Bind logs

Discussion in 'Installation/Configuration' started by System_Owner, Aug 20, 2014.

  1. System_Owner

    System_Owner Member

    Can anyone tell me where I can find the BIND logs so I can see if DNS requests are hitting the box?

    The problem I'm having is DNS resolution from the outside. If I do an nslookup internally on a machine and use the ISPConfig BIND server, DNS resolves for the domains I'm checking. However, when I do the same DNS lookup from outside using my public IP address, I see the traffic hitting the firewall and the firewall is allowing it, but the client on the outside is never getting a response.

    So I want to check to see if DNS queries are actually hitting the box, because I don't see any response failures on the firewall.

    I actually sat here and did a tcpdump on the firewall and I see the ISPConfig DNS server when it initiates traffic on port 53 going to the internet, but when traffic comes into the firewall from the outside I never see a response from the ISPConfig server. I see the firewall forwarding the DNS traffic to the ISPConfig DNS server, but again, no response. I checked the server and I see port 53 listening; after all, I can do nslookups against the server internally and they work.

    So I'm a bit confused as to why it's not working. Should the DNS server point to itself for DNS, or does that matter, as that server is pointing to 8.8.8.8 for DNS? I know with Windows servers you normally point to itself for DNS and then configure a DNS forwarder.

    Any ideas?

    Thanks.
     
    Last edited: Aug 20, 2014
  2. System_Owner

    System_Owner Member

    Update:

    I found the logs in the syslog file in /var/log.

    However, I'm seeing every DNS request being DENIED by the server. How do I get the server to stop denying DNS requests?


    Thanks.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you talking about a domain that you added as a DNS record on that server through ISPConfig, or are you talking about resolving an external domain from an external client through your server?
     
  4. System_Owner

    System_Owner Member

    Till,

    I'm referring to a DNS zone that was created via ISPConfig.

    When a client somewhere out there on the internet does an nslookup query for a record in this zone, I see the request coming into my router, over to my firewall cluster, and then being forwarded to the server. However, the server doesn't log all the named requests, but the ones that I do see are always denied at the server.

    Therefore, DNS traffic is getting to the server, but the server is not responding, or it's dropping the packets as denied and so nothing is sent back to the client.

    Internally, if I do an nslookup query from a client on my internal network, it responds without an issue. If I do "dig @localhost any <domain>" it displays the info of the zone.

    So I'm baffled as to why external network clients are unable to query the server. Is there a specific ACL I need to add to allow external clients to query? I have looked at several BIND DNS articles and have tried many different things, but it still won't work.

    Thanks.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    By default, external access to BIND is not blocked; only resolving from external sources is blocked, to prevent you from running an open resolver, which can be misused for DoS attacks.
    But maybe you used an OS base image from a provider that changed the defaults.

    Which OS do you use?

    please check with:

    netstat -ntap

    whether bind / named is listening on the external interface.

    As you see requests in the logs, I can assume that the firewall port is open for DNS?
     
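The "denied" lines the original poster sees in syslog and the explanation above (recursion is refused for outside clients, queries for hosted zones are not) can be told apart mechanically. The following is an added example, not code from the forum thread, ISPConfig or BIND: it parses BIND 9.9-style `query ... denied` syslog lines, reads the zone names out of a named.conf.local-style text, and flags only those denials that hit a zone the server is supposed to serve. The log lines and the zone snippet are constructed for the example; the exact log message layout and the zone-statement layout are assumptions, not taken from the poster's server.

```python
"""Classify BIND 'query ... denied' syslog lines.

Added example, not part of the forum thread. A denial for a name the server
does not host is the expected open-resolver protection; a denial for a name
under a zone listed in named.conf.local is a real problem.
"""
import re

# BIND 9.9-style message (assumed layout). The parenthesised qname after the
# client address is optional because older versions omit it.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query \((?P<kind>[^)]+)\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied"
)

# zone "example.com" { ... }; as ISPConfig-style named.conf.local declares it (assumed layout)
ZONE_RE = re.compile(r'zone\s+"(?P<zone>[^"]+)"')

# Constructed sample input: one hosted zone and four syslog lines.
NAMED_CONF_LOCAL = '''
zone "example.com" {
        type master;
        allow-transfer {none;};
        file "/etc/bind/pri.example.com";
};
'''

LOG_LINES = [
    "Aug 21 07:53:32 server1 named[14740]: client 198.51.100.7#36705 (google.com): query (cache) 'google.com/A/IN' denied",
    "Aug 21 07:53:40 server1 named[14740]: client 198.51.100.7#36706 (www.example.com): query (cache) 'www.example.com/A/IN' denied",
    "Aug 21 07:53:41 server1 named[14740]: client 198.51.100.7#36707: query (cache) 'mail.example.com/MX/IN' denied",
    "Aug 21 07:53:50 server1 named[14740]: client 198.51.100.7#36708 (example.com): query: example.com IN A - (203.0.113.5)",
]


def parse_zones(named_conf_local):
    """Return the set of zone names declared in a named.conf.local-style text."""
    return {m.group("zone").rstrip(".").lower() for m in ZONE_RE.finditer(named_conf_local)}


def hosted_zone_for(qname, zones):
    """Return the hosted zone that qname falls under (longest match), or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def classify(log_lines, zones):
    """Yield (qname, client, verdict) for every denied query found in log_lines."""
    for line in log_lines:
        m = DENIED_RE.search(line)
        if not m:
            continue  # not a denial (e.g. an ordinary query log line)
        qname = m.group("qname")
        client = "%s#%s" % (m.group("ip"), m.group("port"))
        zone = hosted_zone_for(qname, zones)
        if zone is None:
            verdict = "expected: recursion refused for non-hosted name"
        else:
            verdict = "PROBLEM: query for hosted zone %s was refused" % zone
        yield qname, client, verdict


def report(log_lines=None, named_conf_local=NAMED_CONF_LOCAL):
    """Run the classifier over the sample (or supplied) lines and return a list."""
    zones = parse_zones(named_conf_local)
    return list(classify(LOG_LINES if log_lines is None else log_lines, zones))


if __name__ == "__main__":
    for qname, client, verdict in report():
        print("%-20s %-22s %s" % (qname, client, verdict))
```

In practice you would feed it `grep denied /var/log/syslog` on stdin and the real named.conf.local. The "PROBLEM" verdicts are the only ones worth chasing; the "expected" ones are the server declining to be an open resolver.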
  6. System_Owner

    System_Owner Member

    Bind

    Till

    As you can see from below, named is listening:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 x.x.x.x:53 0.0.0.0:* LISTEN 14740/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 14740/named

    As for the firewall port for tcp/udp 53, yes, it's open.

    It comes in to my router, it then gets port-forwarded to the firewalls. The firewall then takes the udp/53 traffic and NATs the destination to the server.

    Here is a copy of one of the firewall logs that clearly shows the firewall permitting the traffic on the External interface of the firewall, then Xlating the destination to SERVER1 and forwarding the packets on to the server.


    Log Info

    Product Security Gateway/Management
    Date 21Aug2014
    Time 7:53:32
    Number 3723524
    Type Log
    Origin firewall01

    Traffic

    Source 191.224.254.37
    Destination FIREWALL (x.x.x.x) <----External ip of the firewall
    Service domain-udp (53)
    Protocol udp
    Interface External
    Source Port 36705

    Policy

    Policy Name <policy_name>
    Policy Date Tue Aug 19 23:44:18 2014
    Policy Management CMA

    Rule

    Action Accept <------------------------ TRAFFIC ACCEPTED ON FIREWALL
    Rule 17
    Current Rule Number 17-<policy_name>
    Rule Name ---
    User ---

    More

    Rule UID {D72AE1C2-CF8A-4D4F-A7A2-B665F58B2015}
    NAT rule number 17
    NAT additional rule number 1
    XlateDst SERVER1 (X.X.X.X) <-------IP of the Server
    Product Family Network
    Information service_id: domain-udp


    When I do the dig for one of the domains I get this:

    ; <<>> DiG 9.9.5-3-Ubuntu <<>> @localhost any <domain>.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19984
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;brasileiroparadise.com. IN ANY

    ;; ANSWER SECTION:
    <domain>.com. 3600 IN MX 10 mail.<domain>.com.
    <domain>.com. 3600 IN NS ns2.<domain>.com.
    <domain>.com. 3600 IN NS ns1.<domain>.com.
    <domain>.com. 3600 IN SOA ns1.<domain>. admin.<domain>.com. 2014082009 7200 540 604800 86400
    <domain>.com. 3600 IN A X.X.X.X

    ;; ADDITIONAL SECTION:
    mail.<domain>.com. 3600 IN A X.X.X.X
    ns1.<domain>.com. 86400 IN A X.X.X.X
    ns2.<domain>.com. 86400 IN A X.X.X.X

    ;; Query time: 0 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Thu Aug 21 08:05:23 BRT 2014
    ;; MSG SIZE rcvd: 214
     
  7. System_Owner

    System_Owner Member

    Bind

    Oh, I forgot to mention: Ubuntu 14.04.1 LTS.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the content of the file:

    /etc/bind/named.conf.options
     
  9. System_Owner

    System_Owner Member

    Till,

    Here ya go.

    ====================
    options {
    directory "/var/cache/bind";

    // forwarders {
    // 8.8.8.8;
    // };

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion { any; };
    allow-recursion-on { any; };
    allow-query { any; };
    allow-query-cache { any; };

    };
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you altered that file already? The current configuration is not secure, as it allows everyone to misuse your server for DoS attacks. Better change it to:

    options {
    directory "/var/cache/bind";

    // forwarders {
    // 8.8.8.8;
    // };

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion { 127.0.0.1; };
    allow-recursion-on { 127.0.0.1; };
    allow-query { any; };

    };

    But besides that, the config should be OK.

    Which exact error do you get in syslog? And can you send me the external IP of this system and the domain name that you created in the DNS server (the one that you queried with dig @localhost) by PM?
     
  11. System_Owner

    System_Owner Member

    Bind

    Till,

    PM sent.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The server is definitely not responding, but it's not rejected, so it can be an issue on the network or firewall side. Can you try a:

    dig @serverip domain.tld

    on the server, where serverip is the address that you have bound to the network interface of the server (e.g. eth0), to see if you get a response there.
     
  13. System_Owner

    System_Owner Member

    Till

    Sending another PM with the results of that.

    Thanks.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if the domain is not a local zone. Can you check in /etc/bind/ if the zone file for this domain has a .err ending, and if the domain is listed in the file /etc/bind/named.conf.local?
     
  15. System_Owner

    System_Owner Member

    bind

    Till,

    The zone file is called pri.<domain>.com and it is included in named.conf.local.

    ISPConfig, when I created the zone, named it with the .com and not the .err.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    That's strange, then I don't understand the:

    ;; WARNING: recursion requested but not available

    as it suggests that BIND tries to query an external server as if it doesn't know this domain. Could you please try to restart the whole server? I had a case in the past where BIND was hanging in a way that it did not pick up any config changes anymore, while not showing errors in the log either.
     
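The warning quoted above is worth decoding precisely, because it is easy to over-read. dig prints "recursion requested but not available" whenever the response has RD set (echoed from the query) and RA clear; with the `allow-recursion { 127.0.0.1; }` configuration shown earlier in this thread, every external client will see it, even for a zone the server hosts perfectly well. What actually tells you whether the zone is loaded is the `aa` flag, the RCODE and the answer count. The following is an added example, not code from the forum thread, ISPConfig or BIND: it builds a query the way dig does (one question, RD set), decodes the header flags of three constructed responses, and returns the same flags line and warning dig would show. The response byte strings are constructed here, not captures from the poster's server, and the verdict wording is this example's own.

```python
"""Decode the DNS header flags behind dig's 'flags:' line and its
'recursion requested but not available' warning.

Added example, not part of the forum thread or of ISPConfig/BIND. The
responses are constructed byte strings (RFC 1035 wire format), not captures.
"""
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(qname):
    """Wire-format owner name: length-prefixed labels, root terminator."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, qid=0x1234, rd=True):
    """A query as dig sends it by default: one question, RD set."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, flags, rcode=0, answers=()):
    """Constructed server reply: echo the question, then A records for each IP."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, QR | flags | rcode, 1, len(answers), 0, 0)
    rrs = b""
    for ip in answers:
        # 0xC00C = compression pointer to offset 12 (the question name);
        # then TYPE A, CLASS IN, TTL 3600, RDLENGTH 4, four address octets.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
        rrs += bytes(int(o) for o in ip.split("."))
    return header + question + rrs


def interpret(query, response):
    """Return dig's flag picture plus the verdict a troubleshooter needs."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    info = {
        "id_match": qid == struct.unpack("!H", query[:2])[0],
        "flags": [n for n, bit in (("qr", QR), ("aa", AA), ("tc", TC),
                                   ("rd", RD), ("ra", RA)) if flags & bit],
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "answers": an,
        "warnings": [],
    }
    # dig's check: RD echoed in the response but RA not offered.
    if flags & RD and not flags & RA:
        info["warnings"].append("recursion requested but not available")
    if flags & AA:
        info["verdict"] = "authoritative answer: the zone is loaded on this server"
    elif flags & RA:
        info["verdict"] = "recursion offered: this client may use the server as a resolver"
    else:
        info["verdict"] = "not authoritative and no recursion: zone not loaded, or name not hosted here"
    return info


# Constructed exchanges: what an outside client sees in three situations.
QUERY = build_query("example.com")
AUTHORITATIVE = build_response(QUERY, AA | RD, answers=("203.0.113.5",))   # hosted zone, recursion off
REFUSED = build_response(QUERY, RD, rcode=5)                               # unknown zone, recursion off
OPEN_RESOLVER = build_response(QUERY, RD | RA, answers=("203.0.113.5",))   # allow-recursion { any; }


def demo():
    """Interpret all three constructed responses; returns a dict keyed by case."""
    return {name: interpret(QUERY, resp) for name, resp in
            (("authoritative", AUTHORITATIVE), ("refused", REFUSED),
             ("open_resolver", OPEN_RESOLVER))}


if __name__ == "__main__":
    for name, info in demo().items():
        print("%-14s flags: %-12s %-8s ANSWER: %d  %s" % (
            name, " ".join(info["flags"]), info["rcode"], info["answers"], info["verdict"]))
        for w in info["warnings"]:
            print("               ;; WARNING: %s" % w)
```

Note that the "authoritative" case carries the warning too: from outside, `flags: qr aa rd` with `status: NOERROR` and a non-empty ANSWER section is the healthy result for a hosted zone under the hardened config. Only `REFUSED` or `NOERROR` with no `aa` and no answers points at a zone that is not loaded, which is the `.err` file / named.conf.local check suggested above.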
  17. System_Owner

    System_Owner Member

    Sure, I'll go ahead and start a reboot.
     
  18. System_Owner

    System_Owner Member

    bind log

    OK, the server has been rebooted. I don't know if my cellphone is getting a good connection, but I don't see any logs for named when I try to do a DNS query using my 3G connection.

    Can you try again?

    Thanks.
     
  19. System_Owner

    System_Owner Member

    Till,

    I PM'd you with a dump from the firewall.
     