Solved

How to make BIND 9 DNS Server in Redhat 9 accessible to LAN

Posted on 2004-10-26
Last Modified: 2010-08-05
My ISP has 2 DNS servers:
1.2.3.4
1.2.3.5

We've a leased line connected with an xDSL modem and router, & our public IPs are
1.2.4.0/28
and LAN IPs are
6.7.8.0/24

I've a BIND 9 DNS server on public IP 1.2.4.4. The status of my server is this:
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running

From the DNS server I can access the internet using URLs, but when I provide this DNS server IP 1.2.4.4 in the network configuration of any box in 1.2.4.0/28 or in my LAN 6.7.8.0/24, none of the boxes is able to access the internet using URLs.

How do I connect the PCs inside the LAN and also on the public IPs by using this DNS server?
Question by:rajeevsrivas
16 Comments
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12419402
You could try adding forwarder addresses so lookups not catered for in your zone files are done by your ISP.

Add the following to your named.conf in the options section.

forwarders {ispdns;};

If that doesn't help, can you post your named.conf?


Author Comment

by:rajeevsrivas
ID: 12420533
named.conf:


acl external {
      202.144.128.200;
      202.144.128.210;
      };
acl internal {
      202.144.136.0/28;
      192.168.142.0/24;
      };
// generated by named-bootconf.pl

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
      // query-source address * port 53;
      
      forward first;
      forwarders {
            202.144.128.200;
            202.144.128.210;
            };
      allow-transfer {none;};
      allow-query {internal;external;};
      allow-recursion {internal;external;};
 };


//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
      type hint;
      file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
      type master;
      file  "rbit.zone";
      allow-query {any;};
      allow-transfer {internal;external;};
};
zone  "136.144.202.in-addr.arpa" {
      type master;
      file  "202.144.136.4.zone";
};



LVL 5

Expert Comment

by:paranoidcookie
ID: 12420619
You don't want to forward first if you have your own domains; otherwise queries for your own domain are going to go to your ISP and back.

Don't allow recursion for external clients or you leave your name server open to cache poisoning attacks.

You say your LAN IP range is "my LAN 6.7.8.0/24." If so, you need to add this range into the ACL.

acl internal {
     202.144.136.0/28;
     192.168.142.0/24;
     6.7.8.0/24;
     };

Author Comment

by:rajeevsrivas
ID: 12429867
You mean first I mention my DNS server IP in forwarders?
I've made changes in named.conf; still the problem is the same. My LAN IPs are 192.168.142.0/24 (which I mentioned previously as 6.7.8.0/24):


acl external {
     202.144.128.200;
     202.144.128.210;
     };
acl internal {
     202.144.136.0/28;
     192.168.142.0/24;   // This is 6.7.8.0/24
     };
// generated by named-bootconf.pl

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
     // query-source address * port 53;
     
     forward first;
     forwarders {
          202.144.136.4;    // My DNS Server
          202.144.128.200;
          202.144.128.210;
          };
     allow-transfer {none;};
     allow-query {internal;external;};
     allow-recursion {internal;};
 };


//
// a caching only nameserver config
//
controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
     type hint;
     file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
     type master;
     file  "rbit.zone";
     allow-query {any;};
     allow-transfer {internal;external;};
};
zone  "136.144.202.in-addr.arpa" {
     type master;
     file  "202.144.136.4.zone";
};
LVL 5

Expert Comment

by:badrulnm
ID: 12456146
Does the DNS server work with the default named.conf?

>> My ISP has 2 DNS server:
>> 1.2.3.4
>> 1.2.3.5
 ...
>> DNS server ip 1.2.4.4

Make sure on your server 1.2.4.4 /etc/resolv.conf contains:

nameserver 1.2.4.4
nameserver 1.2.3.4
nameserver 1.2.3.5
LVL 5

Expert Comment

by:paranoidcookie
ID: 12456298
and that your nsswitch.conf has

hosts: files dns

Author Comment

by:rajeevsrivas
ID: 12461231
I've included the nameservers, and my nsswitch.conf has
hosts: files dns

Still the problem is the same. I can use everything (including dig) from the DNS server itself but not from other PCs or servers.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12461286
Just a few more things to check: you shouldn't list your own server as a forwarder. Does named.ca exist in /var/named? Do you have any sort of firewall on the server that could be blocking name resolution?
Is the server itself able to resolve the domains?

You could test whether in some way the access controls aren't working by commenting them out and replacing the internal and external with all.

Author Comment

by:rajeevsrivas
ID: 12461580
I've removed my own server IP as a forwarder. Yes, named.ca exists.
No, I'm not using any firewall other than iptables.
Yes, the server itself is able to resolve the domains.
I've replaced with "all"; still the same problem.

Author Comment

by:rajeevsrivas
ID: 12461827
With "all", the log file shows this:

Nov  1 15:09:28 rbitspace named[4160]: starting BIND 9.2.1 -u named
Nov  1 15:09:28 rbitspace named[4160]: using 1 CPU
Nov  1 15:09:28 rbitspace named: named startup succeeded
Nov  1 15:09:29 rbitspace named[4160]: loading configuration from '/etc/named.conf'
Nov  1 15:09:29 rbitspace named[4160]: no IPv6 interfaces found
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth0, 202.144.136.4#53
Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth1, 192.168.142.1#53
Nov  1 15:09:29 rbitspace named[4160]: /etc/named.conf:28: undefined ACL 'all'
Nov  1 15:09:29 rbitspace named[4160]: loading configuration: not found
Nov  1 15:09:29 rbitspace named[4160]: exiting (due to fatal error)
LVL 5

Expert Comment

by:paranoidcookie
ID: 12461841
I meant in your named.conf comment out the two acl sections completely

//acl external {
//     202.144.128.200;
//    202.144.128.210;
//     };
//acl internal {
//     202.144.136.0/28;
//     192.168.142.0/24;   // This is 6.7.8.0/24
//     };


and change

allow-query {internal;external;};
allow-recursion {internal;};

to

allow-query {all;};
allow-recursion {all;};

Just as a test to see if access control is preventing access. Also, as a general rule, always check that things are starting up correctly after each change; in the *nix world it's easy to mess things up by accidentally leaving a loose character in a file.

Author Comment

by:rajeevsrivas
ID: 12470560
This is my named.conf now; see my log file report:

// acl external {
//      202.144.128.200;
//      202.144.128.210;
//      };
// acl internal {
//       202.144.136.0/28;
//      192.168.142.0/24;
//      };
// generated by named-bootconf.pl

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
      // query-source address * port 53;
      
      forward first;
      forwarders {
            202.144.128.200;
            202.144.128.210;
            };
      allow-transfer {none;};
      allow-query {all;};
      allow-recursion {all;};
 };


//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
      type hint;
      file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";



zone  "rbit.edu.bt" {
      type master;
      file  "rbit.zone";
      allow-query {any;};
      allow-transfer {all;};
};
zone  "136.144.202.in-addr.arpa" {
      type master;
      file  "202.144.136.4.zone";
};



Log file:

Nov  2 12:14:51 rbitspace named[4866]: starting BIND 9.2.1 -u named
Nov  2 12:14:51 rbitspace named[4866]: using 1 CPU
Nov  2 12:14:51 rbitspace named: named startup succeeded
Nov  2 12:14:51 rbitspace named[4866]: loading configuration from '/etc/named.conf'
Nov  2 12:14:51 rbitspace named[4866]: no IPv6 interfaces found
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface lo, 127.0.0.1#53
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth0, 202.144.136.4#53
Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth1, 192.168.142.1#53
Nov  2 12:14:51 rbitspace named[4866]: /etc/named.conf:28: undefined ACL 'all'
Nov  2 12:14:51 rbitspace named[4866]: loading configuration: not found
Nov  2 12:14:51 rbitspace named[4866]: exiting (due to fatal error)
LVL 5

Expert Comment

by:paranoidcookie
ID: 12470871
So sorry, replace all with any.

http://www.zytrax.com/books/dns/ch7/acl.html
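The two BIND errors this thread runs into, an undefined ACL name (named refuses to start, as the log above shows) and recursion opened to everyone (the cache-poisoning exposure paranoidcookie warned about), can both be caught before restarting named. The following checker is an added example, not code from this thread or from BIND; the sample named.conf is constructed to mirror the poster's file, and the list of built-in ACL names is the one BIND 9 documents (any, none, localhost, localnets).

```python
import re

# Built-in ACLs BIND 9 always defines. "all" is NOT one of them, which is
# why named logged "undefined ACL 'all'" in this thread.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Constructed sample modelled on the thread's named.conf after the acl
# blocks were commented out but were still referenced from options.
SAMPLE_CONF = """
// acl internal { 202.144.136.0/28; 192.168.142.0/24; };
options {
    directory "/var/named";
    forward first;
    allow-transfer {none;};
    allow-query {all;};
    allow-recursion {all;};
};
zone "rbit.edu.bt" { type master; file "rbit.zone"; allow-query {any;}; };
"""

def strip_comments(text):
    """Drop BIND's three comment styles so commented-out acls do not count as defined."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def lint_named_conf(text):
    """Return (undefined_refs, open_recursion) for a named.conf text."""
    text = strip_comments(text)
    defined = set(re.findall(r"\bacl\s+\"?([\w.-]+)\"?\s*\{", text)) | BUILTIN_ACLS
    undefined, open_recursion = [], False
    for stmt, body in re.findall(r"(allow-(?:query|recursion|transfer))\s*\{([^}]*)\}", text):
        for item in (i.strip() for i in body.split(";") if i.strip()):
            name = item.lstrip("!")
            # Literal addresses/prefixes and key references are not ACL names.
            if re.match(r"^[\d.]+(/\d+)?$", name) or name.startswith("key "):
                continue
            if name not in defined:
                undefined.append((stmt, name))
            if stmt == "allow-recursion" and name == "any":
                open_recursion = True  # recursion for the whole Internet: open resolver
    return undefined, open_recursion

if __name__ == "__main__":
    refs, open_rec = lint_named_conf(SAMPLE_CONF)
    for stmt, name in refs:
        print(f"{stmt}: undefined ACL '{name}' (named will refuse to start)")
    if open_rec:
        print("allow-recursion {any;} answers recursive queries for everyone")
```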

Author Comment

by:rajeevsrivas
ID: 12501906
The problem is the same. Still I'm not able to access this DNS server.
Help
LVL 5

Expert Comment

by:badrulnm
ID: 12502113
Since you've commented out:

// acl external {
//     202.144.128.200;
//     202.144.128.210;
//     };
// acl internal {
//      202.144.136.0/28;
//     192.168.142.0/24;
//     };

let's comment these lines out:

//     allow-query {all;};
//     allow-recursion {all;};
LVL 1

Accepted Solution

by:
rajeev1963 earned 2000 total points
ID: 12672890
You've only a problem with iptables.
Check once by opening all ports, or

by adding this line in /etc/sysconfig/iptables:

# accept inbound DNS queries on udp/53 (tcp/53 is needed as well for zone transfers and replies too large for UDP)
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
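The thread spent weeks unable to tell a firewall drop from an ACL rejection, because both look like "DNS doesn't work" from a client. The two cases give different wire-level outcomes: a packet filter dropping udp/53 produces a timeout, while named reaching the query but rejecting the client under allow-query answers with RCODE REFUSED. The probe below is an added example (not code from this thread), built on raw sockets so it needs nothing beyond the standard library; the server address and the query name rbit.edu.bt are taken from the thread, the query id 0x1234 is a constructed constant.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QUERY_ID = 0x1234  # constructed fixed id so replies can be matched in tests

def build_query(name, qid=QUERY_ID, qtype=1):
    """Build a minimal DNS query (A record, RD=1) for `name` in wire format."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS IN

def parse_reply(data, qid=QUERY_ID):
    """Return (rcode_name, answer_count) from a DNS response header."""
    rid, flags, _, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # id must match and QR bit must be set
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), an

def classify(server, name="rbit.edu.bt", timeout=3.0):
    """Send one UDP query and map the outcome to the likely cause discussed in the thread."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected UDP so ICMP port-unreachable surfaces as an error
        try:
            s.send(query)
            data = s.recv(512)
        except socket.timeout:
            return "no reply: named not listening on that address, or a firewall (e.g. iptables) drops udp/53"
        except ConnectionRefusedError:
            return "ICMP port unreachable: nothing is bound to udp/53 on that address"
    rcode, answers = parse_reply(data)
    if rcode == "REFUSED":
        return "REFUSED: the query reached named but allow-query/allow-recursion rejects this client"
    return f"{rcode} with {answers} answer(s): DNS is reachable from this client"

if __name__ == "__main__":
    import sys
    print(classify(sys.argv[1] if len(sys.argv) > 1 else "202.144.136.4"))
```

Run it from a LAN host against the server address; a timeout points at the iptables fix in the accepted answer, a REFUSED points back at the ACLs.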