DNS problem

Discussion in 'Installation/Configuration' started by qb7, Jul 12, 2010.

  1. qb7

    qb7 New Member

Hi everyone, I had this problem:
When I write the command
    # dig www.xxx.com @192.168.XXX.XXX

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.xxx.com @192.168.XXX.XXX
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28283
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.xxx.com. IN A

    ;; ANSWER SECTION:
    www.xxx.com. 86400 IN A XXX.XXX.XXX.XXX

    ;; AUTHORITY SECTION:
    xxx.com. 86400 IN NS ns1.xxx.com.
    xxx.com. 86400 IN NS ns2.xxx.com.

    ;; Query time: 0 msec
    ;; SERVER: 192.168.XXX.XXX#53(192.168.XXX.XXX)
    ;; WHEN: Mon Jul 12 21:52:11 2010
    ;; MSG SIZE rcvd: 83

and when I write the command
    # dig www.xxx.com @XXX.XXX.XXX.XXX (IP name server)

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.xxx.com @XXX.XXX.XXX.XXX
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 54142
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.xxx.com. IN A

    ;; Query time: 1 msec
    ;; SERVER: XXX.XXX.XXX.XXX#53(XXX.XXX.XXX.XXX)
    ;; WHEN: Mon Jul 12 22:05:46 2010
    ;; MSG SIZE rcvd: 31

in the ISPConfig panel it gives me the error: Server MyDNS: out of line

Can anyone help me?

CentOS 5.5 and ISPConfig 3.0
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Looks as if your dns server is not listening on localhost (IP 127.0.0.1). Please post the output of the command:

    netstat -tap | grep dns
     
  3. qb7

    qb7 New Member

    netstat -tap

    # netstat -tap
    Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:imaps *:* LISTEN 2856/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2856/dovecot
tcp 0 0 localhost.localdomain:10024 *:* LISTEN 2902/amavisd (maste
tcp 0 0 localhost.localdomain:10025 *:* LISTEN 2959/master
tcp 0 0 *:mysql *:* LISTEN 2818/mysqld
tcp 0 0 *:pop3 *:* LISTEN 2856/dovecot
tcp 0 0 localhost.local:dyna-access *:* LISTEN 2734/clamd
tcp 0 0 *:imap *:* LISTEN 2856/dovecot
tcp 0 0 *:sunrpc *:* LISTEN 2393/portmap
tcp 0 0 web.xxx.com:domain *:* LISTEN 2365/named
tcp 0 0 *:ftp *:* LISTEN 3006/pure-ftpd (SER
tcp 0 0 *:918 *:* LISTEN 2432/rpc.statd
tcp 0 0 localhost.localdomain:ipp *:* LISTEN 2718/cupsd
tcp 0 0 *:smtp *:* LISTEN 2959/master
tcp 0 0 localhost.localdomain:rndc *:* LISTEN 2365/named
tcp 0 0 *:imaps *:* LISTEN 2856/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2856/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2856/dovecot
tcp 0 0 *:imap *:* LISTEN 2856/dovecot
tcp 0 0 *:webcache *:* LISTEN 2990/httpd
tcp 0 0 *:http *:* LISTEN 2990/httpd
tcp 0 0 *:tproxy *:* LISTEN 2990/httpd
tcp 0 0 *:ftp *:* LISTEN 3006/pure-ftpd (SER
tcp 0 0 localhost6.localdoma:domain *:* LISTEN 2365/named
tcp 0 0 *:ssh *:* LISTEN 2705/sshd
tcp 0 0 localhost6.localdomain:rndc *:* LISTEN 2365/named
tcp 0 0 *:https *:* LISTEN 2990/httpd
tcp 0 2520 web.xxx.com:ssh xx.Red-217-127-xxx.sta:nirp ESTABLISHED 19937/0
     
    Last edited: Jul 12, 2010
  4. qb7

    qb7 New Member

    netstat -tap | grep dns

No reply from this command.
     
  5. qb7

    qb7 New Member

DNS replies OK on localhost

Good, the dig command replies OK now on localhost:
dig www.xxxxx.com @localhost

BUT NOT FOR EXTERNAL ANSWERS: INTERNET REQUESTS.

dig www.xxxxx.com @IP of ns1.

Port 53 tcp/udp in the firewall is OK.
NAT of port 53 tcp/udp in the router is OK.

I have worked many hours and nothing.

Can someone help me?

Thanks.
     
  6. qb7

    qb7 New Member

I see this in the system log of the Monitor tab:

Jul 13 17:17:00 web named[31628]: client 66.249.xxx.xxx#59173: query (cache) 'something.org/A/IN' denied
    Jul 13 17:17:04 web named[31628]: client 66.249.xxx.xxx#51912: query (cache) 'something.org/A/IN' denied
    Jul 13 17:18:41 web named[31628]: client 210.19.xxx.xxx#1026: query 'any.com/MX/IN' denied
    Jul 13 17:18:46 web named[31628]: client 218.248.xxx.xxx#3946: query 'any.com/MX/IN' denied
    Jul 13 17:18:52 web named[31628]: client 218.248.xxx.xxx#26147: query 'any.com/MX/IN' denied
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's the output of
    Code:
    getenforce
    ?
     
  8. matty

    matty New Member

    It looks like you haven't allowed authoritative requests from off your network.

I don't use MyDNS or whatever ISPConfig uses for DNS, but if it's bind, have a look in your config at the options statement and check your external facing interface is in the listen-on list, and that allow-query (if it exists) lists who should be able to access it. Usually, you would want "any;" for a publicly accessible authoritative name server.
     
  9. qb7

    qb7 New Member

command getenforce

    Hi falko this is the result of getenforce:

    Disabled
     
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Looks good. If you use BIND - can you post your named.conf?
     
  11. qb7

    qb7 New Member

    post the named.conf

    # vi /var/named/chroot/etc/named.conf
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    options {
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    dump-file "/var/named/chroot/var/named/data/cache_dump.db";
    statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    recursion yes;
    };
    logging {
    channel default_debug {
    file "data/named.run";
    severity dynamic;
    "/var/named/chroot/etc/named.conf" 29L, 938C
     
  12. matty

    matty New Member

    Hi qb7. You need to fix the listen-on and allow-query parameters as I mentioned on the 1st page.
     
  13. veuster

    veuster New Member

    need confirmation

    Hi matty, I need to ask something.

    I have a VPS that I use as nameserver and webserver

My website on my VPS couldn't be accessed before.

I had registered my nameserver with my domain provider and assigned the domain's nameserver to my nameserver. I waited for a week and it didn't work.

At first I thought it was because my nameserver (in this case my VPS) had to be added to the global registry of my domain provider, according to some howto article. So I tried to contact my domain provider, but they said I must ask the VPS provider, and the VPS provider said I must ask the domain provider.

    Then, I also found out that in order to check the DNS is running and accessible, one should be able to telnet to the server IP at port 53. I tried this but can't connect.

After I read this thread, where you suggested changing the parameter in named.conf,
I tried it and it works like a charm. My website can be accessed now.
What I want to ask is:
Is it OK to make this change? I mean, is it secure or anything?

Because I followed the perfect server guide and the guide says nothing about this. The guide just puts localhost or 127.0.0.1 in the parameter.

    Thanks.
     
  14. matty

    matty New Member

Yes, it's fine for a server that needs zones to be publicly accessible.

It's important to understand a couple of concepts about name servers. When you host a zone, the name server becomes an authoritative name server. That is, your name servers are the only ones in the world that can answer queries authoritatively (meaning it has the exact, non-cached answer) for that zone. Because we're running ISPConfig, we probably want everyone in the world to be able to ask our nameservers about the zones we host, so that they can see the sites and services we host. To enable that, we need to set bind to allow-queries from any(where).

    allow-query { any; };

The other main function of name servers is to do the work of querying other name servers that host other people's zones, so that we can connect to their sites and services. This is a function known as recursion. That is, we ask our name server to find out the address of a site, and it then goes and makes multiple queries until it obtains an answer (or fails) and then passes that answer back to your computer. It's best practice to only allow your name server to perform recursive lookups for computers you control or trust, and not allow everybody on the 'net to use your name server in that way. So you tell bind who is allowed to do recursion. In this example, use your own networks, and don't forget to allow localhost so the nameserver can access its own service. An ISP would probably allow the IP ranges of its user base.

    allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };

    The other parameter I mentioned, listen-on, tells bind to only answer queries it receives on the specified network interfaces. If it is left as localhost/127.0.0.1, it will ignore queries from anywhere but itself.

    listen-on { any; };

Advanced users may have a need to do things a little differently to the examples above, but these will suit 99% of us that use ISPConfig to host publicly accessible DNS zones and web/email servers.

    There's quite a few perfect server guides. I'm sure falko and till would appreciate feedback that could be used to improve them. Could you point out which one you used?
     
  15. veuster

    veuster New Member

    nice explanation

    Thanks a lot.
That explains everything that has happened.

I used CentOS 5.5 (32 bit) with ISPConfig 3.0.2.2 according to this guide by falko:

http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-2

But I think almost all the guides still use a named.conf which points their queries to localhost or 127.0.0.1.
Maybe they hope that we'll be able to change it according to our needs, but some people still don't know about this concept.
    Thank you everyone! :)
     
  16. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  17. qb7

    qb7 New Member

This is my named.conf now. It runs OK for internet requests.

    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    options {
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    dump-file "/var/named/chroot/var/named/data/cache_dump.db";
    statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
    allow-query {any; };
    recursion no;
    };
    logging {
    channel default_debug {
    file "data/named.run";
    severity dynamic;
    };
    };
    zone "." IN {
    type hint;
    file "named.root";
    };
    include "/var/named/chroot/etc/named.conf.local";

This configuration runs OK for a little internet web server. Falko, is this a security problem? Is this a security hole?
My server runs on CentOS 5.5 and the latest stable ISPConfig 3.
With the configuration of the guide http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-3 it doesn't run OK for internet requests. It doesn't show the web pages. Why?
     
    Last edited: Jul 19, 2010
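An added check for the three settings matty explained in post 14 and that qb7's two named.conf versions (posts 11 and 17) differ in. This is editor-supplied example code, not code from the thread, from ISPConfig or from BIND. It parses only the options { ... } block of a named.conf and reports, in the thread's terms, what listen-on, allow-query, allow-recursion and recursion mean for clients on the internet. The three embedded configs are constructed: BEFORE mirrors the stock caching-only config, AFTER applies matty's changes, and OPEN_RESOLVER is the combination to avoid (answering everyone while still recursing for everyone). The defaults assumed for absent statements are noted in the comments.

```python
"""Lint the BIND options this thread turns on: listen-on, allow-query,
allow-recursion and recursion.

Added example, not code from the thread, ISPConfig or BIND. It maps the
parsed settings to the symptoms seen earlier (REFUSED answers, "query ...
denied" log lines) and to open-resolver exposure.
"""
import re

# Constructed inputs (not the files qb7 posted verbatim).
BEFORE = """\
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named/chroot/var/named";
allow-query { localhost; };
recursion yes;
};
"""

AFTER = """\
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
allow-query { any; };
allow-recursion { 192.168.0.0/24; localhost; };
recursion yes;
};
"""

OPEN_RESOLVER = """\
options {
listen-on port 53 { any; };
allow-query { any; };
recursion yes;
};
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# statement [port N] { acl; acl; };
ACL_RE = re.compile(r"^\s*([a-z0-9-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\}\s*;", re.M)
YESNO_RE = re.compile(r"^\s*(recursion)\s+(yes|no)\s*;", re.M)


def parse_options(conf: str) -> dict:
    """Return the ACL-style and yes/no statements of the options block."""
    m = re.search(r"options\s*\{(.*?)^\};", conf, re.S | re.M)
    if not m:
        raise ValueError("no options block found")
    body = m.group(1)
    opts = {}
    for name, acl in ACL_RE.findall(body):
        opts[name] = [item.strip() for item in acl.split(";") if item.strip()]
    for name, value in YESNO_RE.findall(body):
        opts[name] = value
    return opts


def lint(opts: dict) -> list:
    """Map settings to the thread's symptoms and to open-resolver risk."""
    findings = []
    # Assumed BIND defaults for absent statements: listen on all interfaces,
    # answer any client, recursion on.
    listen = set(opts.get("listen-on", ["any"]))
    query = set(opts.get("allow-query", ["any"]))
    recursion = opts.get("recursion", "yes")
    allow_rec = opts.get("allow-recursion")

    if listen <= LOOPBACK:
        findings.append(("listen-on",
                         "loopback only: named never sees queries on the public interface"))
    if query <= LOOPBACK:
        findings.append(("allow-query",
                         "localhost only: external lookups of hosted zones are REFUSED "
                         "and logged as 'query ... denied'"))
    # Recursing for everybody on a public server is an open resolver. An absent
    # allow-recursion falls back to a version-dependent default (any in BIND
    # 9.3 as used in this thread; localnets/localhost from 9.4), so treat it as open.
    if recursion == "yes" and "any" in query and (allow_rec is None or "any" in allow_rec):
        findings.append(("open-resolver",
                         "recursion yes for any client: restrict allow-recursion to "
                         "your own networks or set recursion no"))
    return findings


def report(label: str, conf: str) -> None:
    print(f"== {label}")
    for key, msg in lint(parse_options(conf)) or [("ok", "no findings")]:
        print(f"  {key}: {msg}")


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER),
                        ("open resolver", OPEN_RESOLVER)):
        report(label, conf)
```

Run it with python3 and it prints the findings for each constructed config; to check a real file, pass the contents of named.conf to parse_options and lint. The "before" case reproduces the two causes of the REFUSED answer in post 1, and the "open resolver" case is the one to watch for after changing allow-query to any while leaving recursion yes with no allow-recursion.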
  18. veuster

    veuster New Member

    wrong url

Sorry Falko, I posted the wrong URL; I really use ISPConfig 3.

    This is the url:
    http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-3

    But, as you can see the problem is still the same.
    Do you think matty is right?

The listen-on port 53 and allow-query need to be set to { any; }?

    I don't know, maybe you have the right answer.
    Anyway, thanks.
     