  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1823
  • Last Modified:

How to make BIND 9 DNS Server in Redhat 9 accessible to LAN

My ISP has 2 DNS servers:
1.2.3.4
1.2.3.5

We've a leased line connected with an xDSL modem and router; our public IPs are
1.2.4.0/28
and LAN IPs are
6.7.8.0/24

I've a BIND 9 DNS server on public IP 1.2.4.4. The status of my server is this:
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running



From the DNS server I can access the internet using URLs, but when I provide this DNS server IP 1.2.4.4 in the network configuration of any box in 1.2.4.0/28 or in my LAN 6.7.8.0/24, none of the boxes is able to access the internet using URLs.

How do I connect the PCs inside the LAN and also on public IPs by using this DNS server?
0
Asked by: rajeevsrivas
1 Solution
 
paranoidcookieCommented:
You could try adding forwarder addresses so lookups not catered for in your zone files are done by your ISP.

Add the following to your named.conf in the options section.

forwarders {ispdns;};

If that doesn't help, can you post your named.conf?

0
 
rajeevsrivasAuthor Commented:
named.conf :


acl external {
      202.144.128.200;
      202.144.128.210;
      };
acl internal {
      202.144.136.0/28;
      192.168.142.0/24;
      };
// generated by named-bootconf.pl

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
      // query-source address * port 53;
      
      forward first;
      forwarders {
            202.144.128.200;
            202.144.128.210;
            };
      allow-transfer {none;};
      allow-query {internal;external;};
      allow-recursion {internal;external;};
 };


//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
      type hint;
      file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
      type master;
      file  "rbit.zone";
      allow-query {any;};
      allow-transfer {internal;external;};
};
zone  "136.144.202.in-addr.arpa" {
      type master;
      file  "202.144.136.4.zone";
};



0
 
paranoidcookieCommented:
You don't want to forward first if you have your own domains; otherwise queries for your own domain are going to go to your ISP and back.

Don't allow recursion for external clients or you leave your name server open to cache poisoning attacks.

You say your LAN IP range is "my LAN 6.7.8.0/24." If so, you need to add this range into the ACL.

acl internal {
     202.144.136.0/28;
     192.168.142.0/24;
     6.7.8.0/24;
     };
0
 
rajeevsrivasAuthor Commented:
You mean first I mention my DNS server IP in forward?
I've made changes in named.conf; still the problem is the same. My LAN IPs are 192.168.142.0/24 (which I mentioned previously as 6.7.8.0/24):


acl external {
     202.144.128.200;
     202.144.128.210;
     };
acl internal {
     202.144.136.0/28;
     192.168.142.0/24;   // This is 6.7.8.0/24
     };
// generated by named-bootconf.pl

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
     // query-source address * port 53;
     
     forward first;
     forwarders {
          202.144.136.4;    // My DNS Server
          202.144.128.200;
          202.144.128.210;
          };
     allow-transfer {none;};
     allow-query {internal;external;};
     allow-recursion {internal;};
 };


//
// a caching only nameserver config
//
controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
     type hint;
     file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
     type master;
     file  "rbit.zone";
     allow-query {any;};
     allow-transfer {internal;external;};
};
zone  "136.144.202.in-addr.arpa" {
     type master;
     file  "202.144.136.4.zone";
};
0
 
badrulnmCommented:
Does the DNS server work with the default named.conf?

>> My ISP has 2 DNS server:
>> 1.2.3.4
>> 1.2.3.5
 ...
>> DNS server ip 1.2.4.4

Make sure on your server 1.2.4.4 /etc/resolv.conf contains:

nameserver 1.2.4.4
nameserver 1.2.3.4
nameserver 1.2.3.5
0
 
paranoidcookieCommented:
and that your nsswitch.conf has

hosts: files dns
0
 
rajeevsrivasAuthor Commented:
I've included it in nameserver and my nsswitch.conf has
hosts: files dns

Still the problem is the same. I can use everything (including dig) from the DNS server itself but not from other PCs or servers.
0
 
paranoidcookieCommented:
Just a few more things to check: you shouldn't list your own server as a forwarder. Does named.ca exist in /var/named? Do you have any sort of firewall on the server that could be blocking name resolution?
Is the server itself able to resolve the domains?

You could test whether in some way the access controls aren't working by commenting them out and replacing the internal and external with all.
0
 
rajeevsrivasAuthor Commented:
I've removed my own server IP as forwarder. Yes, named.ca exists.
No, I'm not using any firewall other than iptables.
Yes, the server itself is able to resolve the domains.
I've replaced with "all"; still the same problem.
0
 
rajeevsrivasAuthor Commented:
With "all" the log file shows this:

Nov  1 15:09:28 rbitspace named[4160]: starting BIND 9.2.1 -u named
Nov  1 15:09:28 rbitspace named[4160]: using 1 CPU
Nov  1 15:09:28 rbitspace named: named startup succeeded
Nov  1 15:09:29 rbitspace named[4160]: loading configuration from '/etc/named.conf'
Nov  1 15:09:29 rbitspace named[4160]: no IPv6 interfaces found
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth0, 202.144.136.4#53
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth1, 192.168.142.1#53
Nov  1 15:09:29 rbitspace named[4160]: /etc/named.conf:28: undefined ACL 'all'
Nov  1 15:09:29 rbitspace named[4160]: loading configuration: not found
Nov  1 15:09:29 rbitspace named[4160]: exiting (due to fatal error)
0
 
paranoidcookieCommented:
I meant in your named.conf comment out the two acl sections completely:

//acl external {
//     202.144.128.200;
//    202.144.128.210;
//     };
//acl internal {
//     202.144.136.0/28;
//     192.168.142.0/24;   // This is 6.7.8.0/24
//     };


and change

allow-query {internal;external;};
allow-recursion {internal;};

to

allow-query {all;};
allow-recursion {all;};

Just as a test to see if access control is preventing access. Also, as a general rule, always check things are starting up correctly after each change; in the *nix world it's easy to mess things up by accidentally leaving a loose character in a file.
0
 
rajeevsrivasAuthor Commented:
This is my named.conf now and see my log file report:

// acl external {
//      202.144.128.200;
//      202.144.128.210;
//      };
// acl internal {
//       202.144.136.0/28;
//      192.168.142.0/24;
//      };
// generated by named-bootconf.pl

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
      // query-source address * port 53;
      
      forward first;
      forwarders {
            202.144.128.200;
            202.144.128.210;
            };
      allow-transfer {none;};
      allow-query {all;};
      allow-recursion {all;};
 };


//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
      type hint;
      file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
      type master;
      file  "rbit.zone";
      allow-query {any;};
      allow-transfer {all;};
};
zone  "136.144.202.in-addr.arpa" {
      type master;
      file  "202.144.136.4.zone";
};



Log file:

Nov  2 12:14:51 rbitspace named[4866]: starting BIND 9.2.1 -u named
Nov  2 12:14:51 rbitspace named[4866]: using 1 CPU
Nov  2 12:14:51 rbitspace named: named startup succeeded
Nov  2 12:14:51 rbitspace named[4866]: loading configuration from '/etc/named.conf'
Nov  2 12:14:51 rbitspace named[4866]: no IPv6 interfaces found
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth0, 202.144.136.4#53
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth1, 192.168.142.1#53
Nov  2 12:14:51 rbitspace named[4866]: /etc/named.conf:28: undefined ACL 'all'
Nov  2 12:14:51 rbitspace named[4866]: loading configuration: not found
Nov  2 12:14:51 rbitspace named[4866]: exiting (due to fatal error)
0
 
paranoidcookieCommented:
So sorry, replace all with any.

http://www.zytrax.com/books/dns/ch7/acl.html
0
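The replies above converge on four things to check in named.conf before restarting: a name in an address match list that is neither a built-in (any, none, localhost, localnets) nor a declared acl (the 'all' in the log) stops named from loading; recursion should not be granted to outside addresses; a server must not list itself as a forwarder; and the LAN range has to be in the allowed list. The Python script below is an added example written for this page, not code from the thread or from BIND. Its parser handles only the statement shapes used in the posted configurations, the sample configuration is a condensed, constructed copy of the one posted above, and all function names are ours.

```python
import re

# Constructed sample: a condensed copy of the configuration posted in this
# thread, carrying the two mistakes the replies point at (recursion granted
# to the "external" ACL, and the server's own address listed as a forwarder).
SAMPLE_CONF = """
acl external { 202.144.128.200; 202.144.128.210; };
acl internal { 202.144.136.0/28; 192.168.142.0/24; };   // second entry is the LAN
options {
      directory "/var/named";
      forward first;
      forwarders { 202.144.136.4; 202.144.128.200; 202.144.128.210; };
      allow-transfer {none;};
      allow-query {internal;external;};
      allow-recursion {internal;external;};
};
zone "rbit.edu.bt" { type master; file "rbit.zone"; allow-query {any;}; };
"""

# Address-match-list names BIND predefines; any other bare name must be an acl.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def strip_comments(text):
    """Drop the /* */, // and # comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def block_body(text, keyword):
    """Text between the braces of the first 'keyword { ... }' block, or ''."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return ""


def parse_list(body, name):
    """Entries of 'name { a; b; };' inside body, or None if the directive is absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    return None if not m else [e.strip() for e in m.group(1).split(";") if e.strip()]


def parse_acls(text):
    """Map each 'acl name { ... };' statement to its entries."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}', text):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls


def expand(entries, acls):
    """Replace ACL names by their entries (one level is enough for this config)."""
    out = set()
    for e in entries:
        out.update(acls.get(e, [e]))
    return out


def lint_named_conf(conf_text, server_ips, lan_prefixes=()):
    """Return a list of findings; an empty list means none of the checks fired."""
    text = strip_comments(conf_text)
    acls = parse_acls(text)
    opts = block_body(text, "options")
    findings = []

    # 1. An undefined name in an address match list ('all' in the thread)
    #    makes named exit at startup, so check those first.
    for directive in ("allow-query", "allow-recursion", "allow-transfer"):
        for entry in parse_list(opts, directive) or []:
            name = entry.lstrip("!")
            if re.match(r"[A-Za-z]", name) and name not in acls and name not in BUILTIN_ACLS:
                findings.append("%s: undefined ACL '%s' (named refuses to start)" % (directive, name))

    # 2. Recursion should be limited to the server's own clients.
    recursion = parse_list(opts, "allow-recursion") or []
    forwarders = parse_list(opts, "forwarders") or []
    allowed = expand(recursion, acls)
    if "any" in allowed:
        findings.append("allow-recursion: open to any client (open resolver)")
    elif allowed & set(forwarders):
        findings.append("allow-recursion: grants recursion to the ISP/forwarder addresses")

    # 3. A server must not list itself as one of its own forwarders.
    for fwd in forwarders:
        if fwd in server_ips:
            findings.append("forwarders: server lists its own address %s" % fwd)

    # 4. Every LAN range that is meant to use this resolver must be allowed.
    if "any" not in allowed:
        for prefix in lan_prefixes:
            if prefix not in allowed:
                findings.append("allow-recursion: LAN range %s is not covered" % prefix)
    return findings


if __name__ == "__main__":
    for f in lint_named_conf(SAMPLE_CONF, {"202.144.136.4"}, ["192.168.142.0/24"]):
        print("-", f)
```

To run it against the live file, pass `open("/etc/named.conf").read()` together with the server's own addresses and the LAN prefixes. The first check duplicates what named itself reports in the log (and what named-checkconf reports without a restart); the other three are policy checks that a syntax checker will never flag.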
 
rajeevsrivasAuthor Commented:
The problem is the same. Still I'm not able to access this DNS server.
Help
0
 
badrulnmCommented:
Since you've commented out:

// acl external {
//     202.144.128.200;
//     202.144.128.210;
//     };
// acl internal {
//      202.144.136.0/28;
//     192.168.142.0/24;
//     };

let's comment these lines out:

//     allow-query {all;};
//     allow-recursion {all;};
0
 
rajeev1963Commented:
You only have a problem with iptables.
Check once by opening all ports, or

by adding this line in /etc/sysconfig/iptables

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
0
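The last reply points at the host firewall, which fits the symptoms in the thread: everything works from the server itself (loopback is normally allowed) but nothing works from other hosts. The script below is an added example written for this page, not code from the thread: it models how the INPUT chain of an iptables-save style /etc/sysconfig/iptables decides on a DNS query arriving on the LAN interface, then shows the same rule set with correctly written UDP and TCP port 53 accept rules placed in front of the rejecting rules. The rule set and the FIREWALL-INPUT chain name are constructed, and the model understands only -p, --dport, -i, -j, -m and --syn, refusing any other option rather than guessing.

```python
import shlex

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format: INPUT
# hands everything to a user chain that admits only loopback and SSH, so DNS
# queries arriving from the LAN interface are rejected.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL-INPUT - [0:0]
-A INPUT -j FIREWALL-INPUT
-A FIREWALL-INPUT -i lo -j ACCEPT
-A FIREWALL-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A FIREWALL-INPUT -p tcp -m tcp --syn -j REJECT
-A FIREWALL-INPUT -p udp -m udp -j REJECT
COMMIT
"""

# What a name server needs: UDP for ordinary queries, TCP for large answers
# and zone transfers. Both must sit in front of the rules that reject.
DNS_ACCEPT_RULES = (
    "-A INPUT -p udp -m udp --dport 53 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT",
)

# Options this model understands; anything else raises rather than guessing.
SETTERS = {"-p": "proto", "--protocol": "proto", "--dport": "dport",
           "-i": "iface", "--in-interface": "iface", "-j": "target", "--jump": "target"}


def parse_rule(toks):
    """Turn the option tokens of one '-A CHAIN ...' line into a match dict."""
    rule = {"proto": None, "dport": None, "iface": None, "syn": False, "target": None}
    i = 0
    while i < len(toks):
        if toks[i] in SETTERS:
            rule[SETTERS[toks[i]]] = toks[i + 1]
            i += 2
        elif toks[i] == "-m":          # match-module name; its options are handled above
            i += 2
        elif toks[i] == "--syn":
            rule["syn"] = True
            i += 1
        else:
            raise ValueError("unsupported iptables option: " + toks[i])
    return rule


def parse_rules(text):
    """Return (chain policies, rules per chain) from iptables-save style text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return policies, chains


def matches(rule, proto, dport, iface):
    """Does a new inbound packet (proto, dport, iface) match this rule?"""
    return (rule["proto"] in (None, proto) and rule["dport"] in (None, str(dport))
            and rule["iface"] in (None, iface)
            and (not rule["syn"] or proto == "tcp"))   # --syn only matches TCP


def verdict(policies, chains, proto, dport, iface, chain="INPUT"):
    """Walk the chain the way the kernel would; return ACCEPT, DROP or REJECT."""
    for rule in chains.get(chain, []):
        if not matches(rule, proto, dport, iface):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:           # jump into a user-defined chain
            result = verdict(policies, chains, proto, dport, iface, target)
            if result != "RETURN":
                return result
    return policies.get(chain) or "RETURN"   # built-in policy, or return to the caller


def dns_reachable(rules_text, iface="eth1"):
    """Verdict for UDP and TCP queries to port 53 arriving on the LAN interface."""
    policies, chains = parse_rules(rules_text)
    return {p: verdict(policies, chains, p, 53, iface) for p in ("udp", "tcp")}


def with_dns_rules(rules_text):
    """Insert the DNS accept rules before the first '-A' line so they are hit first."""
    lines = rules_text.splitlines()
    first = next(i for i, l in enumerate(lines) if l.startswith("-A "))
    return "\n".join(lines[:first] + list(DNS_ACCEPT_RULES) + lines[first:]) + "\n"
```

The model ignores source addresses and connection state, so it is a static check of rule order, not a substitute for testing with dig from a LAN host after the rules are loaded. It does make the two practical points visible: the accept rules have to come before the rejecting rules or they never match, and TCP 53 has to be opened alongside UDP 53.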
