Bind9 DNS Issue

b00gz · 07-14-2006, 11:42 PM

Can someone please help me with a really simple Bind issue. I am using Bind9 and I am hosting ibxsecurity.com ... If I ask 192.168.10.12 (Local Private IP) about ibxsecurity.com it will respond with my WAN IP (Which it should do) now if I ask my Wan IP about ibxsecurity.com it gives me DNS requested timed out. I do have the ports forwarded and it does not fail until I ask about the domain. PLEASE HELP!

scowles · 07-15-2006, 06:45 AM

Quote:

I do have the ports forwarded and it does not fail until I ask about the domain.

Are you sure???

From my end, I do not get an answer from your DNS server.

Another possibility is your ISP could be blocking inbound DNS requests. Based on a lookup of your domain, the IP address referenced appears to be dynamic. ie. DHCP assigned.

b00gz · 07-15-2006, 08:16 AM

If I do nslookup ibxsecurity.com

nslookup
> server 192.168.10.12
> ibxsecurity.com
> replies with my public IP

nslookup
> server 64.233.245.124
> ibxsecurity.com
> DNS request timed out

My ISP does not block dns request and I have a static IP. Sorry when you tried Bind needed restarted.

bathory · 07-15-2006, 08:39 AM

Well, also dnsreport gives timeout with your dns. So if your isp does not block port 53 tcp/udp, then perhaps your dns does not listen on the external interface (64.233.245.124) of ypu have a firewall that blocks that ports.

b00gz · 07-15-2006, 08:46 AM

How do I make bind listen on the external interface?

bathory · 07-15-2006, 09:02 AM

By default named listens to all interfaces on port 53, unless you've changed the "listen-on" option in your named.conf or you have an acl to block external requests. So if you are sure it's not a firewall or your isp that blocks port 53 problem, take a look at named.conf for the "listen-on" and "acl" directives.

b00gz · 07-15-2006, 09:24 AM

Thanks for all the help, but I do not have "listen-on" or "acl" in named.conf

options {
pid-file "/var/run/bind/run/named.pid";
directory "/etc/bind";
auth-nxdomain no;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." {
type hint;
file "db.root";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "db.local";
};

zone "245.233.64.in-addr.arpa" {
type master;
file "pri.245.233.64.in-addr.arpa";
};

zone "ibxsecurity.com" {
type master;
file "pri.ibxsecurity.com";
};

//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////

bathory · 07-15-2006, 10:13 AM

Check if you have a firewall running that blocks incoming requests on port 53:

Code:

iptables -L

Check that your external interface is up and listening on port 53:

Code:

ifconfig -a
netstat -tupanl

Re-check that your isp does not blocks you.

b00gz · 07-15-2006, 10:18 AM

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I use a router and have 53 tcp/udp routed to this computer.

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:E0:18

2:B1:3C
inet addr:192.168.10.12 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:18ff:fed2:b13c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107270 errors:0 dropped:0 overruns:0 frame:0
TX packets:204597 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:25480329 (24.2 MiB) TX bytes:40084259 (38.2 MiB)
Interrupt:177

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:162 errors:0 dropped:0 overruns:0 frame:0
TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15542 (15.1 KiB) TX bytes:15542 (15.1 KiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3719/mysqld
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 4041/ispconfig_http
tcp 0 0 192.168.10.12:53 0.0.0.0:* LISTEN 13885/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 13885/named
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 4291/proftpd: (acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 13885/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 4234/master
tcp6 0 0 :::993 :::* LISTEN 3593/couriertcpd
tcp6 0 0 :::995 :::* LISTEN 3628/couriertcpd
tcp6 0 0 :::110 :::* LISTEN 3608/couriertcpd
tcp6 0 0 :::143 :::* LISTEN 3568/couriertcpd
tcp6 0 0 :::80 :::* LISTEN 4142/apache2
tcp6 0 0 :::22 :::* LISTEN 3882/sshd
tcp6 0 0 ::1:953 :::* LISTEN 13885/named
tcp6 0 0 :::25 :::* LISTEN 4234/master
tcp6 0 0 :::443 :::* LISTEN 4142/apache2
tcp6 0 432 ::ffff:192.168.10.12:22 ::ffff:192.168.10.243:48343 ESTABLISHED14259/0
udp 0 0 0.0.0.0:53 0.0.0.0:* 13885/named
udp 0 0 192.168.10.12:53 0.0.0.0:* 13885/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 13885/named
udp6 0 0 :::32787 :::* 13885/named

I also rechecked with ISPs NOC and they state the port is not blocked.

bathory · 07-15-2006, 10:33 AM

Then it's your router that is not forwarding requests cause I've ran nmap against your public IP and it founds all ports closed.

b00gz · 07-15-2006, 11:32 AM

Accepted Traffice by the firewall
Jul 15 16:24:02 WAN 65.24.7.3:32776 192.168.10.12:53 UDP

If the computer is not accepting the traffic wouldn't it come up as being closed. So I think that is what is happening.