
Thread: DNS Server works for Domain not external sites

  1. #11
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,999
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: DNS Server works for Domain not external sites

    Can you post the contents of named.conf?
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  2. #12
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    $ cat named.conf: several lines of stock comments, then three include lines for "/etc/bind/named.conf.options", "/etc/bind/named.conf.local" and "/etc/bind/named.conf.default-zones".

  3. #13
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,999
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: DNS Server works for Domain not external sites

    But what is in the options{} section of the file? That's what really matters. I doubt it's just "stock comments."

  4. #14
    Join Date
    Dec 2007
    Beans
    416

    Re: DNS Server works for Domain not external sites

    The default named.conf is now just an "includes" file. The options{} section has been moved to named.conf.options.

  5. #15
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    do you mean the named.conf.options file?

  6. #16
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    leaving out the commented items:
    Code:
    options {
            directory "/var/cache/bind";
            dnssec-validation auto;
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { none; };
    };
    note all other lines in the file are commented out with the // including the forwarders section.

  7. #17
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,603
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: DNS Server works for Domain not external sites

    Quote Originally Posted by WilJenMM View Post
    ... I do not have anything set in my named.conf.options file that would restrict recursion. ...
    Yes, but I think it's disabled by default, so you need to specifically allow it for your internal clients. Here is my file:
    Code:
    doug@doug-64:~/config/bind$ cat named.conf.options
    options {
            directory "/var/cache/bind";
    
            recursion yes;
            allow-recursion {any;};
            allow-query {any;}; // this is needed to override the default
            allow-transfer {"none"; }; // transfer will be allowed per zone below.
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
    //      forwarders {
    //              75.153.176.9;
    //              75.153.176.1;
    //      };
    
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { none; };
    };
    (and external DNS requests are not allowed, but via my iptables rules, instead of above.)
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.
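An added check, not code from this thread or from BIND, that parses a named.conf.options like the one above and reports whether the server would recurse for any client at all. It assumes BIND 9.4+ defaults (recursion on unless set to no; allow-recursion falling back to allow-query-cache, then allow-query, then localnets/localhost when not set), and its sample input is the posted options block re-typed as a constructed string with the long comments dropped.

```python
import re
def strip_comments(text):
    # named.conf allows /* */, // and # comments; drop all three
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def parse_options(text):
    # Map each top-level statement inside options { } to its raw value text
    clean = strip_comments(text)
    m = re.search(r"\boptions\s*\{", clean)
    if not m:
        raise ValueError("no options block")
    opts, buf, depth = {}, "", 1
    for c in clean[m.end():]:
        depth += {"{": 1, "}": -1}.get(c, 0)
        if depth == 0:                  # closing brace of options { }
            return opts
        if c == ";" and depth == 1:     # end of a top-level statement
            s = re.match(r"([\w-]+)\s*(.*)", buf.strip(), re.S)
            if s:
                opts[s.group(1)] = s.group(2).strip()
            buf = ""
        else:
            buf += c
    raise ValueError("unbalanced braces in options block")

def acl_entries(value):
    # '{ any; }' -> ['any'];  '{"none"; }' -> ['none']
    return [e.strip().strip('"') for e in value.strip("{} \t\n").split(";") if e.strip()]

def audit_recursion(text):
    opts = parse_options(text)
    recursion = opts.get("recursion", "yes").lower() == "yes"   # BIND default is yes
    # Assumed BIND 9.4+ fallback order when allow-recursion is not set explicitly
    src = next((k for k in ("allow-recursion", "allow-query-cache", "allow-query")
                if k in opts), None)
    acl = acl_entries(opts[src]) if src else ["localnets", "localhost"]
    return {"recursion": recursion, "acl_from": src or "default", "acl": acl,
            "open_resolver": recursion and "any" in acl}

# Constructed sample: the options block posted in the thread, minus its long comments
POSTED = """options {
        recursion yes;
        allow-recursion {any;};
        allow-query {any;}; // this is needed to override the default
        allow-transfer {"none"; }; // transfer will be allowed per zone below.
        auth-nxdomain no;    # conform to RFC1035
};"""
# The same file with recursion limited to the local subnets
HARDENED = POSTED.replace("allow-recursion {any;}", "allow-recursion { localnets; }")
```

The check reads named.conf.options alone, so a server that relies on iptables to keep outside clients away, as in the reply above, is still reported as open at the BIND layer.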

  8. #18
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    ip tables rules?

  9. #19
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,999
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: DNS Server works for Domain not external sites

    Quote Originally Posted by WilJenMM View Post
    ip tables rules?
    iptables is the method for writing firewall rules in Linux. It is built into the kernel by default.

    Here are a couple of rules for DNS; assume eth0 points to the Internet, and eth1 points to an internal network.

    Code:
    # allow UDP DNS queries on all interfaces
    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    
    # allow a TCP zone transfer to off-site my.backup.dns.server
    /sbin/iptables -A INPUT -p tcp -i eth0 -s my.backup.dns.server --dport 53 -j ACCEPT
    [additional rules for any other servers that need to back up zones from you]
    
    # block any other TCP traffic on port 53
    /sbin/iptables -A INPUT -p tcp --dport 53 -j REJECT
    The first rule allows both public and private clients to query your server on port 53. Whether you are actually listening to port 53 on one or both interfaces, and whether you accept public queries, is controlled in named.conf.

    The next two rules cover TCP connections to your server which are used to transfer zone files. If this computer is a master for a domain, then its slaves need to connect with it over TCP. Depending on how many different backup servers you have, you might have multiple iptables rules with the name or IP address of each backup. The last command adds ("-A") the final rule governing DNS to the INPUT chain that denies any other TCP connections to your computer's port 53.

    You could block external queries to the DNS server, but allow them from inside the local network, by replacing the first rule above with these:
    Code:
    # allow internal queries on eth1; block public queries on eth0
    /sbin/iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i eth0 --dport 53 -j REJECT
    
    # allow internal zone transfers
    /sbin/iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
    [etc.]
    I also added a rule to allow TCP zone transfers on eth1 if the server has slaves within the local network.

    You can also control access to your server with parameters like "listen-on {};" in named.conf. That is a level 7 protocol in the OSI model, where the application itself, in this case bind9, manages its relations with other computers. Iptables operates at the "network" level, level 3, because it screens packets based on their headers.
    Last edited by SeijiSensei; July 2nd, 2013 at 01:40 AM.
