bind server not resolving external request
 

DEAR All,

i configured bind 9 on centos 6.3 and restart the named service its successfully restarted .than i enter the dig command to check its working .is successfully resolve the cnn.com the output is here
<<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56796
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com. 300 IN A 157.166.226.25
cnn.com. 300 IN A 157.166.226.26

;; AUTHORITY SECTION:
cnn.com. 170300 IN NS ns2.p42.dynect.net.
cnn.com. 170300 IN NS ns1.p42.dynect.net.
cnn.com. 170300 IN NS ns3.timewarner.net.
cnn.com. 170300 IN NS ns1.timewarner.net.

;; ADDITIONAL SECTION:
ns1.timewarner.net. 170301 IN A 204.74.108.238
ns3.timewarner.net. 170301 IN A 199.7.68.238

;; Query time: 5948 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 9 16:25:24 2013
;; MSG SIZE rcvd: 186
when i give this dns to the window machine and go to the cmd and try to resolve cnn.com but here it can not resolve please help me in this regard thanks in advance .the out put of window cmd command is here

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.x.x.x ( dns server ip)

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Make sure there is no firewall on your server blocking port 53 udp/tcp

Thanks for reply my firewall is in off state and not blocking port 53

So check if named is listening on its public interface (192.x.x.x)

Thanks for reply once again i use only one private ip on bind server . i need public ip on it or not .

By public IP I mean the 192.x.x.x that is used by your LAN. Check if named is listening on that IP, as you said it's not a firewall issue

the out put of command netstat -tunalp|grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 13487/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 13487/named
tcp 0 0 ::1:53 :::* LISTEN 13487/named
tcp 0 0 ::1:953 :::* LISTEN 13487/named
udp 0 0 0.0.0.0:49554 0.0.0.0:* 13487/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 13487/named
udp 0 0 ::1:53 :::* 13487/named
for your info plz its show its listing on ip

From the above it's obvious that bind is listening only on the local loopback interface
Open named.conf and comment out the "Listen-on..." directive and restart the service

after comment out the listen on the output of netstat -tunalp| grep named command is as under
tcp 0 0 10.3.20.225:53 0.0.0.0:* LISTEN 15914/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 15914/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 15914/named
tcp 0 0 ::1:53 :::* LISTEN 15914/named
tcp 0 0 ::1:953 :::* LISTEN 15914/named
udp 0 0 10.3.20.225:53 0.0.0.0:* 15914/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 15914/named
udp 0 0 ::1:53 :::* 15914/named
but it still not resolving on window machine

Your server listens on 10.3.20.225 and not on 192.x.x.x, so it's normal that the windows cannot contact it. Use that IP in the windows networking settings and it should work.

Actually we used 20 subnet for server and our cliets where window pc's lies use 50 subnet and natting already be done there is no 192 subnet there i just post for your info the out put of window machine is
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.3.20.225

DNS request timed out.
timeout was 2 seconds.

Apparently the windows client cannot connect to the dns server. If there is no firewall in between (as you said), then routing from 50 to 20 subnet is not correct.
Check if you can access this or other servers on the 20 subnet, using ping, traceroute or telnet to known open ports

I check on server which on same network means on 20 network and our dns server also on 20 network . i stop the iptables also on dns server .and dig command output is below
dig cnn.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 11384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cnn.com. IN A

;; Query time: 0 msec
;; SERVER: 10.3.20.225#53(10.3.20.225)
;; WHEN: Tue Sep 10 14:09:33 2013
;; MSG SIZE rcvd: 25
this is also centos server .i enter dns in reslove.conf file of this server

You get recursion refused.
Specif the subnets that can use your dns like follows:

Thanks a lot its working now . and Thanks once again for your precious time . can you give your email address .if i face any problem i contact you directly on your email address.


Bundle of Thanks

Glad to see you've made it. You can click on my nick on the left and send me an email if you want.
Please mark the thread as "SOLVED" from the "Thread Tools" om top of the page

Regards

After successfully configuring bind server on centos .and its working fine .but i think it not caching the host name because

when i dig some host on first attempt it not resolving .when i enter the same command it start resolving . so help me in this regard

In order to test caching, dig for the same host twice and look the query time:

on first attempt it show me this message
dig cnn.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40296
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cnn.com. IN A

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Sep 11 20:31:02 2013
;; MSG SIZE rcvd: 25

when i use the up arrow key to enter the same command that it resolve successfully . every time this happen why not resolve on first attempt

although i resolve cnn.com 3 or 4 times before that.

It does that because it first uses the ipv6 loopback interface (::1) for the query. The ::1 is not in the IPs allowed recursion,. so you get a REFUSED answer.
You can add it in the "allow-recursion ..." statement, or delete ::1 from /etc/resolv.conf. Or even disable ipv6 completely if you don't need it.

if i add in allow-recursion statement than how i allow there just i write ::1 this or some thing else

Yes, you write the ipv6 IP (::1) followed by a semicolon:

thanks i think problem with ip version 6 so i add in allow-recursion .its working fine now.

Thanks for supporting in DNS server . Now i configure Openvpn version 2.0 on centos server 6.3 .i configure it and restart the openvpn services successfully . now i want to configure it with LDAP server .and i want to authenticate users from LDAP server. your support in this regard will be highly appreciated

Even though this is totally unrelated and I'm not familiar with Openvpn, I'll bite and reply in your other thread

how we can increase the caching of DNS server .and how to check how long it kept the host name in cache and we can increase the caching time and size ?

Hi,

Have a look here for the options that control the dns cache.
BUT!
For the cache size leave it undefined so your caching dns uses as much of your RAM as it's available.
Also it's little you can do for the cache time, as it depends on the zone $TTL value of the authoritative dns.
E,g. you can have a max-cache-ttl of 1w (one week) while the $TTL on the authoritative dns server is 2d or less, meaning that the record on your dns will expire after that time, so it has to query again the authoritative dns for a fresh copy.