stupid semi-newbie question #3 DNS/named problem?

[craig baker]

I've just noticed that on my new server (ns5.cdbsystems.com) though named is running and I followed the install-chroot-bind howto, I cant get to it from outside world.

when I do

dig @ns5.cdbsystems.com cdbsystems.com

I get REFUSED form dig.
my other nameserver
dig @ns4.cdbsystems.com cdbsystems.com

reponds normally.

how can I tell what named is up to?

one complicating factor is I have it behind a xincom dual-wan router.
The centos 5.1 server has a static ip of 192.168.2.50 and I have
the router passing through all dns / port 53 request (tcp and udp) to this static ip.
the router ip is 71.163.161.26 which is of course what ns5.cdbsystems.com is saved as at godaddy (the registrar) and ns4.cdbsystems.com.

doing /etc/rc.d/rc3.d/S13named restart messages contains:
May 14 13:50:29 ns5 named[1999]: shutting down: flushing changes
May 14 13:50:29 ns5 named[1999]: stopping command channel on 127.0.0.1#953
May 14 13:50:29 ns5 named[1999]: stopping command channel on ::1#953
May 14 13:50:29 ns5 named[1999]: no longer listening on 127.0.0.1#53
May 14 13:50:29 ns5 named[1999]: no longer listening on 192.168.2.50#53
May 14 13:50:29 ns5 named[1999]: exiting
May 14 13:50:31 ns5 named[3456]: starting BIND 9.3.3rc2 -u named -t /var/named/chroot
May 14 13:50:31 ns5 named[3456]: found 2 CPUs, using 2 worker threads
May 14 13:50:31 ns5 named[3456]: loading configuration from '/etc/named.conf'
May 14 13:50:31 ns5 named[3456]: listening on IPv4 interface lo, 127.0.0.1#53
May 14 13:50:31 ns5 named[3456]: listening on IPv4 interface eth0, 192.168.2.50#53
May 14 13:50:31 ns5 named[3456]: command channel listening on 127.0.0.1#953
May 14 13:50:31 ns5 named[3456]: command channel listening on ::1#953
May 14 13:50:31 ns5 named[3456]: zone 0.in-addr.arpa/IN/localhost_resolver: loaded serial 42
May 14 13:50:31 ns5 named[3456]: zone 0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 1997022700
May 14 13:50:31 ns5 named[3456]: zone 255.in-addr.arpa/IN/localhost_resolver: loaded serial 42
May 14 13:50:31 ns5 named[3456]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: loaded serial 1997022700
May 14 13:50:31 ns5 named[3456]: zone localdomain/IN/localhost_resolver: loaded serial 42
May 14 13:50:31 ns5 named[3456]: zone localhost/IN/localhost_resolver: loaded serial 1
May 14 13:50:31 ns5 named[3456]: zone cdbsystems.com/IN/external: loaded serial 1997022735
May 14 13:50:31 ns5 named[3456]: zone cdbsystems.com/IN/external: sending notifies (serial 1997022735)
May 14 13:50:31 ns5 named[3456]: running
May 14 13:50:31 ns5 named[3456]: client 192.168.2.1#1345: view internal: received notify for zone 'cdbsystems.com': not authoritative

on ns4.cdbsystems.com (and ns5) the cdbsystems.hosts file contains:
-------------------------------------
$TTL 84600
@ IN SOA cdbsystems.com. root.cdbsystems.com. (
1997022735 ; Serial
3600 ; Refresh
14400 ; Retry
1209600 ; Expire
86400 ) ; TTL
IN NS ns4.cdbsystems.com.
IN NS ns5.cdbsystems.com.


admin IN A 65.254.36.202
ns6 IN A 65.254.36.202
newbrutha IN A 65.254.36.202
cdbtest IN A 65.254.36.202
inthezoneonline IN A 65.254.36.202
ns5 IN A 71.163.161.26
ns4 IN A 65.254.36.202
www IN A 71.163.161.26
ns3 IN A 65.254.36.202
ns2 IN A 65.254.36.202
www2 IN A 65.254.36.202
ns1 IN CNAME admin
wwwns5 IN CNAME admin
ftp IN CNAME admin
pop3 IN CNAME admin
smtp IN CNAME admin
mail IN CNAME admin
cdbsystems.com. MX 50 ns4.cdbsystems.com.

-----------------
any ideas as to how to diagnose the problem?
I notice in messages reference to ports 953 and 1345 as far as I know the firewall is NOT passing those through - do I need to allow them?
(most firewall setup howtos only mention 53 and making sure TCP and UDP are both allowed for DNS passthrough)

any help is most welcome

cdb.

[falko]

Seems to respond for me:

Code:

mh1:~# dig @ns5.cdbsystems.com cdbsystems.com

; <<>> DiG 9.3.4 <<>> @ns5.cdbsystems.com cdbsystems.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46414
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cdbsystems.com.                        IN      A

;; Query time: 107 msec
;; SERVER: 71.163.161.26#53(71.163.161.26)
;; WHEN: Thu May 15 19:44:20 2008
;; MSG SIZE  rcvd: 32

mh1:~#

[craig baker]

it gives status REFUSED - and provides no information.
ns4.cdbsystems.com gives good status and provides all we need
cdb.

[craig baker]

I just realized (its been a LONG week) that I've got my centos server on
static ip 192.168.2.50
now the router is forwarding traffic (including dns traffic hopefully) to 192.168.2.50.
but maybe the REFUSED means that bind is not listening for requests to the external static ip? (71.163.161.26)
if so, how to get bind to respond to both address properly?

thanks
cdb.

[falko]

Sorry, I've overlooked the REFUSED...

What's the output of

Code:

netstat -tap

? What's in named.conf?

[craig baker]

here's from NS5:
[root@ns5 rc5.d]# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdomain:2208 *:* LISTEN 2243/hpiod
tcp 0 0 *:mysql *:* LISTEN 2399/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 2020/portmap
tcp 0 0 ns5.cdbsystems.com:domain *:* LISTEN 16468/named
tcp 0 0 localhost.localdomai:domain *:* LISTEN 16468/named
tcp 0 0 *:ftp *:* LISTEN 2424/proftpd: (acce
tcp 0 0 localhost.localdomain:ipp *:* LISTEN 2274/cupsd
tcp 0 0 *:squid *:* LISTEN 3982/(squid)
tcp 0 0 localhost.localdomain:rndc *:* LISTEN 16468/named
tcp 0 0 localhost.localdomain:smtp *:* LISTEN 30379/sendmail: acc
tcp 0 0 localhost.localdomain:2207 *:* LISTEN 2248/python
tcp 0 0 *:959 *:* LISTEN 2049/rpc.statd
tcp 0 0 ns5.cdbsystems.com:domain ns4.cdbsystems.com:55609 TIME_WAIT -
tcp 1 0 ns5.cdbsystems.com:43767 192.150.18.46:http CLOSE_WAIT 2969/python
tcp 1 0 ns5.cdbsystems.com:45051 hpc-mirror.usc.edu:http CLOSE_WAIT 2969/python
tcp 1 0 ns5.cdbsystems.com:49617 hilbert.unl.edu:http CLOSE_WAIT 2969/python
tcp 1 0 ns5.cdbsystems.com:49611 hilbert.unl.edu:http CLOSE_WAIT 2969/python
tcp 1 0 ns5.cdbsystems.com:40206 ns1.centos.org:http CLOSE_WAIT 2969/python
tcp 1 0 ns5.cdbsystems.com:40212 ns1.centos.org:http CLOSE_WAIT 2969/python
tcp 0 0 *:http *:* LISTEN 2447/httpd
tcp 0 0 *:ssh *:* LISTEN 2263/sshd
tcp 0 0 localhost6.localdomain:rndc *:* LISTEN 16468/named
tcp 0 0 *:https *:* LISTEN 2447/httpd
tcp 0 0 ns5.cdbsystems.com:ssh ::ffff:192.168.2.1:dbstar ESTABLISHED 16207/1
tcp 0 0 ns5.cdbsystems.com:http crawl-66-249-67-10.go:35485 TIME_WAIT -
[root@ns5 rc5.d]#

as I noted before the eth0 is static 192.168.2.50 but ns5 in my cdbsystems.hosts is defined as 71.163.161.26. maybe the problem?
do I need to have my 'external' address someplace special?

I have port 53 t&u passed through to 192.168.2.50 from the router that is at 71.163.161.26.

in named.conf: I have
query-source port 53.

in the external view i have:
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { !localnets; !localhost; };
match-destinations { !localnets; !localhost; };

recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers

// all views must contain the root hints zone:
include "/etc/named.root.hints";

// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:

include "/etc/named.myzones";

};

my file 'named.myzones' contains all the zone statements.

/etc/hosts contains:
[root@ns5 etc]# cat hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
71.163.161.26 ns5.cdbsystems.com ns5
192.168.2.50 ns5.cdbsystems.com ns5

I'm thinking this is maybe a router issue? also, I notice than sendmail is not responding on port 25 when I
telnet from ns4 - just get connection refused.
maybe the two are linked?


anything else you need? any ideas?
thanks again. love your site!

cdb.

[craig baker]

I turned on bind logging to debug 3 and when I do a query

dig @ns5.cdbsystems.com from ns4, I'm getting:
lient @0x555566eaf460: udprecv
client 65.254.36.202#39458: UDP request
client 65.254.36.202#39458: no matching view in class 'IN'
client 65.254.36.202#39458: error
client 65.254.36.202#39458: send
client 65.254.36.202#39458: sendto
client 65.254.36.202#39458: senddone
client 65.254.36.202#39458: next
client 65.254.36.202#39458: endrequest

I'm googling to see what the problem is but obviously its a bind misconfiguration.
my file named.myzones should be included in the EXTERNAL view, so not sure why its unhappy!
cdb.

[falko]

Quote:

Originally Posted by craig baker

as I noted before the eth0 is static 192.168.2.50 but ns5 in my cdbsystems.hosts is defined as 71.163.161.26. maybe the problem?
do I need to have my 'external' address someplace special?

What's the output of

Code:

ifconfig

, and what's in /etc/hosts?

[craig baker]

Last login: Fri May 16 20:51:17 2008 from ip72-192-192-225.dc.dc.cox.net
[root@ns5 ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:17:08:51:90:FC
inet addr:192.168.2.50 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::217:8ff:fe51:90fc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:520273 errors:0 dropped:0 overruns:0 frame:0
TX packets:394473 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:122350600 (116.6 MiB) TX bytes:93703061 (89.3 MiB)
Interrupt:193

[root@ns5 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
71.163.161.26 ns5.cdbsystems.com ns5
192.168.2.50 ns5.cdbsystems.com ns5
[root@ns5 ~]#

I added the second ns5 line in hosts thinking that might help
cdb.

[craig baker]

turns out I needed to have in the named.conf view 'external'

match-clients { any; };
match-destinations { any; };

now dig @ns5.cdbsystems.com whatever seems to respond ok!

now back to the sendmail issue
cdb.