LinuxQuestions.org
Old 11-30-2015, 12:03 PM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Rep: Reputation: 76
configure basic forward dns for local computer


Hi,

I have two computers, one running CentOS 6.7 and the other Windows 7. I've already configured Linux as a router, so the PC has an internet connection. Now I'm trying to configure my DNS server, so that the PC can access the web. On the PC I typed in 10.0.0.1 in the DNS field, which is the IP of the computer running Linux.

I already have a public DNS name, so my DNS server can be accessed from the internet. So the iptables configuration should be fine.

But now I need it to act as a forward DNS server for the PC. What I did was change recursion to yes and set allow-recursion appropriately with an ACL, so that recursion can only be used from the LAN.

Quote:
acl "trusted" {
10.0.0.0/24;
};

options {
listen-on port 53 { 127.0.0.1; trusted; public ip; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-recursion { trusted; };
allow-query { any; };
recursion yes;
[...]
};
Any suggestions?

I skipped some of the default options, as they don't seem important. But if there's anything important that I've missed, just let me know.



P.S.
Some of the output of tcpdump -i eth1:
Quote:
20:12:25.802811 IP 10.0.0.50.56842 > 10.0.0.1.domain: 8428+ A? ping3.teamviewer.com. (38)
20:12:25.802825 IP 10.0.0.1 > 10.0.0.50: ICMP 10.0.0.1 udp port domain unreachable, length 74
(I have teamviewer installed on the computer running Windows)

Last edited by vincix; 11-30-2015 at 12:54 PM.
 
Old 11-30-2015, 12:28 PM   #2
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Ok, I realised I had forgotten to insert the forwarders directive. Which I did. I tried using the google public DNS.
Quote:
forwarders {
8.8.8.8;
8.8.4.4;
};
But to no avail. Shouldn't it work with the google dns servers?
 
Old 11-30-2015, 12:47 PM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,545

Rep: Reputation: 1790
Quote:
20:12:25.802825 IP 10.0.0.1 > 10.0.0.50: ICMP 10.0.0.1 udp port domain unreachable, length 74
You need to open port 53 UDP (and TCP) on iptables

Btw you can comment out the
Quote:
listen-on port 53 { 127.0.0.1; trusted; public ip; };
Regards
 
1 members found this post helpful.
Old 11-30-2015, 12:53 PM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Quote:
Originally Posted by bathory
You need to open port 53 UDP (and TCP) on iptables

Btw you can comment out the


Regards
As I've already said in my post, the iptables configuration is fine, since I have access to my dns server from the outside (from the internet). For the sake of argument, I'll post the relevant iptables lines from the INPUT chain:
Code:
1    10966  822K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3     4582  304K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW udp dpt:53 
4        1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW tcp dpt:53
So I don't think that's the problem. The OUTPUT chain's policy is ACCEPT and there's no rule there.

Why should I comment out the listen-on line? What difference does it make?

[later edit:]
I have just turned off iptables just to check if that's the problem and it still doesn't work.

Last edited by vincix; 11-30-2015 at 12:59 PM.
 
Old 11-30-2015, 01:18 PM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,545

Rep: Reputation: 1790
What is the exact problem you have, i.e. what do you get when resolving a host from the client?
Code:
dig www.linuxquestions.org @10.0.0.1

Quote:
Why should I comment out the listen-on line? What difference does it make?
Without the listen-on directive, named listens on all available interfaces, so if there is no special reason to restrict them, you don't need it.
Besides, using trusted there, you actually mean to listen on 10.0.0.0/24 port 53, that is not correct in terms of networking
 
Old 11-30-2015, 01:40 PM   #6
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Sorry, I interpreted it wrongly. I thought you meant to say to comment out the listen-on sentence from the post, not from named.conf. Stupid of me.

I commented it out. That error isn't showing anymore. Now I have this in tcpdump:
Quote:
10.0.0.50.63642 > 10.0.0.1.domain: 40458+ A? ping3.teamviewer.com. [several times](38)
10.0.0.1.domain > 10.0.0.50.61532: 28614 ServFail 0/0/0
10.0.0.1.domain > 10.0.0.50.63642: 40458 ServFail 0/0/0
10.0.0.1.domain > 10.0.0.50.51454: 5762 ServFail 0/0/0
I'm afraid I don't have access at the moment to the Windows desktop, so in the meantime I'm trying to figure out what is going on without direct access.

I also realised that I had made another mistake. I wrote allow-recursion { 10.0.0.50; } instead of {10.0.0.1;}.

So I did that and now I have yet another error!
Quote:
10.0.0.50.64372 > 10.0.0.1.domain: 56363+ A? ping3.teamviewer.com. (38)
IP 10.0.0.1.domain > 10.0.0.50.64372: 56363 Refused- 0/0/0 (38)
Sorry, I'm just stupid. Allow-recursion should be { 10.0.0.50; }, because I'm allowing .50 to make recursive queries, not the server itself. I changed it back. So the first error stands.

Last edited by vincix; 11-30-2015 at 01:46 PM.
 
Old 11-30-2015, 01:57 PM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,545

Rep: Reputation: 1790
Quote:
I'm afraid I don't have access at the moment to the Windows desktop, so in the meantime I'm trying to figure out what is going on without direct access.
How about trying the query from the dns itself, like
Code:
dig www.linuxquestions.org @10.0.0.1
or dig www.linuxquestions.org @localhost
I see you get a SERVFAIL response in the tcpdump output, so it could be a wrong config file among others

You can run
Code:
named-checkconf  /etc/named.conf
to see if that's the reason
 
Old 11-30-2015, 04:03 PM   #8
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Quote:
Originally Posted by bathory
How about trying the query from the dns itself, like
Code:
dig www.linuxquestions.org @10.0.0.1
or dig www.linuxquestions.org @localhost
I see you get a SERVFAIL response in the tcpdump output, so it could be a wrong config file among others

You can run
Code:
named-checkconf  /etc/named.conf
to see if that's the reason
There's no response to dig from the dns itself. Connection timed out.
I did check the named.conf with named-checkconf and it seems to be fine.
 
Old 11-30-2015, 04:43 PM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,545

Rep: Reputation: 1790
Quote:
There's no response to dig from the dns itself. Connection timed out.
I've to go, but in the meantime check if named is running
Code:
ps -ef|grep named
and listening on the intended interfaces
Code:
netstat -tunapl|grep named
Cheers
 
1 members found this post helpful.
Old 12-01-2015, 01:44 AM   #10
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Quote:
Originally Posted by bathory
I've to go, but in the meantime check if named is running
Code:
ps -ef|grep named
and listening on the intended interfaces
Code:
netstat -tunapl|grep named
Cheers

ps -ef | grep named
Quote:
named 9373 1 0 09:38 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot
netstat -tunapl | grep named
Quote:
tcp 0 0 10.0.0.1:53 0.0.0.0:* LISTEN 9373/named
tcp 0 0 publicip:53 0.0.0.0:* LISTEN 9373/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 9373/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 9373/named
udp 0 0 10.0.0.1:53 0.0.0.0:* 9373/named
udp 0 0 publicip:53 0.0.0.0:* 9373/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 9373/named
Just wanted to remind you that the server still resolves a public name, which works perfectly from the internet. I've inserted new prefixes (subdomains), just to make sure I wasn't pinging the dns cache, and it works.

I have also commented the zone, just to make sure it wouldn't interfere, but I can't see the connection, anyway. Then I commented it out again.

Last edited by vincix; 12-01-2015 at 01:58 AM.
 
Old 12-01-2015, 04:09 AM   #11
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,545

Rep: Reputation: 1790
Quote:
Just wanted to remind you that the server still resolves a public name, which works perfectly from the internet. I've inserted new prefixes (subdomains), just to make sure I wasn't pinging the dns cache, and it works.
It doesn't make sense.
If named is running and listening on 127.0.0.1 among others, how do you get a timeout? What's in /etc/resolv.conf?
 
Old 12-01-2015, 05:04 AM   #12
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Quote:
Originally Posted by bathory
It doesn't make sense.
If named is running and listening on 127.0.0.1 among others, how do you get a timeout? What's in /etc/resolv.conf?
I might be making a very basic mistake that I'm not aware of. But I've been struggling all this time to understand what the hell is going on.

/etc/resolv.conf
Code:
; generated by /sbin/dhclient-script
search myISPdomain.eu
nameserver mydnsIP1
nameserver mydnsIP2
So there are two DNS IPs provided by my ISP through dhcp.

Just to make sure, I'm going to copy the named.conf again:
Quote:
options {
listen-on port 53 { 127.0.0.1; 10.0.0.1; 195.128.136.216; };
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { localhost; any; };
recursion yes;

// allow-recursion { 127.0.0.1; 10.0.0.50; 10.0.0.1; };

// auth-nxdomain no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

#forwarders {
#8.8.8.8;
#8.8.4.4;
# };

// forward only;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
I commented out the forwarders line, so I'm using the root hints through zone ".". It shouldn't make any difference. Anyway, it doesn't work with either one.

Last edited by vincix; 12-01-2015 at 05:11 AM.
 
Old 12-01-2015, 05:47 AM   #13
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,545

Rep: Reputation: 1790
Quote:
I commented out the forwarders line, so I'm using the root hints through zone ".". It shouldn't make any difference. Anyway, it doesn't work with either one.
Please define "it doesn't work". Or post the output of:
Code:
dig google.com
dig google.com @localhost
dig google.com @10.0.0.1
run from the server and if possible the last one also from the client. You can mask sensitive data if you want.
 
Old 12-01-2015, 05:56 AM   #14
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
By "it doesn't work" I meant to say that it displays the same error as it did before when trying dig (server not found, etc.)

Anyway, I figured it out. It was the ISP. They're blocking access to any DNS server on port 53, except to the two DNS servers they've provided. And I kept struggling with my own configuration, until someone simply suggested querying another DNS server directly. So I did dig @8.8.8.8 facebook.com and it didn't work.

Then I changed the forwarders directive and inserted the ISP's two dns servers. Then I tried again dig @localhost facebook.com and it worked.

It was all so simple

Thanks a lot for helping and sticking with me, anyway

If you have any other suggestions, I'm looking forward to hearing them.

Last edited by vincix; 12-01-2015 at 05:59 AM.
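As an added example (not code from the thread and not part of the poster's setup), a small POSIX sh script that sorts the tcpdump reply lines quoted above into the three failure modes this thread worked through (port unreachable, Refused, ServFail) and flags the open-resolver pattern visible in the final named.conf, where recursion yes is left on with allow-recursion commented out while named also listens on a public IP. The tcpdump patterns and addresses are the thread's own; the diagnoses attached to them are assumptions about the usual BIND causes.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage the three failure modes the
# tcpdump output above showed, and flag the open-resolver pattern in named.conf.

# Map one tcpdump line to what it indicates (patterns follow the quoted lines).
classify_dns_reply() {
    case "$1" in
        *"udp port domain unreachable"*) echo unreachable ;; # nothing bound on :53 (listen-on) or port filtered
        *" Refused"*)                    echo refused ;;     # client outside allow-recursion / allow-query
        *" ServFail"*)                   echo servfail ;;    # named took the query but could not resolve upstream
        *" NXDomain"*)                   echo nxdomain ;;    # resolution works; the name does not exist
        *"? "*)                          echo query ;;       # a client query, e.g. "A? host."
        *)                               echo other ;;
    esac
}

# Read a capture on stdin and name the first thing to fix, in the order the
# thread had to work through them.
triage_capture() {
    u=0 r=0 s=0 q=0
    while IFS= read -r line; do
        case "$(classify_dns_reply "$line")" in
            unreachable) u=$((u + 1)) ;;
            refused)     r=$((r + 1)) ;;
            servfail)    s=$((s + 1)) ;;
            query)       q=$((q + 1)) ;;
        esac
    done
    if   [ "$u" -gt 0 ]; then echo "listen-on/firewall: named not reachable on that address"
    elif [ "$r" -gt 0 ]; then echo "allow-recursion: client address not in the permitted set"
    elif [ "$s" -gt 0 ]; then echo "upstream: forwarders or root servers unreachable (here: ISP filtering port 53)"
    elif [ "$q" -gt 0 ]; then echo "queries but no replies: check that named is running"
    else echo "no DNS traffic in capture"; fi
}

# Read a named.conf options fragment on stdin and flag recursion that is enabled
# without an active allow-recursion line (an open resolver when the server also
# listens on a public IP). Only checks that the directive is present and live.
check_open_resolver() {
    conf=$(sed 's,//.*,,; s,#.*,,')           # strip // and # comments first
    case "$conf" in
        *"recursion yes"*)
            case "$conf" in
                *"allow-recursion"*) echo "recursion restricted" ;;
                *) echo "OPEN RESOLVER: recursion yes without allow-recursion" ;;
            esac ;;
        *) echo "recursion disabled" ;;
    esac
}
```

Feed it a capture with `tcpdump -i eth1 -n port 53 | triage_capture` or the options block with `check_open_resolver < /etc/named.conf`; on the final named.conf quoted above the second check reports the open-resolver case.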