Hi everyone, I have this problem. When I run the command

# dig www.xxx.com @192.168.XXX.XXX

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.xxx.com @192.168.XXX.XXX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28283
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.xxx.com. IN A

;; ANSWER SECTION:
www.xxx.com. 86400 IN A XXX.XXX.XXX.XXX

;; AUTHORITY SECTION:
xxx.com. 86400 IN NS ns1.xxx.com.
xxx.com. 86400 IN NS ns2.xxx.com.

;; Query time: 0 msec
;; SERVER: 192.168.XXX.XXX#53(192.168.XXX.XXX)
;; WHEN: Mon Jul 12 21:52:11 2010
;; MSG SIZE rcvd: 83

and when I run the command

# dig www.xxx.com @XXX.XXX.XXX.XXX (IP of the name server)

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.xxx.com @XXX.XXX.XXX.XXX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 54142
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.xxx.com. IN A

;; Query time: 1 msec
;; SERVER: XXX.XXX.XXX.XXX#53(XXX.XXX.XXX.XXX)
;; WHEN: Mon Jul 12 22:05:46 2010
;; MSG SIZE rcvd: 31

In the ISPConfig panel it gives me the error "Server MyDNS: out of line". Can anyone help me? CentOS 5.5 and ISPConfig 3.0
Looks as if your dns server is not listening on localhost (IP 127.0.0.1). Please post the output of the command: netstat -tap | grep dns
netstat -tap

# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:imaps                     *:*                         LISTEN      2856/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2856/dovecot
tcp        0      0 localhost.localdomain:10024 *:*                         LISTEN      2902/amavisd (maste
tcp        0      0 localhost.localdomain:10025 *:*                         LISTEN      2959/master
tcp        0      0 *:mysql                     *:*                         LISTEN      2818/mysqld
tcp        0      0 *:pop3                      *:*                         LISTEN      2856/dovecot
tcp        0      0 localhost.local:dyna-access *:*                         LISTEN      2734/clamd
tcp        0      0 *:imap                      *:*                         LISTEN      2856/dovecot
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2393/portmap
tcp        0      0 web.xxx.com:domain          *:*                         LISTEN      2365/named
tcp        0      0 *:ftp                       *:*                         LISTEN      3006/pure-ftpd (SER
tcp        0      0 *:918                       *:*                         LISTEN      2432/rpc.statd
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      2718/cupsd
tcp        0      0 *:smtp                      *:*                         LISTEN      2959/master
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      2365/named
tcp        0      0 *:imaps                     *:*                         LISTEN      2856/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2856/dovecot
tcp        0      0 *:pop3                      *:*                         LISTEN      2856/dovecot
tcp        0      0 *:imap                      *:*                         LISTEN      2856/dovecot
tcp        0      0 *:webcache                  *:*                         LISTEN      2990/httpd
tcp        0      0 *:http                      *:*                         LISTEN      2990/httpd
tcp        0      0 *:tproxy                    *:*                         LISTEN      2990/httpd
tcp        0      0 *:ftp                       *:*                         LISTEN      3006/pure-ftpd (SER
tcp        0      0 localhost6.localdoma:domain *:*                         LISTEN      2365/named
tcp        0      0 *:ssh                       *:*                         LISTEN      2705/sshd
tcp        0      0 localhost6.localdomain:rndc *:*                         LISTEN      2365/named
tcp        0      0 *:https                     *:*                         LISTEN      2990/httpd
tcp        0   2520 web.xxx.com:ssh             xx.Red-217-127-xxx.sta:nirp ESTABLISHED 19937/0
DNS replies OK on localhost. Good, the dig command now replies OK on localhost: dig www.xxxxx.com @localhost. BUT NOT FOR EXTERNAL REQUESTS FROM THE INTERNET: dig www.xxxxx.com @IP of ns1. The port in the firewall is OK, 53 tcp/udp. The NAT port in the router is OK, 53 tcp/udp. I have worked many hours and nothing. Can someone help me? Thanks.
I see this in the system log on the Monitor tab:

Jul 13 17:17:00 web named[31628]: client 66.249.xxx.xxx#59173: query (cache) 'something.org/A/IN' denied
Jul 13 17:17:04 web named[31628]: client 66.249.xxx.xxx#51912: query (cache) 'something.org/A/IN' denied
Jul 13 17:18:41 web named[31628]: client 210.19.xxx.xxx#1026: query 'any.com/MX/IN' denied
Jul 13 17:18:46 web named[31628]: client 218.248.xxx.xxx#3946: query 'any.com/MX/IN' denied
Jul 13 17:18:52 web named[31628]: client 218.248.xxx.xxx#26147: query 'any.com/MX/IN' denied
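As an added example (not code from the poster or from ISPConfig), here is a small Python parser for named "query ... denied" lines like the ones in the post above. It assumes the server is meant to be authoritative for xxx.com (the zone used in this thread) and works on a constructed log sample, so it runs offline. It separates denials that are expected on a server that restricts recursion (outsiders asking for names in other people's zones) from denials of the server's own hosted names, which are the symptom of the allow-query setting discussed in this thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines in the post above; the xxx-masked
# addresses are kept as the poster wrote them, and the 203.0.113.7 lines (a
# made-up client asking for the hosted zone) are added for contrast.
SAMPLE_LOG = """\
Jul 13 17:17:00 web named[31628]: client 66.249.xxx.xxx#59173: query (cache) 'something.org/A/IN' denied
Jul 13 17:17:04 web named[31628]: client 66.249.xxx.xxx#51912: query (cache) 'something.org/A/IN' denied
Jul 13 17:18:41 web named[31628]: client 210.19.xxx.xxx#1026: query 'any.com/MX/IN' denied
Jul 13 17:18:46 web named[31628]: client 218.248.xxx.xxx#3946: query 'any.com/MX/IN' denied
Jul 13 17:19:10 web named[31628]: client 203.0.113.7#40001: query 'www.xxx.com/A/IN' denied
Jul 13 17:19:11 web named[31628]: client 203.0.113.7#40002: query 'xxx.com/MX/IN' denied
Jul 13 17:19:12 web named[31628]: zone xxx.com/IN: loaded serial 2010071301
"""

# Zones this server is supposed to answer for (assumption: the xxx.com of the thread).
HOSTED_ZONES = ("xxx.com",)

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query (?P<cache>\(cache\) )?'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)' denied"
)

def in_hosted_zone(name, zones=HOSTED_ZONES):
    """True if name is the apex or a subdomain of one of our zones."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in zones)

def parse_denied(line, zones=HOSTED_ZONES):
    """Parse one 'query ... denied' line; return None for any other line."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["cache"] = rec["cache"] is not None   # '(cache)' = the answer would have needed the cache
    rec["kind"] = ("authoritative_denied" if in_hosted_zone(rec["name"], zones)
                   else "recursion_denied")
    return rec

def summarize(log_text, zones=HOSTED_ZONES):
    """Count denials by kind and by client, and list hosted names that were refused.

    recursion_denied     -> outsiders trying to use us as a resolver; denying is correct
    authoritative_denied -> our own zone refused to the world; allow-query is too tight
    """
    by_kind, by_client, refused_hosted = Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_denied(line, zones)
        if rec is None:
            continue
        by_kind[rec["kind"]] += 1
        by_client[rec["client"]] += 1
        if rec["kind"] == "authoritative_denied":
            refused_hosted.add(rec["name"])
    return {"by_kind": by_kind, "by_client": by_client,
            "refused_hosted": sorted(refused_hosted)}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for kind, n in s["by_kind"].items():
        print(f"{kind}: {n}")
    if s["refused_hosted"]:
        print("hosted names refused (check allow-query):", ", ".join(s["refused_hosted"]))
```

Run it against /var/log/messages (or the file named logs to under the chroot) instead of SAMPLE_LOG; a non-empty refused_hosted list means the world is being refused your own zones, while a stream of recursion_denied entries from unrelated addresses is the server correctly refusing to act as an open resolver.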
It looks like you haven't allowed authoritative requests from off your network. I don't use MyDNS or whatever ISPConfig uses for DNS, but if it's bind, have a look in your config at the options statement and check your external facing interface is in the listen-on list, and that allow-query (if it exists) lists who should be able to access it. Usually, you would want "any;" for a publicly accessible authoritative name server.
post the named.conf

# vi /var/named/chroot/etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    dump-file "/var/named/chroot/var/named/data/cache_dump.db";
    statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    recursion yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
"/var/named/chroot/etc/named.conf" 29L, 938C
need confirmation

Hi matty, I need to ask something. I have a VPS that I use as nameserver and webserver. My website on my VPS couldn't be accessed before. I registered my nameserver with my domain provider and assigned the domain's nameserver to my nameserver. I waited for a week and it didn't work. At first I thought it was because my nameserver (in this case my VPS) had to be added to the global registry of my domain provider, according to some howto article. So I tried to contact my domain provider, but they said I must ask the VPS provider, and the VPS provider said I must ask the domain provider. Then I also found out that in order to check the DNS is running and accessible, one should be able to telnet to the server IP at port 53. I tried this but couldn't connect. After I read this thread, you suggested changing the parameter in named.conf. I tried it and it works like a charm. My website can be accessed now. What I want to ask is: Is it OK to make this change? I mean, is it secure or anything? Because I followed the perfect server guide and the guide says nothing about this. The guide just puts localhost or 127.0.0.1 in the parameter. Thanks.
Yes, it's fine for a server that needs zones to be publicly accessible. It's important to understand a couple of concepts about name servers. When you host a zone, the name server becomes an authoritative name server. That is, your name servers are the only ones in the world that can answer queries authoritatively (meaning it has the exact, non-cached answer) for that zone. Because we're running ISPConfig, we probably want everyone in the world to be able to ask our nameservers about the zones we host, so that they can see the sites and services we host. To enable that, we need to set bind to allow queries from any(where).

    allow-query { any; };

The other main function of name servers is to do the work of querying other name servers that host other people's zones, so that we can connect to their sites and services. This is a function known as recursion. That is, we ask our name server to find out the address of a site, and it then goes and makes multiple queries until it obtains an answer (or fails) and then passes that answer back to your computer. It's best practice to only allow your name server to perform recursive lookups for computers you control or trust, and not allow everybody on the 'net to use your name server in that way. So you tell bind who is allowed to do recursion. In this example, use your own networks, and don't forget to allow localhost so the nameserver can access its own service. An ISP would probably allow the IP ranges of its user base.

    allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };

The other parameter I mentioned, listen-on, tells bind to only answer queries it receives on the specified network interfaces. If it is left as localhost/127.0.0.1, it will ignore queries from anywhere but itself.

    listen-on { any; };

Advanced users may have a need to do things a little differently to the examples above, but these will suit 99% of us that use ISPConfig to host publicly accessible DNS zones and web/email servers.
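As an added example (not matty's code and not part of ISPConfig), here is a small Python checker for the three options just discussed. It assumes a named.conf laid out like the ones in this thread (an options block containing listen-on, allow-query, allow-recursion and recursion) and runs against two constructed configs: the caching-only localhost defaults posted earlier, and the same server with the settings recommended above. It reports the two symptoms from this thread (not listening on the outside interface, refusing the world for hosted zones) and the opposite mistake of leaving recursion open to everyone.

```python
import re

# Constructed sample 1: the Red Hat caching-only defaults posted earlier in this thread.
BEFORE_CONF = """\
// named.conf (caching-only defaults)
options {
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    allow-query { localhost; };
    recursion yes;
};
logging {
    channel default_debug { file "data/named.run"; severity dynamic; };
};
"""

# Constructed sample 2: the same server with the settings recommended above.
AFTER_CONF = """\
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    allow-query { any; };
    allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };  # our own networks only
    recursion yes;
};
"""

LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def strip_comments(text):
    """Remove /* */, // and # comments (all three are valid in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } statement."""
    text = strip_comments(text)
    m = re.search(r"\boptions\s*\{", text)
    if m is None:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")

ACL_RE = re.compile(
    r"\b(listen-on(?:-v6)?|allow-query|allow-recursion)\b(?:\s+port\s+\d+)?\s*\{([^}]*)\}"
)

def parse_options(text):
    """Extract the address-match lists and the recursion flag from options {}."""
    body = options_block(text)
    opts = {}
    for key, inner in ACL_RE.findall(body):
        opts[key] = [t.strip() for t in inner.split(";") if t.strip()]
    m = re.search(r"\brecursion\s+(yes|no)\b", body)
    opts["recursion"] = m.group(1) if m else "yes"   # BIND's default is yes
    return opts

def audit(text):
    """Return human-readable findings about reachability and recursion settings."""
    o = parse_options(text)
    findings = []
    listen = o.get("listen-on", ["any"])       # absent = all interfaces
    if set(listen) <= LOCAL_ONLY:
        findings.append("listen-on is localhost only: nothing outside the box can reach port 53")
    query = o.get("allow-query", ["any"])      # absent = any
    if set(query) <= LOCAL_ONLY:
        findings.append("allow-query is localhost only: external queries for hosted zones get REFUSED")
    if o["recursion"] == "yes":
        rec = o.get("allow-recursion")
        if rec is None and "any" in query:
            findings.append("recursion yes, allow-query any, no allow-recursion: restrict recursion to your own networks")
        elif rec is not None and "any" in rec:
            findings.append("allow-recursion any: this is an open resolver; list only networks you control")
    return findings

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(label, "->", audit(conf) or ["OK"])
```

Feed it the real file (open("/var/named/chroot/etc/named.conf").read()) and then confirm from a host outside your network with dig @your-ns that a hosted name answers with status NOERROR and the aa flag, while a name you don't host comes back REFUSED.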
There's quite a few perfect server guides. I'm sure falko and till would appreciate feedback that could be used to improve them. Could you point out which one you used?
nice explanation

Thanks a lot. That explains everything that has happened. I used CentOS 5.5 (32 bit) with ISPConfig 3.0.2.2 according to this guide by falko: http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-2 But I think almost all the guides still use a named.conf which points queries to localhost or 127.0.0.1. Maybe they hope that we'll be able to change it according to our needs, but some people still don't know about this concept. Thank you everyone!
This tutorial is for ISPConfig 2 and therefore incompatible with ISPConfig 3. For ISPConfig 3, you should've used this guide: http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-3
this is my named.conf now. It runs OK for internet requests.

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/chroot/var/named";
    dump-file "/var/named/chroot/var/named/data/cache_dump.db";
    statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion no;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.root";
};
include "/var/named/chroot/etc/named.conf.local";

This configuration runs OK for a little internet web server. Falko, is this a security problem? Is this a security hole? My server runs CentOS 5.5 and the last stable ISPConfig 3. With the configuration from the guide http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-3 it doesn't work OK for internet requests. It doesn't show the web pages. Why?
wrong url

Sorry Falko, I posted the wrong url; I really do use ISPConfig 3. This is the url: http://www.howtoforge.com/perfect-server-centos-5.5-x86_64-ispconfig-3 But, as you can see, the problem is still the same. Do you think matty is right? Do listen-on port 53 and allow-query need to be set to { any; }? I don't know, maybe you have the right answer. Anyway, thanks.