DNS configuration worries

Discussion in 'Installation/Configuration' started by rzlines, Dec 4, 2010.

  1. rzlines

    rzlines New Member

    Hello,

    I have been following the ISPConfig 3 tutorial for CentOS and have completed the setup successfully.

    My current server connects to the internet via a router and hence I have configured it to use a private ip i.e. 192.168.*.* series during the install process.

    At the moment I am unable to access the server from the internet, nor can I link up the DNS to any domain I try to host or the domain of the server. Do I have to configure the router in any way to allow the server to be online? I have 2 static IPs given to me by my ISP but I'm at a loss as to how to configure the router to allow the server IP (local) to translate to the public static IP. I could be wrong here but I think that is the problem in my case.

    Please guide me appropriately.


    EDIT: I looked at this post after I posted here and realized that I have to port forward my server's ip address. I had already configured an A record on my domain to point to my static IP address and it does indeed currently point to my router. I have port forwarded the local ip address of my server to forward port 80 and port 8080 but it still points to the router.

    - I have added a DNS zone using the DNS Zone Wizard, but I have a query about it - should I add the public IP address here or the private (local) IP of my server (192.168.*.*)? (configured this using the ISPConfig 3 manual)

    - What happens in a multi-server setup? Do I have to also port forward all my other servers' IPs, and will it work with just 1 public IP?
     
    Last edited: Dec 4, 2010
  2. falko

    falko Super Moderator Howtoforge Staff

    Always use public IPs for DNS records.

    If you run different services on your servers, e.g. a web server on one system and a mail server on the other system, then this is no problem because you can forward port 80 to the web server and port 25 to the mail server. But if you run multiple web or mail servers, then this is a problem because you can forward a port to just one server.
     
  3. rzlines

    rzlines New Member

    Hello Falko,

    Thanks for your reply! I was following the tutorial on setting up my own name servers and I have indeed used my public IP for setting up my nameservers. But I have yet been unsuccessful (at least that's what I think). I will list down all that I have done till date and then you can advise me accordingly, and PM you the details as I would not like my server information to be out in the open.
     
  4. rzlines

    rzlines New Member

    I have replied with a PM about all my settings; please let me know if you need any more input from me.

    Thanks,
    rzlines
     
  5. rzlines

    rzlines New Member

    I have also attached the outputs of netstat -tap and iptables -L to this post; please have a look.

    I would also like to add here that when I boot into the machine all the services start up OK, except "Enabling local file system quotas" shows FAILED.
     


  6. falko

    falko Super Moderator Howtoforge Staff

    As far as I can see, named is listening only on localhost instead of on all interfaces. dnsmasq is listening on your other IP... Please change the configuration so that named listens on all interfaces.
     
  7. rzlines

    rzlines New Member

    Umm.. how do I get named to listen on all interfaces? And sorry, I just PM'ed you right now! Have you seen my other settings of ISPConfig 3, domains and my router?
     
  8. falko

    falko Super Moderator Howtoforge Staff

    Your settings seem to be ok. Please stop dnsmasq, and then post your named.conf here.
     
  9. rzlines

    rzlines New Member

    I stopped dnsmasq and here's the output of named.conf

    Code:
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    options {
            listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named/chroot/var/named";
            dump-file       "/var/named/chroot/var/named/data/cache_dump.db";
            statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; };
            recursion yes;
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.root";
    };
    include "/var/named/chroot/etc/named.conf.local";
     
    Last edited: Dec 8, 2010
  10. rzlines

    rzlines New Member


    I tried to read up on how to get named to listen on all interfaces and I reached this page; anyway, to keep it short, should I configure named.conf to

    Code:
    listen-on { any; };
    instead of

    Code:
    listen-on port 53 { 127.0.0.1; };
    and do I always have to stop the dnsmasq process, or was it just to debug/get the output of the named.conf file?

    I'm not really sure if I'll be doing the right thing. ( Phew! at the end of this i'll definitely write a mini how to, to configure DNS zones if your configuration is behind a router.. ;) )


    ---------------------------------------------------------------------------------------------------------------------------------------

    Edit: I have changed the named.conf file from the previous
    Code:
    listen-on port 53 { 127.0.0.1; };
    to
    Code:
    listen-on port 53 { any; };
    but it didn't make a difference. Should I start dnsmasq too, or let it continue to be stopped?
     
    Last edited: Dec 8, 2010
  11. falko

    falko Super Moderator Howtoforge Staff

    Let it continue to be stopped.

    Code:
    server1:~# dig @ns1.techstudio.co.cc speakgeek.co.cc
    
    ; <<>> DiG 9.6-ESV-R1 <<>> @ns1.techstudio.co.cc speakgeek.co.cc
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    server1:~#
    Your nameserver still isn't responding. What are the outputs of
    Code:
    netstat -tap
    and
    Code:
    iptables -L
    now?
     
  12. rzlines

    rzlines New Member

    Output of netstat -tap
    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 localhost.localdomain:2208  *:*                         LISTEN      2540/hpiod
    tcp        0      0 *:imaps                     *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:pop3s                     *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:vce                       *:*                         LISTEN      3721/ricci
    tcp        0      0 localhost.localdomain:10024 *:*                         LISTEN      2756/amavisd (maste
    tcp        0      0 *:11145                     *:*                         LISTEN      10408/skype
    tcp        0      0 localhost.localdomain:10025 *:*                         LISTEN      2809/master
    tcp        0      0 *:mysql                     *:*                         LISTEN      2674/mysqld
    tcp        0      0 *:pop3                      *:*                         LISTEN      2714/dovecot
    tcp        0      0 localhost.local:dyna-access *:*                         LISTEN      2590/clamd
    tcp        0      0 *:imap                      *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:sunrpc                    *:*                         LISTEN      2232/portmap
    tcp        0      0 *:rrh                       *:*                         LISTEN      2267/rpc.statd
    tcp        0      0 *:16851                     *:*                         LISTEN      3642/modclusterd
    tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      3055/dnsmasq
    tcp        0      0 *:ftp                       *:*                         LISTEN      2845/pure-ftpd (SER
    tcp        0      0 neonglow.techstudio.:domain *:*                         LISTEN      2213/named
    tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      2213/named
    tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      2567/cupsd
    tcp        0      0 *:smtp                      *:*                         LISTEN      2809/master
    tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      2213/named
    tcp        0      0 localhost.localdomain:2207  *:*                         LISTEN      2545/python
    tcp        0      0 neonglow.techstudio.c:37581 192.168.1.1:http            TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:37582 192.168.1.1:http            TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:37583 192.168.1.1:http            TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:37584 192.168.1.1:http            TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:37585 192.168.1.1:http            TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:37586 192.168.1.1:http            TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56650 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56649 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56653 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56652 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56659 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56656 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:56664 117.211.123.49:http         TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:35982 rhlx01.hs-esslingen.de:http TIME_WAIT   -
    tcp        0      0 neonglow.techstudio.c:53731 114-40-125-147.dynami:https ESTABLISHED 10408/skype
    tcp        0      0 *:imaps                     *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:pop3s                     *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:wbem-https                *:*                         LISTEN      3072/cimserver
    tcp        0      0 *:pop3                      *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:imap                      *:*                         LISTEN      2714/dovecot
    tcp        0      0 *:webcache                  *:*                         LISTEN      2833/httpd
    tcp        0      0 *:http                      *:*                         LISTEN      2833/httpd
    tcp        0      0 *:tproxy                    *:*                         LISTEN      2833/httpd
    tcp        0      0 *:ftp                       *:*                         LISTEN      2845/pure-ftpd (SER
    tcp        0      0 localhost6.localdoma:domain *:*                         LISTEN      2213/named
    tcp        0      0 *:ssh                       *:*                         LISTEN      2558/sshd
    tcp        0      0 localhost6.localdomain:rndc *:*                         LISTEN      2213/named
    tcp        0      0 *:https                     *:*                         LISTEN      2833/httpd
    Output of iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
     
  13. falko

    falko Super Moderator Howtoforge Staff

    dnsmasq is still running on 192.168.122.1. You need to stop it and make named listen on that IP.

    Also, please stop the firewall for testing purposes.
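    An added helper, not part of this thread, that applies falko's reading of the netstat output automatically: it lists every TCP listener on port 53, reports whether named is bound only to loopback, and names any other daemon (dnsmasq here) already holding port 53 on an address. The sample lines are constructed after the output posted above and assume, as there, that netstat prints the port as the service name "domain" because names are being resolved.

```shell
#!/bin/sh
# Constructed sample of 'netstat -tap' lines modelled on the output posted
# above (not the real capture): dnsmasq holds port 53 on 192.168.122.1,
# named listens on the host address and on loopback.
SAMPLE_NETSTAT='tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      3055/dnsmasq
tcp        0      0 neonglow.techstudio.:domain *:*                         LISTEN      2213/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      2213/named
tcp        0      0 localhost6.localdoma:domain *:*                         LISTEN      2213/named
tcp        0      0 *:http                      *:*                         LISTEN      2833/httpd'

# Same format, but the state from the first named.conf posted in the
# thread: named bound to loopback only.
SAMPLE_LOOPBACK='tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      2213/named
tcp        0      0 localhost6.localdoma:domain *:*                         LISTEN      2213/named'

# Print "local-address program" for every TCP listener on port 53; netstat
# shows the port as the service name "domain" when it resolves names.
port53_listeners() {    # netstat -tap output on stdin
    awk '$6 == "LISTEN" && $4 ~ /:domain$/ { split($7, p, "/"); print $4, p[2] }'
}

# Return 0 if named listens only on loopback (falko's diagnosis above),
# 1 if named has at least one non-loopback listener, 2 if named is not
# listening on port 53 at all.
named_loopback_only() {    # netstat -tap output on stdin
    listeners=$(port53_listeners | awk '$2 == "named" { print $1 }')
    [ -n "$listeners" ] || return 2
    if printf '%s\n' "$listeners" | grep -qvE '^(127\.|::1|localhost)'; then
        return 1
    fi
    return 0
}

# Any other daemon already holding port 53 on some address; two daemons
# cannot bind the same address and port, so named cannot take it over
# until that daemon is stopped.
port53_conflicts() {    # netstat -tap output on stdin
    port53_listeners | awk '$2 != "named" { print $2 "@" $1 }'
}
```

On a live system, feed the real output with `netstat -tap | port53_listeners` (root is needed for the PID/program column).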
     
  14. rzlines

    rzlines New Member

    I stopped dnsmasq from running as a service right now; I have the Server GUI installed and I don't know how to permanently stop a service from starting up (do I have to delete the service to do that?). I currently stopped it from running in the services window. How can I make named listen on that IP? I have edited the named.conf file to do this (is this right?):

    Code:
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    options {
            //listen-on port 53 { 127.0.0.1; };
            //listen-on port 53 { any; };
            listen-on port 53 { 192.168.122.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named/chroot/var/named";
            dump-file       "/var/named/chroot/var/named/data/cache_dump.db";
            statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; };
            recursion yes;
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.root";
    };
    include "/var/named/chroot/etc/named.conf.local";
    This is what I did to stop the firewall, is this right? I'm not really sure :eek:

    (screenshots attached)
     
    Last edited: Dec 10, 2010
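    An added check, not from this thread, that reads an options block like the one just posted and flags the settings that keep a BIND server unreachable from other hosts: a `listen-on` list made only of loopback addresses (the problem discussed above) and `allow-query { localhost; }`, which, left as posted, makes BIND answer REFUSED to every non-local client even once it listens on all interfaces, unless a zone statement overrides it. It also warns that `recursion yes` without `allow-recursion` turns the server into an open resolver the moment allow-query is widened. The sample block is a constructed copy of the posted options, trimmed to the directives the check reads.

```shell
#!/bin/sh
# Constructed copy of the options block posted above, trimmed to the
# directives this check reads; it is not the poster's live file.
SAMPLE_NAMED_CONF='options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on port 53 { any; };
        listen-on port 53 { 192.168.122.1; };
        listen-on-v6 port 53 { ::1; };
        allow-query     { localhost; };
        recursion yes;
};'

# Print the brace list of one options directive, e.g. "localhost;" for
# allow-query; // comments are stripped first. Prints nothing if absent.
# $1 = directive name, named.conf on stdin.
directive_value() {
    sed 's#//.*##' | awk -v d="$1" '
        $1 == d { sub(/^[^{]*\{ */, ""); sub(/ *\}.*$/, ""); print; exit }'
}

# One finding per line for the settings that keep named unreachable from
# other hosts, plus the open-resolver risk of widening them blindly.
named_conf_issues() {    # named.conf on stdin
    conf=$(cat)
    listen=$(printf '%s\n' "$conf" | directive_value listen-on)
    query=$(printf '%s\n' "$conf" | directive_value allow-query | tr -d ' ;')
    recursion=$(printf '%s\n' "$conf" | sed 's#//.*##' |
                awk '$1 == "recursion" { print $2 }' | tr -d ';')
    allow_rec=$(printf '%s\n' "$conf" | directive_value allow-recursion)

    # listen-on: BIND defaults to all interfaces when the directive is absent,
    # so only an explicit list made solely of loopback addresses is a problem.
    if [ -n "$listen" ]; then
        non_loopback=$(printf '%s\n' "$listen" | tr ';' '\n' |
                       grep -cvE '^ *(127\.[0-9.]+|localhost)? *$' || true)
        [ "$non_loopback" -eq 0 ] &&
            echo "listen-on: loopback only, other hosts cannot reach port 53"
    fi
    # allow-query: with localhost only, BIND answers REFUSED to every other
    # client, even for its own zones, unless a zone statement overrides it.
    case "$query" in
        localhost|127.0.0.1|none)
            echo "allow-query: '$query' refuses queries from other hosts" ;;
    esac
    # A server that recurses for anyone allowed to query it is an open resolver.
    if [ "$recursion" = yes ] && [ -z "$allow_rec" ]; then
        echo "recursion yes without allow-recursion: open resolver once allow-query is widened"
    fi
    return 0
}
```

Run it against the live file with `named_conf_issues < /etc/named.conf` (adjust the path for a chrooted install); an empty result means none of the three settings is present.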
  15. falko

    falko Super Moderator Howtoforge Staff

    Which distribution do you use?

    What's the output of
    Code:
    iptables -L
    now?
     
  16. rzlines

    rzlines New Member

    I use CentOS 5.5.

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
     
    Last edited: Dec 12, 2010
  17. falko

    falko Super Moderator Howtoforge Staff

    The firewall is still running. Please stop it as follows:
    Code:
    /etc/init.d/bastille-firewall stop
    What's the output of
    Code:
    getenforce
    ?
     
  18. rzlines

    rzlines New Member

    Okay, I did that.

    Output of the firewall stop:

    Code:
    disabling IP forwarding... done.
    unloading masquerading modules... done.
    resetting default input rules to accept... done.
    resetting default output rule to accept... done.
    resetting default forward rule to accept... done.
    flushing INPUT rules... done.
    flushing OUTPUT rules... done.
    flushing FORWARD rules... done.
    removing user-defined chains...iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
     done.
    and the output of getenforce is "disabled".

    P.S: Am I facing these issues because I'm behind a router? I think I had tried out the Perfect Server tutorial for ISPConfig 3 (for CentOS 5.3, if I remember correctly) a year back and it worked perfectly; at that time I was connected directly to the modem and I used the static (public) IP address for the entire installation process. This time around I used an internal IP because I would like to try out a multi-server setup, and well, I'm still stuck here. Hope this problem sorts out soon. Thanks a lot for helping me out here so patiently. (Would it work better if I used Debian instead, or am I just being hasty here and CentOS will work out just fine? I would definitely like my server setup to be online.)
     
    Last edited: Dec 14, 2010
  19. falko

    falko Super Moderator Howtoforge Staff

    What's the output of

    Code:
    iptables -L
    now?

    Does your router forward port 53 (TCP and UDP) to your server?
     
  20. rzlines

    rzlines New Member


    Output of iptables -L:
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Ports forwarded on my router:
    (screenshot attached)
     
    Last edited: Dec 15, 2010