
iptables rules for DNS service

fosiul01 asked
Last Modified: 2013-11-08
Hi
This is a little bit weird.
I have simple iptables rules:

iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

So all output is allowed and forward is allowed.

Now the problem:
when I try to restart the named service,

service named stop or restart

it will get stuck. It would not stop. I will have to manually kill it with Ctrl+C.
It starts fine; only stop has the problem.

But if I keep the iptables rules normal, like iptables --flush, it does stop without any problem.

So that means there are some extra rules I will have to add, but I don't know what.

Anyone have any idea?

CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Top Expert 2009

Author

Commented:
[root@mail file]# iptables -L --line
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
3    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED



If you keep iptables rules normal, meaning no incoming DNS requests?  :>>

If there are no iptables rules, then I can stop the named service without any problem. For example, with these rules, iptables --flush; now if I do service iptables stop, it will stop without any problem. I don't have to press Ctrl+C to stop it abnormally.



You can increase the debug level of named through signal USR1/USR2 or with rndc. ::>> Sorry, I don't know about this. Can you please give me the command?

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
kill -USR1 <pid_named>

rndc status
rndc help provides an example of what directives you can issue to the named process.

Without understanding what is going on on the system it is impossible to know what is going on.
Top Expert 2009

Author

Commented:
Normally when I type

service named start

it starts with one process:

[root@mail /]# ps aux | grep -v grep | grep named
named     3738  0.1  0.3  70676  3632 ?        Ssl  20:06   0:00 /usr/sbin/named -u named -t /var/named/chroot



When I am typing this

service named stop

it's creating 2 extra processes which do not die:

root      3874  0.0  0.1   3564  1300 pts/2    S+   20:06   0:00 /bin/sh /sbin/service named stop
root      3881  0.3  0.1   3744  1400 pts/2    S+   20:06   0:00 /bin/bash /etc/init.d/named stop

Now I will have to press Ctrl+C to kill all processes.

Or, as you said earlier, kill -USR1 3738

Also,
rndc status: does not show anything. It just hangs; when I press Ctrl+C, it says

[root@mail /]# rndc status
rndc: connect failed: 127.0.0.1#953: operation canceled

Check the pictures.


namedservice.GIF
Top Expert 2009

Author

Commented:
OK, it does stop automatically, but after 4 to 5 minutes!!

I really don't understand what the relation is between the named service stop and the iptables rules.

As I said, if I flush all iptables rules, it will stop without any delay!!!

It's a VPS server. I have seen the same thing with another VPS server from another VPS provider.




CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The two items you see are scripts that are triggered when you run service named stop, which
translates into /etc/init.d/named stop:

rndc stop
kill -TERM <named_pid>

do you have an rndc-key defined in /etc/named.conf?
The other issue is that you have a chrooted named. /var/named/chroot/named.conf
What IPs are configured within the /etc/named.conf for it to listen on, and is named set up to accept requests from rndc?

Post your named.conf.

Are you using this named service as a caching server for the inside, or does it have authoritative zones?
If it is merely a caching server, there are no iptables rules necessary unless your output policy defaults to DROP.
Top Expert 2009

Author

Commented:
Sorry for the late reply.

do you have an rndc-key defined in /etc/named.conf? :>> No

The other issue is that you have a chrooted named. /var/named/chroot/named.conf
What IPs are configured within the /etc/named.conf for it to listen and whether named is setup to accept requests from rndc? :>>

Below is my named.conf file; I deleted all the zone file info.
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        // named.conf keywords are lower-case
        recursion no;
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
#view "localhost_resolver"
#{
#/* This view sets up named to be a localhost resolver ( caching only nameserver ).
# * If all you want is a caching-only nameserver, then you need only define this view:
# */
#       match-clients           { localhost; };
#       match-destinations      { localhost; };
#       recursion yes;
#       # all views must contain the root hints zone:
#       include "/etc/named.root.hints";
#
#        /* these are zones that contain definitions for all the localhost
#         * names and addresses, as recommended in RFC1912 - these names should
#        * ONLY be served to localhost clients:
#        */
#       include "/etc/named.rfc1912.zones";
#};

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };

        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers

        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:

        //zone "my.external.zone" {
        //      type master;
        //      file "my.external.zone.db";
        //};

};


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
OK, you do not have RNDC-related items defined.
When set up using rndc trace, as referenced in the debug section within the named.conf you posted, output will be written to the /var/named/chrooted/var/run/named.run file.

Do you have another named.conf file in /var/named/chrooted/?
Top Expert 2009

Author

Commented:
That's the only named.conf, which is in /var/named/chroot/etc.
I don't have any other.

One more thing:
with those iptables rules
I can't ping outside. So if I say

ping google.co.uk

it will fail. So I guess there is some problem with traffic going outside, but I allowed all traffic to go outside.

Top Expert 2009

Author

Commented:
I have a feeling
this is a problem of the VPS server.

I think it's using OpenVZ or something like this,
and I heard they have problems with iptables.

I have checked the rules with a physical server; it does work.

But with the VPS it does not:
with outgoing Allow rules, I can't ping any site.

Top Expert 2009

Author

Commented:
lol, look at this one:

http://www.webhostingtalk.com/showthread.php?t=670415

As I doubted before...

I will speak with them.
They are noobs, I can tell, hence the price is so cheap. I don't mind, because it's for my own testing purposes.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Your problem is that you set up your named/DNS as authoritative (recursion no).
When you try to ping google.co.uk, the response ping gets is not an IP, but a reference to the root servers responsible for .uk.
Change named.conf by replacing recursion no with recursion yes and you will see a different behavior.

You also commented out the local resolver/view section.
Top Expert 2009

Author

Commented:
Good morning.
change named.conf by replacing recursion no with recursion yes and you will see a different behavior. :>>

I have changed recursion no to recursion yes.

you also commented out the local resolver/view section. :>> Yes, because it's a VPS server; I don't need the local resolver section.
Is there any problem with commenting out the local resolver section?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What is the purpose of the server?
You have the server seemingly functioning as a name, web and mail server.
In web and mail servers, DNS queries are generated to resolve the IPs and get MX records. You need your DNS server to resolve MX, A and PTR queries for these services.

Do you have external DNS servers listed in the /etc/resolv.conf file?
nameserver external_dns_ip

Often, you should disable functionalities you know you do not need. A local DNS on a mail server is helpful in reducing the amount of bandwidth consumed for queries when incoming connections are made, if your server configuration requires that the forward and reverse resolution match, as well as for other anti-spam techniques.
Top Expert 2009

Author

Commented:
What is the purpose for the server? :>> It's a VPS server, supposed to work as a name, web and mail server.
You have the server function seemingly as a name, web, mail server. :>> It's configured to work as a name, web and mail server.

Do you have external DNS servers listed in the /etc/resolv.conf file? :>> Yes, it's the VPS provider's DNS address.

a local DNS on a mail server is helpful in reducing the amount of bandwidth consumed for queries when incoming connections are made :>> Because I don't need a local resolver, that's why I disabled those lines.

Now...

With the iptables rules enabled, I can't do any DNS query and I can't send email outside from the mail server. It's because, with the rules below,

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

for some strange reason, the server can't do any outgoing query!! Input rules are working, but outgoing rules do not work.

Hence, I guess, it takes a long time to stop the named server!!! However, I still don't know what the relation is between stopping the named server and the iptables outgoing routes.

However, as in this link http://www.webhostingtalk.com/showthread.php?t=670415

I spoke with the VPS company. I guess they were trying to add the iptables module to OpenVZ, but as I said, they seem to be noobs. Now they are saying they need to change my IP to solve the issue!! They changed the IP; still the iptables outbound rules do not work. So they said they are trying to fix it.

Anyway, the bottom line is: what's the relation between the iptables rules and named server stop?

There must be a relation. As I said, with the iptables rules applied I can't do any outbound DNS query (ping google.com will fail).

I don't know if, before stopping the named service, the named server does any outbound query or not.
Commented:
Top Expert 2009

Author

Commented:
@bibjura!!
That's interesting!!!

After putting in that rule

iptables -I INPUT -i lo -j ACCEPT

I can restart or stop the named service without any problem.

Will you be able to explain where the relation is between iptables -I INPUT -i lo -j ACCEPT and stopping the named service?
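Editor's note with an added example; this is not code from the thread or from the BIND/Red Hat init scripts. The relation the author asks about, and the rndc stop / kill -TERM sequence the expert described earlier, fit together like this: /etc/init.d/named stop first runs rndc stop, which opens a TCP connection from 127.0.0.1 to 127.0.0.1:953. That connection leaves through OUTPUT (policy ACCEPT), comes back in on the lo interface, and is a NEW connection as far as the state match is concerned, so with the original rules it matches nothing in INPUT and hits the DROP policy. rndc waits for a reply that never arrives (the same hang seen with rndc status above), and the init script only falls back to killing named after that timeout, which is the 4 to 5 minute delay. Inserting -i lo -j ACCEPT at the top of INPUT lets the control connection through, so rndc stop returns immediately. The script below writes the full ruleset for the setup described in the thread (SSH, DNS, HTTP, SMTP, INPUT policy DROP) in iptables-restore format so it loads atomically, adds a check that catches exactly the missing-loopback mistake, and adds two things the original rules lacked: TCP 53 (DNS responses over 512 bytes retry over TCP, and zone transfers are TCP-only) and a rate-limited LOG rule so future drops show up in the kernel log instead of as silent hangs. Assumptions: rndc on 127.0.0.1:953 (BIND's default), iptables-restore present, and a kernel on which the conntrack state match works; on an OpenVZ container without the conntrack modules the ESTABLISHED,RELATED rule cannot match replies at all, which is a hosting-side problem no rule ordering fixes.

```shell
#!/bin/sh
# Added example (not from the thread): iptables-restore ruleset for a
# name/web/mail host with INPUT policy DROP, plus a check for the mistake
# that made "service named stop" hang (no loopback rule, so rndc's
# connection to 127.0.0.1:953 fell through to DROP).
# Assumptions: rndc on 127.0.0.1:953, iptables-restore available,
# working conntrack "state" match.

# gen_ruleset: print the filter table in iptables-restore format.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback first. rndc (and the init script's "rndc stop"), resolver
#    queries to 127.0.0.1 and anything else the box sends itself arrive
#    on lo as NEW connections and must not fall through to the DROP policy.
-A INPUT -i lo -j ACCEPT
# 2. Replies to connections this host opened (outbound DNS, SMTP, HTTP).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Services offered to the outside. DNS needs TCP as well as UDP.
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
# 4. Rate-limited log of whatever is about to hit the DROP policy. With
#    this rule the original problem is visible in the kernel log as a
#    packet with IN=lo SRC=127.0.0.1 DST=127.0.0.1 DPT=953.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# check_ruleset FILE: return 0 if the loopback accept rule is present in
# INPUT and comes before any INPUT rule that drops or rejects traffic.
check_ruleset() {
    file=$1
    lo_line=$(grep -n -- '^-A INPUT -i lo -j ACCEPT' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$lo_line" ]; then
        echo "missing: -A INPUT -i lo -j ACCEPT" >&2
        return 1
    fi
    first_drop=$(grep -n -E -- '^-A INPUT .*-j (DROP|REJECT)' "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$first_drop" ] && [ "$first_drop" -lt "$lo_line" ]; then
        echo "loopback rule comes after a DROP/REJECT rule" >&2
        return 1
    fi
    return 0
}

# apply_ruleset FILE: load the whole table atomically (needs root).
apply_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found" >&2
        return 1
    fi
    iptables-restore < "$1"
}

# Usage on the real host, as root:
#   gen_ruleset > /etc/sysconfig/iptables.dnshost
#   check_ruleset /etc/sysconfig/iptables.dnshost && apply_ruleset /etc/sysconfig/iptables.dnshost
```

After loading, rndc status should answer at once instead of hanging, and service named stop should return as soon as rndc stop does. If named still takes minutes to stop, look for "INPUT drop:" lines in the kernel log to see which packet is being dropped rather than guessing at rules.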
