Okay, I understand that I am one of many users writing here about this, but it doesn't work even though I have read all the threads. So here is my situation: standalone server behind a router; I opened port 53 to the server so DNS queries can go through:

cat named.conf
Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

cat named.conf.options
Code:
cat named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk. See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	forwarders { 8.8.8.8; 8.8.4.4; };
	allow-query { any; };
	allow-recursion { 127.0.0.1; };
	allow-query-cache { any; };
	listen-on { any; };
};

iptables -L
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

dig myhost.com
Code:
; <<>> DiG 9.9.5-3-Ubuntu <<>> myhost.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64473
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myhost.com.			IN	A

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Oct 13 22:14:21 EEST 2014
;; MSG SIZE  rcvd: 42

netstat -tap | grep named
Code:
tcp        0      0 192.168.1.101:domain    *:*                     LISTEN      3933/named
tcp        0      0 localhost:domain        *:*                     LISTEN      3933/named
tcp        0      0 localhost:953           *:*                     LISTEN      3933/named
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      3933/named
tcp6       0      0 localhost:953           [::]:*                  LISTEN      3933/named

grep named /var/log/syslog
Code:
Oct 12 18:52:11 myhost named[28696]: client 66.249.66.121#62131 (myhost.com): query (cache) 'myhost.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 74.125.46.18#59853 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 74.125.74.144#45484 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 74.125.46.84#39630 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 111.175.223.222#48446 (cdftnbmgmjp.www.17175.com): query (cache) 'cdftnbmgmjp.www.17175.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 11.27.118.222#35604 (czykawgatzj.www.17175.com): query (cache) 'czykawgatzj.www.17175.com/A/IN' denied
Oct 12 18:52:15 myhost named[28696]: client 93.183.205.110#25700 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied
Oct 12 18:52:15 myhost named[28696]: client 93.183.205.110#24021 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.46.83#59038 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.74.148#53230 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.46.84#58975 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 173.194.98.148#47421 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 173.194.98.144#57333 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.46.18#46128 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.46.82#34046 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.74.147#39999 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.74.146#53566 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:17 myhost named[28696]: client 93.183.205.110#41689 (ns1.myhost.com): query (cache) 'ns1.myhost.com/AAAA/IN' denied
Oct 12 18:52:17 myhost named[28696]: client 93.183.205.110#2369 (ns1.myhost.com): query (cache) 'ns1.myhost.com/AAAA/IN' denied
Oct 12 18:52:17 myhost named[28696]: client 88.93.228.117#37681 (gvtjmkaaqil.www.17175.com): query (cache) 'gvtjmkaaqil.www.17175.com/A/IN' denied
Oct 12 18:52:17 myhost named[28696]: client 126.65.53.183#12347 (epuwtgaethr.www.17175.com): query (cache) 'epuwtgaethr.www.17175.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 56.217.205.159#15699 (yqmtzumvxsz.wap.liuxinsangcen.com): query (cache) 'yqmtzumvxsz.wap.liuxinsangcen.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 111.62.165.196#33346 (qontennxdqv.wap.liuxinsangcen.com): query (cache) 'qontennxdqv.wap.liuxinsangcen.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 123.210.26.90#4096 (kcpsbjaylsv.www.17175.com): query (cache) 'kcpsbjaylsv.www.17175.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 74.107.8.130#39768 (nocdefghiwxlz.hk.apple.nextmedia.com): query (cache) 'nocdefghiwxlz.hk.apple.nextmedia.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 15.16.151.122#45978 (bnvjdqkvaoe.www.17175.com): query (cache) 'bnvjdqkvaoe.www.17175.com/A/IN' denied
Oct 12 18:52:19 myhost named[28696]: client 107.91.87.109#11301 (upwywqfrzmd.www.17175.com): query (cache) 'upwywqfrzmd.www.17175.com/A/IN' denied
Oct 12 18:52:21 myhost named[28696]: client 93.183.205.110#63728 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:21 myhost named[28696]: client 93.183.205.110#21926 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:22 myhost named[28696]: client 74.125.74.82#55828 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:22 myhost named[28696]: client 74.125.74.82#62151 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:22 myhost named[28696]: client 74.125.74.20#54126 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:24 myhost named[28696]: client 120.213.248.69#59377 (tpqllzssljz.www.17175.com): query (cache) 'tpqllzssljz.www.17175.com/A/IN' denied
Oct 12 18:52:24 myhost named[28696]: client 93.183.205.110#51904 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied

The question is: What's wrong in there?

The line: allow-recursion { 127.0.0.1; }; in named.conf.options configures your server to allow recursive queries only from localhost, not from outside.
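
An added example, not part of the original thread: a small triage script for `denied` lines in the format posted above, separating refused queries for the server's own zone from refused queries for names it does not host (outsiders asking it to resolve for them, which the `allow-recursion` restriction refuses). The function names are hypothetical, the zone name `myhost.com` is taken from the post, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Denial lines as BIND writes them to syslog. The optional "@0x..." token
# covers newer BIND releases that log the client object address first.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): query (?:\(cache\) )?'(?P<qname>[^/']+)/\w+/\w+' denied"
)

def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (case-insensitive)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def triage(lines, own_zones):
    """Count denied queries per client, split into own-zone and foreign names."""
    own, foreign = Counter(), Counter()
    for line in lines:
        m = DENIED.search(line)
        if m is None:
            continue  # some other named message, not a denial
        hosted = any(in_zone(m["qname"], z) for z in own_zones)
        (own if hosted else foreign)[m["ip"]] += 1
    return own, foreign

# Constructed sample input modelled on the log format in the post.
PREFIX = "Oct 12 18:52:11 myhost named[28696]: "
SAMPLE = [PREFIX + tail for tail in (
    "client 192.0.2.10#62131 (myhost.com): query (cache) 'myhost.com/A/IN' denied",
    "client 192.0.2.10#59853 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied",
    "client 198.51.100.7#25700 (ns1.myhost.com): query (cache) 'ns1.myhost.com/AAAA/IN' denied",
    "client 203.0.113.5#48446 (qwertyuiop.www.example.net): query (cache) 'qwertyuiop.www.example.net/A/IN' denied",
    "client 203.0.113.5#35604 (asdfghjkl.www.example.net): query (cache) 'asdfghjkl.www.example.net/A/IN' denied",
    "client 203.0.113.9#4096 (www.notmyhost.com): query (cache) 'www.notmyhost.com/A/IN' denied",
    "zone myhost.com/IN: loaded serial 2014101201",
)]

if __name__ == "__main__":
    own, foreign = triage(SAMPLE, ["myhost.com"])
    print("denied for own zone:", own.most_common())
    print("denied for foreign names:", foreign.most_common())
```

Run against real data by passing the lines of `/var/log/syslog` to `triage()`; many clients each sending a few random-label foreign names is the pattern to keep refusing, so widening recursion should be limited to known client networks.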