#1
    Junior Member (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2003
    Posts: 4

    Home dns server not 'dig'-able from Internet


    Hi all,

    I'm a beginner networking enthusiast and I've got a Linux box functioning as a NAT router, firewall, and nameserver (BIND 9.2) for my 3-PC LAN (on the 192.168.1.0 network) on an ADSL connection (dynamic IP).

    Within my private LAN, the nameserver works perfectly (i.e. I've set my Windows box to use it as nameserver, my 3rd Linux box is able to 'dig' it, and I am using it to host some bogus domains which I am using for developmental purposes).

    However, when I try the 'dig' tool from a remote host (e.g. my school's servers) against my nameserver box (e.g. dig @210.24.202.244 test.com), I get the 'connection timeout, no servers reached' error.

    I had opened up port 53 on the firewall, tried telnet 210.24.202.244 53 and there is a response, so the nameserver is reachable from the Internet.

    For my named.conf, I've only got this critical (I think) line:

    options {
        directory "/var/named";
    };

    ...zone file data

    , as I've read that named defaults to accepting DNS queries from anywhere.


    Can anyone advise what I have overlooked? Thank you very much!
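The options block in the post only sets directory, and the post is right that named then answers queries from anywhere. What it leaves out is that BIND 9.2 also answers recursive queries from anywhere by default (the default was narrowed to localhost and localnets in BIND 9.4), so a box that is reachable from the Internet becomes an open resolver, and zone transfers are likewise open unless restricted. The named.conf below is an added example for this thread, not the poster's configuration: it keeps the development zones queryable from outside while limiting recursion and transfers to the LAN. The zone name test.com is taken from the dig command in the post; the zone file name and the LAN range 192.168.1.0/24 (from the post's network) are assumptions.

```conf
options {
    directory "/var/named";

    // Authoritative answers for the zones below may go to anyone
    // (this is also the default, stated explicitly here).
    allow-query { any; };

    // BIND 9.2 default is to recurse for any source address, which makes an
    // Internet-facing server an open resolver.  Only the LAN and the box itself
    // should be able to use it as a recursive resolver.
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };

    // No zone transfers unless a zone statement overrides this.
    allow-transfer { none; };

    // Do not hand out the exact version to a CH TXT version.bind query.
    version "not disclosed";
};

// Development zone; the name comes from the dig command in the post,
// the file name is assumed.
zone "test.com" {
    type master;
    file "test.com.zone";
    // Allow AXFR only from the LAN, e.g. for a secondary on the 3rd box.
    allow-transfer { 192.168.1.0/24; };
};
```

After editing, check the syntax with named-checkconf before reloading, and from a host outside the LAN confirm that a recursive lookup for an unrelated name (dig @server www.example.net) is refused while a lookup inside the served zone still answers.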
#2
    DNS/BIND Guru (Devshed Specialist, 4000 - 4499 posts)
    Join Date: Jun 2003
    Location: OH, USA
    Posts: 4,266
    Perhaps you were mistaken. I am not able to get DNS responses via UDP or TCP from 210.24.202.244. It smells like a firewall misconfiguration since I'm not even getting connection refused. Just timeouts.

    "...which I am using for developmental purposes"

    Now that sounds interesting. I also host a dns server with various records for developmental purposes. If you'd like to use my server for testing feel free to query this server:

    server: ns1.dollardns.org (Win32 BIND 9.2.3)
    protocol: TCP or UDP
    zone: example.com (AXFR allowed)

    Quick-Link:

    http://www.dollardns.org/cgi-bin/DNS...axfr&submit=DS
    Last edited by SilentRage; January 2nd, 2004 at 02:14 PM.
    Send me a private message if you would like me to setup your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/setup fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links:

    Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts
#3
    Junior Member (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2003
    Posts: 4
    Thanks SilentRage for your reply.

    Btw, the IP I stated in my first post is an arbitrary dynamic IP. I had shut down my connection, so you weren't able to get any response at all from that address.

    I managed to get my Linux box to answer DNS queries from your web-based DNS crawler tool, and eventually I found out that my Linux box is accepting both UDP- and TCP-based queries from my private LAN, while it is only accepting TCP-based DNS queries from the Internet itself.

    I have already opened port 53 to allow both TCP and UDP packets and also shut down my iptables firewall, but the problem still persists.

    Any other possibilities? Meanwhile I shall study my iptables ....

    A portion of my iptables --list:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTAB
    ACCEPT all -- anywhere anywhere state RELATED,ESTAB
    REJECT tcp -- anywhere anywhere tcp option=!2 rejec
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT udp -- anywhere anywhere udp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT udp -- anywhere anywhere udp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
    ACCEPT udp -- anywhere anywhere udp dpt:bootps
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT udp -- anywhere anywhere udp dpt:http
    DROP all -- openlans.com anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ..
    ..
    Last edited by njo; July 28th, 2003 at 01:38 AM.
#4
    Junior Member (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2003
    Posts: 4
    After more rounds of testing with UDP sockets, I found that my Linux box itself is not accepting any UDP packets to privileged ports < 1024. TCP packets can get through, since my webserver is working as well as TCP-based DNS queries. I've shut down the firewall entirely and this is still the case. Are there other system settings, other than iptables, that I have missed which are blocking these ports?
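The symptom in posts #3 and #4 (the same server answering over TCP but not over UDP) can be isolated without dig by sending one identical query over both transports and seeing which one comes back. The probe below is an added example for this thread, not code from any of the posters. It builds a raw DNS query, sends it once as a UDP datagram and once over TCP with the 2-byte length prefix that RFC 1035 requires, and reports per transport whether a reply arrived. The fake responder at the bottom is a constructed stand-in for the Linux box (it is not BIND) so the script runs offline; the names probe(), probe_udp(), probe_tcp() and start_fake_dns() are this example's own, and the query name test.com is taken from the first post.

```python
"""Send the same DNS query over UDP and TCP and report which transport answers.
Added example for this thread; the responder at the bottom is a constructed
stand-in for the poster's server, not BIND.
"""
import socket
import struct
import threading


def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """The reply-header fields a reachability check cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def probe_udp(server, port, query, timeout=2.0):
    """One datagram out, one in.  None means nothing came back before the
    timeout, which is what dig reports as 'no servers could be reached'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    return parse_header(data)


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed connection mid-message")
        buf += chunk
    return buf


def probe_tcp(server, port, query, timeout=2.0):
    """Same query over TCP: RFC 1035 4.2.2 prefixes each message with a
    2-byte big-endian length.  None on connect failure, reset or timeout."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except (socket.timeout, OSError):
        return None
    return parse_header(data)


def probe(server, port=53, name="test.com", timeout=2.0):
    """Run both transports with one transaction id so the replies can be matched."""
    q = build_query(name)
    return {"udp": probe_udp(server, port, q, timeout),
            "tcp": probe_tcp(server, port, q, timeout)}


# ---- constructed stand-in for the poster's server (not BIND) -----------------

def make_reply(query, rcode=0):
    """Echo the question back with QR and RA set and no answer records."""
    (txid,) = struct.unpack("!H", query[:2])
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + query[12:]


def start_fake_dns(udp=True):
    """Answer on 127.0.0.1 over TCP always and over UDP only if asked; return
    the port.  udp=False reproduces the thread's symptom: the UDP probe times
    out while the TCP probe gets a reply."""
    tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tsock.bind(("127.0.0.1", 0))
    port = tsock.getsockname()[1]
    tsock.listen(5)

    def tcp_loop():
        while True:
            conn, _ = tsock.accept()
            with conn:
                (length,) = struct.unpack("!H", _recv_exact(conn, 2))
                reply = make_reply(_recv_exact(conn, length))
                conn.sendall(struct.pack("!H", len(reply)) + reply)
    threading.Thread(target=tcp_loop, daemon=True).start()

    if udp:
        usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        usock.bind(("127.0.0.1", port))

        def udp_loop():
            while True:
                q, peer = usock.recvfrom(4096)
                usock.sendto(make_reply(q), peer)
        threading.Thread(target=udp_loop, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_dns(udp=False)
    print(probe("127.0.0.1", p, timeout=0.5))   # udp: None, tcp: a parsed header
```

Run probe("210.24.202.244") from a host outside the LAN and again from inside; a result where tcp is a parsed header and udp is None means the datagram is dropped somewhere before named sees it, and the packet counters from iptables -L -v (incremented or not while the probe runs) tell whether that somewhere is the local rule set or a device upstream. A server that only answers over TCP is not usable for ordinary resolution, since resolvers send over UDP first and only retry over TCP when a reply comes back with the tc bit set.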
#5
    DNS/BIND Guru (Devshed Specialist, 4000 - 4499 posts)
    Join Date: Jun 2003
    Location: OH, USA
    Posts: 4,266
    heh heh, there's a reason why I'm not in the Linux forum helping people - I'm not good at that sort of thing. However, here are some suggestions from somebody I know. In case you'd like to get hold of him for further help, this is where you can find him (if he's non-idle and present):

    user: energy
    irc server: irc.asylum-net.org
    channel: #geeks

    <energy> on his server he can run iptables -L -v > temp.txt then do an external query to see which rule is blocking his udp 53 query
    <energy> also on his ACCEPT udp -- anywhere anywhere udp dpt:domain make it...
    <energy> ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
    <energy> nothing else should be blocking udp