LinuxQuestions.org
Old 09-08-2008, 02:58 AM   #31
billymayday

Try

netstat -alnp | grep :80
 
Old 09-08-2008, 05:23 AM   #32
rajendrapoudel
Original Poster
I can not browse my website
[root@web08 named]# netstat -alnp | grep :80
udp 0 0 0.0.0.0:804 0.0.0.0:* 6564/rpc.statd
udp 0 0 0.0.0.0:807 0.0.0.0:* 6564/rpc.statd
[root@web08 named]#
 
Old 09-08-2008, 05:56 AM   #33
billymayday
So you don't have a webserver running?
 
Old 09-08-2008, 08:01 AM   #34
chort
It seems that you messed up your firewall, as I can no longer query your DNS server. On the bright side, the glue record exists for it now.

Code:
[chort@horus4 chort]$ whois saraadhikari.com |grep 'Name Server:'
   Name Server: NS1.SARAADHIKARI.COM
   Name Server: NS2.SARAADHIKARI.COM

[chort@horus4 chort]$ dig +trace +short ns1.saraadhikari.com | egrep '^A'
A 221.243.63.180 from server A.GTLD-SERVERS.NET in 102 ms.
 
Old 09-08-2008, 08:45 AM   #35
rajendrapoudel
Original Poster
Now I have run the web server as well as the DNS server. But my webserver is not secure, because I am stopping the firewall.
If I start iptables, my webserver and DNS server do not work. So how can I set these things in iptables? What components do I need to set in iptables?
I am going through the manual provided by RedHat but I could not understand it. Waiting for your help.
 
Old 09-08-2008, 08:59 AM   #36
chort
Code:
-A RH-Firewall-1-INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

By the way, you don't seem to have A records for your DNS servers in your own zone file. Just because the GTLD servers provide glue doesn't mean you can omit them. You need to add those to /var/named/saraadhikari.com.db.

Code:
[chort@horus4 chort]$ dig @221.243.63.180 ns2.saraadhikari.com

; <<>> DiG 9.3.5-P1 <<>> @221.243.63.180 ns2.saraadhikari.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30356
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns2.saraadhikari.com.          IN      A

;; AUTHORITY SECTION:
saraadhikari.com.       14400   IN      SOA     ns1.saraadhikari.com. root.saraadhikari.com. 2008090800 14400 3600 1209600 86400

;; Query time: 187 msec
;; SERVER: 221.243.63.180#53(221.243.63.180)
;; WHEN: Mon Sep  8 06:58:08 2008
;; MSG SIZE  rcvd: 83

[chort@horus4 chort]$ dig @221.243.63.180 ns1.saraadhikari.com

; <<>> DiG 9.3.5-P1 <<>> @221.243.63.180 ns1.saraadhikari.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32652
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.saraadhikari.com.          IN      A

;; AUTHORITY SECTION:
saraadhikari.com.       14400   IN      SOA     ns1.saraadhikari.com. root.saraadhikari.com. 2008090800 14400 3600 1209600 86400

;; Query time: 172 msec
;; SERVER: 221.243.63.180#53(221.243.63.180)
;; WHEN: Mon Sep  8 06:58:13 2008
;; MSG SIZE  rcvd: 79

Last edited by chort; 09-08-2008 at 09:04 AM.
 
Old 09-08-2008, 09:20 AM   #37
rajendrapoudel
Original Poster
The following is the content of my saraadhikari.com.db.
Where do I need to add the "A" record?
$TTL 14400
@ IN SOA ns1.saraadhikari.com. root.saraadhikari.com. (
2008090800
14400
3600
1209600
86400 )

saraadhikari.com. 14400 IN NS ns1.saraadhikari.com.
saraadhikari.com. 14400 IN NS ns2.saraadhikari.com.

ftp 14400 IN A 221.243.63.179
localhost 14400 IN A 127.0.0.1
mail 14400 IN A 221.243.63.179
pop 14400 IN A 221.243.63.179
saraadhikari.com. 14400 IN A 221.243.63.179
smtp 14400 IN A 221.243.63.179
www 14400 IN A 221.243.63.179
saraadhikari.com. 14400 IN MX 10 mail
saraadhikari.com. 14400 IN TXT "v=spf1 a mx ip4:221.243.63.179 ?all"
 
Old 09-08-2008, 09:41 AM   #38
chort
Code:
ns1 14400 IN A 221.243.63.180
ns2 14400 IN A 221.243.63.180
 
Old 09-09-2008, 01:39 AM   #39
rajendrapoudel
Original Poster
Now I am properly running my web server also. Thanks for the contribution of chort and billymayday. Now I am studying the iptables stuff. I will soon catch you people.
 
Old 09-09-2008, 09:15 AM   #40
chort
Did you forget to increment your serial number on the zone file?

Code:
[chort@horus4 chort]$ dig @221.243.63.180 ns1.saraadhikari.com

; <<>> DiG 9.3.5-P1 <<>> @221.243.63.180 ns1.saraadhikari.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25441
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.saraadhikari.com.          IN      A

;; AUTHORITY SECTION:
saraadhikari.com.       14400   IN      SOA     ns1.saraadhikari.com. root.saraadhikari.com. 2008090800 14400 3600 1209600 86400

;; Query time: 164 msec
;; SERVER: 221.243.63.180#53(221.243.63.180)
;; WHEN: Tue Sep  9 07:13:44 2008
;; MSG SIZE  rcvd: 79
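
An added example, not part of the thread or any poster's code: a check for the two problems raised in posts #36 and #40, in-zone name servers that have no address record in the zone file itself, and a serial that has not advanced after an edit. The zone text is an abridged, constructed copy of the file in post #37; the function names and the serial 2008090901 are assumptions made for illustration.

```python
import re

ORIGIN = "saraadhikari.com."

# Constructed input: abridged copy of the zone in post #37 (before the fix).
ZONE_BEFORE = """$TTL 14400
@ IN SOA ns1.saraadhikari.com. root.saraadhikari.com. (
2008090800 14400 3600 1209600
86400 )
saraadhikari.com. 14400 IN NS ns1.saraadhikari.com.
saraadhikari.com. 14400 IN NS ns2.saraadhikari.com.
www 14400 IN A 221.243.63.179
"""
# Post #38's records appended; the new serial is a constructed value.
ZONE_AFTER = ZONE_BEFORE.replace("2008090800", "2008090901") + (
    "ns1 14400 IN A 221.243.63.180\nns2 14400 IN A 221.243.63.180\n")

def fqdn(name, origin=ORIGIN):
    """Expand a zone-file name to a lower-case absolute name."""
    name = origin if name == "@" else name
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, origin=ORIGIN):
    """Return (serial, NS targets, owners of A/AAAA). Simplified parser:
    each record needs an explicit owner and the IN class; no ';' in TXT."""
    text = re.sub(r";.*", "", text)  # drop comments
    # Join a parenthesised multi-line record (the SOA) onto one line.
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    serial, ns, addr = None, set(), set()
    for line in text.splitlines():
        tok = line.split()
        if "IN" not in tok:
            continue
        rtype, rdata = tok[tok.index("IN") + 1].upper(), tok[tok.index("IN") + 2:]
        if rtype == "SOA":
            serial = int(rdata[2])  # rdata: mname, rname, serial, ...
        elif rtype == "NS":
            ns.add(fqdn(rdata[0], origin))
        elif rtype in ("A", "AAAA"):
            addr.add(fqdn(tok[0], origin))
    return serial, ns, addr

def missing_ns_addresses(text, origin=ORIGIN):
    """In-zone name servers with no address record in the zone itself."""
    _, ns, addr = parse_zone(text, origin)
    return sorted(n for n in ns if n.endswith("." + origin) and n not in addr)

def serial_advanced(old, new):
    """RFC 1982 serial comparison: True if `new` is later than `old`."""
    return 0 < (new - old) % 2**32 < 2**31
```

Run against the file before and after an edit: the first function should return an empty list and the second should be true for the old and new serials.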
 
Old 09-11-2008, 02:50 AM   #41
rajendrapoudel
Original Poster
Hi chort, now I am successfully running my server by following your instructions. I have pasted here the content of /etc/sysconfig/iptables.
Could you please suggest how I can secure my server from outsiders?
I need to run my webserver (Apache and Tomcat), DNS master server, mail server, FTP server, etc.
What services do I need to run and what services do I need to stop?
------------------
[root@web08 /]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Sep 11 16:48:27 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7909:541375]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep 11 16:48:27 2008
~
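
An added example, not part of the thread: an audit of iptables-save output like the ruleset in post #41. It lists accepted ports outside the services the poster says are needed, and rules in INPUT that can never match because an earlier unconditional jump goes to a chain ending in an unconditional REJECT. The ruleset is an abridged, constructed copy; the NEEDED list (including SSH on 22) and the function names are assumptions.

```python
import shlex

# Constructed input: abridged copy of the ruleset in post #41.
RULES = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Assumption: ports for the services named in post #41 (web, DNS, mail, FTP)
# plus SSH for administration. Tomcat's port is not given on the page.
NEEDED = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53),
          ("tcp", 25), ("tcp", 21), ("tcp", 22)}

def parse(text):
    """Return {chain: [rule dict]} for the -A lines of iptables-save output."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:
            continue
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
        rule = {"proto": opts.get("-p"), "dport": opts.get("--dport"),
                "target": opts.get("-j"),
                "unconditional": not ({"-p", "-s", "-d", "-i", "-o", "-m"} & set(opts))}
        chains.setdefault(tok[1], []).append(rule)
    return chains

def unneeded_accepts(chains, needed=NEEDED):
    """(proto, port) pairs accepted by any chain but absent from `needed`."""
    found = {(r["proto"], int(r["dport"])) for rules in chains.values() for r in rules
             if r["target"] == "ACCEPT" and r["dport"] and r["dport"].isdigit()}
    return sorted(found - needed)

def shadowed(chains, chain="INPUT"):
    """Rules in `chain` made unreachable by an earlier unconditional jump."""
    for i, r in enumerate(chains.get(chain, [])):
        sub = chains.get(r["target"], [])
        if (r["unconditional"] and sub and sub[-1]["unconditional"]
                and sub[-1]["target"] in ("REJECT", "DROP")
                and all(s["target"] != "RETURN" for s in sub)):
            return chains[chain][i + 1:]
    return []
```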
 
Old 09-11-2008, 03:05 AM   #42
billymayday
I'd suggest that you start a new thread in "security"
 
  

