DNS lookups fail all zones return ;; connection timed out; no servers could be reached

Discussion in 'Installation/Configuration' started by tek, Apr 26, 2015.

  1. tek

    tek New Member

    I'm running Debian GNU/Linux 7.8 (wheezy) with the latest version of ISPConfig. The server has 2 interfaces: eth0 is facing the internet and eth1 is facing an internal network. The machine has 5 IPs assigned to eth0 and 2 IPs assigned to eth1. The system has been up and running without issues now for several years, was updated to wheezy when it became stable, and up until a few days ago I have not had any issues.
    Running netstat -tuanp shows that all internal and external IPs are bound and listening for connections; all looks as it should.
    Running dig, I get this when using localhost (I'm SSH'd in):
    dig +trace +additional @localhost SOA

    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace +additional @localhost SOA
    ; (2 servers found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    I get the same thing when I query via the outside IPs.

    However, if I query either of the internal IPs it works:

    server1:/var/log/ispconfig/httpd$ dig +trace +additional SOA

    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace +additional SOA
    ;; global options: +cmd
    . 516687 IN NS h.root-servers.net.
    . 516687 IN NS d.root-servers.net.
    . 516687 IN NS e.root-servers.net.
    . 516687 IN NS l.root-servers.net.
    . 516687 IN NS m.root-servers.net.
    . 516687 IN NS b.root-servers.net.
    . 516687 IN NS a.root-servers.net.
    . 516687 IN NS f.root-servers.net.
    . 516687 IN NS k.root-servers.net.
    . 516687 IN NS c.root-servers.net.
    . 516687 IN NS j.root-servers.net.
    . 516687 IN NS g.root-servers.net.
    . 516687 IN NS i.root-servers.net.
    a.root-servers.net. 516708 IN A
    a.root-servers.net. 603087 IN AAAA 2001:503:ba3e::2:30
    b.root-servers.net. 516708 IN A
    b.root-servers.net. 603087 IN AAAA 2001:500:84::b
    c.root-servers.net. 516708 IN A
    c.root-servers.net. 603087 IN AAAA 2001:500:2::c
    d.root-servers.net. 516708 IN A
    d.root-servers.net. 603087 IN AAAA 2001:500:2d::d
    e.root-servers.net. 516708 IN A
    f.root-servers.net. 516708 IN A
    f.root-servers.net. 603087 IN AAAA 2001:500:2f::f
    g.root-servers.net. 516708 IN A
    h.root-servers.net. 603087 IN A

    Then it hangs for a long time before I get these last two lines:

    ;; Received 496 bytes from in 104323 ms

    . 0 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015042501 1800 900 604800 86400
    ;; Received 106 bytes from in 74 ms

    Running named-checkzone against my zone files, all checks out as it should, but queries to either localhost or the outside IPs all fail, even though netstat -tuanp shows the service is bound to those ports, as seen below:
    udp 0 0 X.X.X.A:3103 ESTABLISHED 24545/named
    udp 0 0 ESTABLISHED 24907/dig
    udp 0 0 X.X.X.A:57193 ESTABLISHED 24545/named
    udp 0 0 X.X.X.B:28711 ESTABLISHED 24545/named
    udp 0 0 X.X.X.A:53* 24545/named
    udp 0 0 X.X.X.B:53* 24545/named
    udp 0 0 X.X.X.C:53* 24545/named
    udp 0 0 X.X.X.D:53* 24545/named
    udp 0 0 X.X.X.E:53* 24545/named
    udp 0 0* 24545/named
    udp 0 0* 24545/named

    Here is my named.conf:
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    Contents of /etc/bind/named.conf.options:
    acl "trusted" {;

    // added above lines attempting to resolve dns issue 20150425

    options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {;;;

    auth-nxdomain yes; # conform to RFC1035
    listen-on-v6 { ::1; };
    listen-on { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // changed above line to all from trusted testing dns issue of 20150425 failed so switched back to trusted.
    empty-zones-enable no;


    So, summarizing again: queries to inside IPs are working, but queries to either localhost or outside IPs time out each time.
  2. tek

    tek New Member

    Resolved issue... Somehow the firewall is picking up weird entries for source; upon removing that, DNS queries began working, but nothing else was being affected... saw HTTP requests, IMAPS and SMTPS connections working as expected but DNS failed... still find it weird but it's working now.
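As an added example (not code from this thread or from ISPConfig), a small POSIX sh script that does what the poster did by hand: it queries every local IPv4 address with a short timeout and sorts each result into "timeout" (what a packet-filter drop looks like) versus "refused" (what a BIND allow-query/ACL problem looks like). The script name dns_probe.sh, the root-SOA probe query and the sample dig text are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: probe every local IPv4 address the
# resolver should answer on and classify each result, so a packet-filter drop
# (timeout) can be told apart from a BIND listen/ACL problem (refused).
# Assumes dig (bind9-dnsutils) and iproute2's `ip` are installed.
# Classify the text of one dig run: timeout, refused, answered or other.
classify_dig_output() {
    case "$1" in
        *"connection timed out; no servers could be reached"*) echo timeout ;;
        *"status: REFUSED"*) echo refused ;;
        *"status: NOERROR"*|*"status: NXDOMAIN"*) echo answered ;;
        *) echo other ;;
    esac
}

# Ask one address for the root SOA, non-recursively, with a short timeout.
probe_addr() {
    classify_dig_output "$(dig +time=2 +tries=1 +norecurse "@$1" . SOA 2>&1)"
}

# Every IPv4 address configured on this host, loopback included.
local_v4_addrs() {
    ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# One verdict line per address. "timeout" on an address that ss -lunp shows
# named bound to usually means a firewall; "refused" means allow-query/ACLs.
probe_all() {
    for a in $(local_v4_addrs); do
        printf '%-16s %s\n' "$a" "$(probe_addr "$a")"
    done
}

# Constructed sample outputs (abridged dig text) for an offline self-check.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243'

# Returns 0 when the classifier labels all three samples as expected.
self_check() {
    [ "$(classify_dig_output "$SAMPLE_TIMEOUT")" = timeout ] &&
    [ "$(classify_dig_output "$SAMPLE_ANSWER")" = answered ] &&
    [ "$(classify_dig_output "$SAMPLE_REFUSED")" = refused ]
}

# Run the live probe only when executed as dns_probe.sh (hypothetical name).
if [ "${0##*/}" = "dns_probe.sh" ]; then
    self_check && probe_all
fi
```

An address that named is bound to but that reports "timeout" from the host itself is the pattern in this thread, and is worth checking against the packet filter before touching named.conf.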
