bind possible network issue?

Discussion in 'Server Operation' started by d0cipx, Apr 27, 2008.

  1. d0cipx

    d0cipx New Member

    THE SETUP:

    Basically what's happening is that I have a static IP address for my DSL. I'm using a Cisco 877 ADSL router as my router and my DSL modem all in one.
    I do not at this time have any access list on there, so everything is permit any any. I do have NAT, or better PAT aka hide-NAT, set up on the router; meaning it looks like this:
    ip nat inside source static tcp 172.30.115.75 53 76.225.177.54 53 extendable
    ip nat inside source static udp 172.30.115.75 53 76.225.177.54 53 extendable

    With regard to port 53 being for my DNS. (I know this is set up correctly to forward all incoming requests from my WAN IP address to my internal server address because I have other statements doing this for other services and it works.)
    So all dns traffic should be forwarded to my dns server.

    I also have apache2 setup and running 2 different web pages; which are correctly registered and pointing to my server for dns.

    I have BIND 9.4.2 chrooted running on my Debian lenny box (I know lenny is testing, and there is a small chance that could be my problem, but continuing on...)
     
    Last edited: Apr 27, 2008
  2. d0cipx

    d0cipx New Member

    The Problem:

    The problem is that my DNS server is not resolving ANY queries, however you want to spell it. (Forgive me, I'm horrible at spelling.)

    I've been using www.network-tools.com advanced DNS search/query to try and get a response back from my server and I get nothing but time out or failed.

    When I run ngrep I watch as the server receives the query from my router, which got it from the web site; then I watch my server send back a reply, and somewhere it's dropped and never reaches the web site.

    I ran Wireshark once, and although I am not sure if this is still happening, I did see something once in the capture file describing "BAD CHECKSUM" for both UDP and TCP.

    After searching online, TCP is required, UDP is not required but recommended for security.
    I can sort of see how it could be a bad checksum, but the NAT translation should correct that, shouldn't it?

    I am not even sure if the checksum issue IS what's causing my dns server or my router to drop the packets on their way out. But that's the only potential error I have to go off of.

    I have recently used ethtool and turned off checksum offloading on my NIC, but still no help.

    The problem may be something completely different; I'm just not sure what to do at this point.

    I found this online and it may very well be exactly what is happening, but I do not have a packet.c anywhere that I can locate on my system; therefore, I am unable to edit it and correct the source.
    http://permalink.gmane.org/gmane.linux.debian.devel.bugs.general/375502

    Please any help regarding this is greatly appreciated. I have been working on this for months now without being able to figure out the next step.

    Regards,
    -Shawn
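
An added example, not from the thread, on the checksum question raised above: the UDP checksum covers a pseudo-header containing both IP addresses, so a reply that named checksummed for source 172.30.115.75 is only valid on the wire once the router's static NAT recomputes it for 76.225.177.54. The querier address 198.51.100.10 and the 12-byte DNS reply are constructed values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum: src, dst, zero, protocol 17, UDP length."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return ip(src_ip) + ip(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP segment whose checksum is valid for exactly this src_ip/dst_ip pair."""
    length = 8 + len(payload)
    unchecked = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + unchecked)
    return struct.pack("!HHHH", src_port, dst_port, length, csum or 0xFFFF) + payload  # 0 is sent as 0xFFFF

def udp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header plus the whole segment must sum to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def nat_rewrite_src(segment: bytes, new_src: str, dst_ip: str) -> bytes:
    """What a correct NAT/PAT does on the way out: rewrite the address and recompute the checksum."""
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return build_udp(new_src, dst_ip, src_port, dst_port, segment[8:])

# Constructed values: the thread's inside (172.30.115.75) and public (76.225.177.54) addresses,
# a querier in the documentation range, and a minimal 12-byte DNS reply header (QR=1, RCODE=0).
INSIDE, PUBLIC, QUERIER = "172.30.115.75", "76.225.177.54", "198.51.100.10"
DNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, 0, 0)

def demo():
    """(valid as sent by named, valid if NAT rewrote only the address, valid after a proper rewrite)."""
    reply = build_udp(INSIDE, QUERIER, 53, 40000, DNS_REPLY)
    return (udp_checksum_ok(INSIDE, QUERIER, reply),
            udp_checksum_ok(PUBLIC, QUERIER, reply),
            udp_checksum_ok(PUBLIC, QUERIER, nat_rewrite_src(reply, PUBLIC, QUERIER)))
```

A "bad checksum" seen in a capture taken on the sending host itself is usually the NIC's checksum offload filling in the field after the packet was captured, which is why disabling offload with ethtool is the standard way to rule that out.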
     
  3. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    netstat -tap
    ? Are there any errors in your logs?
     
  4. d0cipx

    d0cipx New Member

    Sorry it's taken so long for a response; we moved/bought a house and the IP changed, thus a lot of config stuff. You requested the output of netstat -tap;
    here it is:

    shinra:/# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:afpovertcp *:* LISTEN 4054/afpd
    tcp 0 0 *:swat *:* LISTEN 4063/inetd
    tcp 0 0 localhost:mysql *:* LISTEN 3798/mysqld
    tcp 0 0 *:netbios-ssn *:* LISTEN 4145/smbd
    tcp 0 0 *:ircd *:* LISTEN 4020/dancer-ircd
    tcp 0 0 *:pop3 *:* LISTEN 26753/dovecot
    tcp 0 0 *:imap2 *:* LISTEN 26753/dovecot
    tcp 0 0 shinra.x90its.co:domain *:* LISTEN 3684/named
    tcp 0 0 localhost:domain *:* LISTEN 3684/named
    tcp 0 0 *:smtp *:* LISTEN 4127/master
    tcp 0 0 localhost:5433 *:* LISTEN 3906/postgres
    tcp 0 0 localhost:953 *:* LISTEN 3684/named
    tcp 0 0 *:microsoft-ds *:* LISTEN 4145/smbd
    tcp 0 0 shinra.x90:microsoft-ds 172.30.115.99:3481 ESTABLISHED 3355/smbd
    tcp6 0 0 [::]:6668 [::]:* LISTEN 4004/bitlbee
    tcp6 0 0 [::]:www [::]:* LISTEN 4388/apache2
    tcp6 0 0 ip6-localhost:953 [::]:* LISTEN 3684/named
    tcp6 0 0 [::]:https [::]:* LISTEN 3715/sshd
    tcp6 0 148 shinra.x90its.com:https XX.XX.XX.X%214484:11498 ESTABLISHED 27883/sshd: d0cipx
     
  5. falko

    falko Super Moderator ISPConfig Developer

    Ok, BIND is running. Can you post the contents of /etc/hosts and the output of
    Code:
    ifconfig
    ?
     
  6. d0cipx

    d0cipx New Member

    The following is my output from the commands you asked for:

    d0cipx@shinra:~$ cat /etc/hosts
    127.0.0.1 localhost
    172.30.115.75 shinra.x90its.com shinra
    172.30.115.65 navix.x90its.com navix
    172.30.115.50 cloud.x90its.com cloud


    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts


    d0cipx@shinra:~$ sudo ifconfig
    eth1 Link encap:Ethernet HWaddr 00:17:31:37:9b:7d
    inet addr:172.30.115.75 Bcast:172.30.115.255 Mask:255.255.255.0
    inet6 addr: fe80::217:31ff:fe37:9b7d/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1136508 errors:0 dropped:0 overruns:0 frame:0
    TX packets:887406 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:824963071 (786.7 MiB) TX bytes:106781983 (101.8 MiB)
    Interrupt:16

    eth2 Link encap:Ethernet HWaddr 00:1b:11:c0:7e:8d
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:19

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:29202 errors:0 dropped:0 overruns:0 frame:0
    TX packets:29202 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11352687 (10.8 MiB) TX bytes:11352687 (10.8 MiB)
     
  7. falko

    falko Super Moderator ISPConfig Developer

    Looks ok.

    I'm getting a REFUSED when I try to query your BIND:

    Code:
    http2:~# dig @shinra.x90its.com google.com
    
    ; <<>> DiG 9.3.4 <<>> @shinra.x90its.com google.com
    ; (2 servers found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 11366
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;google.com.                    IN      A
    
    ;; Query time: 149 msec
    ;; SERVER: 99.173.163.70#53(99.173.163.70)
    ;; WHEN: Sun May 18 16:39:47 2008
    ;; MSG SIZE  rcvd: 28
    
    http2:~#
    What's in your named.conf?
     
  8. d0cipx

    d0cipx New Member

    This is my named.conf file:

    shinra:/chroot/named/etc/bind# cat named.conf
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    zone "x90its.com" {
        type master;
        file "/etc/bind/x90its.db";
        forwarders {};
        allow-query { any; };
    };

    zone "burrellfishing.com" {
        type master;
        file "/etc/bind/burrellfishing.db";
        forwarders {};
        allow-query { any; };
    };

    zone "swamphawglures.com" {
        type master;
        file "/etc/bind/swamphawglures.db";
        forwarders {};
        allow-query { any; };
    };

    include "/etc/bind/named.conf.local";
     
  9. d0cipx

    d0cipx New Member

    I have changed my configs a little to roughly match how it's done on the below link:
    http://www.debian-administration.org/articles/355


    my new named.conf file looks like this:

    shinra:/chroot/named/etc/bind# cat named.conf
    include "/etc/bind/named.conf.options";

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    include "/etc/bind/named.conf.local";



    my named.conf.local file:

    shinra:/chroot/named/etc/bind# cat named.conf.local
    //
    // Do any local configuration here
    //

    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";

    acl internals {
        127.0.0.0/8;
        10.10.10.0/24;
        172.30.115.0/24;
    };

    view "internal" {
        match-clients { internals; };
        match-destinations { internals; };
        recursion yes;

        zone "localhost" {
            type master;
            file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
        };

        zone "x90its.com" {
            type master;
            file "/etc/bind/internal/int.x90its.db";
        };
    };

    view "external" {
        match-clients { any; };
        match-destinations { any; };
        recursion no;

        zone "." {
            type hint;
            file "/etc/bind/db.root";
        };

        zone "x90its.com" {
            type master;
            file "/etc/bind/external/ext.x90its.db";
            forwarders {};
            allow-query { any; };
        };

        zone "burrellfishing.com" {
            type master;
            file "/etc/bind/external/burrellfishing.db";
            forwarders {};
            allow-query { any; };
        };

        zone "swamphawglures.com" {
            type master;
            file "/etc/bind/external/swamphawglures.db";
            forwarders {};
            allow-query { any; };
        };
    };



    my named.conf.options file:

    shinra:/chroot/named/etc/bind# cat named.conf.options
    options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below. Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        //forwarders {
        //    68.94.156.1;
        //    68.94.157.1;
        //};

        auth-nxdomain no; # conform to RFC1035
        //listen-on-v6 { any; };
        listen-on port 53 { any; };
    };
     
  10. d0cipx

    d0cipx New Member

    Basically I just had a buddy who works at Red Hat jump on my server; the files that I have posted on here have been modified very slightly, and BIND is up and running resolving local queries on the LAN, and there are absolutely no errors anywhere.

    The problem is that I still haven't got anywhere; it's still pointing back to a network issue. I can run ngrep -d any 53, go to www.network-tools.com and do their advanced DNS lookup on my server.

    My server will show (by using ngrep) the request come into the server and the server send back the info,
    but the web site says "timed out" rather than the info that the server attempted to send back.

    It's looking more and more like either an issue with my router/config,
    and worst case it's with the ISP, SBCGlobal, who uses AT&T.

    If anyone can think of anything else or needs any more information from me, just ask.

    Thank you everyone for staying with me this far.
     
