DNS problem port 53 is blocked

Discussion in 'ISPConfig 3 Priority Support' started by Ylli Frroku, Mar 18, 2017.

  1. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

    Hi
I have installed ISPConfig multiserver on Debian. My problem is that I can not reach my DNS. I have opened the ports on the firewall that I have in front, but something is blocking them from inside the server. I have fail2ban installed. I want to check if my port is open:
    netstat -an | grep "LISTEN " but 0.0.0.0:53 is not listed. My local ip:53 and 127.0.0.1:53 are listed as listening, but I still get a lot of errors and I see that port 53 is not communicating. You can check here: https://intodns.com/ssvag.com. I have no errors on my servers, everything looks fine, but I can not connect with my domains.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely, bind is configured to listen on localhost only and not on 'any'. Please take a look into the file:

    /etc/bind/named.conf.options

    to check if it listens to localhost or to any.
     
  3. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

options {
            directory "/var/cache/bind";

            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk. See http://www.kb.cert.org/vuls/id/800113

            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.

            //forwarders {
            //      0.0.0.0;
            // };

            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys. See https://www.isc.org/bind-keys
            //========================================================================
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;

            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
    };
This is what it shows.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

This file is ok so far. Please use the command "named-checkzone" to test the zone file of the affected zone, and post the output of:

    netstat -tap | grep named
     
  5. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

named-checkzone ssvag.com /var/named/ssvag.com
    zone ssvag.com/IN: loading from master file /var/named/*.ssvag.com failed: file not found
    zone ssvag.com/IN: not loaded due to errors.
    netstat -tap | grep named doesn't show anything
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

I guess you either used a wrong directory or a wrong file name in the command. On Debian, the zone files should be in the /etc/bind/ directory and the file names start with pri., so the command should be like:
    named-checkzone ssvag.com /etc/bind/pri.ssvag.com
     
  7. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

    zone ssvag.com/IN: 'ssvag.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    zone ssvag.com/IN: loaded serial 2017032205
    OK

    [email protected]:~# netstat -tap | grep named
    tcp 0 0 ns1.ssvag.com:domain *:* LISTEN 542/named
    tcp 0 0 localhost:domain *:* LISTEN 542/named
    tcp 0 0 localhost:953 *:* LISTEN 542/named
    tcp6 0 0 [::]:domain [::]:* LISTEN 542/named
    tcp6 0 0 localhost:953 [::]:* LISTEN 542/named

After I reinstalled all the servers again, exactly as in the manual that you have written :( now, besides DNS, FTP is also not working, it is offline.
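The listing above is the thing to read when a first check for 0.0.0.0:53 comes up empty: BIND binds each interface address it finds (here ns1.ssvag.com and localhost separately, and [::] for IPv6) rather than the IPv4 wildcard, so the absence of 0.0.0.0:53 is normal. What matters is that named holds a non-loopback UDP and TCP socket on the address the NS records point at. The following is an added example, not code from the thread or from ISPConfig: it parses a netstat listing in the layout posted here and reports where named is actually bound. The sample is constructed from the TCP lines above plus the UDP sockets that `netstat -tap` (TCP only) does not show; `netstat -tuap` lists both.

```python
"""Where does named accept port-53 queries? Parse a netstat -tuap listing.

Added example (not from the thread or ISPConfig). Lists the non-loopback
addresses named is bound to, per protocol, and gives a one-line verdict.
"""

# Constructed sample: the thread's TCP lines plus UDP sockets that
# "netstat -tap" (TCP only) hides. Not real captured output.
SAMPLE = """\
tcp        0      0 ns1.ssvag.com:domain    *:*         LISTEN      542/named
tcp        0      0 localhost:domain        *:*         LISTEN      542/named
tcp        0      0 localhost:953           *:*         LISTEN      542/named
tcp6       0      0 [::]:domain             [::]:*      LISTEN      542/named
tcp6       0      0 localhost:953           [::]:*      LISTEN      542/named
udp        0      0 ns1.ssvag.com:domain    *:*                     542/named
udp        0      0 localhost:domain        *:*                     542/named
udp6       0      0 [::]:domain             [::]:*                  542/named
"""

# Constructed counter-example: named answers dig @127.0.0.1 but nothing else.
LOOPBACK_ONLY = """\
tcp        0      0 localhost:domain        *:*         LISTEN      542/named
udp        0      0 localhost:domain        *:*                     542/named
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost", "ip6-loopback"}


def dns_sockets(listing):
    """Yield (proto, host) for each named socket on port 53 ('domain' when resolved)."""
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[-1].endswith("/named"):
            continue
        proto, local = parts[0], parts[3]
        host, _, port = local.rpartition(":")   # also splits "[::]:domain" correctly
        if port in ("domain", "53"):
            yield proto, host


def external_listeners(listing):
    """Non-loopback addresses named is bound to, keyed by tcp / udp / tcp6 / udp6."""
    out = {}
    for proto, host in dns_sockets(listing):
        if host not in LOOPBACK:
            out.setdefault(proto, []).append(host)
    return out


def verdict(listing):
    """One-line diagnosis along the lines of the triage in this thread."""
    ext = external_listeners(listing)
    udp = ext.get("udp", []) + ext.get("udp6", [])
    tcp = ext.get("tcp", []) + ext.get("tcp6", [])
    if not udp and not tcp:
        return "named listens on loopback only: fix listen-on in named.conf.options"
    if not udp:
        return "no external UDP socket: resolvers query UDP/53 first"
    return "named is bound externally (%s); if outside queries still fail, look upstream" % ", ".join(udp)


if __name__ == "__main__":
    import sys
    # Live use (script name assumed): netstat -tuap | python3 dnslisten.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(external_listeners(text))
    print(verdict(text))
```

Run without input it evaluates the constructed sample; piped the live `netstat -tuap` output (the `-p` column needs root) it evaluates the real sockets. A loopback-only result points at `listen-on` in named.conf.options; an external UDP socket on the NS address, as in this thread, means the block is not on the server itself.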
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    that's ok, SPF records these days are TXT records, the old type "SPF" is deprecated.

    Please post the content of the file: /etc/bind/pri.ssvag.com

Try to restart pure-ftpd-mysql and, if it is not restarting, check the syslog file for the exact error message.
     
  9. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

$TTL 3600
    @       IN      SOA     ns1.ssvag.com. ylli.ssvag.com. (
                            2017032205      ; serial, todays date + todays serial #
                            7200            ; refresh, seconds
                            540             ; retry, seconds
                            604800          ; expire, seconds
                            3600 )          ; minimum, seconds
    ;

    ssvag.com.      3600    A       192.168.110.105
    www             3600    A       192.168.110.105
    mail            3600    A       192.168.110.105
    ssvag.com.      3600    NS      ns1.ssvag.com.
    ssvag.com.      3600    NS      ns2.ssvag.com.
    ssvag.com.      3600    MX      10 mail.ssvag.com.
    ssvag.com.      3600    TXT     "v=spf1 mx a ~all"
    ns1             3600    A       192.168.110.106
    ns2             3600    A       192.168.110.107
     
  10. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

I also scanned my IP for DNS with different tools: 185.30.144.212/213 port udp 53 is open on my firewall.

Here is what I get from dig locally:

    [email protected]:~# dig @192.168.110.106 ssvag.com

    ; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @192.168.110.106 ssvag.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49965
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ssvag.com. IN A

    ;; ANSWER SECTION:
    ssvag.com. 3600 IN A 192.168.110.105

    ;; AUTHORITY SECTION:
    ssvag.com. 3600 IN NS ns2.ssvag.com.
    ssvag.com. 3600 IN NS ns1.ssvag.com.

    ;; ADDITIONAL SECTION:
    ns1.ssvag.com. 3600 IN A 192.168.110.106
    ns2.ssvag.com. 3600 IN A 192.168.110.107

    ;; Query time: 1 msec
    ;; SERVER: 192.168.110.106#53(192.168.110.106)
    ;; WHEN: Wed Mar 22 18:31:55 CET 2017
    ;; MSG SIZE rcvd: 122
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so dns is working fine. If you can not reach it from outside, then your router, an external firewall or your ISP is blocking the dns requests.
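The distinction drawn here, named answering a local dig while nothing arrives from outside, is easiest to pin down from a host on the far side of the suspect link, and that host may not have dig. The following is an added example, not code from the thread or from ISPConfig/BIND: it hand-builds the same A query dig sends, tries it over UDP/53 and TCP/53 separately, and maps the two outcomes to the layer most likely at fault. UDP and TCP are kept apart on purpose, because a path that passes TCP/53 while silently dropping UDP/53 is exactly the case this thread ends on. The server and name on the command line, the fixed transaction id and the sample response bytes are constructed for the example, not captured traffic.

```python
"""Probe a name server on UDP/53 and TCP/53 with a hand-built DNS query.

Added example (not from the thread, ISPConfig or BIND). Like "dig @server
name" but without dig, and with UDP and TCP reported separately.
"""
import socket
import struct

TXID = 0x1234  # fixed transaction id so replies can be checked offline


def build_query(name, txid=TXID):
    """Standard query, RD=1, one question: <name> IN A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Offset just past a wire-format name; a 0xC0 pointer ends the name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data, txid=TXID):
    """Header flags plus the A records in the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": answers}


# Constructed reply to build_query("ssvag.com"): QR+AA+RD+RA, NOERROR, one
# A record 192.168.110.105 (TTL 3600), owner name as a pointer to the question.
SAMPLE_RESPONSE = (
    bytes.fromhex("1234 8580 0001 0001 0000 0000")
    + b"\x05ssvag\x03com\x00" + bytes.fromhex("0001 0001")
    + bytes.fromhex("c00c 0001 0001 00000e10 0004 c0a86e69")
)


def probe_udp(server, name, timeout=2.0):
    """('answer', parsed) | ('timeout', None) | ('refused', None) | ('error', msg)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:            # dropped silently: filtered somewhere
            return ("timeout", None)
        except ConnectionRefusedError:    # ICMP port unreachable: nothing bound
            return ("refused", None)
        except OSError as e:
            return ("error", str(e))
    return ("answer", parse_response(data))


def probe_tcp(server, name, timeout=2.0):
    """Same query over TCP, which carries a two-byte length prefix."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return ("timeout", None)
    except ConnectionRefusedError:
        return ("refused", None)
    except (OSError, struct.error) as e:
        return ("error", str(e))
    return ("answer", parse_response(data))


def classify(udp_status, tcp_status):
    """Map the pair of outcomes to the layer most likely at fault."""
    if udp_status == "answer" and tcp_status == "answer":
        return "reachable on both transports"
    if "refused" in (udp_status, tcp_status):
        return "nothing bound on that address (listen-on, or named not running)"
    if udp_status == "timeout" and tcp_status == "answer":
        return "UDP/53 filtered upstream (router, firewall or ISP); TCP/53 passes"
    return "port 53 filtered on both transports (host firewall or upstream)"


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]     # e.g. 185.30.144.212 ssvag.com
    udp, tcp = probe_udp(server, name), probe_tcp(server, name)
    print("udp:", udp, "\ntcp:", tcp, "\n->", classify(udp[0], tcp[0]))
```

Run it once from the server against its own public address and once from a host outside the ISP's network: identical results on both transports locally plus a UDP timeout from outside, with TCP still answering, is the signature of an upstream UDP/53 filter rather than anything in named.conf.options or the host firewall.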
     
  12. Ylli Frroku

    Ylli Frroku New Member HowtoForge Supporter

Thank you, Till.
    After I installed and reinstalled ISPConfig multiserver more than 10 times, I realized that my ISP was blocking UDP port 53, as you said. Two weeks of frustration and more than 12 hours per day checking everything, and then I realized that someone closed this port to protect himself from DDoS attacks. I finally gave up on DNS hosted by myself and I am using a single server setup now. Everything looks fine except Roundcube: I can not access the webmail link, when I try to open it, it gives error 404, but I guess I have to recheck the installation. Maybe it is also connected with another error: when I try to connect to FTP I can only access it with the IP and not with the domain.

    Thank you very much for your support.
     