yarekGmail
asked on
DNS relay
Hello experts,
I am a total newbie to DNS management.
I have a dedicated server and I am using it as my DNS for my PC. (Linux server with BIND installed)
Works fine !
My idea would be to use opendns for filtering web.
So a kind of system like:
My PC<----> my DNS server<----->OpenDNS<----- > check if website is ok
Do you think this is possible ? Any clue on where to start ?
What do you mean by "filtering web" - as in blocking objectionable content?
ASKER
yes : that's correct !
Blocking content really doesn't have anything much to do with DNS - in order to do filtering on outbound web requests, you have to access the port 80/tcp stream out of your network. If you can get your user machines configured to use a proxy server, that is probably the cheapest/easiest solution, however that is easily bypassed/disabled.
The higher-end solution would be to put a network appliance at the outermost point of your network which inspects all your http (and/or https) traffic outbound.
Finally, you have to get your list of "bad sites" from somewhere. Usually this is a subscription based service, but in the squid/proxy environment, you could statically code in your own rules for objectionable words/titles, etc.
ASKER
Obviously you do not know opendns.com
I do not need help about how a parental control works, just some help about BIND rules or configuration on:
My PC<----> my DNS server<--*****---->OpenDNS <-----> check if website is ok
especially this <---****----> gateway
regards
I've been doing this for 15 years, and I know opendns.com well, along with many other similar technologies and this is not how it has been done at the telecom providers I've worked for.
Nevertheless, if you simply want to have your DNS server send all queries to opendns.com, do this in the options section of named.conf:
forwarders { 8.8.8.8; 8.8.4.4; };
forward only;
Substitute those sample IPs for the IP addresses of opendns' DNS servers.
ASKER
thanks, will check that !
Do I need to change something so I can use my dedicated server instead of ISP DNS ?
(a kind of authorization so any IP can connect to this my dedicated server BIND ?)
Thanks again
I thought you said that your PC was already set up to use your Linux dedicated server for DNS?
ASKER
yes, but I realized it works with 1 server.
I tried with 2 other dedicated servers I have, with no success.
(As you realized, my Linux knowledge is very weak.)
Thanks again for your help.
Regards
Can you please give me a detailed description of what does not work, and I will try to help you fix it.
ASKER
By the way, I can pay you for this, there is no reason you try to help me for free.
Are you ok to handle that project ?
Let's fix one at a time, so server2 - that is a Linux machine too right?
Please log in to server2 and type "ps ax | grep named" and tell me what it says.
Thank you for the offer of payment, but let's see if it's an easy fix first.
ASKER
Linux of course.
Here is the output:
ns28315 ~ # ps ax | grep named
2656 pts/0 D+ 0:00 grep --colour=auto named
19801 ? Ss 0:00 /usr/sbin/named -u named -n 1
It is BIND and it is running (since I host some websites on it)
Regards
Please run the following command on server2:
nslookup www.experts-exchange.com 0.0.0.0
ASKER
ns28315 ~ # nslookup https://www.experts-exchange.com 0.0.0.0
Server: 0.0.0.0
Address: 0.0.0.0#53
Non-authoritative answer:
https://www.experts-exchange.com canonical name = experts-exchange.com.
Name: experts-exchange.com
Address: 64.156.132.140
Okay, so we know it's listening (and working) on localhost:53.
But we need to see if it's working on the main IP of the box. So please do "netstat -na | grep :53"
If you see something like this:
udp 0 0 0.0.0.0:53 0.0.0.0:*
Then it means that named is listening fine, and perhaps there is a firewall blocking your Windows machine from using it. Please also do:
/sbin/iptables -nL
ASKER
ns28315 ~ # netstat -na | grep :53
tcp 0 0 91.121.93.45:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 5027 91.121.93.45:80 190.251.178.40:53638 ESTABLISHED
tcp 0 0 91.121.93.45:80 181.40.169.97:53708 FIN_WAIT2
tcp 0 702 91.121.93.45:80 190.251.178.40:53635 ESTABLISHED
tcp 0 676 91.121.93.45:80 190.251.178.40:53639 ESTABLISHED
tcp 0 681 91.121.93.45:80 190.251.178.40:53636 ESTABLISHED
tcp 0 46464 91.121.93.45:80 190.251.178.40:53629 ESTABLISHED
tcp 0 3548 91.121.93.45:80 190.251.178.40:53637 ESTABLISHED
tcp 0 0 91.121.93.45:80 190.251.178.40:53468 TIME_WAIT
tcp 0 0 91.121.93.45:80 181.40.169.97:53707 TIME_WAIT
udp 0 0 91.121.93.45:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
No there is no firewall running
ns28315 ~ # /sbin/iptables -Nl
ns28315 ~ #
Maybe what I am trying to do has no sense.
- Is it possible to use the DNS BIND service from my dedicated server instead of the DNS servers provided by my internet provider to access the internet (I use Windows XP) ?
(It seems it can be done since I put the IP of my server as primary DNS and the IP provided by the hosting company ovh.com as my secondary IP) and that works for server1 but not for server2, nor server3.
if you need to contact me directly, use yarekc at gmail com
Thanks again for your time
Yes, of course it is possible - you are already doing it with server1. All you have to do is uncheck "obtain DNS servers automatically" in XP, and put in the IP address(es) of your own ones.
I can use your server2 fine to do lookups - are you sure you're putting the IP in correctly into your XP settings?
xterm@dellxps:~$ nslookup www.ibm.com 91.121.93.45
Server: 91.121.93.45
Address: 91.121.93.45#53
Non-authoritative answer:
www.ibm.com canonical name = www.ibm.com.cs186.net.
Name: www.ibm.com.cs186.net
Address: 129.42.60.216
ASKER
I have put 91.121.93.45 and 127.0.0.1
(I do not know what to put as second DNS) and I got:
Server not found
Firefox can't find the server at www.ibm.com.
When I put
91.121.93.45 and 8.8.8.8 : this works (google dns) !
Regards
What about 91.121.93.45 by itself? You don't have to fill in both.
ASKER
I don't understand what you mean. Windows does not accept the same IP for primary and secondary.
No, just leave the secondary empty, put nothing in there.
ASKER
I just filled 1st with 91.121.93.45 and left blank the second:
I cannot access internet
regards
xterm@dellxps:~/Downloads$ nslookup www.ibm.com 91.121.93.45
Server: 91.121.93.45
Address: 91.121.93.45#53
** server can't find www.ibm.com.lsn.net: REFUSED
Did you change something on server2? Yesterday when I did this lookup off it, it worked fine. Today it fails. What is the date of the file /etc/named.conf?
ASKER
I changed it and restored it (and restarted the BIND server): all this was done on Saturday when testing.
ns28315 etc # ls -l resolv.conf
-rw-r--r-- 1 root root 70 jun 1 2009 resolv.conf
And here is the content of resolv.conf:
nameserver 127.0.0.1
nameserver 91.121.93.45
nameserver 213.186.33.99
Regards
ASKER
When I use:
213.251.134.156 (my server1)
BLANK
It works !
Regards
Okay, so what did you change on server2 ( 91.121.93.45 ) - it was working on Saturday.
Can you please paste /etc/named.conf (not resolv.conf - that is not relevant for this problem) in here so I can look at it. I suspect you have recursion turned off.
Thanks.
ASKER
The things I would do to your named.conf ...
ASKER
???
Okay, you have recursion blocked, see this line:
allow-recursion {127.0.0.1;};
Recursion means allowing queries to go to the Internet to get answers. Obviously for all your domains on there, that is not necessary, because the zone files are located on the system.
You have two options to make it work. You can either add your Windows XP machine's IP to the allowed recursion directive on server2 like this:
allow-recursion {127.0.0.1; 10.0.0.1; };
Or you can just comment out that line entirely, and allow it to everybody by replacing it with:
recursion yes;
So, do one or the other, restart named, and then you can go into XP settings and set for DNS servers
91.121.93.45
BLANK
And you'll be all good.
ASKER
Ok GREAT !!!
Thanks for your help!
Now : back to the original question : is it possible that 91.121.93.45 uses these 2 servers: 208.67.222.123 , 208.67.220.123
so I have: My PC<----> my DNS server (this part is ok now) <----->OpenDNS<-----> check if website is ok
Regards
ASKER CERTIFIED SOLUTION
ASKER
Thanks for everything.
I am trying now to use a new server with no domain names, with no chance:
Its IP is 88.190.30.200
When I type in : nslookup www.ibm.com 88.190.30.200 from another server:
ns28315 ~ # nslookup www.ibm.com 88.190.30.200
Server: 88.190.30.200
Address: 88.190.30.200#53
** server can't find www.ibm.com: REFUSED
So I guess I have no rights to use it from an external source
When I type in:
locate named.conf
/etc/named.conf
/etc/bind/named.conf
/etc/bind/named.conf.default-zones
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/usr/share/man/man5/named.conf.5.gz
/var/named/run-root/etc/named.conf
/var/named/run-root/etc/named.conf.default
which of the conf files should I edit and what should I change there ?
etc-named.conf.txt
etc-bind.named.conf.txt
Regards
I have to get going, but I'll upload a fixed /etc/named.conf for you tomorrow.
ASKER
great, thanks !
In options {} section:
Take out the allow-recursion {} 3 lines, and replace with
recursion yes;
Then add the following lines just below
forwarders { 8.8.8.8; 8.8.4.4; };
forward only;
Replace the IPs above with opendns.com's DNS servers, and restart, and then your queries should go there.
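As an added example (not code from this thread or from BIND), a small Python check that reads the options block of a named.conf and reports whether recursion is off, restricted by an allow-recursion ACL as suggested earlier in the thread, or open to everyone, which is what the bare "recursion yes" above means on a server reachable from the whole internet, along with the forwarders it uses. The two named.conf fragments are constructed, with 192.0.2.10 standing in for the XP client.

```python
import re
# Constructed named.conf fragments (not the asker's real files); 192.0.2.10 stands
# in for the XP client, where the thread used 10.0.0.1 as a placeholder.
OPEN_RESOLVER = """options {
    recursion yes;                                // anyone reaching port 53 may recurse
    forwarders { 208.67.222.123; 208.67.220.123; };
    forward only;
};"""
RESTRICTED = """options {
    allow-recursion { 127.0.0.1; 192.0.2.10; };   // only these clients may recurse
    forwarders { 208.67.222.123; 208.67.220.123; };
    forward only;
};"""

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* block */ comments
    return re.sub(r"(//|#).*", "", text)                # // and # line comments

def options_block(conf):
    """Body of options { ... }, found by brace matching since it nests lists."""
    text = _strip_comments(conf)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]

def address_list(body, key):
    """Entries of 'key { a; b; };', or None when the statement is absent."""
    m = re.search(r"\b" + re.escape(key) + r"\s*\{([^}]*)\}\s*;", body)
    return None if m is None else [a.strip() for a in m.group(1).split(";") if a.strip()]

def recursion_policy(conf):
    """'off', 'restricted' (allow-recursion ACL) or 'open' (no ACL, or 'any')."""
    body = options_block(conf)
    if re.search(r"\brecursion\s+no\s*;", body):
        return "off"
    acl = address_list(body, "allow-recursion")
    # Conservative: no ACL is reported as open, i.e. what a bare 'recursion yes' gives.
    return "open" if acl is None or "any" in acl else "restricted"

def forwarding(conf):
    """Forwarder addresses and whether 'forward only' stops BIND iterating itself."""
    body = options_block(conf)
    return {"forwarders": address_list(body, "forwarders") or [],
            "forward_only": re.search(r"\bforward\s+only\s*;", body) is not None}
```

Run it against a real /etc/named.conf by reading the file into a string and passing it to recursion_policy() and forwarding(); "open" on a public dedicated server is the setting worth tightening back to an ACL.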