Solved

DNS Server Setup

Posted on 2004-04-08
7
298 Views
Last Modified: 2013-12-15
I'm setting up my first DNS server on RedHat Linux 9 and have come across a problem when other computers attempt to query my server.
The server itself can resolve names to IP's but from a remote computer the server doesn't responed.
For example:
From a windows computer on the same LAN I try to do a nslookup for google.com and get the following response:

> google.com
Server:  [192.168.1.30]
Address:  192.168.1.30
*** [192.168.1.30] can't find google.com: No response from server

Why would the server not give responses to other remote computers?
0
Comment
Question by:wookaka
  • 3
  • 2
  • 2
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10788998
My guess would be that your DNS server probably isn't, in fact, working. It /etc/resolv.conf on the DNS server still contains the IP(s) of an Internet nameserver you'd still be able to resolve hostnames/IP's since the requests would go to the Internet DNS servers.

If there's a serious error in your DNS configuration you should be able to see what's wrong by watching the tail end of /var/log/messages (tail -f /var/log/messages) while you start named.
0
 

Author Comment

by:wookaka
ID: 10789430
I already removed all other DNs servers from the resolv.conf file except for 127.0.0.1 and also check the /log/messages file. I did have one error about the 0.0.127 zone file missing but corrected that and the same problem continued.
Since this was a "getting my feet wet setup" I formatted and reinstalled without the firewall and I can now get DNS requests from the server.

Thanks anyway.
0
 
LVL 12

Expert Comment

by:mburdick
ID: 10791147
Is the RedHat server running IPTABLES and not allowing access to the BIND instance?

RedHat 9 installs IPTables by default, and bases its setup on how you answer a question or two during the installation.

See if IPTables is installed/running with    iptables -L -n

You may need to stop the firewall rules with    /etc/init.d/iptables stop    and try your DNS query again.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:wookaka
ID: 10792301
Here's what I get when I run the first command...

[root@nsi1 root]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm guessing that since I've reinstalled with no firewall that the IPTables are already stopped.

I'm guessing I would use   /etc/init.d/iptables start    to turn it on?
How would I then customize this to allow only ports 22 and 53 into the box?
0
 
LVL 12

Expert Comment

by:mburdick
ID: 10792596
The output shows that you have no restrictions in place for communications. Other machines should be able to access the NAMED server.

Let's keep the IPTables out of it for now...

You will need to check your /etc/named.conf and /etc/named.custom files for things like "allow-query" statements. It is quite possible that the server has ACL's on it (although this is not a default) that are preventing it from working properly. Use RedHat's on-line documentation to make sure you have everything set the way you need it...


http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-bind.html
0
 

Author Comment

by:wookaka
ID: 10793205
mburdick,
Just to make sure you are aware, the DNS server is working now. If you read above the server has been working since I reinstalled RedHat. I did 2 things in this setup different:
 
1) disabled the firewall during the initial installation.
2) didn't play with named.conf

It's now a caching name server and even setup as a slave for 1 domain.

I can't give the points for the DNS problem but would be happy to if you could give me some info on enambling the IPTables to secure the box and only allow ports 22 and 53 in.

Thanks
0
 
LVL 40

Accepted Solution

by:
jlevie earned 125 total points
ID: 10793561
Below is the firewall setup that I use to limit access to servers. It is pretty heavily commented and is currently configured to only allow SSH & DNS. Read through the comments to see how to set it up and for examples of other things you can do with it.

#!/bin/sh
#
# This is a simple, reasonably complete local host based firewall suitable for
# protecting a server that might be exposed to malicous activity.
#
# Save this in root's home directory as iptables-host and make it executable
# with 'chmod +x iptables-host'. Then to install the rule set simply run it
# with './iptables-host'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it to change the rulesets,
# rather than modifying the running rules. That way I have a readable
# record of the firewall configuration.
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES and define my IP.
#
IPT="/sbin/iptables"
IP1=192.168.1.30
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just dop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024-65534/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# DNS access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
$IPT -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
#
# HTTP access from anywhere
#
#$IPT -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
#$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# Allow access to SMTP only from a single node
#
#$IPT -A INPUT -p tcp -s 10.0.0.33 --dport 25 -j ACCEPT
#
# If there are trusted nodes you can allow then access to everything with
# something like this. Be sure to set IP at the top of this script if you
# enable one of these.
#
#$IPT -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
#$IPT -A INPUT -s 10.0.0.2 -d $IP1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPT -A INPUT -j firewalled
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
docker invalid registry name 2 52
Mail relay on Centos 1 46
good comptia a+ teacher? 4 74
Mac - rsync folders with / in name 5 60
I am a long time windows user and for me it is normal to have spaces in directory and file names. Changing to Linux I found myself frustrated when I moved my windows data over to my new Linux computer. The problem occurs when at the command line.…
Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now