Fedora Core 3 & BIND

Posted on 2006-11-14
Last Modified: 2012-06-27
I've configured 2 Fedora Core 3 machines with BIND, and I've enabled ports 22 and 53 for SSH and DNS.  I've verified that the zone files are transferring from the master server to the slave server and are replicating correctly.

I am not able to telnet to port 53 to verify that the DNS servers are listening and port 53 is open - I've also run nmap to verify what ports are open and this is the output; as you can see, port 53 is not open:

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-14 02:33 PST
Interesting ports on dns1 (127.0.0.1):
(The 1667 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
111/tcp   open  rpcbind
631/tcp   open  ipp
953/tcp   open  rndc
50000/tcp open  iiimsf
50002/tcp open  iiimsf
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10

__________________

I've also run nmap on our existing dns server which is in fact answering on port 53, and I'm seeing the same output.  There is no mention of port 53.  I've also verified that iptables is not running.  What else can be preventing these servers from answering on port 53??  Is there possibly another firewall in place that I don't know about?

I've NAT'd one of these machines through our PIX and have verified that port 53 has been opened up, and our secondary DNS server (dns2) has been NAT'd through our F5 load balancer and port 53 has been properly opened as well.  

How would I verify that the gateway is correct on these machines?  I've heard that it could be the gateway setting preventing port 53 from listening?  What file is my GATEWAY=x.x.x.x setting located in?
Question by: JWeb Admin
Expert Comment by: ravenpl
Can you post the output of: iptables -L INPUT -nx

Author Comment by: JWeb Admin
[root@dns1 ~]# iptables -L INPUT -nx
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Accepted Solution by: ravenpl (earned 500 total points)
> I am not able to telnet to port 53 to verify that the DNS servers are listening and port 53 is open
Not the best way to check. Rather:
host -a somename.domain.tld ip.of.server

To check the gateway setting:
route -n
ip route
cat /etc/sysconfig/network # the config

Also verify that port 53 is bound with: netstat -ltunp

Author Comment by: JWeb Admin
Here's my routing table:

[root@dns1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.9.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         10.9.2.254      0.0.0.0         UG    0      0        0 eth0

The other DNS server is on our 10.9.2.x network, and these machines also have a 10.9.3.x address as well which our router to the outside world lives on.  The router (gateway) is 10.9.3.254.  Our router on the 10.9.2.x network is 10.9.2.254.  In which file would I set the gateway?  Could this be a reason why I cannot communicate properly with my DNS servers?

Author Comment by: JWeb Admin
Here's the output from ip route:

[root@dns1 ~]# ip route
10.9.2.0/24 dev eth0  proto kernel  scope link  src 10.9.2.230
10.9.3.0/24 dev eth1  proto kernel  scope link  src 10.9.3.230
169.254.0.0/16 dev eth1  scope link
default via 10.9.2.254 dev eth0

Author Comment by: JWeb Admin
One more, here's the output from the cat /etc/sysconfig/network eth0 command:

[root@dns1 ~]# cat /etc/sysconfig/network eth0
NETWORKING=yes
HOSTNAME=dns
GATEWAY=10.9.2.254
cat: eth0: No such file or directory

Author Comment by: JWeb Admin
I also wanted to include the output from the netstat -ltunp command:

[root@dns1 network-scripts]# netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:46283               0.0.0.0:*                   LISTEN      1550/rpc.statd  
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1531/portmap    
tcp        0      0 127.0.0.1:50000             0.0.0.0:*                   LISTEN      1780/hpiod      
tcp        0      0 127.0.0.1:50002             0.0.0.0:*                   LISTEN      1785/python      
tcp        0      0 10.9.2.230:53               0.0.0.0:*                   LISTEN      10409/named      
 
....more

Expert Comment by: ravenpl
Well, I'm rather curious about the 'netstat -ltunp'. The info about routes was for you; you were asking for it.
As for 10.9.2 and 10.9.3: if they can ping each other and can ping the outside internet, it's fine.

Author Comment by: JWeb Admin
I can dig at both machines, only from one of the machines though.  If I dig from an outside machine, I get a "No servers can be reached" message.

Expert Comment by: ravenpl
> ....more
About port 53? Maybe: netstat -ltunp | grep ":53"
You will find the IPs on which named listens. But it seems that 10.9.2.230:53 is open. The best way to verify it's OK is to run the following command from the gateway box (or another machine in the net):
host -a some.name.it.should.answer 10.9.2.230

Expert Comment by: ravenpl
> I can dig at both machines, only from one of the machines though.  If I dig from an outside machine, I get a "No servers can be reached" message.
What do you mean by outside machine? From the internet? If so, then you need to add forwarding rules on your firewall (probably the gateway box).
You need to set up DNAT (destination NAT). Is the gateway/firewall (the one that has both public & private IPs) a Linux box or some other brand?
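ravenpl's DNAT point, shown as an added example that is not from the thread: if the gateway holding the public address were a Linux box running iptables, these are the rules that hand inbound port 53 to the resolver and let exactly that traffic through. That the gateway is Linux is an assumption made only for this illustration (the thread's gateway is a PIX, with an F5 in front of dns2, and those need their own NAT configuration). The interface name eth0, the public address 203.0.113.10 and the two helper functions are hypothetical; 10.9.2.230 is dns1's address as posted above.

```sh
#!/bin/sh
# Added example, not from the thread: DNAT inbound DNS on a Linux/iptables
# gateway. Assumption: the gateway is Linux (the thread's is a PIX/F5).
# The interface, public IP and function names are illustrative.

# dns_dnat_rules WAN_IF PUB_IP DNS_IP
# Prints the iptables commands that forward TCP and UDP port 53 arriving for
# PUB_IP on WAN_IF to DNS_IP:53 and let only that traffic through FORWARD.
dns_dnat_rules() {
    wan_if="$1"; pub_ip="$2"; dns_ip="$3"
    for proto in udp tcp; do
        # nat/PREROUTING runs before the routing decision, so rewriting the
        # destination here makes the kernel route the packet inward.
        echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto -d $pub_ip --dport 53 -j DNAT --to-destination $dns_ip:53"
        # filter/FORWARD sees the packet after DNAT, hence -d DNS_IP, not PUB_IP.
        # Matching one destination and port keeps the rest of the inside net unreachable.
        echo "iptables -A FORWARD -i $wan_if -p $proto -d $dns_ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Replies are un-NATed by conntrack on their own; the established flow
    # only needs to be allowed back out.
    echo "iptables -A FORWARD -o $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_dns_dnat WAN_IF PUB_IP DNS_IP [--dry-run]
# Runs the rules (needs root and net.ipv4.ip_forward=1), or with --dry-run
# just prints them so they can be reviewed first.
apply_dns_dnat() {
    dns_dnat_rules "$1" "$2" "$3" | while IFS= read -r rule; do
        if [ "$4" = "--dry-run" ]; then
            echo "$rule"
        else
            $rule
        fi
    done
}

# Demo (dry run): hypothetical public address 203.0.113.10 on eth0,
# dns1 at 10.9.2.230 as in the thread.
apply_dns_dnat eth0 203.0.113.10 10.9.2.230 --dry-run
```

Both protocols are forwarded on purpose: ordinary lookups are UDP, but zone transfers and answers too large for UDP fall back to TCP 53, so a UDP-only DNAT would look fine with `host` and still break AXFR. The FORWARD rules assume the chain's policy is DROP; if it is ACCEPT they change nothing, and the whole inside network is already exposed through the box.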

Author Comment by: JWeb Admin
[root@dns1 /]# netstat -ltunp | grep ":53"
tcp        0      0 10.9.2.230:53               0.0.0.0:*                   LISTEN      10409/named
udp        0      0 10.9.2.230:53               0.0.0.0:*                               10409/named
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1951/avahi-daemon:

As for the host -a command:

It answers on dns1.101m3.com but not dns2.  Interesting.  dns1 seems to work fine.
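The netstat output just above settles the original question: named has port 53 bound on 10.9.2.230 only, while the nmap run at the top of the thread scanned dns1 as 127.0.0.1, where nothing is bound on 53, so that scan could not have shown the port. The script below is an added example, not code from the thread. It parses `netstat -ltunp` output to list the addresses a daemon holds a port on and checks whether a given target address would actually reach one of those sockets; it also pulls the active default gateway out of `ip route` and the configured one out of /etc/sysconfig/network so the two can be compared, which is the check ravenpl's accepted answer asks for. The embedded sample inputs are the outputs posted in this thread, so it runs offline; the target addresses 127.0.0.1 and 10.9.3.230 are only the ones the thread mentions, and the function names are made up here.

```sh
#!/bin/sh
# Added example (not from the thread). Answers "is port 53 actually open,
# and on which address?" from netstat output, and cross-checks the gateway.

# Constructed sample inputs: the outputs quoted in the thread.
SAMPLE_NETSTAT='tcp        0      0 10.9.2.230:53               0.0.0.0:*                   LISTEN      10409/named
udp        0      0 10.9.2.230:53               0.0.0.0:*                               10409/named
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1951/avahi-daemon:'

SAMPLE_IPROUTE='10.9.2.0/24 dev eth0  proto kernel  scope link  src 10.9.2.230
10.9.3.0/24 dev eth1  proto kernel  scope link  src 10.9.3.230
169.254.0.0/16 dev eth1  scope link
default via 10.9.2.254 dev eth0'

SAMPLE_SYSCONFIG='NETWORKING=yes
HOSTNAME=dns
GATEWAY=10.9.2.254'

# bind_addrs PROGRAM PORT   (netstat -ltunp output on stdin)
# Prints "proto address" for every tcp/udp socket PROGRAM has bound on PORT.
# tcp6/udp6 lines work too; a wildcard v6 bind comes out as "::".
bind_addrs() {
    awk -v prog="$1" -v port="$2" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") && $NF ~ ("/" prog "$") {
            addr = $4; sub(":" port "$", "", addr)
            print $1, addr
        }'
}

# reachable_on ADDR   ("proto address" list on stdin)
# Exit 0 if a packet addressed to ADDR lands on one of those sockets:
# either an exact match or a wildcard bind (0.0.0.0 / ::).
reachable_on() {
    awk -v t="$1" 'BEGIN { miss = 1 }
        $2 == t || $2 == "0.0.0.0" || $2 == "::" { miss = 0 }
        END { exit miss }'
}

# default_gw      (ip route output on stdin): the gateway the kernel uses now
default_gw() { awk '$1 == "default" && $2 == "via" { print $3; exit }'; }

# configured_gw   (/etc/sysconfig/network on stdin): the GATEWAY= setting
configured_gw() { sed -n 's/^GATEWAY=//p' | head -n 1; }

# Demo on the embedded samples.
echo "named holds port 53 on:"
printf '%s\n' "$SAMPLE_NETSTAT" | bind_addrs named 53

# 127.0.0.1 is what the nmap run in the thread scanned; 10.9.3.230 is the
# box's address on the router's network (see the routing table above).
for t in 127.0.0.1 10.9.3.230 10.9.2.230; do
    if printf '%s\n' "$SAMPLE_NETSTAT" | bind_addrs named 53 | reachable_on "$t"; then
        echo "$t: port 53 open (named is bound on this address)"
    else
        echo "$t: port 53 closed (named is not bound on this address)"
    fi
done

active=$(printf '%s\n' "$SAMPLE_IPROUTE" | default_gw)
wanted=$(printf '%s\n' "$SAMPLE_SYSCONFIG" | configured_gw)
if [ "$active" = "$wanted" ]; then
    echo "default gateway $active matches /etc/sysconfig/network"
else
    echo "default gateway mismatch: kernel uses $active, config says $wanted"
fi
```

On a live box the same functions read the real tools: `netstat -ltunp | bind_addrs named 53`, `ip route | default_gw` and `configured_gw < /etc/sysconfig/network`. The useful habit this encodes is to scan or query the address the daemon is bound on, not the hostname's loopback entry, before concluding that a port is closed; a `host -a name 10.9.2.230` from another machine on 10.9.2.0/24, as ravenpl suggests, is the definitive check.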

Author Comment by: JWeb Admin
I have already set up a NAT on our firewall. Thanks for your help so far; it seems to have helped already.