Setting up DNS - External Access Problems

#1
I'm running Red Hat 9 with BIND 9 and am new to BIND's DNS implementation.
I've got a domain registered (energyinfotech.com) with it pointing to my nameserver (ns.energyinfotech.com). The nameserver is connected directly to the net. The firewall I have allows all traffic to ns. Now, when I try to resolve names locally, it works:

    [LOCALMACHINE etc]# dig energyinfotech.com @ns.energyinfotech.com

    ; <<>> DiG 9.2.1 <<>> energyinfotech.com @ns.energyinfotech.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1237
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;energyinfotech.com.            IN      A

    ;; ANSWER SECTION:
    energyinfotech.com.     259200  IN      A       70.241.62.161

    ;; AUTHORITY SECTION:
    energyinfotech.com.     259200  IN      NS      ns1.swbell.net.
    energyinfotech.com.     259200  IN      NS      ns2.swbell.net.
    energyinfotech.com.     259200  IN      NS      ns.energyinfotech.com.

    ;; ADDITIONAL SECTION:
    ns.energyinfotech.com.  259200  IN      A       70.241.62.161

    ;; Query time: 0 msec
    ;; SERVER: 70.241.62.161#53(ns.energyinfotech.com)
    ;; WHEN: Mon Jun 28 13:27:49 2004
    ;; MSG SIZE  rcvd: 131

However, when I query from an external location:

    [EXTERNALMACHINE]# dig energyinfotech.com @ns.energyinfotech.com

    ; <<>> DiG 9.2.3 <<>> energyinfotech.com @ns.energyinfotech.com
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached

(This external location is capable of querying other servers, btw.) Does anyone have any ideas on where to start? I've been hammering away at this for quite a while. If you need more info, just let me know. Thanks in advance.
#2
I get timeouts when I try to query 70.241.62.161.
The reason is one of these choices:
1) There is a router that isn't forwarding incoming UDP traffic for port 53 to the proper machine.
2) The router's firewall is blocking incoming UDP queries to port 53.
3) Your ISP is blocking incoming port 53.
#3
I have a 2wire OfficePortal 1800HW.
In response to 1 and 2: 70.241.62.161 is set up to allow all traffic to pass through (btw, this is not the router address, it's the server address). I'll check out about the ISP blocking 53, but I don't think it is.
#4
If your ISP isn't the problem I want you to show me the results of this command:

    netstat -an | grep '53'

Then I will tell you if it's the firewall's or router's fault or BIND's fault.
#5
    [LOCALSERVER]# netstat -an | grep '53'
    tcp        0      0 70.241.62.161:53        0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53494         127.0.0.1:6100          TIME_WAIT
    tcp        0      0 127.0.0.1:53500         127.0.0.1:6100          TIME_WAIT
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53522         ESTABLISHED
    tcp        0      0 127.0.0.1:53522         127.0.0.1:6100          ESTABLISHED
    tcp        0      0 127.0.0.1:53520         127.0.0.1:6100          ESTABLISHED
    tcp        0      0 127.0.0.1:53521         127.0.0.1:6100          ESTABLISHED
    tcp        0      0 127.0.0.1:53519         127.0.0.1:6100          ESTABLISHED
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53521         ESTABLISHED
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53520         ESTABLISHED
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53519         ESTABLISHED
    tcp        0      0 70.241.62.161:53491     70.241.62.161:80        TIME_WAIT
    tcp        0      1 70.241.62.161:53518     192.168.0.105:6200      SYN_SENT
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53468         TIME_WAIT
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53467         TIME_WAIT
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53466         TIME_WAIT
    tcp        0      0 127.0.0.1:6100          127.0.0.1:53465         TIME_WAIT
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 70.241.62.161:53        0.0.0.0:*
    unix  2      [ ACC ]     STREAM     LISTENING     3533   /var/tmp/.oracle/sEXTPROC
    unix  2      [ ACC ]     STREAM     LISTENING     3535   /var/tmp/.oracle/s#1366.1
    unix  2      [ ]         DGRAM                    125396
    unix  2      [ ]         STREAM     CONNECTED     553
#6
Ok, you see this line?

    tcp        0      0 70.241.62.161:53        0.0.0.0:*               LISTEN

That says something is listening on port 53. Now that something is probably BIND. Let's also pretend BIND is really screwed up. I should be able to connect to the port. The operating system sockets implementation lets me connect cause that port is listening. Now, BIND may immediately disconnect me, or it will ignore my request after I connect, but BIND can't stop me from connecting. Impossible as long as that line up there exists. So if BIND is really screwed up, either it will immediately disconnect me or it will ignore my request.

Then I tried to connect to port 53 on that IP. But the connection timed out. BIND can't make the connection time out, it has no control over that. So something MUST be interfering with the connection attempt. This could be the operating system, this could be a firewall, this could be a router, this could be the ISP, or packets simply can't make it from me to you. But the problem is not BIND. The problem is most likely a misconfiguration with a router you have control of, or a firewall on the system.

On the Red Hat server, execute the following command:

    service iptables stop

If you still can't query the server externally you know it's not a firewall related problem and that it's time to look at the router. Maybe it froze up, I dunno. But I can't connect to ANY of your ports. Your entire system is unreachable to me. Although I CAN ping you, so you aren't totally invisible.
#7
Not even port 80? I can connect to that externally.
Make sure you're using 70.241.62.161
#8
heh heh, ok, so scanning ya didn't turn up any gold. Yes, I can connect to port 80 so that removes the possibility that we're simply unreachable to each other. Same deal with 53 as I mentioned before however.
#9
Hell, I even forgot to mention that I'm connecting to it via SSH as we speak.
And I didn't specify what ports to let through. I set the firewall to categorically let all packets through to all ports. I'm investigating the ISP 53 block as we speak. Will return on that once I find out. By the way, my router drops port scan packets.
#10
yeah, I figured, that's why I chuckled at it. You stopped me! The evil hax0r! lol.
#11
Yeah, I talked to my ISP, and they're not blocking 53.
They referred me to the folks who made my router, and went through the config. From the way I set it up, it shouldn't be blocking 53. Unfortunately, during that troubleshooting session, the firewall was inadvertently switched back on and is now blocking all ports. Obviously, this kills SSH. Doh! I'm having someone onsite reopen the firewall tomorrow so I can continue the remote admin. I'm calling it a day. I'm going to come back tomorrow. Anything else you need to know? Thanks for your help.
#12
Nope, I'm confident that it's router related by process of elimination.
The only way to test out the router theory is if you knew how to packet sniff. I'm big on packet sniffing.
#13
Alright then, I'll pull out ethereal and libpcap 'morrow.
#14
Ran

    tethereal -R udp port 53

and it received those calls from my external comp. It's not the router or ISP. It, however, did not reply. Any ideas?
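As an added example (this is not code from the thread, nor anything shipped with BIND), here is a small probe that does from the outside what posts #6 and #14 are arguing about. Post #6's point is that a socket in LISTEN state must either accept or reset a TCP connection, so a connect timeout proves something in the path is dropping packets before they reach BIND; post #14 is the UDP case, where the sniffer on the server sees the query arrive but no reply leaves. The probe sends one query over UDP and one over TCP and classifies each outcome separately, so the two situations can be told apart without a packet capture. Assumptions: the server address and zone name are the ones from the dig output in post #1, the sample response bytes are constructed for the test (their record values copy that dig output), the outcome labels and the name `diagnose` are this example's own, and the probe itself only gives a useful answer when run from an external host.

```python
"""DNS reachability probe: tell "filtered in the path" from "BIND not answering".
Added example, standard library only; see lead-in for assumptions."""
import random
import socket
import struct
import sys

RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample answer for energyinfotech.com (values copied from post #1).
SAMPLE_RESPONSE = bytes.fromhex(
    "04d5 8580 0001 0001 0000 0000"                      # id 1237, QR|AA|RD|RA, 1 qd, 1 an
    "0e 656e65726779696e666f74656368 03 636f6d 00 0001 0001"   # question: energyinfotech.com A IN
    "c00c 0001 0001 0003f480 0004 46f13ea1"              # answer: ptr, A, IN, TTL 259200, 70.241.62.161
)


def build_query(name, qid, qtype=1):
    """Minimal DNS query: RD set, one IN question (default type A)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:                          # refuse pointer loops from a hostile server
                raise ValueError("compression pointer loop")
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg, expected_id):
    """Check id and QR bit, then collect A records from the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(server, name, timeout=3.0):
    """Query over UDP then TCP; return {"udp": outcome, "tcp": outcome}."""
    qid = random.randrange(1, 0x10000)
    query = build_query(name, qid)
    result = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
            result["udp"] = parse_response(data, qid)["rcode"]
        except socket.timeout:
            result["udp"] = "timeout"              # dropped in transit, or server silent
        except ConnectionRefusedError:
            result["udp"] = "unreachable"          # ICMP port unreachable: nothing on udp/53
        except (OSError, ValueError) as exc:
            result["udp"] = "error: %s" % exc
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))                # succeeds whenever something is in LISTEN
        except socket.timeout:
            result["tcp"] = "timeout"              # SYN never answered: filtered in the path
            return result
        except ConnectionRefusedError:
            result["tcp"] = "refused"              # host reachable, nothing bound to tcp/53
            return result
        try:
            s.sendall(struct.pack(">H", len(query)) + query)
            (length,) = struct.unpack(">H", _recv_exact(s, 2))
            result["tcp"] = parse_response(_recv_exact(s, length), qid)["rcode"]
        except socket.timeout:
            result["tcp"] = "connected-no-answer"  # accepted, then ignored (post #6's other case)
        except (OSError, ValueError) as exc:
            result["tcp"] = "error: %s" % exc
    return result


def diagnose(outcome):
    """Map the two transport outcomes onto the hypotheses raised in the thread."""
    tcp, udp = outcome["tcp"], outcome["udp"]
    if tcp == "timeout":
        return "filtered"            # post #6: packets never reach the socket (router/firewall/ISP)
    if tcp == "refused":
        return "not-listening"       # host answers, but no process bound to tcp/53
    if udp == "timeout":
        return "udp-silent"          # post #14: query gets there, no reply comes back
    if "REFUSED" in (tcp, udp):
        return "policy-refused"      # BIND reached; it declined to answer this client
    if tcp == "NOERROR" and udp == "NOERROR":
        return "ok"
    return "inconclusive: %r" % (outcome,)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "70.241.62.161"      # from post #1
    name = sys.argv[2] if len(sys.argv) > 2 else "energyinfotech.com"
    out = probe(server, name)
    print(out, "->", diagnose(out))
```

Run it from the external machine (for instance `python3 dnsprobe.py 70.241.62.161 energyinfotech.com`, the file name being arbitrary). A `filtered` verdict while port 80 connects fine, as in post #8, points at whatever sits between the client and the socket; `udp-silent` with the query visible in tethereal on the server, as in post #14, moves the search to the server side, because the packet demonstrably arrived and nothing was sent back.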
#15
yeah, I'd like to see the sniffing results.