
Fedora Core 3 & BIND

Posted on 2006-11-14
Last Modified: 2012-06-27
I've configured 2 Fedora Core 3 machines with BIND, and I've enabled ports 22 and 53 for SSH and DNS.  I've verified that the zone files are transferring between the master server to the slave server and are replicating correctly.

I am not able to telnet to port 53 to verify that the DNS servers are listening and port 53 is open - I've also run nmap to verify what ports are open and this is the output, as you can see, no port 53 is open:

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-14 02:33 PST
Interesting ports on dns1 (127.0.0.1):
(The 1667 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
111/tcp   open  rpcbind
631/tcp   open  ipp
953/tcp   open  rndc
50000/tcp open  iiimsf
50002/tcp open  iiimsf
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10

__________________

I've also run nmap on our existing dns server which is in fact answering on port 53, and I'm seeing the same output.  There is no mention of port 53.  I've also verified that iptables is not running.  What else can be preventing these servers from answering on port 53??  Is there possibly another firewall in place that I don't know about?

I've NAT'd one of these machines through our PIX and have verified that port 53 has been opened up, and our secondary DNS server (dns2) has been NAT'd through our F5 load balancer and port 53 has been properly opened as well.  

How would I verify that the gateway is correct on these machines?  I've heard that it could be the gateway setting preventing port 53 from listening?  What file is my GATEWAY=x.x.x.x setting located in?
Question by:JWeb Admin
13 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17940462
Can You bring here the output of: iptables -L INPUT -nx

Author Comment

by:JWeb Admin
ID: 17940488
[root@dns1 ~]# iptables -L INPUT -nx
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LVL 43

Accepted Solution

by: ravenpl (earned 500 total points)
ID: 17940665
> I am not able to telnet to port 53 to verify that the DNS servers are listening and port 53 is open
Not the best way to check. Rather
host -a somename.domain.tld ip.of.server

To check gateway setting:
route -n
ip route
cat /etc/sysconfig/network # the config

Also verify that port 53 is bound with: netstat -ltunp
 

Author Comment

by:JWeb Admin
ID: 17941203
Here's my routing table:

[root@dns1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.9.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         10.9.2.254      0.0.0.0         UG    0      0        0 eth0

The other DNS server is on our 10.9.2.x network, and these machines also have a 10.9.3.x address as well which our router to the outside world lives on.  The router (gateway) is 10.9.3.254.  Our router on the 10.9.2.x network is 10.9.2.254.  In which file would I set the gateway?  Could this be a reason why I cannot communicate properly with my DNS servers?

Author Comment

by:JWeb Admin
ID: 17941208
Here's the output from ip route:

[root@dns1 ~]# ip route
10.9.2.0/24 dev eth0  proto kernel  scope link  src 10.9.2.230
10.9.3.0/24 dev eth1  proto kernel  scope link  src 10.9.3.230
169.254.0.0/16 dev eth1  scope link
default via 10.9.2.254 dev eth0

Author Comment

by:JWeb Admin
ID: 17941216
One more, here's the output from the cat /etc/sysconfig/network eth0 command:

[root@dns1 ~]# cat /etc/sysconfig/network eth0
NETWORKING=yes
HOSTNAME=dns
GATEWAY=10.9.2.254
cat: eth0: No such file or directory

Author Comment

by:JWeb Admin
ID: 17941290
I also wanted to include the output from the netstat -ltunp command:

[root@dns1 network-scripts]# netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:46283               0.0.0.0:*                   LISTEN      1550/rpc.statd  
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1531/portmap    
tcp        0      0 127.0.0.1:50000             0.0.0.0:*                   LISTEN      1780/hpiod      
tcp        0      0 127.0.0.1:50002             0.0.0.0:*                   LISTEN      1785/python      
tcp        0      0 10.9.2.230:53               0.0.0.0:*                   LISTEN      10409/named      
 
....more
LVL 43

Expert Comment

by:ravenpl
ID: 17941300
Well, I'm rather curious about the 'netstat -ltunp'. The info about routes was for You - You were asking for it.
About 10.9.2 and 10.9.3 - if they can ping each other and can ping outside internet - it's fine.

Author Comment

by:JWeb Admin
ID: 17941316
I can dig at both machines, only from one of the machines though.  If I dig from an outside machine, I get a "No servers can be reached" message.
LVL 43

Expert Comment

by:ravenpl
ID: 17941349
> ....more
about port 53? maybe: netstat -ltunp | grep ":53"
You will find the IPs on which the named listens. But it seems that 10.9.2.230:53 is open. The best way to verify it's ok is to run the following command from the gateway box (or another machine in the net)
host -a some.name.it.should.answer 10.9.2.230
LVL 43

Expert Comment

by:ravenpl
ID: 17941370
> I can dig at both machines, only from one of the machines though.  If I dig from an outside machine, I get a "No servers can be reached" message.
What do You mean by outside machine? From the internet? If so, then You need to add forwarding rules on Your firewall (probably the gateway box).
You need to set up DNAT (destination NAT). Is the gateway/firewall (the one that has both public & private IPs) a linux box or some other brand?

Author Comment

by:JWeb Admin
ID: 17941374
[root@dns1 /]# netstat -ltunp | grep ":53"
tcp        0      0 10.9.2.230:53               0.0.0.0:*                   LISTEN      10409/named
udp        0      0 10.9.2.230:53               0.0.0.0:*                               10409/named
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1951/avahi-daemon:

As for the host -a command:

It answers on dns1.101m3.com but not dns2.  Interesting.  dns1 seems to work fine.

Author Comment

by:JWeb Admin
ID: 17941432
I have already set up a NAT on our firewall... thanks for your help so far, it seems to have helped already.