
Thread: DNS Server works for Domain not external sites

  1. #1
    Join Date
    May 2013
    Beans
    14

    DNS Server works for Domain not external sites

    I just set up my 2nd Ubuntu Server as a DNS server using bind. My queries within the domain respond correctly. When I try to query something external 'www.ubuntu.com/' using my Windows box I receive the request could not find www.ubuntu.com. When I do a NSLookup I get a response of server as unknown with the address of my DNS server. With my working DNS server the nslookup provides both the correct name and IP of the DNS server. When I go to my server I can ping externally etc. I did notice that when I do a DIG instead of listing the Server as my local address, it is the address of my ISP's DNS server which I have listed as the second nameserver on my interface. When I look at my working DNS server that field reflects the local IP. All my zones pass the check (forward and reverse). I do not have anything set in my named.conf.options file that would restrict recursion. I have confirmed that Bind is running and listening on port 53. What else do I need to look at?

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    12,798
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: DNS Server works for Domain not external sites

    Some ISPs intercept DNS requests, usually so they can show ads to people when they mistype a domain name. In order for your server to resolve domains outside your own it needs to be able to connect directly with the root nameservers. If the ISP grabs those requests, those requests will be diverted.

    You could try installing nmap, then running

    Code:
    sudo nmap -sU -p 53 a.root-servers.net
    That returns this result for me:
    Code:
    Nmap scan report for a.root-servers.net (198.41.0.4)
    Host is up (0.11s latency).
    PORT   STATE         SERVICE
    53/udp open|filtered domain
    If the ISP is intercepting DNS requests, your best bet is to add a "forwarders" directive that sends requests for hosts outside your domain to your ISP's nameservers.
    Last edited by SeijiSensei; June 21st, 2013 at 11:34 PM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #3
    Join Date
    Dec 2007
    Beans
    562

    Re: DNS Server works for Domain not external sites

    You need to add forwarders in your named.conf.options file.
    Code:
            forwarders {
                    8.8.8.8;
                    8.8.4.4;
            };
    Your DNS server is only authoritative for your domain. It cannot resolve external domains on its own, so it needs to forward unknown DNS requests to external servers for name resolution.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    12,798
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: DNS Server works for Domain not external sites

    Quote Originally Posted by newbie-user View Post
    You need to add forwarders in your named.conf.options file.
    Your DNS server is only authoritative for your domain. It cannot resolve external domains on its own, so it needs to forward unknown DNS requests to external servers for name resolution.
    No, it doesn't. A DNS server communicates directly with the root nameservers to resolve names outside the domains for which it is authoritative. I only use forwarders in rare situations like when I want to resolve names against some internal DNS server. For instance, I have forwarding set up for one of my client's domains so that queries are sent to their internal nameserver over a VPN tunnel.

    In the OP's case he may need to use forwarders if the ISP intercepts port 53 traffic on remote servers. That would make it impossible for his server to communicate directly with the roots.

  5. #5
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    I installed nmap and ran as described. I get basically the same output. My concern is the first part of the output.
    Last edited by WilJenMM; June 24th, 2013 at 04:11 PM. Reason: screen shot upload

  6. #6
    Join Date
    Dec 2007
    Beans
    562

    Re: DNS Server works for Domain not external sites

    Quote Originally Posted by SeijiSensei View Post
    No, it doesn't. A DNS server communicates directly with the root nameservers to resolve names outside the domains for which it is authoritative. I only use forwarders in rare situations like when I want to resolve names against some internal DNS server. For instance, I have forwarding set up for one of my client's domains so that queries are sent to their internal nameserver over a VPN tunnel.

    In the OP's case he may need to use forwarders if the ISP intercepts port 53 traffic on remote servers. That would make it impossible for his server to communicate directly with the roots.
    Ah, thanks for getting me straight on that.

  7. #7
    Join Date
    Dec 2007
    Beans
    562

    Re: DNS Server works for Domain not external sites

    Quote Originally Posted by WilJenMM View Post
    I installed nmap and ran as described. I get basically the same output. My concern is the first part of the output.
    Check your /etc/hosts file and see if your hostname matches the contents of the file.

  8. #8
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    That was the issue. Typo. The other issue turns out to be the firewall. I now allow the server out on IP and it works. When I limit it to UDP it fails. I thought you only needed TCP for zone transfers, which I don't believe I am doing. I would like to lock the server down as much as possible. I also have noticed that sites hosted by Akamai respond on a hit and miss basis.

  9. #9
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    12,798
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: DNS Server works for Domain not external sites

    Quote Originally Posted by WilJenMM View Post
    When I limit it to UDP it fails. I thought you only needed TCP for zone transfers, which I don't believe I am doing.
    That's my understanding as well.

    I would like to lock the server down as much as possible.
    Letting your own server make outbound queries is not much of a risk. As long as you allow reply traffic ("ESTABLISHED,RELATED" in iptables) you should be fine. Bind9 has the occasional security problem, but Paul Vixie and company at ISC are quick to patch it, and the updates are distributed soon thereafter. I never worry about outbound traffic on my servers. I haven't had a server compromised in any way in about a decade now, and the last time it happened it was my own fault for not updating to fix a security hole in Apache 1.3. Inbound traffic is a different story, of course.
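    Added illustration (not code from the thread) of why the UDP-only firewall rule in post #8 breaks resolution: a resolver that gets a truncated (TC=1) UDP answer must retry the same query over TCP/53, so blocking outbound TCP/53 leaves those lookups failing even though zone transfers are never involved. The truncated reply bytes below are constructed, and the `server` address passed to `resolve()` is an assumption you supply.

```python
import socket
import struct

# Constructed sample: a DNS response header with QR=1, TC=1, RD=1 (0x8300).
# This is the kind of answer a UDP-only egress rule leaves the resolver unable to complete.
TRUNCATED_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0)

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query for `name` (qtype 1 = A) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Return the header fields that matter for the retry decision."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F}

def needs_tcp_retry(msg):
    """RFC 1035: a truncated (TC=1) UDP answer must be retried over TCP."""
    return parse_flags(msg)["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def resolve(name, server, timeout=3.0):
    """Query `server` over UDP, then fall back to TCP if the answer is truncated.
    With only UDP/53 allowed out, the TCP step times out: the thread's symptom."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if not needs_tcp_retry(reply):
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(tcp_frame(q))
        length = struct.unpack("!H", t.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = t.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP fallback closed before full reply")
            data += chunk
    return data
```

On the firewall side this means allowing outbound 53/udp and 53/tcp plus ESTABLISHED,RELATED replies, as post #9 describes.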

  10. #10
    Join Date
    May 2013
    Beans
    14

    Re: DNS Server works for Domain not external sites

    I reviewed a capture of pings from my DNS server. I saw requests going to both my ISP and the root servers. I have gone in and removed the forwarders. Responses are better, yet a little slow. I do have issues with sites hosted by Akamai. I can ping a site (from a DNS client) and it will time out. I immediately try again and it responds. This is primarily with the Akamai-hosted sites. Are there any additional configuration changes I can make on my end?
