LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 11-09-2005, 06:05 PM   #1
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

Rep: Reputation: 15
XP nogo with Linux DNS


FC3 as DNS server, fully patched, running bind-chroot 9.2.5.

When I configure an XP SP2 box (with or without the FW running) to use the FC3 as DNS, it can't resolve anything and gets this error:


"DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 10.11.0.3: Timed out
*** Default servers are not available
Server: UnKnown
Address: 10.11.0.3

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out"


If XP is set to use the ISP's DNS, it works with no problem.


named.conf uses internal and external "view" sections with different sets of zone files, depending on whether DNS queries come from the internal NAT'd or the external nets.

host/ping commands on the server work for any hosts in the zone files, and for any external domains/IPs. All resolution is via named, not /etc/hosts.

Iptables blocks all except 21,53,80,443.

Ps shows "/usr/sbin/named -u named -t /var/named/chroot".

/var/log/messages shows named start and load all the zone files with no errors.

Netstat -an shows 127.0.0.1 and 10.11.0.3 listening on port 53.

Nmap scan of the FC3 dns server from the XP box shows port 53 open.

I imagine it's got to be something obvious in my named.conf file, but I can't figure out what it is. Here is the file:



//
// named.conf for Red Hat caching-nameserver
//

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// Clients on directly attached networks (the 10.11.0.0 LAN) and the box
// itself get this view; recursion is on by default here.
view "internal" {
    match-clients { localnets; localhost; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
    };

    zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
    };

    zone "0.11.10.in-addr.arpa" IN {
        type master;
        file "10.11.0.zone";
        allow-update { none; };
    };

    zone "domain.net" {
        type master;
        notify no;
        file "domain.home.zone";
        allow-query { any; };
    };
};

// Everyone else gets this view: authoritative answers only, no recursion.
view "external" {
    match-clients { any; };
    recursion no;

    zone "domain.net" {
        type master;
        notify no;
        allow-query { any; };
        file "domain.zone";
    };

    zone "0.11.10.in-addr.arpa" {
        type master;
        notify no;
        file "10.11.0.zone";
    };
};

logging {
    category lame-servers { null; };
};

include "/etc/rndc.key";
 
Old 11-10-2005, 11:49 AM   #2
pxumsgdxpcvjm
Member
 
Registered: Aug 2005
Posts: 235

Rep: Reputation: 30
On WinXP, run:

nslookup google.com

Post that output.
 
Old 11-10-2005, 03:52 PM   #3
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

Original Poster
Rep: Reputation: 15
Ok, after reading "Red Hat SELinux BIND Security Profile" at http://www.die.net/doc/linux/man/man8/named.8.html, I thought I would do as it recommended, which was to remove bind-chroot and let SELinux make named more secure. Now I can't get named to run at all.

Before trying to run named (not bind-chroot) I put my zone files (644, owned by named) in /var/named and my conf file back to /etc/named.conf (644, owned by root). I also made sure /etc/sysconfig/named was set to "ROOTDIR=/var/named". I tried to "service named start" and got no response. Then I ran “rndc status” and got:

“rndc: connect failed: connection refused”

In messages it shows:

Nov 9 12:43:13 tarsus kernel: audit(1131651793.279:10): avc: denied { read } for pid=4622 comm="rndc" name="hosts" dev=dm-0 ino=99029 scontext=root:system_r:ndc_t tcontext=system_u:object_r:file_t tclass=file
Nov 9 12:43:13 tarsus kernel: audit(1131651793.280:11): avc: denied { getattr } for pid=4622 comm="rndc" name="hosts" dev=dm-0 ino=99029 scontext=root:system_r:ndc_t tcontext=system_u:object_r:file_t tclass=file

So SELinux is blocking access. The man page made it appear that it was mainly to block DDNS and zone transfers to /var/named.
Any idea why it's blocking rndc access to hosts?

At least when I was using bind-chroot I could get named to run and load zone files and get host/ping to work.
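Added example, not code from the thread: a small parser for the two AVC lines in the post above (with the smiley-mangled context restored to system_u:object_r). It pulls the source domain and target type out of each denial and separates "target carries no real label" cases, where the answer is relabelling the file, from genuine policy gaps; the line format and the type names file_t/unlabeled_t are standard, the verdict wording is mine.

```python
import re

# The two AVC denials quoted in the post, embedded here as sample input.
SAMPLE = """\
Nov 9 12:43:13 tarsus kernel: audit(1131651793.279:10): avc: denied { read } for pid=4622 comm="rndc" name="hosts" dev=dm-0 ino=99029 scontext=root:system_r:ndc_t tcontext=system_u:object_r:file_t tclass=file
Nov 9 12:43:13 tarsus kernel: audit(1131651793.280:11): avc: denied { getattr } for pid=4622 comm="rndc" name="hosts" dev=dm-0 ino=99029 scontext=root:system_r:ndc_t tcontext=system_u:object_r:file_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "this file has no real label". No domain is ever allowed
# access to them, so the fix is to relabel the file, not to loosen policy.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # Contexts are user:role:type[:level]; policy rules key on the type.
    fields["sdomain"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def diagnose(lines):
    """Fold a batch of AVC lines into one verdict per (domain, target type, name)."""
    seen = {}
    for line in lines:
        f = parse_avc(line)
        if f:
            key = (f["sdomain"], f["ttype"], f.get("name", "?"))
            seen.setdefault(key, set()).update(f["perms"])
    verdicts = []
    for (dom, ttype, name), perms in seen.items():
        if ttype in UNLABELED_TYPES:
            verdicts.append(f"{dom} denied {sorted(perms)} on '{name}': target has no "
                            f"label ({ttype}); compare with `matchpathcon` and run "
                            f"`restorecon -v` on the file instead of changing policy")
        else:
            verdicts.append(f"{dom} denied {sorted(perms)} on '{name}' ({ttype}): "
                            f"real policy gap, review with audit2allow")
    return verdicts

if __name__ == "__main__":
    for v in diagnose(SAMPLE.splitlines()):
        print(v)
```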
 
Old 11-11-2005, 12:57 PM   #4
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

Original Poster
Rep: Reputation: 15
FW problem

Ok, there was never anything wrong with my .conf or zone files.
The problem was with the FW on the Linux box.

netstat showed localhost and my static IPs listening for UDP/53 queries, but until I completely blew away my FW settings and recreated them, it didn't work.

Thanks to Ethereal for all the help.
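Added example, not code from the thread: a small Python client that sends the same A query to the nameserver over UDP and over TCP. An nmap "port 53 open" result comes from a TCP connect, while nslookup on XP asks over UDP first, so a ruleset that lets 53/tcp through but drops 53/udp produces exactly the pattern in the first post: TCP answers, UDP times out. The server address 10.11.0.3 and the name google.com come from the thread; the transaction id 0x1234 is an arbitrary constant.

```python
import socket
import struct
import sys

def build_query(name, qid=0x1234):
    """Build a recursion-desired A query: RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp, qid=0x1234):
    """Return (rcode, answer_count); raise if this is not a response to our id."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def probe(server, name="google.com", timeout=2.0):
    """Send the same query over UDP and TCP and report each transport separately.
    A UDP 'timeout' beside a TCP 'ok' means 53/tcp is open but 53/udp is dropped."""
    query, results = build_query(name), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        try:
            u.sendto(query, (server, 53))
            rcode, _an = parse_header(u.recvfrom(512)[0])
            results["udp"] = "ok" if rcode == 0 else "rcode=%d" % rcode
        except (socket.timeout, ConnectionError) as e:  # ICMP unreachable -> refused
            results["udp"] = "timeout" if isinstance(e, socket.timeout) else "refused"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as t:
        t.settimeout(timeout)
        try:
            t.connect((server, 53))
            t.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
            f = t.makefile("rb")  # read() returns exact lengths; recv() may come up short
            rcode, _an = parse_header(f.read(struct.unpack("!H", f.read(2))[0]))
            results["tcp"] = "ok" if rcode == 0 else "rcode=%d" % rcode
        except (socket.timeout, ConnectionError) as e:
            results["tcp"] = "timeout" if isinstance(e, socket.timeout) else "refused"
    return results

if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "10.11.0.3"))
```

Run it from the XP side (or any client on the LAN) against the FC3 box; if the firewall is the culprit you get something like {'udp': 'timeout', 'tcp': 'ok'}, and both should read 'ok' once 53/udp is allowed.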
 