#1
Bind 9 on Redhat 9 behind router
Good day,
I am having a little difficulty with DNS resolution. It would seem that I can resolve locally hosted domains but nothing external. I have bind 9 set up on redhat 9 behind a router. Now I also have bind 9 set up on a redhat 8 box that is not behind a router that works fine; the configs are identical. My router is set up to forward port 53 (TCP & UDP) to the redhat 9 box. When doing an nslookup from an external system I can resolve the local domains but nothing else. The same is true when I do an nslookup on the local host. Any help here would be greatly appreciated.

TIA,
Ikabod.

Last edited by ikabod : May 10th, 2004 at 12:45 AM.
#2
|
||||
|
||||
|
Sorry, can't help ya, you didn't give me a domain with which I can test.
#3
|
|||
|
|||
|
Sorry,
canadianman.ca
#4
|
||||
|
||||
|
Is the website supposed to resolve to 68.145.52.149?

Are these supposed to be your dns servers:

ns1.thecave.net (68.144.64.9)
pd1.canadianman.ca (68.145.39.91)
pd2.canadianman.ca (68.145.52.149)

If so, why isn't pd2 set as a dns host for your domain at your registrar? Also, why isn't a NS record for ns1.thecave.net in your zone file?

Please post your named.conf to your next reply.
#5
|
|||
|
|||
|
That is strange, pd1 is the server that should not be listed as I want to pull it from production for a rejump when I get pd2 running.

ns1.thecave.net is a friend's dns server which I use as my secondary. Here is the named.conf:

// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        listen-on port 53 { 192.168.1.3; };
        query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "canadianman.ca" IN {
        type master;
        file "canadianman.zone";
        allow-update { 68.145.39.91; 68.144.64.9; localhost; };
        allow-query { any; };
};

zone "mountainprk.com" IN {
        type master;
        file "mountainprk.zone";
        allow-update { 68.145.39.91; 68.144.64.9; localhost; };
        allow-query { any; };
};

include "/etc/rndc.key";
#6
|
|||
|
|||
|
ns1.thecave.net is in the zone file as my secondary. Should I not include this in the zone file if it is being used as the secondary?
#7
|
|||
|
|||
|
Yes, the IP is correct for the page. This is the external IP of the router.
#8
|
||||
|
||||
|
FYI - This list:

Name servers set at your registrar

Should always match this list:

Name servers set in your zone file

Now, I need to figure out what exactly the problem is cause your domain is fine. So I assume that your original question was why are you not able to resolve domains like "www.yahoo.com" etc. The reason I asked to see named.conf was to make sure it was acting as a resolver, and you are. Anybody in the entire world can use your server to resolve domains. Well, at least they should be. I tried it and got time outs. So this could be a firewall/router related problem. So let's test that theory:

On the redhat dns server execute the following commands and paste for me the results:

dig @127.0.0.1 www.yahoo.com
dig @198.41.0.4 com ns

Also paste for me the contents of resolv.conf

[EDIT] Actually I may be wrong. One of your servers IS an open resolver. The other isn't. Which dns server's IP did you show the named.conf for?

Last edited by SilentRage : May 10th, 2004 at 12:53 PM.
#9
|
|||
|
|||
|
I showed the named.conf for pd2, this is the one I am having trouble with. Here are the results of the digs...

[jrus@pd2 jrus]$ dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.2.2-P3 <<>> @127.0.0.1 www.yahoo.com
;; global options: printcmd
;; connection timed out; no servers could be reached

[jrus@pd2 jrus]$ dig @198.41.0.4 com ns

; <<>> DiG 9.2.2-P3 <<>> @198.41.0.4 com ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44830
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    172694  IN      NS      g.gtld-servers.net.
com.                    172694  IN      NS      h.gtld-servers.net.
com.                    172694  IN      NS      i.gtld-servers.net.
com.                    172694  IN      NS      j.gtld-servers.net.
com.                    172694  IN      NS      k.gtld-servers.net.
com.                    172694  IN      NS      l.gtld-servers.net.
com.                    172694  IN      NS      m.gtld-servers.net.
com.                    172694  IN      NS      a.gtld-servers.net.
com.                    172694  IN      NS      b.gtld-servers.net.
com.                    172694  IN      NS      c.gtld-servers.net.
com.                    172694  IN      NS      d.gtld-servers.net.
com.                    172694  IN      NS      e.gtld-servers.net.
com.                    172694  IN      NS      f.gtld-servers.net.

;; Query time: 34 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon May 10 13:34:06 2004
;; MSG SIZE rcvd: 245

[jrus@pd2 jrus]$ cat /etc/resolv.conf
nameserver 64.145.39.91

Last edited by ikabod : May 10th, 2004 at 02:42 PM.
#10
|
||||
|
||||
|
Ok, now I'm assuming that your original question was talking about how pd1 is fine, but pd2 is not working right even though it has the exact same config. Well they're 2 different versions although I don't see a problem with this. pd1 is BIND 9.2.1 and pd2 is BIND 9.2.3-P3.
So the only other explanation is that there is a firewall or router preventing return UDP packets from reaching your server. Try disabling any firewalls between pd2 and the internet, and route all UDP packets to pd2 with any routers that might be in the way. Then show me the dig yahoo request again.
#11
|
|||
|
|||
|
All traffic on port #53 is being directed to pd2. And the port on the router is open...

[root@pd2 root]# nmap 68.145.52.149

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on S01060040052ab83e.cg.shawcable.net (68.145.52.149):
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
80/tcp     open        http
143/tcp    open        imap2
443/tcp    open        https
8080/tcp   open        http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 142 seconds

Still the same results. Is there something on the host I may need to do?

[root@pd2 root]# dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.2.2-P3 <<>> @127.0.0.1 www.yahoo.com
;; global options: printcmd
;; connection timed out; no servers could be reached

[root@pd2 root]# ig @198.41.0.4 com ns
-bash: ig: command not found
[root@pd2 root]# dig @198.41.0.4 com ns

; <<>> DiG 9.2.2-P3 <<>> @198.41.0.4 com ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8420
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.

;; Query time: 249 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon May 10 18:49:15 2004
;; MSG SIZE rcvd: 245

Last edited by ikabod : May 10th, 2004 at 08:16 PM.
#12
|
||||
|
||||
|
That nmap doesn't prove anything. TCP is not the problem. Outgoing TCP requests establish a connection where both sending and receiving data is passed along by firewalls. UDP is different. If you send a UDP request, firewalls that don't support stateful packet inspection may block the response cause they're too stupid to know better.

So once again, I repeat. Route all UDP traffic to pd2. No, I don't mean just port 53, I really mean ALL udp traffic.
#13
|
|||
|
|||
|
Ok, I have disabled any firewall rules on the host, and I'm allowing all UDP traffic through the router...

Action   Name   Source   Destination   Protocol/Port
Allow           WAN,*    LAN,*         UDP, *

Here is the results of the dig, this time a bit different.

[jrus@pd2 jrus]$ dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.2.2-P3 <<>> @127.0.0.1 www.yahoo.com
;; global options: printcmd
;; connection timed out; no servers could be reached

[jrus@pd2 jrus]$
[jrus@pd2 jrus]$ dig @198.41.0.4 com ns

; <<>> DiG 9.2.2-P3 <<>> @198.41.0.4 com ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58205
;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
B.GTLD-SERVERS.NET.     172800  IN      A       192.33.14.30
D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
L.GTLD-SERVERS.NET.     172800  IN      A       192.41.162.30
F.GTLD-SERVERS.NET.     172800  IN      A       192.35.51.30
J.GTLD-SERVERS.NET.     172800  IN      A       192.48.79.30
K.GTLD-SERVERS.NET.     172800  IN      A       192.52.178.30
E.GTLD-SERVERS.NET.     172800  IN      A       192.12.94.30
M.GTLD-SERVERS.NET.     172800  IN      A       192.55.83.30
A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
G.GTLD-SERVERS.NET.     172800  IN      A       192.42.93.30
H.GTLD-SERVERS.NET.     172800  IN      A       192.54.112.30
C.GTLD-SERVERS.NET.     172800  IN      A       192.26.92.30
I.GTLD-SERVERS.NET.     172800  IN      A       192.43.172.30

;; Query time: 111 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue May 11 08:41:58 2004
;; MSG SIZE rcvd: 453

I may require some assistance if this was not quite what you were looking for.
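The dig transcripts in posts #9, #11 and #13 differ in one detail that is easy to miss when reading by eye: the `flags:` line. `ra` (recursion available) means the answering server offers recursion to whoever can reach it, which is what SilentRage means by "open resolver" in post #8. A root server such as 198.41.0.4 does not offer recursion, so a genuine root answer carries no `ra` and ships the delegation's glue in the ADDITIONAL section, as the post #13 transcript does; an answer from that address that does carry `ra` was not produced by the root server itself. The following is an added example, not code from the thread: a Python parser that splits a dig transcript into per-query results and classifies each as no reply, recursive or non-recursive. The embedded transcript is a constructed, abridged copy of the thread's output (two answer records instead of thirteen).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DigResult:
    server: str                          # address after '@' on the dig command line
    qname: str
    qtype: str
    timed_out: bool
    status: Optional[str] = None         # NOERROR, NXDOMAIN, ...
    flags: List[str] = field(default_factory=list)
    counts: Dict[str, int] = field(default_factory=dict)


# Each query's output starts with dig's banner line; the third capture (qtype) is optional.
BANNER_RE = re.compile(r"^; <<>> DiG \S+ <<>> @(\S+) (\S+)(?: (\S+))?", re.M)
STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
COUNTS_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)")


def parse_dig(transcript: str) -> List[DigResult]:
    """Split a terminal transcript of several dig runs into one DigResult per query."""
    banners = list(BANNER_RE.finditer(transcript))
    results = []
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(transcript)
        chunk = transcript[m.start():end]
        qtype = (m.group(3) or "A").upper()          # dig defaults to type A
        r = DigResult(m.group(1), m.group(2), qtype,
                      timed_out="connection timed out" in chunk)
        if not r.timed_out:
            s = STATUS_RE.search(chunk)
            r.status = s.group(1) if s else None
            f = FLAGS_RE.search(chunk)
            r.flags = f.group(1).split() if f else []
            r.counts = {k: int(v) for k, v in COUNTS_RE.findall(chunk)}
        results.append(r)
    return results


def classify(r: DigResult) -> str:
    """no-reply: nothing listening on that address, or UDP replies dropped on the way back.
    recursive: RA set, the server resolves on behalf of any client that can reach it.
    non-recursive: answer or referral only, as a root or authoritative server gives."""
    if r.timed_out:
        return "no-reply"
    return "recursive" if "ra" in r.flags else "non-recursive"


# Constructed, abridged copy of the thread's dig output (post #9 style, then post #13 style).
SAMPLE = """\
[jrus@pd2 jrus]$ dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.2.2-P3 <<>> @127.0.0.1 www.yahoo.com
;; global options: printcmd
;; connection timed out; no servers could be reached

[jrus@pd2 jrus]$ dig @198.41.0.4 com ns

; <<>> DiG 9.2.2-P3 <<>> @198.41.0.4 com ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44830
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
com.                    172694  IN      NS      g.gtld-servers.net.
com.                    172694  IN      NS      h.gtld-servers.net.

[jrus@pd2 jrus]$ dig @198.41.0.4 com ns

; <<>> DiG 9.2.2-P3 <<>> @198.41.0.4 com ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58205
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; ANSWER SECTION:
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
B.GTLD-SERVERS.NET.     172800  IN      A       192.33.14.30
D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
"""

if __name__ == "__main__":
    for r in parse_dig(SAMPLE):
        print(f"@{r.server} {r.qname}/{r.qtype}: {classify(r)}"
              f" flags={' '.join(r.flags) or '-'} {r.counts}")
```

Run against the real transcripts, the loopback query is "no-reply" in all three posts while the query to 198.41.0.4 flips from "recursive" to "non-recursive" once the router passes UDP; the loopback result is therefore a property of the host, not of the router.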
#14
|
||||
|
||||
|
Well I suppose named might not even be listening on loopback. Let's make sure it returns at least your domain on 127.0.0.1:

dig @127.0.0.1 canadianman.ca
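The named.conf posted in #5 already answers the question SilentRage raises here: `listen-on port 53 { 192.168.1.3; };` tells named to bind only that address, so nothing answers on 127.0.0.1 and every `dig @127.0.0.1` in the thread times out regardless of the router. The same options block has no `allow-recursion`, which is the open-resolver condition noted in post #8, and pins `query-source` to port 53. The following is an added example, not code from the thread or from BIND: a Python audit that strips comments from a named.conf, extracts the `options` block with proper brace matching, and reports those three conditions. `ORIGINAL` is a constructed copy of the options and one zone from post #5; `HARDENED` is an assumed corrected version (loopback added, recursion limited to an assumed 192.168.1.0/24 LAN, no fixed source port).

```python
import re
from typing import List, Optional


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def block_body(text: str, name: str) -> str:
    """Text between the braces of the first top-level `name { ... };`, counting
    nested braces so inner lists such as listen-on { ... } stay intact."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def addr_list(body: str, stmt: str) -> Optional[List[str]]:
    """Items of `stmt [port N] { a; b; };`, or None when the statement is absent."""
    m = re.search(r"\b%s\b(?:\s+port\s+\d+)?\s*\{([^}]*)\}" % re.escape(stmt), body)
    if not m:
        return None
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def audit(conf: str) -> List[str]:
    """Return one finding per weak or surprising setting in the options block."""
    findings = []
    opts = block_body(strip_comments(conf), "options")

    # 1. Loopback not bound: local diagnostics against 127.0.0.1 get no reply.
    listen = addr_list(opts, "listen-on")
    if listen is not None and not {"127.0.0.1", "any"} & set(listen):
        findings.append("listen-on omits 127.0.0.1: 'dig @127.0.0.1 ...' on the host itself gets no reply")

    # 2. Recursion on (BIND's default) with no allow-recursion ACL: open resolver.
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    allow = addr_list(opts, "allow-recursion")
    if not (rec and rec.group(1) == "no") and (allow is None or "any" in allow):
        findings.append("recursion is on and allow-recursion is unrestricted: every client "
                        "that can reach port 53 can use this server as a resolver")

    # 3. Fixed outbound port: removes one of the values a spoofed reply would have to match.
    qs = re.search(r"\bquery-source\b([^;]*);", opts)
    if qs and re.search(r"\bport\s+\d+", qs.group(1)):
        findings.append("query-source pins a fixed source port: drop the port clause "
                        "so named picks a random port per query")
    return findings


# Constructed copy of the options block and one zone from post #5.
ORIGINAL = """\
// generated by named-bootconf.pl
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.
         */
        listen-on port 53 { 192.168.1.3; };
        query-source address * port 53;
};
zone "canadianman.ca" IN {
        type master;
        file "canadianman.zone";
        allow-query { any; };
};
"""

# Assumed hardened version (not from the thread); 192.168.1.0/24 is an assumed LAN.
HARDENED = """\
options {
        directory "/var/named";
        listen-on port 53 { 127.0.0.1; 192.168.1.3; };
        recursion yes;
        allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label, audit(conf) or ["no findings"])
```

Comments are stripped before parsing because the stock comment in this very file mentions `query-source` in prose; a naive grep would report it whether or not the directive is active. Note that `allow-query { any; }` on the zones is fine for an authoritative server; it is `allow-recursion` that decides who may use the cache.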