DNS problem

[qb7]

Quote:

Originally Posted by falko

Looks good. If you use BIND - can you post your named.conf?

# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named/chroot/var/named";
dump-file "/var/named/chroot/var/named/data/cache_dump.db";
statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
"/var/named/chroot/etc/named.conf" 29L, 938C

[matty]

Hi qb7. You need to fix the listen-on and allow-query parameters as I mentioned on the 1st page.

[veuster]

Hi matty, I need to ask something.

I have a VPS that I use as nameserver and webserver

My website on my VPS can't be accessed before.

I have registered my nameserver to my domain provider and assigns the domain nameserver to my nameserver. I waited for a week and it doesn't work

At first I think it's because my nameserver (in this case my VPS) have to be added in the global registry of my domain provider, according to some howto article. So I tried to contact my domain provider, but they say I must ask the VPS provider and the VPS provider says I must ask the domain provider.

Then, I also found out that in order to check the DNS is running and accessible, one should be able to telnet to the server IP at port 53. I tried this but can't connect.

After I read this thread, you suggest to change the parameter in named.conf.
I tried it and it works like a charm. My website can be accessed now.
What I want to ask is :
Is it OK to make this change? I mean secure or anything?

Because I followed the perfect server guide and the guide says nothing about this. The guide just put localhost or 127.0.0.1 in the parameter

Thanks.

[matty]

Quote:

Originally Posted by veuster

After I read this thread, you suggest to change the parameter in named.conf.
I tried it and it works like a charm. My website can be accessed now.
What I want to ask is :
Is it OK to make this change? I mean secure or anything?

Yes, it's fine for a server that needs zones to be publically accessable.

It's important to understand a couple of concepts about name servers. When you host a zone, the name server becomes an authoritative name server. That is, your name servers are the only ones in the world that can answer queries authoritatively (meaning it has the exact, non-cached answer) for that zone. Because we're running ISPConfig, we probably want everyone in the world to be able to ask our nameservers about the the zones we host, so that they can see the sites and services we host. To enable that, we need to set bind to allow-queries from any(where).

allow-query { any; };

The other main function of name servers is to do the work querying other name servers that host other peoples zones, so that we can connect to their sites and services. This is a function known as recursion. That is, we ask our name server to find out the address of a site, and it then goes and makes multiple queries until it obtains an answer (or fails) and then passes that answer back to your computer. It's best practice to only allow your name server to perform recursive lookups for computers you control or trust, and not allow everybody on the 'net to use your name server in that way. So you tell bind who is allowed to do recursion. In this example, use your own networks, and don't forget to allow localhost so the nameserver can access its own service. An ISP would probably allow the IP ranges of its user base.

allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };

The other parameter I mentioned, listen-on, tells bind to only answer queries it receives on the specified network interfaces. If it is left as localhost/127.0.0.1, it will ignore queries from anywhere but itself.

listen-on { any; };

Advanced users may have a need to do things a little different to the examples above, but these will suit 99% of us that use ISPConfig to host publicly accessable DNS zones and web/email servers.

Quote:

Because I followed the perfect server guide and the guide says nothing about this. The guide just put localhost or 127.0.0.1 in the parameter

There's quite a few perfect server guides. I'm sure falko and till would appreciate feedback that could be used to improve them. Could you point out which one you used?

[veuster]

Thanks a lot.
That explains everything that have happened.

I used CentOS 5.5 (32 bit) with ISPConfig 3.0.2.2 according to this guide by falko :

http://www.howtoforge.com/perfect-se...64-ispconfig-2

But I think almost all the guide still used named.conf which point their query to localhost or 127.0.0.1
Maybe they hope that we'll be able to change it according to our needs, but some people still doesn't know about this concept.
Thank you everyone!

[falko]

Quote:

Originally Posted by veuster

I used CentOS 5.5 (32 bit) with ISPConfig 3.0.2.2 according to this guide by falko :

http://www.howtoforge.com/perfect-se...64-ispconfig-2

This tutorial is for ISPConfig 2 and therefore incompatible with ISPConfig 3. For ISPConfig 3, you should've used this guide: http://www.howtoforge.com/perfect-se...64-ispconfig-3

[qb7]

Quote:

Originally Posted by falko

This tutorial is for ISPConfig 2 and therefore incompatible with ISPConfig 3. For ISPConfig 3, you should've used this guide: http://www.howtoforge.com/perfect-se...64-ispconfig-3

// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named/chroot/var/named";
dump-file "/var/named/chroot/var/named/data/cache_dump.db";
statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
allow-query {any; };
recursion no;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.root";
};
include "/var/named/chroot/etc/named.conf.local";

This configuration run OK for a littel internet web server. Falko, this is a security problem? This is a security hole?
My server run in CentOS 5.5 and last estable ispConfig 3.
Wich the configutation of the guide http://www.howtoforge.com/perfect-se...64-ispconfig-3 don't run OK for the internet request. Don't show the web pages. Why?

[veuster]

Sorry Falko, I posts the wrong url, I use the ISPconfig 3 really.

This is the url:
http://www.howtoforge.com/perfect-se...64-ispconfig-3

But, as you can see the problem is still the same.
Do you think matty is right?

The listen-on port 53 and allow-query needs to be set to { any; } ?

I don't know, maybe you have the right answer.
Anyway, thanks.