Old 08-19-2015, 10:45 AM   #1
abhishekdixit98
LQ Newbie
 
Registered: Aug 2015
Posts: 5

Rep: Reputation: Disabled
BIND: Bind working on localhost but not working from a remote host


Query results on Local server
================================================================
[root@dns ~]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 6a:dd:c0:d7:5f:af brd ff:ff:ff:ff:ff:ff
inet 10.10.0.110/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::68dd:c0ff:fed7:5faf/64 scope link
valid_lft forever preferred_lft forever
[root@dns ~]# dig @10.10.0.110 www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.3 <<>> @10.10.0.110 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 300 IN A 216.58.220.36

;; AUTHORITY SECTION:
google.com. 171485 IN NS ns1.google.com.
google.com. 171485 IN NS ns3.google.com.
google.com. 171485 IN NS ns4.google.com.
google.com. 171485 IN NS ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com. 171485 IN A 216.239.34.10
ns1.google.com. 171485 IN A 216.239.32.10
ns3.google.com. 171485 IN A 216.239.36.10
ns4.google.com. 171485 IN A 216.239.38.10

;; Query time: 421 msec
;; SERVER: 10.10.0.110#53(10.10.0.110)
;; WHEN: Wed Aug 19 11:40:11 EDT 2015
;; MSG SIZE rcvd: 195

But when running the same query from another server, I get the following error:
===============================================================
root@parametrique:~# dig @10.10.0.110 www.google.com

; <<>> DiG 9.8.1-P1 <<>> @10.10.0.110 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Below is my named.conf
===========================================================
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    allow-recursion { localnets; localhost; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
 
Old 08-19-2015, 11:43 AM   #2
autolycus
LQ Newbie
 
Registered: Jun 2008
Posts: 4

Rep: Reputation: 0
What flavor of Linux are you using? Do you have iptables/firewalld running? What does netstat -alpn report for port 53? If you run tcpdump -i eth0 -vv -n | grep \.53 and then try to query from the client, do you see any output?
 
Old 08-20-2015, 01:27 AM   #3
abhishekdixit98
LQ Newbie
 
Registered: Aug 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by autolycus
What flavor of Linux are you using?
I am using CentOS 7

Quote:
Originally Posted by autolycus
Do you have iptables/firewalld running?
I have disabled firewalld

Quote:
Originally Posted by autolycus
What does netstat -alpn report for port 53?
It shows that the DNS server is listening on port 53.

tcp 0 0 10.10.0.110:53 0.0.0.0:* LISTEN 21197/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 21197/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 21197/named
tcp6 0 0 ::1:53 :::* LISTEN 21197/named
tcp6 0 0 ::1:953 :::* LISTEN 21197/named
udp 0 0 10.10.0.110:53 0.0.0.0:* 21197/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 21197/named

Detailed output is attached in the file.


Quote:
Originally Posted by autolycus
If you run tcpdump -i eth0 -vv -n | grep \.53 and then try to query from the client, do you see any output?
Yes, I got some output. It is attached in the file (putty.txt).
Attached Files
File Type: txt putty.txt (128.4 KB, 48 views)
 
Old 08-21-2015, 12:02 PM   #4
autolycus
LQ Newbie
 
Registered: Jun 2008
Posts: 4

Rep: Reputation: 0
Ok...try running that tcpdump again but this time 'tcpdump -i eth0 -vv -nn | grep -E "(domain|dns|bind)"'. While that tcpdump is running, use dig or nslookup on another device on your network. I forgot that you have to do -nn to not translate DNS names, and it may be clearer to get the output that way. Basically, we're just looking to see if the network traffic is making it and if your server is sending any kind of response.

You may also want to peruse /var/log/messages for any bind/named related errors. Is anything showing up in /var/named/data/named.run (defined in your logging section below and assuming you installed from rpm)?
 
Old 08-21-2015, 12:20 PM   #5
autolycus
LQ Newbie
 
Registered: Jun 2008
Posts: 4

Rep: Reputation: 0
Also, just to confirm that firewalld didn't leave anything hanging, what is the output of 'systemctl status firewalld' and 'iptables --list'?
 
Old 08-22-2015, 02:30 AM   #6
abhishekdixit98
LQ Newbie
 
Registered: Aug 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
tcpdump -i eth0 -vv -nn | grep -E "(domain|dns|bind)"
Nothing is showing up on it.



Quote:
/var/log/messages
File Attached.


Quote:
/var/named/data/named.run
File Attached.

==============================================================
[root@dns ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: failed (Result: signal) since Sat 2015-08-22 02:36:44 EDT; 31min ago
Main PID: 641 (code=killed, signal=KILL)

Aug 19 05:55:36 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 22 02:36:44 dns systemd[1]: firewalld.service: main process exited, code=killed, status=9/KILL
Aug 22 02:36:44 dns systemd[1]: Unit firewalld.service entered failed state.
[root@dns ~]#

==============================================================

iptables --list File attached.
Attached Files
File Type: txt iptables.txt (4.3 KB, 20 views)
File Type: txt var log messages.txt (34.0 KB, 16 views)
File Type: txt var named data named run.txt (48.4 KB, 6 views)
 
Old 08-28-2015, 12:00 PM   #7
autolycus
LQ Newbie
 
Registered: Jun 2008
Posts: 4

Rep: Reputation: 0
Looks like the firewall is still running. If indeed you want it stopped, run 'systemctl stop firewalld;systemctl disable firewalld' and then 'systemctl stop iptables;systemctl disable iptables'. If you want to keep the firewalls running but enable DNS, run the following:

firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload

You may need to restart named afterwards. Then try again. If that doesn't work, you can also try running 'setenforce Permissive'. If the second command fixes it, edit /etc/selinux/config and change 'SELINUX=enforcing' to 'SELINUX=permissive' to permanently change that setting. Permissive will cause SELINUX to simply log to the messages file instead of preventing disk access.

Please note that if this is a public-facing system (i.e. accessible from the Internet), I would recommend against permanently disabling the firewall and SELINUX for security reasons and to prevent participation in DDoS attacks.

Last edited by autolycus; 08-28-2015 at 12:04 PM.
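As an added example (not code from the thread or its participants), the POSIX-shell triage below applies the checks worked through above to captured `netstat -alpn` and `iptables --list` output, so it can be run offline without root or a live BIND. The sample outputs are constructed to mirror posts #3 and #7, and the `diagnose` verdict names are my own.

```shell
# Added example (not from the thread): offline triage that applies the thread's
# checks to captured command output, so it runs without root or a live BIND.
# Constructed sample of `netstat -alpn | grep :53` (same shape as post #3).
NETSTAT_SAMPLE='tcp 0 0 10.10.0.110:53 0.0.0.0:* LISTEN 21197/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 21197/named
udp 0 0 10.10.0.110:53 0.0.0.0:* 21197/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 21197/named'

# Constructed, simplified `iptables --list` from a CentOS 7 host whose firewalld
# ruleset is still loaded: no ACCEPT for port 53, and a final REJECT.
IPTABLES_BLOCKING='Chain INPUT (policy ACCEPT)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere   state RELATED,ESTABLISHED
IN_public  all  --  anywhere  anywhere
REJECT     all  --  anywhere  anywhere   reject-with icmp-host-prohibited
Chain IN_public_allow (1 references)
ACCEPT     tcp  --  anywhere  anywhere   tcp dpt:ssh ctstate NEW'

# Same ruleset after the firewall-cmd lines from post #7 and a reload.
IPTABLES_FIXED="$IPTABLES_BLOCKING
ACCEPT     tcp  --  anywhere  anywhere   tcp dpt:domain ctstate NEW
ACCEPT     udp  --  anywhere  anywhere   udp dpt:domain ctstate NEW"

# Check 1: named is bound to the address clients use, on both tcp and udp.
named_listens_on() {   # $1 netstat output, $2 server IP
  for proto in tcp udp; do
    printf '%s\n' "$1" |
      awk -v p="$proto" -v a="$2:53" '$1==p && $4==a {f=1} END {exit !f}' || return 1
  done
}

# Check 2: some chain ACCEPTs DNS. `--list` prints the port as "domain",
# `--list -n` prints 53, so match either spelling.
dns_allowed_by_iptables() {   # $1 iptables output
  printf '%s\n' "$1" | grep -Eq '^ACCEPT .*dpt:(domain|53)( |$)'
}

# Check 3: a ruleset is loaded at all. A "failed" firewalld unit does not flush
# its rules, so a REJECT/DROP line means packets are still filtered.
ruleset_loaded() {   # $1 iptables output
  printf '%s\n' "$1" | grep -Eq '^(REJECT|DROP) '
}

# One verdict, in the order the thread worked the problem.
diagnose() {   # $1 netstat output, $2 server IP, $3 iptables output
  if ! named_listens_on "$1" "$2"; then echo NOT_LISTENING
  elif ruleset_loaded "$3" && ! dns_allowed_by_iptables "$3"; then echo FIREWALL_BLOCKS_53
  else echo REACHABLE; fi
}
diagnose "$NETSTAT_SAMPLE" 10.10.0.110 "$IPTABLES_BLOCKING"   # FIREWALL_BLOCKS_53
```

On a real host, feed it `"$(netstat -alpn | grep :53)"` and `"$(iptables --list)"` instead of the constructed samples.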
 
Old 09-01-2015, 04:04 AM   #8
abhishekdixit98
LQ Newbie
 
Registered: Aug 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks for the support. My problem got resolved with the solution provided by you.

Thanks a lot
 