Solved

BIND9 Queries from the outside Time-Out

Posted on 2006-03-27
Last Modified: 2010-03-18
Hello

Okay, here is the problem in a nutshell. I have a Debian server running BIND9. In that I have a zone set up, let's call it externaldomain.net. In that zone I have a few records, one of them being www pointing to an external IP. When I do a query for www through that server on my local network I get a lovely reply. However, when I do a query from the outside I get timeouts all around. Straight away you are probably thinking, "port forwarding". Nup, done this...and my problem continues.

I have forwarded both UDP and TCP port 53 to the BIND server on the local network. The weird thing is that I can do a list-all command in Windows NSLOOKUP from the outside, e.g.:

ls -d externaldomain.net

and it will return what is in the zone. I check the logs on my BIND server and it says it has done a transfer and all to accomplish this. However, there is no log to say that, when querying, it times out. When the BIND service starts there are no errors in the logs either and it says it is listening on port 53. Oh yes, I've also added the option to allow recursion and queries for 'any' as well. Any ideas anyone?

Thanks!
Question by:bryanford
21 Comments
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16301465
hello

first, you need to be sure it is not a network/firewall problem.

1.- when you type (at the dns server's prompt) dig @localhost www.externaldomain.net any, do you get a response?
2.- when you type (at other server on the internal network) dig @internal.ip.of.the.dns.server www.externaldomain.net any, do you get the same response?
3.- when you type (at other server outside on the internet) dig @external.ip.of.the.dns.server www.externaldomain.net any, do you get the same response?

then we can see where the problem resides.

If it is on the internet side only (I'm guessing), did you use a forward from other device to your server? Are both (port 53 udp and tcp) dns ports open on BOTH the router and your linux box firewall?

to see on the router: use its web admin console
to see on the linux box: iptables -L -vn | grep 53

hope this helps
LVL 1

Author Comment

by:bryanford
ID: 16307120

1. When I do that from the DNS server terminal, I get a reply and an authority response.
2. When I do that on another internal computer, in this case Windows using nslookup, I get a response.
3. When I try doing the same thing on a Windows computer on the outside, I get a timeout.

I forwarded port 53 UDP/TCP on my router to the internal address of my DNS server

I have Webmin installed, which has a Linux Firewall feature (uses iptables), and it says it's accepting all incoming packets.

Any other ideas?
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16307267
many!!! =)

what does iptables -L -vn (issued as root) say?

what do you have in your /etc/named.conf ?  (please strip the RNDC KEY part, since we don't need it and it should be kept secret)
LVL 1

Author Comment

by:bryanford
ID: 16307737
hehe glad to hear you're enthusiastic about it.

okay, this is what I get when I run iptables -L -vn as root:

================================================

Chain INPUT (policy ACCEPT 24902 packets, 4398K bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 26117 packets, 9733K bytes)
 pkts bytes target     prot opt in     out     source               destination        

================================================

My external domain is no secret, so I will give you those details if you wish to use them to work with. The domain name is "thatstough.net" and the name server is "ns1.thatstough.net", which points to my IP. On my registrar I have a different name server at the moment until I can fix this other problem up. But still, basically I can't make DNS queries from the outside when I try to use my server.

named.conf has:

====================================

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

zone "." {
      type hint;
      file "/etc/bind/db.root";
};

zone "localhost" {
      type master;
      file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
      type master;
      file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
      type master;
      file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
      type master;
      file "/etc/bind/db.255";
};

zone "thatstough.net" {
      type master;
      file "/etc/bind/db.thatstough";
};

====================================

named.conf.local has nothing in it
named.conf.options has:

====================================

options {
      directory "/var/cache/bind";
      recursion yes;
      allow-query { any; };
};

====================================

Thanks again
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16307886
hehehe found the problem: you do not have your DNS pointed to your IP; instead the authority for your domain is still an external one: ns1.everydns.net and ns2.everydns.net (see the output of the dig command). You need to go to your registrar and tell them your IP address will be the authority for your domain (this will only work if you have a static IP address):
--------------------------------------------------------------------------------------------
[gorv@localhost ~]$ dig thatstough.net any

; <<>> DiG 9.2.4 <<>> thatstough.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12143
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;thatstough.net.                        IN      ANY

;; ANSWER SECTION:
thatstough.net.         172800  IN      NS      ns1.everydns.net.
thatstough.net.         172800  IN      NS      ns2.everydns.net.

;; ADDITIONAL SECTION:
ns2.everydns.net.       172776  IN      A       216.218.240.206
ns1.everydns.net.       172776  IN      A       38.99.14.207

;; Query time: 113 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Mar 27 23:23:28 2006
;; MSG SIZE  rcvd: 109
LVL 1

Author Comment

by:bryanford
ID: 16307940
Yep, I know. I don't have it pointed because it's not accepting queries properly. I've changed it on my registrar so you can try doing it from one of the public servers or something...it's strange. I can do ANY queries from the outside, but when I try to do specific A record queries it times out. See below.

When i search for all
=============================================================================================

Searching for thatstough.net ALL record at ns1.thatstough.net. [220.233.200.67]: Reports thatstough.net. [took 261 ms]

Answer:

Domain               Type  Class  TTL     Answer
thatstough.net.      SOA   IN     604800  Primary DNS server: thatstough.net.
                                          Responsible Name:   root@thatstough.net.
                                          Serial:             1
                                          Refresh:            604800 (1w)
                                          Retry:              86400 (1d)
                                          Expire:             2419200 (4w)
                                          Minimum/NegTTL:     604800 (1w)
thatstough.net.      NS    IN     604800  ns1.thatstough.net.
ns1.thatstough.net.  A     IN     604800  220.233.200.67

=============================================================================================

When i do a specific www which does exist in the zone file

=============================================================================================
Searching for www.thatstough.net A record at ns1.thatstough.net. [220.233.200.67]: Timed out.  Trying again.

=============================================================================================
LVL 1

Author Comment

by:bryanford
ID: 16307961
Something else to add...I just added a test CNAME record in the zone and I can query it from the outside. See below.

mail.thatstough.net ALL record at ns1.thatstough.net. [220.233.200.67]: Got CNAME of www.thatstough.net
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16308026
heheheh

well, I don't know the tool you're using to check your DNS, but I can check it from my own linux server and it looks more or less right:

=========================================================================
[gorv@localhost ~]$ dig @220.233.200.67 thatstough.net any

; <<>> DiG 9.2.4 <<>> @220.233.200.67 thatstough.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28211
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;thatstough.net.                        IN      ANY

;; ANSWER SECTION:
thatstough.net.         604800  IN      SOA     thatstough.net. root.thatstough.net. 1 604800 86400 2419200 604800
thatstough.net.         604800  IN      NS      ns1.thatstough.net.

;; ADDITIONAL SECTION:
ns1.thatstough.net.     604800  IN      A       220.233.200.67
=========================================================================


But, just to add some to your configuration:

A) your start of authority (SOA) must point to one of your DNS servers, so I think your SOA must be
thatstough.net.         604800  IN      SOA     ns1.thatstough.net.   root.thatstough.net. 1 604800 86400 2419200 604800

B) You have defined very high numbers for refresh and cache... when you make the change, it's good to make them smaller so your site gets refreshed sooner, and you don't need to wait one week for each change.

C) for your serial number it is accepted and generally used to have the date followed by a serial within the date, as here:
2006032701 (today, AAAAMMDD serial 01 )

D) You made a CNAME called mail, but pointing it to www.thatstough.net, and haven't set up www yet =) every time you create a CNAME it must point to an A record already set up =)
LVL 1

Author Comment

by:bryanford
ID: 16308050
Thank you for all that extra information

However I have about 5 random A records which aren't showing up in the ALL query, including www.thatstough.net. Not even the CNAME comes up in the ALL query.
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16308096
then post here your zone file

did you run named-checkconf against your zone file?
LVL 1

Author Comment

by:bryanford
ID: 16308137
db.thatstough zone file

==============================================================
$TTL      604800
@      IN      SOA      thatstough.net. root.thatstough.net. (
                        1            ; Serial
                   604800            ; Refresh
                    86400            ; Retry
                  2419200            ; Expire
                   604800 )      ; Default TTL
;
@      IN      NS      ns1.thatstough.net.

ns1      IN      A      220.233.200.67
www      IN      A      220.233.200.67
abc      IN      A      220.233.200.67
azc      IN      A      220.233.200.67
atc      IN      A      220.233.200.67
tbc      IN      A      220.233.200.67
mail      IN      CNAME      tbc
==============================================================

Did check, and these are the errors I got:

/etc/bind/db.thatstough:1: unknown option '$TTL'
/etc/bind/db.thatstough:3: unknown option 'Serial'
/etc/bind/db.thatstough:4: unknown option 'Refresh'
/etc/bind/db.thatstough:5: unknown option 'Retry'
/etc/bind/db.thatstough:6: unknown option 'Expire'
/etc/bind/db.thatstough:7: unknown option 'Default'
/etc/bind/db.thatstough:9: unknown option '@'
/etc/bind/db.thatstough:17: unexpected token near end of file
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16308157
here an example of one of my zone files:
$ORIGIN .
$TTL 900        ; 15 minutes
vwclassicclub.com.mx    IN SOA  ns1.vwclassicclub.com.mx. root.vwclassicclub.com.mx. (
                                2005042015     ; serial
                                60         ; refresh (1 minute)
                                7200       ; retry (2 hours)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.vwclassicclub.com.mx.
$TTL 60 ; 1 minute
                        A       205.123.121.15
                        MX      10 correo.vwclassicclub.com.mx.
$ORIGIN vwclassicclub.com.mx.
correo                  A       205.123.121.15
listen                  A       205.123.121.15
mail                    A       205.123.121.15
status                  A       205.123.121.15
www                     CNAME @
-------------------------------------------------------------------------------------------------------------------
just try with a copy of this one (backup first yours) and check with named-checkzone
LVL 1

Author Comment

by:bryanford
ID: 16308207
- copied it
- changed domain names to thatstough.net and left subs the same
- ran named-checkzone on the file...no errors.

seems to be the same thing.
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16311036
I just tried
 dig @220.233.200.67 thatstough.net any

and got

;; connection timed out; no servers could be reached


did you get named started?
check what it says on /var/log/messages
LVL 1

Author Comment

by:bryanford
ID: 16318246
Hello

Yes, sorry, I reinstalled my Debian server from scratch. Still the same thing happening. I have redelegated my domain to a different nameserver so people can view the website. You should be able to get onto ns1.thatstough.net now to try and do queries.
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16324560
wow

it's a lot of work

but still cannot access ns1.thatstough.net

it's filtered. you need to open the firewall
LVL 1

Author Comment

by:bryanford
ID: 16328451
I have opened the firewall. See iptables results below:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

I don't know how more open I could make the firewall.
LVL 19

Accepted Solution

by:Gabriel Orozco (earned 750 total points)
ID: 16328596
well

dig @205.123.121.15 thatstough.net any

does not get anything in return, so then you must have a firewall BEFORE the linux box.

could this be possible?

Regards
LVL 1

Author Comment

by:bryanford
ID: 16328802
My IP address is 220.233.200.67

The only firewall I have is my router (NAT) and port 53 both UDP and TCP are forwarded to the internal address of the linux box.

I am going to try using my ADSL modem in bridge mode and dialout from the linux box and then do a couple of tests with the linux box having a direct connection to the net.

Regards

Daniel
LVL 1

Author Comment

by:bryanford
ID: 16330603
After I did this it worked...It was my router. Something is wrong with it.

I'm going to give you the points because of your persistence and troubleshooting technique. Thank you for all your help.
LVL 1

Author Comment

by:bryanford
ID: 16331065
Sure enough I have configured another router with the same configuration and it works fine.

In case anyone wants to know...the Netgear Rangemax router does not handle DNS TCP/UDP on port 53 very well.
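The thread's diagnosis came down to whether port 53 actually reaches named over each transport from each vantage point (the three dig steps in the first expert comment, and the router that mishandled DNS on UDP/TCP in the end). Added example, not code from the thread: a stdlib-only Python probe that sends the same query once over UDP and once over TCP, so a transport the router forwards badly shows up as a timeout on that side alone. The server address and query name are command-line arguments; the response bytes used in the test are constructed.

```python
"""Probe a DNS server over UDP and TCP port 53 separately (stdlib only, added example)."""
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query with RD set. qtype 1 = A, 255 = ANY (the thread's 'any')."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data):
    """Extract transaction id, rcode, AA flag and answer count from a raw response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": an}

def query_udp(server, name, qtype=1, timeout=3.0):
    """Send one UDP query; None means no reply (filtered, not forwarded, or dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)

def query_tcp(server, name, qtype=1, timeout=3.0):
    """Send the same query over TCP (2-byte length prefix, RFC 1035 section 4.2.2)."""
    q = build_query(name, qtype)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    return None
                data += chunk
    except (OSError, struct.error):
        return None
    return parse_response(data)

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]  # e.g. the external IP and www.externaldomain.net
    for label, fn in (("UDP", query_udp), ("TCP", query_tcp)):
        r = fn(server, name)
        print(label, "no reply within timeout" if r is None else r)
```

Run it from a host outside the NAT as well as from the LAN: a reply on the LAN but a timeout on one transport from outside points at the device in between, which is where this thread ended up.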