Hello, I have been following the ISPConfig 3 tutorial for CentOS and have completed the setup successfully. My current server connects to the internet via a router and hence I have configured it to use a private IP, i.e. one in the 192.168.*.* range, during the install process. At the moment I am unable to access the server from the internet, nor can I link up the DNS to any domain I try to host or to the domain of the server. Do I have to configure the router in any way to allow the server to be online? I have 2 static IPs given to me by my ISP but I'm at a loss as to how to configure the router to translate the server's (local) IP to the public static IP. I could be wrong here but I think that is the problem in my case. Please guide me appropriately.

EDIT: I looked at this post after I posted here and realized that I have to port forward my server's IP address. I had already configured an A record on my domain to point to my static IP address and it does indeed currently point to my router. I have port forwarded port 80 and port 8080 to the local IP address of my server, but it still points to the router.
- I have added a DNS zone using the DNS Zone Wizard, but I have a query about it: should I add the public IP address here or the private (local) IP of my server (192.168.*.*)? (I configured this using the ISPConfig 3 manual.)
- What happens in a multi-server setup? Do I have to also port forward all my other servers' IPs, and will it work with just 1 public IP?
Always use public IPs for DNS records. If you run different services on your servers, e.g. a web server on one system and a mail server on the other system, then this is no problem because you can forward port 80 to the web server and port 25 to the mail server. But if you run multiple web or mail servers, then this is a problem because you can forward a port to just one server.
Hello Falko, thanks for your reply! I was following the tutorial on setting up my own name servers and I have indeed used my public IP for setting up my nameservers. But I have still been unsuccessful (at least that's what I think). I will list everything that I have done to date and then you can advise me accordingly; I'll PM you the details as I would not like my server information to be out in the open.
I have replied with a PM, about all my settings please let me know if you need any more inputs from me. Thanks, rzlines
I have also attached the outputs of netstat -tap and iptables -L to this post, please have a look. I would also like to add here that when I boot into the machine all the services start up OK except Enabling local file system quotas shows FAILED
As far as I can see, named is listening only on localhost instead of on all interfaces. dnsmasq is listening on your other IP... Please change the configuration so that named listens on all interfaces.
Umm.. how do I get named to listen on all interfaces? And sorry, I just PM'ed you right now! Have you seen my other settings for ISPConfig 3, the domains and my router?
I stopped dnsmasq and here's the output of named.conf
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    dump-file "/var/named/chroot/var/named/data/cache_dump.db";
    statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    recursion yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.root";
};
include "/var/named/chroot/etc/named.conf.local";
I tried to read up on how to get named to listen on all interfaces and I reached this page. Anyway, to keep it short: should I configure named.conf to
Code: listen-on { any; };
instead of
Code: listen-on port 53 { 127.0.0.1; };
and do I always have to stop the dnsmasq process? Or was that just to debug / get the output of the named.conf file? I'm not really sure if I'll be doing the right thing. (Phew! At the end of this I'll definitely write a mini how-to on configuring DNS zones if your server is behind a router.)
---------------------------------------------------------------------------------------------------------------------------------------
Edit: I have changed the named.conf file from the previous
Code: listen-on port 53 { 127.0.0.1; };
to
Code: listen-on port 53 { any; };
but it didn't make a difference. Should I start dnsmasq too or let it continue to be stopped?
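An added checker (not code from the thread, nor part of ISPConfig) that reads the options block of a named.conf like the one pasted above and reports whether an outside client could ever reach named and get an answer: the listen-on change discussed here only fixes which sockets are opened, while allow-query { localhost; }; in the same file is a second, separate restriction. The sample config is constructed from the pasted one, trimmed to the relevant statements.

```python
import re

# Constructed sample modelled on the named.conf pasted in the thread:
# both the listening socket and the query ACL are restricted to localhost.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    allow-query { localhost; };
    recursion yes;
};
zone "." IN { type hint; file "named.root"; };
"""

# Address-list entries that never admit a client from another host.
LOCAL_ONLY = {"127.0.0.1", "::1", "localhost", "none"}


def option_lists(conf):
    """Return {statement: [entries]} for listen-on / listen-on-v6 / allow-query
    inside options { ... }. Comments are stripped first; the options block is
    assumed to close with a line starting '};' (as in the pasted file)."""
    conf = re.sub(r"(//|#).*", "", conf)
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    body = m.group(1) if m else ""
    found = {}
    pattern = r"(listen-on(?:-v6)?|allow-query)\b[^{;]*\{([^}]*)\}\s*;"
    for stmt, entries in re.findall(pattern, body):
        found[stmt] = [e.strip() for e in entries.split(";") if e.strip()]
    return found


def reachability(conf):
    """Classify whether an external client could be answered: it must hit an
    open socket (listen-on) and pass the allow-query ACL. Defaults follow BIND
    when a statement is absent: listen on all IPv4 interfaces, allow any."""
    opts = option_lists(conf)
    listen = opts.get("listen-on", ["any"])
    allow = opts.get("allow-query", ["any"])
    return {
        "listen_on": listen,
        "allow_query": allow,
        "listens_externally": not set(listen) <= LOCAL_ONLY,
        "answers_externally": not set(allow) <= LOCAL_ONLY,
    }
```

Running reachability() on the pasted config shows both flags False; changing only listen-on to { any; } flips listens_externally but leaves answers_externally False until allow-query is widened as well.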
Let it continue to be stopped.
Code:
server1:~# dig @ns1.techstudio.co.cc speakgeek.co.cc

; <<>> DiG 9.6-ESV-R1 <<>> @ns1.techstudio.co.cc speakgeek.co.cc
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server1:~#
Your nameserver still isn't responding. What are the outputs of
Code: netstat -tap
and
Code: iptables -L
now?
Output of netstat -tap
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 localhost.localdomain:2208  *:*                         LISTEN      2540/hpiod
tcp        0      0 *:imaps                     *:*                         LISTEN      2714/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2714/dovecot
tcp        0      0 *:vce                       *:*                         LISTEN      3721/ricci
tcp        0      0 localhost.localdomain:10024 *:*                         LISTEN      2756/amavisd (maste
tcp        0      0 *:11145                     *:*                         LISTEN      10408/skype
tcp        0      0 localhost.localdomain:10025 *:*                         LISTEN      2809/master
tcp        0      0 *:mysql                     *:*                         LISTEN      2674/mysqld
tcp        0      0 *:pop3                      *:*                         LISTEN      2714/dovecot
tcp        0      0 localhost.local:dyna-access *:*                         LISTEN      2590/clamd
tcp        0      0 *:imap                      *:*                         LISTEN      2714/dovecot
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2232/portmap
tcp        0      0 *:rrh                       *:*                         LISTEN      2267/rpc.statd
tcp        0      0 *:16851                     *:*                         LISTEN      3642/modclusterd
tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      3055/dnsmasq
tcp        0      0 *:ftp                       *:*                         LISTEN      2845/pure-ftpd (SER
tcp        0      0 neonglow.techstudio.:domain *:*                         LISTEN      2213/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      2213/named
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      2567/cupsd
tcp        0      0 *:smtp                      *:*                         LISTEN      2809/master
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      2213/named
tcp        0      0 localhost.localdomain:2207  *:*                         LISTEN      2545/python
tcp        0      0 neonglow.techstudio.c:37581 192.168.1.1:http            TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:37582 192.168.1.1:http            TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:37583 192.168.1.1:http            TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:37584 192.168.1.1:http            TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:37585 192.168.1.1:http            TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:37586 192.168.1.1:http            TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56650 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56649 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56653 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56652 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56659 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56656 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:56664 117.211.123.49:http         TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:35982 rhlx01.hs-esslingen.de:http TIME_WAIT   -
tcp        0      0 neonglow.techstudio.c:53731 114-40-125-147.dynami:https ESTABLISHED 10408/skype
tcp        0      0 *:imaps                     *:*                         LISTEN      2714/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2714/dovecot
tcp        0      0 *:wbem-https                *:*                         LISTEN      3072/cimserver
tcp        0      0 *:pop3                      *:*                         LISTEN      2714/dovecot
tcp        0      0 *:imap                      *:*                         LISTEN      2714/dovecot
tcp        0      0 *:webcache                  *:*                         LISTEN      2833/httpd
tcp        0      0 *:http                      *:*                         LISTEN      2833/httpd
tcp        0      0 *:tproxy                    *:*                         LISTEN      2833/httpd
tcp        0      0 *:ftp                       *:*                         LISTEN      2845/pure-ftpd (SER
tcp        0      0 localhost6.localdoma:domain *:*                         LISTEN      2213/named
tcp        0      0 *:ssh                       *:*                         LISTEN      2558/sshd
tcp        0      0 localhost6.localdomain:rndc *:*                         LISTEN      2213/named
tcp        0      0 *:https                     *:*                         LISTEN      2833/httpd
Output of iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
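An added parser (not code from the thread) that runs over netstat -tap lines like the ones pasted above and reports which programs hold the DNS port and on which local addresses. The sample lines are constructed from that output (hostnames truncated the way netstat prints them); it is a quick way to spot a second resolver occupying port 53 on an address that named does not cover, and whether named is bound to the wildcard, to localhost only, or to specific addresses.

```python
import re

# Constructed excerpt modelled on the netstat -tap output pasted in the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address  State     PID/Program name
tcp        0      0 192.168.122.1:domain        *:*              LISTEN    3055/dnsmasq
tcp        0      0 neonglow.techstudio.:domain *:*              LISTEN    2213/named
tcp        0      0 localhost.localdomai:domain *:*              LISTEN    2213/named
tcp        0      0 localhost6.localdoma:domain *:*              LISTEN    2213/named
tcp        0      0 *:http                      *:*              LISTEN    2833/httpd
tcp        0      0 neonglow.techstudio.c:37581 192.168.1.1:http TIME_WAIT -
"""

# proto recv-q send-q local:port foreign state program  (only LISTEN rows matter here)
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\S+)\s+\S+\s+LISTEN\s+(\S+)")


def port_listeners(text, port_name):
    """Map 'pid/program' -> sorted local addresses that LISTEN on port_name
    (netstat shows the service name, e.g. 'domain' for 53, unless -n is used)."""
    result = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(2) == port_name:
            result.setdefault(m.group(3), set()).add(m.group(1))
    return {prog: sorted(addrs) for prog, addrs in result.items()}


def dns_diagnosis(text):
    """Findings for a host that is supposed to serve DNS:
    is named on the wildcard, is it bound to localhost only, and who else
    holds port 53 (a competing listener blocks named from that address)."""
    who = port_listeners(text, "domain")
    named_addrs = [a for p, addrs in who.items() if p.endswith("/named") for a in addrs]
    return {
        "named_addresses": sorted(named_addrs),
        "named_on_all_interfaces": "*" in named_addrs,
        "named_only_local": bool(named_addrs)
        and all(a.startswith("localhost") for a in named_addrs),
        "competing_listeners": sorted(p for p in who if not p.endswith("/named")),
    }
```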
dnsmasq is still running on 192.168.122.1. You need to stop it and make named listen on that IP. Also, please stop the firewall for testing purposes.
I stopped dnsmasq from running as a service right now. I have the Server GUI installed and I don't know how to permanently stop a service from starting up (do I have to delete the service to do that?). I currently stopped it from running in the services window. How can I make named listen on that IP? I have edited the named.conf file to do this (is this right?):
Code:
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    //listen-on port 53 { 127.0.0.1; };
    //listen-on port 53 { any; };
    listen-on port 53 { 192.168.122.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    dump-file "/var/named/chroot/var/named/data/cache_dump.db";
    statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    recursion yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.root";
};
include "/var/named/chroot/etc/named.conf.local";
This is what I did to stop the firewall. Is this right? I'm not really sure. I use CentOS 5.5.
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The firewall is still running. Please stop it as follows:
Code: /etc/init.d/bastille-firewall stop
What's the output of
Code: getenforce
?
Okay, I did that. Output of the firewall stop:
Code:
disabling IP forwarding... done.
unloading masquerading modules... done.
resetting default input rules to accept... done.
resetting default output rule to accept... done.
resetting default forward rule to accept... done.
flushing INPUT rules... done.
flushing OUTPUT rules... done.
flushing FORWARD rules... done.
removing user-defined chains...iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
done.
and the output of getenforce is disabled.

P.S.: Am I facing these issues because I'm behind a router? I think I had tried out the Perfect Server tutorial for ISPConfig 3 (for CentOS 5.3, if I remember correctly) a year back and it worked perfectly; at that time I was connected directly to the modem and I used the static (public) IP address for the entire installation process. This time around I used an internal IP because I would like to try out a multi-server setup, and well, I'm still stuck here. Hope this problem gets sorted out soon. Thanks a lot for helping me out here so patiently. (Would it work better if I used Debian instead, or am I just being hasty here and CentOS will work out just fine? I would definitely like my server setup to be online.)
What's the output of
Code: iptables -L
now? Does your router forward port 53 (TCP and UDP) to your server?
Output of iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Ports Forwarded on my router: