Remote denied DNS requests

Discussion in 'Installation/Configuration' started by t-mug, Dec 11, 2009.

  1. t-mug

    t-mug New Member

    After researching for while I havn't any clue what is going on ...
    I am running a secondary DNS server on Ubuntu Hardy with a ISPConfig 2 installation. If I try remote to resolve a configured DN (I use "example.com" here for this) I get a REFUSED error:
    Code:
    ; <<>> DiG 9.6.1-P2 <<>> @ispconfig.machi.ne example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6898
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;example.com.			IN	A
    
    ;; Query time: 13 msec
    ;; SERVER: xx.xxx.x.xxx#53(xx.xxx.x.xxx)
    ;; WHEN: Fri Dec 11 12:17:03 2009
    ;; MSG SIZE  rcvd: 30
    If I do the same dig from a machine within the same C-subnet it gives the expected answer.

    Here is my netstat -tap, where "yyy.yyy.yyy.yy" is a second official IP for the machine:
    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 yyy.yyy.yyy.yy:domain   *:*                     LISTEN      3058/named      
    tcp        0      0 ispconfig.machi.ne.:domain  *:*                 LISTEN      3058/named      
    tcp        0      0 localhost.locald:domain *:*                     LISTEN      3058/named      
    tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      3058/named      
    tcp6       0      0 ip6-localhost:953       [::]:*                  LISTEN      3058/named      
    
    It looks like there is only local access on DNS, doesn't it? If I try from remote:
    Code:
    nmap -p 53,953 ispconfig.machi.ne
    I get the answer that port 53 is open and 953 is closed.
    My named.conf
    and my named.conf.options:
    The domains are all in named.conf.local and manually inserted. I think they are all OK, since times ago all this stuff has worked fine.


    Thanks very much for diving in.
    Help would be much appreciated.
     
    Last edited: Dec 11, 2009
  2. falko

    falko Super Moderator ISPConfig Developer

    Looks as if the zone wasn't transferred to the slave, and therefore it can't look it up since recursion is not allowed.
     
  3. t-mug

    t-mug New Member

    Problem solved

    Thanks, Falko. Yes, the recursion message was about bind couldn't find any transferred zone files and therefore would need to perform recursion, what was not allowed. At first glance this is not obvious.

    The intial problem was: I've installed ISPconfig on a machine, that was already in use as a manually managed secondary dns server. But ISPconfig has it's own way (compared to Debian and Ubuntu) to handle bind's configuration files; one big difference is, that ISPconfig doesn't split the bind configuration into parts like named.conf.options or named.conf.local and let these files finally be included in named.conf, but handle the whole thing in named.conf allone and throws existent includes inside it away. Another difference was the distribution way to place zone files below /var/cache/bind whereas ISPconfig has a UI-Setting for the zone files directory, which defaults to /etc/bind. This causes that my zone files got lost for bind's eyes and the recursion message appeared.

    So all this was a rather untypical problem and "handmade" in a certain way :)

    Thanks again for diving in.
     

Share This Page