How to make BIND 9 DNS Server in Redhat 9 accessible to LAN

My ISP has 2 DNS servers:
1.2.3.4
1.2.3.5

We've a leased line connected with an xDSL modem and router, and our public IPs are
1.2.4.0/28
and LAN IPs are
6.7.8.0/24

I've a BIND 9 DNS server on public IP 1.2.4.4. Status of my server is this:
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running



From the DNS server I can access the internet using a URL, but when I provide this DNS server IP 1.2.4.4 in the network configuration of any box in 1.2.4.0/28 or in my LAN 6.7.8.0/24, none of the boxes is able to access the internet using a URL.

How to connect the PCs inside the LAN and also on public IPs by using this DNS server?
rajeevsrivasAsked:

paranoidcookieCommented:
You could try adding forwarder addresses so lookups not catered for in your zone files are done by your ISP.

Add the following to your named.conf in the options section.

forwarders {ispdns;};

If that doesn't help, can you post your named.conf?

0
rajeevsrivasAuthor Commented:
named.conf:


acl external {
      202.144.128.200;
      202.144.128.210;
      };
acl internal {
      202.144.136.0/28;
      192.168.142.0/24;
      };
// generated by named-bootconf.pl

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
      // query-source address * port 53;
      
      forward first;
      forwarders {
            202.144.128.200;
            202.144.128.210;
            };
      allow-transfer {none;};
      allow-query {internal;external;};
      allow-recursion {internal;external;};
 };


//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
      type hint;
      file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
      type master;
      file  "rbit.zone";
      allow-query {any;};
      allow-transfer {internal;external;};
};
zone  "136.144.202.in-addr.arpa" {
      type master;
      file  "202.144.136.4.zone";
};



0
paranoidcookieCommented:
You don't want to forward first if you have your own domains, otherwise queries for your own domain are going to go to your ISP and back.

Don't allow recursion for external clients or you leave your name server open to cache poisoning attacks.

You say your LAN IP range is "my LAN 6.7.8.0/24." If so, you need to add this range into the ACL.

acl internal {
     202.144.136.0/28;
     192.168.142.0/24;
     6.7.8.0/24;
     };
0
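The two ACL problems this thread turns on (a client range missing from `acl internal`, and a list that names an ACL which was never defined) can be reproduced offline. The following is an added example, not code from the thread or from BIND: it evaluates a constructed excerpt of the posted named.conf with first-match semantics and deliberately simplifies BIND's rules (`localhost` is treated as loopback only, and a nested ACL counts as a hit when the nested list accepts the address).

```python
import ipaddress
import re
# Constructed excerpt modelled on the named.conf posted in this thread.
NAMED_CONF = """
acl external { 202.144.128.200; 202.144.128.210; };
acl internal { 202.144.136.0/28; 192.168.142.0/24; };
options {
    allow-query { internal; external; };
    allow-recursion { internal; };
};
"""

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse_acls(conf):
    """Return {name: [elements]} for every top-level 'acl name { ... };'."""
    return {m.group(1): _elements(m.group(2)) for m in
            re.finditer(r'^\s*acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf, re.M)}

def parse_option(conf, name):
    """Address list of an options statement, or None when it is absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}', conf)
    return _elements(m.group(1)) if m else None

def matches(elements, ip, acls):
    """First match wins, as named evaluates an address_match_list; a matching
    negated element rejects the address (nested ACL: hit if the nested list accepts)."""
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name in ("any", "none"):
            hit = name == "any"
        elif name == "localhost":                # approximation: loopback only
            hit = ip.is_loopback
        elif name in acls:                       # named ACL, evaluated recursively
            hit = matches(acls[name], ip, acls)
        elif name[0].isdigit():
            hit = ip in ipaddress.ip_network(name, strict=False)
        else:                                    # the error named logged for 'all'
            raise KeyError(f"undefined ACL '{name}'")
        if hit:
            return not negate
    return False

def check_client(conf, client):
    """Can this client query and recurse?  An absent option defaults to any (BIND 9.2)."""
    ip, acls = ipaddress.ip_address(client), parse_acls(conf)
    return {opt: matches(parse_option(conf, opt) or ["any"], ip, acls)
            for opt in ("allow-query", "allow-recursion")}
```

Running `check_client(NAMED_CONF, "6.7.8.9")` shows the asker's original LAN range being refused for both query and recursion, while `{ all; }` in place of `{ internal; }` raises the same undefined-ACL error that named logged.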

rajeevsrivasAuthor Commented:
You mean first I mention my DNS server IP in forwarders?
I've made changes in named.conf, still the problem is the same. My LAN IPs are 192.168.142.0/24 (which I mentioned previously as 6.7.8.0/24):


acl external {
     202.144.128.200;
     202.144.128.210;
     };
acl internal {
     202.144.136.0/28;
     192.168.142.0/24;   // This is 6.7.8.0/24
     };
// generated by named-bootconf.pl

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
     // query-source address * port 53;
     
     forward first;
     forwarders {
          202.144.136.4;    // My DNS Server
          202.144.128.200;
          202.144.128.210;
          };
     allow-transfer {none;};
     allow-query {internal;external;};
     allow-recursion {internal;};
 };


//
// a caching only nameserver config
//
controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
     type hint;
     file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
     type master;
     file  "rbit.zone";
     allow-query {any;};
     allow-transfer {internal;external;};
};
zone  "136.144.202.in-addr.arpa" {
     type master;
     file  "202.144.136.4.zone";
};
0
badrulnmCommented:
Does the DNS server work with the default named.conf?

>> My ISP has 2 DNS server:
>> 1.2.3.4
>> 1.2.3.5
 ...
>> DNS server ip 1.2.4.4

Make sure on your server 1.2.4.4 /etc/resolv.conf contains:

nameserver 1.2.4.4
nameserver 1.2.3.4
nameserver 1.2.3.5
0
paranoidcookieCommented:
and that your nsswitch.conf has

hosts: files dns
0
rajeevsrivasAuthor Commented:
I've included it in nameserver and my nsswitch.conf has
hosts: files dns

Still the problem is the same. I can use everything (including dig) from the DNS server itself but not from other PCs or servers.
0
paranoidcookieCommented:
Just a few more things to check: you shouldn't list your own server as a forwarder. Does named.ca exist in /var/named? Do you have any sort of firewall on the server that could be blocking name resolution?
Is the server itself able to resolve the domains?

You could test whether in some way the access controls aren't working by commenting them out and replacing the internal and external with all.
0
rajeevsrivasAuthor Commented:
I've removed my own server IP as forwarder. Yes, named.ca exists.
No, I'm not using any firewall other than iptables.
Yes, the server itself is able to resolve the domains.
I've replaced with "all", still the same problem.
0
rajeevsrivasAuthor Commented:
With "all" the log file shows this:

Nov  1 15:09:28 rbitspace named[4160]: starting BIND 9.2.1 -u named
Nov  1 15:09:28 rbitspace named[4160]: using 1 CPU
Nov  1 15:09:28 rbitspace named: named startup succeeded
Nov  1 15:09:29 rbitspace named[4160]: loading configuration from '/etc/named.conf'
Nov  1 15:09:29 rbitspace named[4160]: no IPv6 interfaces found
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth0, 202.144.136.4#53
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth1, 192.168.142.1#53
Nov  1 15:09:29 rbitspace named[4160]: /etc/named.conf:28: undefined ACL 'all'
Nov  1 15:09:29 rbitspace named[4160]: loading configuration: not found
Nov  1 15:09:29 rbitspace named[4160]: exiting (due to fatal error)
0
paranoidcookieCommented:
I meant in your named.conf comment out the two acl sections completely:

//acl external {
//     202.144.128.200;
//    202.144.128.210;
//     };
//acl internal {
//     202.144.136.0/28;
//     192.168.142.0/24;   // This is 6.7.8.0/24
//     };


and change

allow-query {internal;external;};
allow-recursion {internal;};

to

allow-query {all;};
allow-recursion {all;};

Just as a test to see if access control is preventing access. Also, as a general rule, always check things are starting up correctly after each change; in the *nix world it's easy to mess things up by accidentally leaving a loose character in a file.
0
rajeevsrivasAuthor Commented:
This is my named.conf now and see my log file report:

// acl external {
//      202.144.128.200;
//      202.144.128.210;
//      };
// acl internal {
//       202.144.136.0/28;
//      192.168.142.0/24;
//      };
// generated by named-bootconf.pl

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
      // query-source address * port 53;
      
      forward first;
      forwarders {
            202.144.128.200;
            202.144.128.210;
            };
      allow-transfer {none;};
      allow-query {all;};
      allow-recursion {all;};
 };


//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
      type hint;
      file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
      type master;
      file  "rbit.zone";
      allow-query {any;};
      allow-transfer {all;};
};
zone  "136.144.202.in-addr.arpa" {
      type master;
      file  "202.144.136.4.zone";
};



Log file:

Nov  2 12:14:51 rbitspace named[4866]: starting BIND 9.2.1 -u named
Nov  2 12:14:51 rbitspace named[4866]: using 1 CPU
Nov  2 12:14:51 rbitspace named: named startup succeeded
Nov  2 12:14:51 rbitspace named[4866]: loading configuration from '/etc/named.conf'
Nov  2 12:14:51 rbitspace named[4866]: no IPv6 interfaces found
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth0, 202.144.136.4#53
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth1, 192.168.142.1#53
Nov  2 12:14:51 rbitspace named[4866]: /etc/named.conf:28: undefined ACL 'all'
Nov  2 12:14:51 rbitspace named[4866]: loading configuration: not found
Nov  2 12:14:51 rbitspace named[4866]: exiting (due to fatal error)
0
paranoidcookieCommented:
So sorry, replace all with any.

http://www.zytrax.com/books/dns/ch7/acl.html
0
rajeevsrivasAuthor Commented:
The problem is the same. Still I'm not able to access this DNS server.
Help
0
badrulnmCommented:
Since you've commented out:

// acl external {
//     202.144.128.200;
//     202.144.128.210;
//     };
// acl internal {
//      202.144.136.0/28;
//     192.168.142.0/24;
//     };

let's comment these lines out:

//     allow-query {all;};
//     allow-recursion {all;};
0
rajeev1963Commented:
You've only a problem with iptables.
Check once by opening all ports, or

by adding this line in /etc/sysconfig/iptables:

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
0
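Rather than opening all ports to test, the ruleset can be checked offline. The following added example (not code from the thread) parses a constructed iptables-save dump in the Red Hat 9 style (the RH-Firewall-1-INPUT chain name is an assumption), walks the INPUT chain with first-match semantics and returns the verdict for a fresh DNS query over UDP and over TCP; with only the UDP rule from this thread, TCP 53 (needed for answers that do not fit in 512 bytes and for zone transfers) stays rejected. Only the -i, -s, -p, --dport and --state selectors are modelled.

```python
import ipaddress
import re
# Constructed iptables-save dump modelled on a Red Hat 9 default firewall, with the
# UDP-only port 53 rule from this thread added.  TCP 53 is still rejected.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
RULE = re.compile(r"-A (\S+)(.*?) -j (\S+)")
def parse(dump):
    # (policies, chains) from iptables-save text; each rule is ({option: value}, target)
    policies, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A"):
            chain, opts, target = RULE.match(line).groups()
            words = opts.split()
            chains[chain].append((dict(zip(words[::2], words[1::2])), target))
    return policies, chains

def rule_matches(o, pkt):
    """Every selector present must match a new inbound packet; unknown selectors are ignored."""
    src_ok = "-s" not in o or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(o["-s"], False)
    state_ok = "--state" not in o or "NEW" in o["--state"].split(",")
    return (src_ok and state_ok and o.get("-i", pkt["iface"]) == pkt["iface"]
            and o.get("-p", pkt["proto"]) == pkt["proto"]
            and int(o.get("--dport", pkt["dport"])) == pkt["dport"])

def verdict(policies, chains, pkt, chain="INPUT"):
    """First matching terminal target wins; a user chain that falls through returns here."""
    for opts, target in chains[chain]:
        if rule_matches(opts, pkt):
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target in chains and (hit := verdict(policies, chains, pkt, target)):
                return hit
    return None if policies[chain] == "-" else policies[chain]

def dns_reachable(dump, src, iface="eth1"):
    # verdicts for a fresh DNS query from src arriving on iface, over UDP and over TCP
    policies, chains = parse(dump)
    pkt = {"src": src, "iface": iface, "dport": 53}
    return {p: verdict(policies, chains, {**pkt, "proto": p}) for p in ("udp", "tcp")}
```

A TCP 53 rule restricted with `-s` to the internal and external ranges, placed before the final REJECT, is the tighter fix than opening every port.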
