BIND9 Queries from the outside Time-Out

Hello

Okay, here is the problem in a nutshell. I have a Debian server running BIND9. In that I have a zone set up, let's call it externaldomain.net. In that zone I have a few records, one of them being www pointing to an external IP. When I do a query for www through that server on my local network I get a lovely reply. However, when I do a query from the outside I get timeouts all around. Straight away you are probably thinking, "port forwarding". Nup, done this... and my problem continues.

I have forwarded both UDP and TCP port 53 to the BIND server on the local network. The weird thing is that I can do a list all command in Windows NSLOOKUP from the outside, e.g.:

ls -d externaldomain.net

and it will return what is in the zone. I check the logs on my BIND server and it says it has done a transfer and all to accomplish this. However there is no log to say that, when querying, it times out. When the BIND service starts there are no errors in the logs either and it says it is listening on port 53. Oh yes, I've also added the option to allow recursion and queries for 'any' as well. Any ideas anyone?

Thanks!
bryanfordAsked:

Gabriel OrozcoSolution ArchitectCommented:
hello

first, you need to be sure it is not a network/firewall problem.

1.- when you type (at the DNS server's prompt) dig @localhost www.externaldomain.net any, do you get a response?
2.- when you type (at another server on the internal network) dig @internal.ip.of.the.dns.server www.externaldomain.net any, do you get the same response?
3.- when you type (at another server outside on the internet) dig @external.ip.of.the.dns.server www.externaldomain.net any, do you get the same response?

then we can see where the problem resides.

If it is on the internet side only (I'm guessing), did you use a forward from another device to your server? Are both DNS ports (53 UDP and TCP) open on BOTH the router and your Linux box firewall?

to see on the router: use its web admin console
to see on the linux box: iptables -L -vn | grep 53

hope this helps
0
bryanfordAuthor Commented:

1. When I do that from the DNS server terminal, I get a reply and an authority response
2. When I do that on another internal computer, in this case Windows using nslookup, I get a response
3. When I try doing the same thing on a Windows computer on the outside, I get a timeout.

I forwarded port 53 UDP/TCP on my router to the internal address of my DNS server

I have Webmin installed, which has a Linux Firewall feature (uses iptables), and it says it's accepting all incoming packets.

Any other ideas?
0
Gabriel OrozcoSolution ArchitectCommented:
many!!! =)

what does iptables -L -vn (issued as root) say?

what do you have in your /etc/named.conf ?  (please strip the RNDC KEY part, since we don't need it and it should be kept secret)
0
bryanfordAuthor Commented:
hehe glad to hear you're enthusiastic about it.

okay, this is what I get when I run iptables -L -vn as root:

================================================

Chain INPUT (policy ACCEPT 24902 packets, 4398K bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 26117 packets, 9733K bytes)
 pkts bytes target     prot opt in     out     source               destination        

================================================

My external domain is no secret so I will give you those details if you wish to use them to work with. The domain name is "thatstough.net" and the name server is "ns1.thatstough.net", which points to my IP. On my registrar I have a different name server at the moment until I can fix this other problem up. But still, basically I can't make DNS queries from the outside when I try to use my server.

named.conf has:

====================================

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

zone "." {
      type hint;
      file "/etc/bind/db.root";
};

zone "localhost" {
      type master;
      file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
      type master;
      file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
      type master;
      file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
      type master;
      file "/etc/bind/db.255";
};

zone "thatstough.net" {
      type master;
      file "/etc/bind/db.thatstough";
      };

====================================

named.local.conf has nothing in it
named.options.conf has:

====================================

options {
      directory "/var/cache/bind";
      recursion yes;
      allow-query { any; };
};

====================================

Thanks again
0
Gabriel OrozcoSolution ArchitectCommented:
hehehe found the problem: you do not have your DNS pointed to your IP; instead the authority for your domain is still an external one: ns1.everydns.net and ns2.everydns.net (see the output of the dig command). You need to go to your registrar and tell them your IP address will be the authority for your domain (this will only work if you have a static IP address):
--------------------------------------------------------------------------------------------
[gorv@localhost ~]$ dig thatstough.net any

; <<>> DiG 9.2.4 <<>> thatstough.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12143
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;thatstough.net.                        IN      ANY

;; ANSWER SECTION:
thatstough.net.         172800  IN      NS      ns1.everydns.net.
thatstough.net.         172800  IN      NS      ns2.everydns.net.

;; ADDITIONAL SECTION:
ns2.everydns.net.       172776  IN      A       216.218.240.206
ns1.everydns.net.       172776  IN      A       38.99.14.207

;; Query time: 113 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Mar 27 23:23:28 2006
;; MSG SIZE  rcvd: 109
0
bryanfordAuthor Commented:
yep, I know. I don't have it pointed because it's not accepting queries properly. I've changed it on my registrar so you can try doing it from one of the public servers or something... it's strange. I can do any queries from the outside but when I try to do specific A record queries it times out. See below

When I search for all
=============================================================================================

Searching for thatstough.net ALL record at ns1.thatstough.net. [220.233.200.67]: Reports thatstough.net. [took 261 ms]

Answer:


Domain               Type  Class  TTL     Answer
thatstough.net.      SOA   IN     604800  Primary DNS server: thatstough.net.
                                          Responsible Name:   root@thatstough.net.
                                          Serial:             1
                                          Refresh:            604800 (1w)
                                          Retry:              86400 (1d)
                                          Expire:             2419200 (4w)
                                          Minimum/NegTTL:     604800 (1w)
thatstough.net.      NS    IN     604800  ns1.thatstough.net.
ns1.thatstough.net.  A     IN     604800  220.233.200.67

=============================================================================================

When I do a specific www which does exist in the zone file

=============================================================================================
Searching for www.thatstough.net A record at ns1.thatstough.net. [220.233.200.67]: Timed out.  Trying again.

=============================================================================================
0
bryanfordAuthor Commented:
Something else to add... I just added a test CNAME record in the zone and I can query it from the outside. See below

mail.thatstough.net ALL record at ns1.thatstough.net. [220.233.200.67]: Got CNAME of www.thatstough.net
0
Gabriel OrozcoSolution ArchitectCommented:
heheheh

well, I don't know the tool you're using to check your DNS, but I can check it from my own Linux server and it looks more or less right:

=========================================================================
[gorv@localhost ~]$ dig @220.233.200.67 thatstough.net any

; <<>> DiG 9.2.4 <<>> @220.233.200.67 thatstough.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28211
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;thatstough.net.                        IN      ANY

;; ANSWER SECTION:
thatstough.net.         604800  IN      SOA     thatstough.net. root.thatstough.net. 1 604800 86400 2419200 604800
thatstough.net.         604800  IN      NS      ns1.thatstough.net.

;; ADDITIONAL SECTION:
ns1.thatstough.net.     604800  IN      A       220.233.200.67
=========================================================================


But, just to add some to your configuration:

A) your start of authority (SOA) must point to one of your DNS servers, so I think your SOA must be
thatstough.net.         604800  IN      SOA     ns1.thatstough.net.   root.thatstough.net. 1 604800 86400 2419200 604800

B) You have defined very high numbers for refresh and cache... when you make the change, it's good to make them smaller so your site gets refreshed sooner, and you don't need to wait one week for each change.

C) for your serial number it is accepted and generally used to have the date followed by a serial within the date, as here:
2006032701 (today, YYYYMMDD serial 01)

D) You made a CNAME called mail, but pointing it to www.thatstough.net, and haven't set up www yet =) every time you create a CNAME it must point to an A record that is already set up =)
0
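As an added example (not from the thread, and not BIND's own tooling), here is a small Python linter for the three zone-file points raised above: an SOA MNAME that is not one of the zone's NS names, a serial not in date form, and a CNAME pointing at a name with no record. It runs over a constructed copy of the posted zone and assumes a single-origin master file with no $ORIGIN directives.

```python
import re
# Constructed zone, modelled on the posted db.thatstough: serial 1, SOA MNAME = apex, dangling CNAME.
ZONE_TEXT = """$TTL 604800
@    IN SOA thatstough.net. root.thatstough.net. (
          1 604800 86400 2419200 604800 )   ; serial refresh retry expire negttl
@    IN NS ns1.thatstough.net.
ns1  IN A  220.233.200.67
www  IN A  220.233.200.67
mail IN CNAME tbc
"""

def fqdn(name, origin):
    """Make an owner or rdata name absolute (trailing dot); '@' is the origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal master-file parser: strip ; comments, join SOA parentheses, skip $directives."""
    body = re.sub(r";[^\n]*", "", text)
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    records, owner = [], origin
    for line in body.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("$"):
            continue
        if not line[0].isspace():        # blank owner field reuses the previous owner
            owner = fqdn(toks.pop(0), origin)
        if toks and toks[0] == "IN":
            toks.pop(0)
        records.append((owner, toks[0], toks[1:]))   # (owner, rrtype, rdata tokens)
    return records

def lint_zone(text, origin):
    """Checks from points A, C and D above; returns a list of finding strings."""
    rrs = parse_zone(text, origin)
    ns_names = {fqdn(r[2][0], origin) for r in rrs if r[0] == origin and r[1] == "NS"}
    owners = {r[0] for r in rrs}
    findings = []
    for owner, rrtype, rdata in rrs:
        if rrtype == "SOA":
            mname, serial = fqdn(rdata[0], origin), rdata[2]
            if mname not in ns_names:
                findings.append(f"SOA MNAME {mname} is not one of the zone's NS names")
            if not re.fullmatch(r"(19|20)\d{8}", serial):
                findings.append(f"serial {serial} is not in YYYYMMDDnn form")
        elif rrtype == "CNAME":
            target = fqdn(rdata[0], origin)
            if target.endswith(origin) and target not in owners:
                findings.append(f"CNAME {owner} -> {target}: target has no record in the zone")
    return findings
```

named-checkzone remains the authoritative syntax check; this only flags the policy points discussed in the thread.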
bryanfordAuthor Commented:
Thank you for all that extra information

However I have about 5 random A records which aren't showing up in the ALL query, including www.thatstough.net. Not even the CNAME comes up in the ALL query.
0
Gabriel OrozcoSolution ArchitectCommented:
then post your zone file here

did you run named-checkconf against your zone file?
0
bryanfordAuthor Commented:
db.thatstough zone file

==============================================================
$TTL      604800
@      IN      SOA      thatstough.net. root.thatstough.net. (
                        1            ; Serial
                   604800            ; Refresh
                    86400            ; Retry
                  2419200            ; Expire
                   604800 )      ; Default TTL
;
@      IN      NS      ns1.thatstough.net.

ns1      IN      A      220.233.200.67
www      IN      A      220.233.200.67
abc      IN      A      220.233.200.67
azc      IN      A      220.233.200.67
atc      IN      A      220.233.200.67
tbc      IN      A      220.233.200.67
mail      IN      CNAME      tbc
==============================================================

I did check and these are the errors I got

/etc/bind/db.thatstough:1: unknown option '$TTL'
/etc/bind/db.thatstough:3: unknown option 'Serial'
/etc/bind/db.thatstough:4: unknown option 'Refresh'
/etc/bind/db.thatstough:5: unknown option 'Retry'
/etc/bind/db.thatstough:6: unknown option 'Expire'
/etc/bind/db.thatstough:7: unknown option 'Default'
/etc/bind/db.thatstough:9: unknown option '@'
/etc/bind/db.thatstough:17: unexpected token near end of file
0
Gabriel OrozcoSolution ArchitectCommented:
here is an example of one of my zone files:
$ORIGIN .
$TTL 900        ; 15 minutes
vwclassicclub.com.mx    IN SOA  ns1.vwclassicclub.com.mx. root.vwclassicclub.com.mx. (
                                2005042015     ; serial
                                60         ; refresh (1 minute)
                                7200       ; retry (2 hours)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.vwclassicclub.com.mx.
$TTL 60 ; 1 minute
                        A       205.123.121.15
                        MX      10 correo.vwclassicclub.com.mx.
$ORIGIN vwclassicclub.com.mx.
correo                  A       205.123.121.15
listen                  A       205.123.121.15
mail                    A       205.123.121.15
status                  A       205.123.121.15
www                     CNAME @
-------------------------------------------------------------------------------------------------------------------
just try with a copy of this one (back up yours first) and check with named-checkzone
0
bryanfordAuthor Commented:
- copied it
- changed domain names to thatstough.net and left subs the same
- ran named-checkzone on the file...no errors.

seems to be the same thing.
0
Gabriel OrozcoSolution ArchitectCommented:
I just tried
 dig @220.233.200.67 thatstough.net any

and got

;; connection timed out; no servers could be reached


did you get named started?
check what it says in /var/log/messages
0
bryanfordAuthor Commented:
Hello

Yes sorry I reinstalled my Debian server from scratch. Still the same thing happening. I have redelegated my domain to a different nameserver so people can view the website. You should be able to get onto ns1.thatstough.net now to try and do queries.
0
Gabriel OrozcoSolution ArchitectCommented:
wow

it's a lot of work

but still cannot access ns1.thatstough.net

it's filtered. you need to open the firewall
0
bryanfordAuthor Commented:
I have opened the firewall. See iptables results below:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

I don't know how more open I could make the firewall.
0
Gabriel OrozcoSolution ArchitectCommented:
well

dig @205.123.121.15 thatstough.net any

does not get anything in return, so then you must have a firewall BEFORE the Linux box.

could this be possible?

Regards
0

bryanfordAuthor Commented:
My IP address is 220.233.200.67

The only firewall I have is my router (NAT) and port 53 both UDP and TCP are forwarded to the internal address of the linux box.

I am going to try using my ADSL modem in bridge mode and dialout from the linux box and then do a couple of tests with the linux box having a direct connection to the net.

Regards

Daniel
0
bryanfordAuthor Commented:
After I did this it worked... It was my router. Something is wrong with it.

I'm going to give you the points because of your persistence and troubleshooting technique. Thank you for all your help.
0
bryanfordAuthor Commented:
Sure enough I have configured another router with the same configuration and it works fine.

In case anyone wants to know... the Netgear Rangemax router does not handle DNS TCP/UDP on port 53 very well.
0
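The thread's outcome, where the "ls -d" zone listing (a zone transfer, carried over TCP) got through the router while ordinary queries (UDP) timed out, is the kind of split a transport-by-transport probe exposes directly. As an added example, not from the thread or from any DNS tool the posters used, the Python below encodes a minimal A query, sends it once over UDP and once over TCP with the RFC 1035 two-byte length prefix, and reports which transport answered; the server address and query name passed to probe() are the caller's to supply.

```python
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a standard recursion-desired DNS query for qname (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (txid, rcode, answer_count) from a raw DNS message; reject non-responses."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return txid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (recv may return partial data)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full DNS message")
        buf += chunk
    return buf

def probe(server, qname, timeout=3.0):
    """Send the same A query over UDP and TCP; return {'udp': ..., 'tcp': ...} where each value
    is (txid, rcode, answers), 'timeout', or 'error: ...'. A NAT box that passes only one
    transport shows up as one side answering while the other times out."""
    q = build_query(qname)
    results = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            results["udp"] = parse_header(s.recvfrom(4096)[0])
    except OSError as e:   # socket.timeout is an OSError subclass
        results["udp"] = "timeout" if isinstance(e, socket.timeout) else f"error: {e}"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)       # RFC 1035 4.2.2 length prefix
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            results["tcp"] = parse_header(recv_exact(s, length))
    except OSError as e:
        results["tcp"] = "timeout" if isinstance(e, socket.timeout) else f"error: {e}"
    return results
```

Run probe() from a host outside the NAT against the server's public address with a name from its zone; a matching txid in both answers confirms the forwarding device passed each transport.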