Solved

How to make BIND 9 DNS Server in Redhat 9 accessible to LAN

Posted on 2004-10-26
Last Modified: 2010-08-05
My ISP has 2 DNS servers:
1.2.3.4
1.2.3.5

We've a leased line connected with an xDSL modem and router, and our public IPs are
1.2.4.0/28
and LAN IPs are
6.7.8.0/24

I've a BIND 9 DNS server on public IP 1.2.4.4. The status of my server is this:
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running



From the DNS server I can access the internet using a URL, but when I provide this DNS server IP 1.2.4.4 in the network configuration of any box in 1.2.4.0/28 or in my LAN 6.7.8.0/24, none of the boxes is able to access the internet using a URL.

How do I connect the PCs inside the LAN, and also those on public IPs, using this DNS server?
Question by:rajeevsrivas
    16 Comments

    Expert Comment

    by:paranoidcookie
    You could try adding forwarder addresses so lookups not catered for in your zone files are done by your ISP.

    Add the following to your named.conf in the options section.

    forwarders {ispdns;};

    If that doesn't help, can you post your named.conf?

    Author Comment

    by:rajeevsrivas
    named.conf :


    acl external {
          202.144.128.200;
          202.144.128.210;
          };
    acl internal {
          202.144.136.0/28;
          192.168.142.0/24;
          };
    // generated by named-bootconf.pl

    options {
          directory "/var/named";
          /*
           * If there is a firewall between you and nameservers you want
           * to talk to, you might need to uncomment the query-source
           * directive below.  Previous versions of BIND always asked
           * questions using port 53, but BIND 8.1 uses an unprivileged
           * port by default.
           */
          // query-source address * port 53;
          
          forward first;
          forwarders {
                202.144.128.200;
                202.144.128.210;
                };
          allow-transfer {none;};
          allow-query {internal;external;};
          allow-recursion {internal;external;};
     };


    //
    // a caching only nameserver config
    //
    controls {
          inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };
    zone "." IN {
          type hint;
          file "named.ca";
    };

    zone "localhost" IN {
          type master;
          file "localhost.zone";
          allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
          type master;
          file "named.local";
          allow-update { none; };
    };

    include "/etc/rndc.key";



    zone  "rbit.edu.bt" {
          type master;
          file  "rbit.zone";
          allow-query {any;};
          allow-transfer {internal;external;};
    };
    zone  "136.144.202.in-addr.arpa" {
          type master;
          file  "202.144.136.4.zone";
    };




    Expert Comment

    by:paranoidcookie
    You don't want to forward first if you have your own domains, otherwise queries for your own domain are going to go to your ISP and back.

    Don't allow recursion for external clients or you leave your name server open to cache poisoning attacks.

    You say your LAN IP range is "my LAN 6.7.8.0/24." If so, you need to add this range into the ACL.

    acl internal {
         202.144.136.0/28;
         192.168.142.0/24;
         6.7.8.0/24;
         };

    Author Comment

    by:rajeevsrivas
    You mean I mention my DNS server IP first in forward?
    I've made changes in named.conf, but the problem is still the same. My LAN IPs are 192.168.142.0/24 (which I mentioned previously as 6.7.8.0/24):


    acl external {
         202.144.128.200;
         202.144.128.210;
         };
    acl internal {
         202.144.136.0/28;
         192.168.142.0/24;   // This is 6.7.8.0/24
         };
    // generated by named-bootconf.pl

    options {
         directory "/var/named";
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
         // query-source address * port 53;
         
         forward first;
         forwarders {
              202.144.136.4;    // My DNS Server
              202.144.128.200;
              202.144.128.210;
              };
         allow-transfer {none;};
         allow-query {internal;external;};
         allow-recursion {internal;};
     };


    //
    // a caching only nameserver config
    //
    controls {
         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };
    zone "." IN {
         type hint;
         file "named.ca";
    };

    zone "localhost" IN {
         type master;
         file "localhost.zone";
         allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
         type master;
         file "named.local";
         allow-update { none; };
    };

    include "/etc/rndc.key";



    zone  "rbit.edu.bt" {
         type master;
         file  "rbit.zone";
         allow-query {any;};
         allow-transfer {internal;external;};
    };
    zone  "136.144.202.in-addr.arpa" {
         type master;
         file  "202.144.136.4.zone";
    };

    Expert Comment

    by:badrulnm
    Does the DNS server work with the default named.conf?

    >> My ISP has 2 DNS server:
    >> 1.2.3.4
    >> 1.2.3.5
     ...
    >> DNS server ip 1.2.4.4

    Make sure on your server 1.2.4.4 /etc/resolv.conf contains:

    nameserver 1.2.4.4
    nameserver 1.2.3.4
    nameserver 1.2.3.5

    Expert Comment

    by:paranoidcookie
    and that your nsswitch.conf has

    hosts: files dns

    Author Comment

    by:rajeevsrivas
    I've included it in nameserver and my nsswitch.conf has
    hosts: files dns

    Still the problem is the same. I can use everything (including dig) from the DNS server itself but not from other PCs or servers.

    Expert Comment

    by:paranoidcookie
    Just a few more things to check: you shouldn't list your own server as a forwarder. Does named.ca exist in /var/named? Do you have any sort of firewall on the server that could be blocking name resolution?
    Is the server itself able to resolve the domains?

    You could test whether in some way the access controls aren't working by commenting them out and replacing the internal and external with all.

    Author Comment

    by:rajeevsrivas
    I've removed my own server IP as a forwarder. Yes, named.ca exists.
    No, I'm not using any firewall other than iptables.
    Yes, the server itself is able to resolve the domains.
    I've replaced with "all", still the same problem.

    Author Comment

    by:rajeevsrivas
    with "all" the log file shows this:

    Nov  1 15:09:28 rbitspace named[4160]: starting BIND 9.2.1 -u named
    Nov  1 15:09:28 rbitspace named[4160]: using 1 CPU
    Nov  1 15:09:28 rbitspace named: named startup succeeded
    Nov  1 15:09:29 rbitspace named[4160]: loading configuration from '/etc/named.conf'
    Nov  1 15:09:29 rbitspace named[4160]: no IPv6 interfaces found
    Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface lo, 127.0.0.1#53
    Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth0, 202.144.136.4#53
    Nov  1 15:09:29 rbitspace named[4160]: listening on IPv4 interface eth1, 192.168.142.1#53
    Nov  1 15:09:29 rbitspace named[4160]: /etc/named.conf:28: undefined ACL 'all'
    Nov  1 15:09:29 rbitspace named[4160]: loading configuration: not found
    Nov  1 15:09:29 rbitspace named[4160]: exiting (due to fatal error)

    Expert Comment

    by:paranoidcookie
    I meant in your named.conf comment out the two acl sections completely:

    //acl external {
    //     202.144.128.200;
    //    202.144.128.210;
    //     };
    //acl internal {
    //     202.144.136.0/28;
    //     192.168.142.0/24;   // This is 6.7.8.0/24
    //     };


    and change

    allow-query {internal;external;};
    allow-recursion {internal;};

    to

    allow-query {all;};
    allow-recursion {all;};

    Just as a test to see if access control is preventing access. Also, as a general rule, always check that things are starting up correctly after each change; in the *nix world it's easy to mess things up by accidentally leaving a loose character in a file.

    Author Comment

    by:rajeevsrivas
    This is my named.conf now; see my log file report:

    // acl external {
    //      202.144.128.200;
    //      202.144.128.210;
    //      };
    // acl internal {
    //       202.144.136.0/28;
    //      192.168.142.0/24;
    //      };
    // generated by named-bootconf.pl

    options {
          directory "/var/named";
          /*
           * If there is a firewall between you and nameservers you want
           * to talk to, you might need to uncomment the query-source
           * directive below.  Previous versions of BIND always asked
           * questions using port 53, but BIND 8.1 uses an unprivileged
           * port by default.
           */
          // query-source address * port 53;
          
          forward first;
          forwarders {
                202.144.128.200;
                202.144.128.210;
                };
          allow-transfer {none;};
          allow-query {all;};
          allow-recursion {all;};
     };


    //
    // a caching only nameserver config
    //
    controls {
          inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };
    zone "." IN {
          type hint;
          file "named.ca";
    };

    zone "localhost" IN {
          type master;
          file "localhost.zone";
          allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
          type master;
          file "named.local";
          allow-update { none; };
    };

    include "/etc/rndc.key";



    zone  "rbit.edu.bt" {
          type master;
          file  "rbit.zone";
          allow-query {any;};
          allow-transfer {all;};
    };
    zone  "136.144.202.in-addr.arpa" {
          type master;
          file  "202.144.136.4.zone";
    };



    Log file:

    Nov  2 12:14:51 rbitspace named[4866]: starting BIND 9.2.1 -u named
    Nov  2 12:14:51 rbitspace named[4866]: using 1 CPU
    Nov  2 12:14:51 rbitspace named: named startup succeeded
    Nov  2 12:14:51 rbitspace named[4866]: loading configuration from '/etc/named.conf'
    Nov  2 12:14:51 rbitspace named[4866]: no IPv6 interfaces found
    Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface lo, 127.0.0.1#53
    Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth0, 202.144.136.4#53
    Nov  2 12:14:51 rbitspace named[4866]: listening on IPv4 interface eth1, 192.168.142.1#53
    Nov  2 12:14:51 rbitspace named[4866]: /etc/named.conf:28: undefined ACL 'all'
    Nov  2 12:14:51 rbitspace named[4866]: loading configuration: not found
    Nov  2 12:14:51 rbitspace named[4866]: exiting (due to fatal error)

    Expert Comment

    by:paranoidcookie
    So sorry, replace all with any.

    http://www.zytrax.com/books/dns/ch7/acl.html
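    A small model of how BIND evaluates these address-match lists, added here as an example and not code from the thread: it reproduces the "undefined ACL 'all'" failure from the log (any is the built-in, all is not), shows which of the posted ACLs grant a LAN, ISP or arbitrary Internet client query and recursion rights, and flags the open-recursion exposure paranoidcookie warned about. The named.conf fragment is constructed from the addresses posted above; the 198.51.100.7 probe address is a TEST-NET-2 placeholder, and localhost/localnets are not modelled.

```python
import ipaddress
import re

# Constructed named.conf fragment: the ACLs and options-level allow-* lists as posted.
NAMED_CONF = """
acl external { 202.144.128.200; 202.144.128.210; };
acl internal { 202.144.136.0/28; 192.168.142.0/24; };
options { allow-query { internal; external; }; allow-recursion { internal; }; };
"""

def parse_lists(conf):
    """Map each acl block and each allow-* list to its elements (names, prefixes, any/none)."""
    lists = {}
    pat = r'\b(?:acl\s+"?([\w-]+)"?|(allow-(?:query|recursion|transfer)))\s*\{([^}]*)\}'
    for acl_name, allow_name, body in re.findall(pat, conf):
        lists[acl_name or allow_name] = [e.strip() for e in body.split(";") if e.strip()]
    return lists

def matches(client, elements, lists):
    """BIND address_match_list semantics: the first matching element decides, a leading
    '!' negates it, 'any'/'none' are built-ins and other names are nested ACLs. An unknown
    name ('all' is not a built-in) is the "undefined ACL" error seen in the thread's log."""
    addr = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        tok = elem.lstrip("! ")
        if tok in ("any", "none"):
            hit = tok == "any"
        elif tok in lists:
            hit = matches(client, lists[tok], lists)
        else:
            try:
                hit = addr in ipaddress.ip_network(tok, strict=False)
            except ValueError:
                raise ValueError(f"undefined ACL '{tok}'") from None
        if hit:
            return not negate
    return False

def client_access(conf, client):
    """Query/recursion decision for one client, or the error that stops named from loading."""
    lists = parse_lists(conf)
    try:
        return {"query": matches(client, lists["allow-query"], lists),
                "recursion": matches(client, lists["allow-recursion"], lists)}
    except ValueError as err:
        return {"error": str(err)}

def open_resolver(conf, probe="198.51.100.7"):
    """True if an arbitrary Internet address (constructed TEST-NET-2 probe) gets recursion."""
    return client_access(conf, probe).get("recursion", False)
```

Feeding the same checker a config that says `allow-recursion { any; }` reports an open resolver, while the posted `{ internal; }` list refuses recursion to the ISP and to any outside address but still answers plain queries for the hosted zone.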

    Author Comment

    by:rajeevsrivas
    The problem is the same. Still I'm not able to access this DNS server.
    Help

    Expert Comment

    by:badrulnm
    since you've commented out:

    // acl external {
    //     202.144.128.200;
    //     202.144.128.210;
    //     };
    // acl internal {
    //      202.144.136.0/28;
    //     192.168.142.0/24;
    //     };

    let's comment these lines out:

    //     allow-query {all;};
    //     allow-recursion {all;};

    Accepted Solution

    by:
    You only have a problem with iptables.
    Check once by opening all ports, or

    by adding this line in /etc/sysconfig/iptables

    # accept DNS queries from clients on UDP port 53
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    # TCP 53 is also needed for zone transfers and answers too large for UDP
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT