bind9 working locally no response outside

vojtaz

vojtaz

hi,

i've got a problem (like in title) with bind9, bind service is working correctly inside my local net, (what is strange) only between units (like my laptop -> server), unfortunately not between my router -> server (which is wrt-54g with tomato) the same with units from outside. port forwarding is set correctly. everything was working till yesterday. i have no idea why - i've made no changes in my confs. a month ago i had the same problem, but solved by commenting query-source in named.conf. my dns is working as a master, secondery is at freedns.sgh.waw.pl. pf is configured properly, i also tried with pf turned off - with no changes.


Code: 
### named.conf

options {
// Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";

listen-on { global-ip; 127.0.0.1; 10.0.0.2; };

//query-source address 10.0.0.2 port 53;
recursion no;
version "go away";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "127.0.0";
};

zone "domain.org" {
type master;
file "domain.org";
allow-transfer {
193.111.27.194; 194.145.96.21;
};
};

key "rndc-key" {
algorithm hmac-md5;
secret "************************************";
};

controls {
inet * allow { 127.0.0.1; } keys { "rndc-key"; };
};


### netstat

tcp4 0 0 *.953 *.* LISTEN
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 10.0.0.2.53 *.* LISTEN


### named -4 -g

10-Sep-2009 11:45:54.539 starting BIND 9.3.6-P1 -4 -g
10-Sep-2009 11:45:54.539 using up to 4096 sockets
10-Sep-2009 11:45:54.575 loading configuration from '/usr/local/etc/named.conf'
10-Sep-2009 11:45:54.600 using default UDP/IPv4 port range: [49152, 65535]
10-Sep-2009 11:45:54.600 using default UDP/IPv6 port range: [49152, 65535]
10-Sep-2009 11:45:54.602 no IPv6 interfaces found
10-Sep-2009 11:45:54.602 listening on IPv4 interface rl0, 10.0.0.2#53
10-Sep-2009 11:45:54.603 listening on IPv4 interface lo0, 127.0.0.1#53
10-Sep-2009 11:45:54.638 command channel listening on 0.0.0.0#953
10-Sep-2009 11:45:54.639 ignoring config file logging statement due to -g option

[loading outside zones .arpa]

10-Sep-2009 11:45:54.732 zone ip6.int/IN: loaded serial 42
10-Sep-2009 11:45:54.733 zone localhost/IN: loaded serial 42
10-Sep-2009 11:45:54.740 zone domena.org/IN: loaded serial 1224794394
10-Sep-2009 11:45:54.751 running
10-Sep-2009 11:45:54.772 zone domena.org/IN: sending notifies (serial 1224794394)


### /var/log/messages

Sep 10 11:53:34 host named[8669]: starting BIND 9.3.6-P1 -t /var/named -u bind
Sep 10 11:53:34 host named[8669]: command channel listening on 0.0.0.0#953
Sep 10 11:53:34 host named[8669]: the working directory is not writable
all other daemons are responsing :80 :22 :21 :110 etc. only dns not :|
 
network schema is very simple
Code: 
Freebsd server ------> wrt-54gl router ------> internet

my laptop ----------------^


ifconfig

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
	ether 00:19:66:77:24:7e
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
 
seems configs are ok...
try to `tcpdump -pn -i rl0 port domain` on server and try resolve ip from outside - is packets visible?
 
Code: 
13:20:16.180729 IP 10.0.0.2.63199 > 10.0.0.1.53:  48291+ A? MY-DOMAIN.pl. (36)
13:20:16.209087 IP 10.0.0.1.53 > 10.0.0.2.63199:  48291 ServFail 0/0/0 (36)
13:20:16.209463 IP 10.0.0.2.58318 > 10.0.0.1.53:  48291+ A? MY-DOMAIN.pl. (36)
13:20:16.213246 IP 10.0.0.1.53 > 10.0.0.2.58318:  48291 ServFail 0/0/0 (36)
13:20:16.213373 IP 10.0.0.2.53759 > 10.0.0.1.53:  48292+ AAAA? MY-DOMAIN.pl. (36)
13:20:16.239321 IP 10.0.0.1.53 > 10.0.0.2.53759:  48292 ServFail 0/0/0 (36)
13:20:16.239492 IP 10.0.0.2.62432 > 10.0.0.1.53:  48292+ AAAA? MY-DOMAIN.pl. (36)
13:20:16.243438 IP 10.0.0.1.53 > 10.0.0.2.62432:  48292 ServFail 0/0/0 (36)
13:20:16.243601 IP 10.0.0.2.53685 > 10.0.0.1.53:  48293+ A? MY-DOMAIN.pl.org. (40)
13:20:16.244838 IP 10.0.0.1.53 > 10.0.0.2.53685:  48293 2/0/0 A[|domain]
13:20:16.244967 IP 10.0.0.2.51305 > 10.0.0.1.53:  48294+ AAAA? MY-DOMAIN.pl.org. (40)
13:20:16.430975 IP 10.0.0.1.53 > 10.0.0.2.51305:  48294 0/1/0 (109)
13:20:16.960697 IP 10.0.0.2.57867 > 10.0.0.1.53:  48295+ A? [url]www.wsearch.net[/url]. (33)
13:20:16.961905 IP 10.0.0.1.53 > 10.0.0.2.57867:  48295 2/0/0 A 216.240.187.103, (65)
13:20:16.962039 IP 10.0.0.2.52068 > 10.0.0.1.53:  48296+ AAAA? [url]www.wsearch.net[/url]. (33)
13:20:17.145551 IP 10.0.0.1.53 > 10.0.0.2.52068:  48296 0/1/0 (102)


and this happen when i'm trying to telnet port 53 from router

Code: 
13:29:14.695350 IP MY-PUBLIC-IP.2061 > 10.0.0.2.53: S 730950990:730950990(0) win 5840 <mss 1460,sackOK,timestamp 14517770 0,nop,wscale 0>
13:29:14.695437 IP 10.0.0.2.53 > MY-PUBLIC-IP.2061: S 235667499:235667499(0) ack 730950991 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 157490500 14517770,sackOK,eol>
13:29:14.695897 IP MY-PUBLIC-IP.2061 > 10.0.0.2.53: . ack 1 win 5840 <nop,nop,timestamp 14517770 157490500>
13:29:18.775417 IP MY-PUBLIC-IP.2061 > 10.0.0.2.53: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 14518178 157490500>
13:29:18.775486 IP 10.0.0.2.53 > MY-PUBLIC-IP.2061: . ack 2 win 33304 <nop,nop,timestamp 157494580 14518178>
13:29:18.775582 IP 10.0.0.2.53 > MY-PUBLIC-IP.2061: F 1:1(0) ack 2 win 33304 <nop,nop,timestamp 157494580 14518178>
13:29:18.777880 IP MY-PUBLIC-IP.2061 > 10.0.0.2.53: . ack 2 win 5840 <nop,nop,timestamp 14518178 157494580>
 
vojtaz said:
13:20:16.180729 IP 10.0.0.2.63199 > 10.0.0.1.53: 48291+ A? MY-DOMAIN.pl. (36)
Click to expand...
Why your nameserver ask router for resolving ?

vojtaz said:
when i'm trying to dig or telnet from outside nothing happens whith tcpdump
Click to expand...
It can mean port forwarding doesnot work
 
this is my pf.conf

Code: 
ext_if = "rl0"
tcp_pass = "{ 22 110 80 20 21 53 953 }"
udp_pass = "{ 53 110 953 }"

scrub in all
block in on $ext_if from any to any
pass out keep state
set skip on lo0
antispoof for $ext_if

pass in on $ext_if proto tcp from any to any port $tcp_pass keep state
pass in on $ext_if proto udp from any to any port $udp_pass keep state
 
sorry, it happens when telnet from outside

Code: 
13:52:16.036333 IP 83.246.67.210.64072 > 10.0.0.2.53: S 4013455291:4013455291(0) win 65535 <mss 1380,sackOK,eol>
13:52:16.036384 IP 10.0.0.2.53 > 83.246.67.210.64072: S 232467764:232467764(0) ack 4013455292 win 65535 <mss 1460,sackOK,eol>
13:52:16.071046 IP 83.246.67.210.64072 > 10.0.0.2.53: . ack 1 win 65535
13:52:46.072499 IP 10.0.0.2.53 > 83.246.67.210.64072: F 1:1(0) ack 1 win 65535
13:52:46.107213 IP 83.246.67.210.64072 > 10.0.0.2.53: . ack 2 win 65535
13:52:46.107915 IP 83.246.67.210.64072 > 10.0.0.2.53: F 1:1(0) ack 2 win 65535
13:52:46.107948 IP 10.0.0.2.53 > 83.246.67.210.64072: . ack 2 win 65534
13:53:10.323582 IP 83.246.67.210.64072 > 10.0.0.2.53: F 1:1(0) ack 2 win 65535
13:53:10.323624 IP 10.0.0.2.53 > 83.246.67.210.64072: . ack 2 win 65534
13:54:14.353565 IP 83.246.67.210.64072 > 10.0.0.2.53: F 1:1(0) ack 2 win 65535
13:54:14.353598 IP 10.0.0.2.53 > 83.246.67.210.64072: R 232467766:232467766(0) win 0

but with a delay, don't know why
 
Well, so who is nameserver on 10.0.0.1 ?
You said about port forwarding - will he forward 53 port back to dns ?
 
i changed resolv.conf nameserver to my provider right now. i also tried to change bind port and also change port forward on my router and bind responsed for dig like a charm. but still can't find what's wrong... who's blocking my 53 port. i've got public ip, no other server which might listen on 53... even in router port forwarding 53 is routed to my server ip address.
 
vojtaz said:
yes, i sent them e-mail about it... they're going to look at this tomorrow. thanks for all!
Click to expand...
(I realize that this is an old thread; regardless, ) . . .well, if you ISP is AT&T, then good luck with that. I'll soon have more to post . . .new thread, TBA. I've just "upgraded" to U-verse DSL (yes, it's still DSL) -- now they are blocking queries to my DNS server.
 
You must log in or register to reply here.
Back
Top