libranet, Xandros, Knoppix....)
Are you running ipchains or iptables?
What are the lines that pertain to DNS that you have now? (You can post the whole iptables file if it's short.)

I'd recommend visiting some used bookstores and seeing if you can find a book on firewalls. (If you're running iptables, make sure it covers that - it's the newer protocol, and not in the older books.) They have lots of precanned script configurations, as well as explanations of how they got them. Good for getting you something set up while you're still learning, and gives you something to learn with.

Hope this helps,

Charles Lacour
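As an added example (not code from the thread or from any of its posters), here is a shell function that does mechanically what Charles describes by hand: it reads rules in iptables-save format, picks out every DNS rule that says "-p tcp", and prints the "-p udp" twin unless that twin is already in the ruleset. Any "-s" restriction to the secondary is carried over unchanged. The rules in SAMPLE_RULES are constructed for the example, and 203.0.113.200 is a documentation-range placeholder standing in for the secondary's address.

```shell
#!/bin/sh
# Added example, not from the thread. Reads iptables-save style rules on
# stdin and prints the "-p udp" counterpart of every DNS-over-TCP rule
# that has no UDP twin yet. It only prints suggestions; it never touches
# the live ruleset, so review the output before applying it.

# check_dns_rules < rules  ->  prints the missing UDP rules, one per line
check_dns_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        # only TCP rules are candidates for cloning
        case "$rule" in
            *"-p tcp"*) ;;
            *) continue ;;
        esac
        # ...and only those that match port 53 (or its service names);
        # "port 53 " with the trailing space keeps 5353 etc. out
        case "$rule" in
            *"port 53 "*|*"port 53"|*"port dns"*|*"port domain"*) ;;
            *) continue ;;
        esac
        # clone the rule, swapping only the protocol; an existing
        # "-s <secondary>" restriction is kept as-is
        before=${rule%%-p tcp*}
        after=${rule#*-p tcp}
        twin="${before}-p udp${after}"
        # twin already present as an exact line? then nothing to add
        if printf '%s\n' "$rules" | grep -qxF -- "$twin"; then
            continue
        fi
        printf '%s\n' "$twin"
    done
}

# Constructed sample: a primary that only lets its secondary in over TCP 53.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.200 -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
COMMIT'

# Same ruleset with the UDP twin already present: nothing is reported.
SAMPLE_RULES_OK='*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.200 -p tcp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.200 -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Run against the constructed sample. For a live box, source this file and
# run:  iptables-save | check_dns_rules
printf '%s\n' "$SAMPLE_RULES" | check_dns_rules
```

Running it on the sample prints a single line, the "-p udp" copy of the secondary's TCP rule; on SAMPLE_RULES_OK it prints nothing. Remember that a zone transfer itself (AXFR) runs over TCP; UDP 53 is what the NOTIFY and SOA refresh queries between primary and secondary use, which is why both are needed.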

stardotstar 03-16-2005 01:02 AM

Great advice, thanks, well thought out - I will get stuck into it and report back for more help :)

angrybeaver 03-16-2005 01:52 AM

It might be a permissions problem on the filesystem, i.e. the destination 'file' directive for your slave zone may not have correct permissions. 'su' to 'named' or 'bind' or whatever your name daemon is running as and try to touch the destination file - this'll give you your answer pretty quick.

Doesn't sound like a firewall issue - sarge debian has a default ACCEPT rule on the iptables policies (if you've installed iptables). You won't get a permission denied error if it's a firewall issue, as firewalls don't know about permissions generally. (although.. there is an iptables module to do this ;)
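The "su to the daemon user and touch the file" test above is the quickest check; as an added example (not from the thread), here is the same check done by reading ownership and mode bits, so it can be run from any account and scripted. It distinguishes "cannot write" (the permission denied case) from "directory missing" and notes that a daemon running as root bypasses the bits entirely. It assumes a Linux box with the usual find and id utilities; the user name and directory in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether the account the name
# daemon runs as can create files in the directory that will hold a slave
# zone file. It inspects owner, group and mode bits with find(1) instead
# of switching identity, so no su is needed.

# dir_writable_by USER DIR
#   exit 0: USER may create files in DIR
#   exit 1: USER may not (the "permission denied" case)
#   exit 2: DIR does not exist
dir_writable_by() {
    user=$1
    dir=$2
    [ -d "$dir" ] || { printf 'no such directory: %s\n' "$dir" >&2; return 2; }
    # root ignores mode bits; a daemon running as root never hits this
    # problem, which hides it rather than fixing it
    [ "$user" = root ] && return 0
    # owner of the directory, with the owner-write bit set?
    [ -n "$(find "$dir" -prune -user "$user" -perm -u+w -print 2>/dev/null)" ] && return 0
    # member of the owning group, with the group-write bit set?
    for grp in $(id -Gn "$user" 2>/dev/null); do
        [ -n "$(find "$dir" -prune -group "$grp" -perm -g+w -print 2>/dev/null)" ] && return 0
    done
    # world-writable (works, but not something you want for zone data)
    [ -n "$(find "$dir" -prune -perm -o+w -print 2>/dev/null)" ] && return 0
    return 1
}

# Usage:  sh check_zone_dir.sh bind /var/cache/bind
# (placeholders: use the user that "ps -aux" shows named running as and the
#  directory from the slave zone's 'file' directive)
if [ $# -eq 2 ]; then
    if dir_writable_by "$1" "$2"; then
        printf '%s can write to %s\n' "$1" "$2"
    else
        printf '%s can NOT write to %s\n' "$1" "$2"
    fi
fi
```

If the script says the daemon user cannot write, fix ownership of that directory (chown it to the daemon user, or add group write for the daemon's group) rather than running the daemon as root.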


stardotstar 03-16-2005 04:59 AM

OK Guys, thanks for the pointers...

I have taken all that on board and managed to suss out the following:

Using nmap -sU I determined that UDP 53 was open|filtered and followed that up with nmap -sU -sV and confirmed it to be open:


53/udp open ISC Bind 8.4.4-NOESW

So I started to follow up on the permissions idea and found that named is running as root (which I guess is a very bad thing in the greater scheme of things, but I intend to get jaild going eventually as part of the hardening) by doing a ps -aux, so I would think that filesystem permissions are not the cause.

I couldn't find the iptables/ipchains confs at all. There are no config systems running that I know of, since it is a clean Debian 3.1 kernel 2.6 install.

stardotstar 03-16-2005 05:14 AM

Just found something interesting in the syslog:

Mar 16 03:53:20 localhost named[10361]: approved AXFR from [203.XXX.YYY.200].56363 for ""
Mar 16 03:53:20 localhost named[10361]: zone transfer (AXFR) of "" (IN) to [203.XXX.YYY.200].56363 serial 2005030105
Mar 16 03:53:57 localhost kernel: ip_tables: (C) 2000-2002 Netfilter core team

So I guess some kind of transfer is being attempted so where is it all going wrong??!! This also tells me that I am using IPTABLES:

helios:/var/log# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Any other pointers??

scowles 03-16-2005 05:49 AM

Based on the fact that your logfiles show that the zone file transfer was approved (versus DENIED) from the secondary, I would focus my efforts on the permissions problem pointed out by angrybeaver.

Hint: Are you sure the directory exists where the copy of the zone file is being stored on the secondary?
