Bind logs

Discussion in 'Installation/Configuration' started by System_Owner, Aug 20, 2014.

  1. System_Owner

    System_Owner Member

    Can anyone tell me where I can find the BIND logs so I can see if DNS requests are hitting the box?

    The problem Im having is dns resolution from the outside. If I do a nslookup internally on a machine and use the ISPConfig Bind server, dns resolves for the domains Im checking. However, when I do the same dns lookup from outside using my public ip address, I see the traffic hitting the firewall and the firewall is allowing it but the client on the outside is never getting a response.

    So I want to check to see if dns queries are actually hitting the box because I dont see any response failures on the firewall.

    I actually sat here and did a tcpdump on the firewall and I see the ISPConfig DNS server, when it initiates traffic on port 53 going to the internet but when traffic comes into the firewall from the outside I never see a response from the ISPConfig server. I see the firewall forwarding the DNS traffice to the ISPConfig DNS server, but again, no response. I checked the server and I see port 53 listening, after all I can do NSLOOKUP´s against the server internally and they work.

    So Im a bit confused as to why its not working. Should the DNS server point to itself for dns or does that matter, as that server is pointing to for DNS. I know with Windows servers you normally point to itself for dns and then configure a dns forwarder.

    Any ideas??

    Last edited: Aug 20, 2014
  2. System_Owner

    System_Owner Member


    I found the logs in the SYSLOG file in /var/log

    However, Im seeing every DNS request being DENIED by the server. How do I get the server to stop denying DNS requests???

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    are you talking about a domain that you added as dns record on that server trough ispconfig or are you talking about reslving of a external domain from a external client trough your server.
  4. System_Owner

    System_Owner Member


    I´m referring to a dns zone that was created via ISPConfig.

    When a client somewhere out there on the internet does a nslookup query for a record in this zone, I see the request coming into my router, over to my firewall cluster, and then being forwarded to the server. However, the server doesnt log all the named requests, but for the ones that I do see they are always denied at the server.

    Therefore, DNS traffic is getting to the server but the server is not responding or its dropping the packets as being denied and so nothing is sent back to the client.

    Internally if I do a nslookup query from a client on my internal network, it responds without an issue. If I do the "dig @localhost any <domain>" it displays the info of the zone.

    So I baffled as to why external network clients are unable to query the server. Is there a specific ACL I need to add to allow external clients to query?? I have looked at several BIND dns articles and have tried many different things but it still wont work.

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    By default the external access to bind is not blocked, only resolving from external sources is blocked to prevent that you run a open resolver which can be misused for DOS attacks.
    But maybe yu used a OS base image from a provider that changed the defaults.

    Wich OS do you use?

    please check with:

    netstat -ntap

    if bind / named is listening on the external interface.

    As you see requests in the logs, I can assume that the firewall port is open for dns?
  6. System_Owner

    System_Owner Member



    As you can from below, /named is listening:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 x.x.x.x:53* LISTEN 14740/named
    tcp 0 0* LISTEN 14740/named

    As for the firewall port for tcp/udp 53, yes its open.

    It comes in to my router, it then gets port-forwarded to the firewalls. The firewall then takes the udp/53 traffic and nats the destination to the server.

    Here is a copy of one of the firewall logs that clearly shows the firewall is permitting the traffic on the External interface of the firewall and then Xlate the destination to be the SERVER1 and forwards the packets on to the server.

    Log Info

    Product Security Gateway/Management
    Date 21Aug2014
    Time 7:53:32
    Number 3723524
    Type Log
    Origin firewall01


    Source Source191.224.254.37
    Destination DestinationFIREWALL (x.x.x.x) <----External ip of the firewall
    Service domain-udp (53)
    Protocol udp
    Interface External
    Source Port 36705


    Policy Name <policy_name>
    Policy Date Tue Aug 19 23:44:18 2014
    Policy Management CMA


    Action Accept <------------------------ TRAFFIC ACCEPTED ON FIREWALL
    Rule 17
    Current Rule Number 17-<policy_name>
    Rule Name ---
    User ---


    Rule UID {D72AE1C2-CF8A-4D4F-A7A2-B665F58B2015}
    NAT rule number 17
    NAT additional rule number 1
    XlateDst SERVER1 (X.X.X.X) <-------IP of the Server
    Product Family Network
    Information service_id: domain-udp

    When I do the dig for one of the domains I get this:

    ; <<>> DiG 9.9.5-3-Ubuntu <<>> @localhost any <domain>.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19984
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4

    ; EDNS: version: 0, flags:; udp: 4096
    ; IN ANY

    <domain>.com. 3600 IN MX 10 mail.<domain>.com.
    <domain>.com. 3600 IN NS ns2.<domain>.com.
    <domain>.com. 3600 IN NS ns1.<domain>.com.
    <domain>.com. 3600 IN SOA ns1.<domain>. admin.<domain>.com. 2014082009 7200 540 604800 86400
    <domain>.com. 3600 IN A X.X.X.X

    mail.<domain>.com. 3600 IN A X.X.X.X
    ns1.<domain>.com. 86400 IN A X.X.X.X
    ns2.<domain>.com. 86400 IN A X.X.X.X

    ;; Query time: 0 msec
    ;; SERVER: ::1#53:):1)
    ;; WHEN: Thu Aug 21 08:05:23 BRT 2014
    ;; MSG SIZE rcvd: 214
  7. System_Owner

    System_Owner Member


    Oh I forgot to mention....Ubuntu 14.04.1 LTS
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the content of:


  9. System_Owner

    System_Owner Member


    Here ya go.

    options {
    directory "/var/cache/bind";

    // forwarders {
    // };

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion { any; };
    allow-recursion-on { any; };
    allow-query { any; };
    allow-query-cache { any; };

  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you altered that file already? The current cinfiguration is not secure as it allows everyone to misuse your server for DOS attacks. better cahnge it to:

    options {
    directory "/var/cache/bind";

    // forwarders {
    // };

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion {; };
    allow-recursion-on {; };
    allow-query { any; };


    But beside that, the config should be ok.

    Which exact error do you get in syslog? And can you send me the external IP of this system and the domain name that you created in the dns server (the one that you queried with dig @localhost) by pm?
  11. System_Owner

    System_Owner Member



    PM sent.
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The server is defiantely not responding but its not rejected. so it can be a issue on the network or firewall side. Can you try a:

    dig @serverip domain.tld

    on the server where serverip is the address that you have bound to the network interface of the server (e.g. eth0) to see if you get an response there.
  13. System_Owner

    System_Owner Member


    Sending another PM with the results of that.

  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if the domain is not a local zone. can you check in /etc/bind/ if the zone file for this domain has a .err ending and if the domain is listed in the file /etc/bind/named.conf.local
  15. System_Owner

    System_Owner Member



    The zone file is called pri.<domain>.com and it is included in the named.conf.local.

    ISPConfig, when i created the zone, named it with the .com and not the .err.
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats strange, then I dnt understand the:

    ;; WARNING: recursion requested but not available

    as ist suggests that bind tries to query a external server as if he dont know this domain. May you please try to restart the whole server. I had a case in the past where bind was haning in a way that it did not pick up any config changes anymore while not showing errors in the log as well.
  17. System_Owner

    System_Owner Member

    Sure, Ill go ahead and start a reboot.
  18. System_Owner

    System_Owner Member

    bind log

    Ok the server has been rebooted. I dont know if my cellphone is getting a good connection but i dont see any logs for NAMED when i try to do a dns query using my 3g connection.

    Can you try again?

  19. System_Owner

    System_Owner Member


    I PM´d you with a dump from the firewall.

Share This Page