DNS zones aren't resolving

Discussion in 'ISPConfig 3 Priority Support' started by M Javier, Feb 25, 2020.

  1. M Javier

    M Javier New Member HowtoForge Supporter

    Hello,

I can't make DNS zones resolve outside my network. I followed the manual, the ports are open on the firewall, but I can't telnet to port 53 from the internet.

    Please point me where to fix this issue.
    Best Regards
     
    Last edited: Feb 25, 2020
  2. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    How is your server connected to the internet? Did you open the ports on your router?
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    M Javier likes this.
  4. M Javier

    M Javier New Member HowtoForge Supporter

    Hello thanks for the reply man,

Yes, the port is open, 53 and 953, also in the firewall. The domains are registered and the server is the start of authority at the registrar. I had a conversation with the ISP and my public IP is now authorized to send emails; that was an advance (Roundcube sends the email to Google, but as it does not resolve it was delivered to spam, but before it wasn't even received).
    I deleted all the DNS records to start all over again. When I telnet to port 53 from localhost it connects:

    [email protected]:~# telnet 192.168.15.27 53
    Trying 192.168.15.27...
    Connected to 192.168.15.27.
    Escape character is '^]'.
The connection is made from the server, so I could think that the ports on the firewall are correctly open, also from localhost.
    But when I try the same test from the outside:

    [email protected]:/etc/bind# telnet host2722.borderxxx.com 53
    Trying 187.162.218.53...
    telnet: Unable to connect to remote host: Connection timed out

The ISP insists that the port is open. The router config is DMZ to the local address; everything else works. I have two locations, thinking of redundancy, and on both the port is inaccessible.
    If I execute:
    ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> foraneos.mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16626
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 5406cee5c42fda7dae692eef5e5525548beb34caff35a4e1 (good)
    ;; QUESTION SECTION:
    ;foraneos.mx. IN A

    ;; ANSWER SECTION:
    foraneos.mx. 3600 IN A 187.162.218.53

    ;; AUTHORITY SECTION:
    foraneos.mx. 3600 IN NS dns2.borderxxxx.com.
    foraneos.mx. 3600 IN NS dns1.borderxxxx.com.

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Feb 25 07:47:00 CST 2020
    ;; MSG SIZE rcvd: 137

I resolve without problems, but again, if I try to resolve from outside it doesn't. I had a chat with my ISP later and he insists that the port is open and forwarded to my router.
    Please help, how can I tell whether that's true or false?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

Check with netstat that BIND really listens on the correct IP, and with the iptables command that port 53 is not closed. If both are OK, then your problem must be outside the server (router / external firewall / firewall at the ISP).
     
    M Javier likes this.
  6. M Javier

    M Javier New Member HowtoForge Supporter

    Hello Till,
I made the test from my workstation, which has another internal IP address, 192.168.15.5:

    [email protected]:~> telnet 192.168.15.27 53
    Trying 192.168.15.27...
    Connected to 192.168.15.27.
    Escape character is '^]'.

    And netstat :
    [email protected]:~# netstat -tuanp | grep named
    tcp 0 0 192.168.15.27:53 0.0.0.0:* LISTEN 1097/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1097/named
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1097/named
    tcp6 0 0 :::53 :::* LISTEN 1097/named
    tcp6 0 0 ::1:953 :::* LISTEN 1097/named
    udp 0 0 192.168.15.27:53 0.0.0.0:* 1097/named
    udp 0 0 127.0.0.1:53 0.0.0.0:* 1097/named
    udp6 0 0 :::53 :::* 1097/named

and iptables -L:
    Chain ufw-user-input (1 references)
    target prot opt source destination
    ....
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    .......
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:mysql
    ACCEPT tcp -- anywhere anywhere tcp dpt:953
    ACCEPT udp -- anywhere anywhere udp dpt:953

I even added to named.conf.options: listen-on { any; }; allow-query { any; };
    I'll end this post when solved, thank you.
    Best regards,

    Looks like everything is OK, so it is the ISP.
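Applying till's check to the listing above, as an added example (not code from the thread, from ISPConfig or from BIND): the script parses `netstat -tuanp` output in the format M Javier posted, reports any address that lacks a TCP or a UDP port-53 socket owned by named, and lists control-port (953) sockets bound to anything other than loopback. The sample listing is the one from the post, reproduced here as constructed input; the addresses passed to the check are assumptions for the demonstration. In that listing named does serve 192.168.15.27 on both transports, and rndc's port 953 is bound to 127.0.0.1 and ::1 only, which is the correct configuration; the ufw rules accepting 953 from anywhere therefore open nothing today, but they are unnecessary (rndc should not be reachable from outside the host) and can be dropped.

```python
# Added example: audit a `netstat -tuanp` listing for BIND's listeners.
# Constructed sample: the listing from the post above, as netstat prints it.
SAMPLE_NETSTAT = """\
tcp        0      0 192.168.15.27:53        0.0.0.0:*               LISTEN      1097/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1097/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1097/named
tcp6       0      0 :::53                   :::*                    LISTEN      1097/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      1097/named
udp        0      0 192.168.15.27:53        0.0.0.0:*                           1097/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1097/named
udp6       0      0 :::53                   :::*                                1097/named
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text, program="named"):
    """Return the set of (proto, ip, port) sockets owned by `program`.

    netstat's local-address column is fields[3] for both tcp (7 columns)
    and udp (6 columns) lines; the owning process is always the last field.
    The port is split off at the last ':' so IPv6 addresses such as
    ':::53' and '::1:953' parse correctly.
    """
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[-1].endswith("/" + program):
            continue
        proto, local = fields[0], fields[3]
        ip, _, port = local.rpartition(":")
        listeners.add((proto, ip, int(port)))
    return listeners


def missing_dns_listeners(listeners, addresses):
    """For each address the server must answer on, list the transports it lacks.

    A wildcard bind (0.0.0.0 for IPv4, :: for IPv6) covers every address of
    its own family. An IPv6 wildcard is not assumed to serve IPv4 clients,
    so an IPv4 address needs its own tcp/udp sockets (or 0.0.0.0).
    """
    missing = {}
    for addr in addresses:
        is_v6 = ":" in addr
        wildcard = "::" if is_v6 else "0.0.0.0"
        for proto in ("tcp", "udp"):
            family_proto = proto + ("6" if is_v6 else "")
            present = (family_proto, addr, 53) in listeners or (family_proto, wildcard, 53) in listeners
            if not present:
                missing.setdefault(addr, []).append(proto)
    return missing


def exposed_control_ports(listeners, port=953):
    """rndc's control port should exist on loopback only; return any other binds."""
    return sorted((proto, ip) for (proto, ip, p) in listeners
                  if p == port and ip not in LOOPBACK)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    # Assumed addresses: the server's LAN address and loopback.
    print("missing port-53 listeners:", missing_dns_listeners(found, ["192.168.15.27", "127.0.0.1"]))
    print("control port exposed on:", exposed_control_ports(found))
```

Run it against live output with `netstat -tuanp | python3 audit.py` adapted to read stdin, or paste the listing in; an empty "missing" dictionary and an empty "exposed" list is the result to expect before blaming anything outside the server.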
     
  7. M Javier

    M Javier New Member HowtoForge Supporter

Sorry for the delay. Yes, it is a DMZ, but only that port is not passing through. I check and recheck, it's crazy; the ISP is going to change the router for a better one, but I have run out of ideas.
    Regards,
     
  8. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

Seems like your ISP is blocking that port, or the router has this port assigned to a DNS service of its own.
    Besides that, do you really want to run your DNS at a normal home connection, which is not too reliable?
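M Javier's question in post 4 (how to tell whether the ISP's "the port is open" is true) and Th0m's point above (the router may be answering on port 53 itself) are settled by one probe run from a host outside the network. Two caveats apply to the telnet tests in the thread: telnet exercises TCP only, while DNS clients query over UDP first, so a TCP timeout or success says nothing about UDP; and a connection that opens does not prove that the right server answered. The script below is an added example, not code from the thread, from ISPConfig or from BIND. It sends a non-recursive A query over UDP and over TCP to the public address and checks the AA (authoritative answer) bit in the reply, which BIND sets only for zones it serves itself; a reply without AA means some other DNS service (the router's own, or the ISP's resolver) is sitting on the port, and no reply on either transport means the packets never reach the server. Server address and zone name are command-line arguments (assumptions for the demonstration); the embedded reply bytes are a constructed sample used only for the offline check. The same test with dig is `dig @187.162.218.53 foraneos.mx +norecurse` and, for TCP, the same with `+tcp`; the `aa` flag should appear in the flags line.

```python
# Added example: probe a public DNS server over UDP and TCP and check the AA bit.
import secrets
import socket
import struct

DNS_PORT = 53
FLAG_QR = 0x8000  # reply
FLAG_AA = 0x0400  # authoritative answer
TYPE_A, CLASS_IN = 1, 1


def build_query(qname, qid, qtype=TYPE_A):
    """Build a minimal DNS query with RD=0.

    RD=0 asks the target as an authority, not as a resolver; the AA bit in
    the reply is what the probe looks at.
    """
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(data, off):
    """Advance past a (possibly compression-pointer) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, qid):
    """Return flags of interest and any A-record addresses from a DNS reply."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("reply id does not match query id")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0xF, "a_records": addrs}


def probe_udp(server, qname, timeout=3.0):
    """One UDP query; None means no reply within the timeout."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, DNS_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
    return parse_response(data, qid)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe_tcp(server, qname, timeout=3.0):
    """One TCP query (two-byte length prefix per RFC 1035); None on failure."""
    qid = secrets.randbelow(65536)
    query = build_query(qname, qid)
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except OSError:
        return None
    return parse_response(data, qid)


def verdict(udp, tcp):
    """Classify a pair of probe results (None = no reply on that transport)."""
    replies = [r for r in (udp, tcp) if r is not None]
    if not replies:
        return "unreachable"            # port 53 never reaches the server from here
    if not any(r["aa"] for r in replies):
        return "intercepted"            # something answered, but not as the authority
    if udp is None:
        return "authoritative-tcp-only"
    if tcp is None:
        return "authoritative-udp-only"
    return "authoritative"


# Constructed sample reply (not captured from the thread's server): id 0x4112,
# flags QR|AA, question foraneos.mx A, one answer 187.162.218.53 with TTL 3600.
SAMPLE_QID = 0x4112
SAMPLE_REPLY = (b"\x41\x12\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"
                + b"\x08foraneos\x02mx\x00\x00\x01\x00\x01"
                + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"
                + bytes([187, 162, 218, 53]))

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # e.g. 187.162.218.53 foraneos.mx
    udp, tcp = probe_udp(server, name), probe_tcp(server, name)
    print("udp:", udp)
    print("tcp:", tcp)
    print("verdict:", verdict(udp, tcp))
```

Run it from a machine outside the network (a phone hotspot or a rented VPS is enough); run from inside, the result only shows whether the router hairpins port 53, which is a different question. "intercepted" is the signature of the case Th0m describes: the port is open, but the device answering is not named.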
     
  9. M Javier

    M Javier New Member HowtoForge Supporter

Yes, I think the router uses that port (just for caching). Do you know how to work around it?
    Regards
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    If the company where you bought the domains offers a DNS service (as most of them do), then use their DNS service instead of running your own DNS server. Or get a server or virtual server in a data center and run your server there without port restrictions.
     
    M Javier and Th0m like this.
  11. M Javier

    M Javier New Member HowtoForge Supporter

Thanks for your attention Till, I'll follow your advice; a shared, inexpensive server can do the DNS job.
    Best Regards,

Update: Talking with my ISP, they had no restrictions, just a bad "modem-router"; with a small Ubiquiti one I will have control of everything in ISPConfig.
     
    Last edited: Mar 10, 2020
