DNS Resolver problem

Discussion in 'Server Operation' started by extr3mal, Oct 13, 2014.

  1. extr3mal

    extr3mal Member

    Okay, I understand that I am one of many users writing here about this, but it doesn't work even after I read all the threads. So here is my situation:
    Server standalone behind a router; I opened port 53 to the server so DNS queries can go through:
    cat named.conf
    Code:
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    
    cat named.conf.options
    Code:
    options {
            directory "/var/cache/bind";
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
            // forwarders {
            //      0.0.0.0;
            // };
    
            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://www.isc.org/bind-keys
            //========================================================================
            dnssec-validation auto;
    
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
            forwarders { 8.8.8.8; 8.8.4.4; };
            allow-query { any; };
            allow-recursion { 127.0.0.1; };
            allow-query-cache { any; };
            listen-on { any; };
    
    };
    
    iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-postfix-sasl (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-pureftpd (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    dig myhost.com
    Code:
    ; <<>> DiG 9.9.5-3-Ubuntu <<>> myhost.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64473
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;myhost.com.                 IN      A
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Mon Oct 13 22:14:21 EEST 2014
    ;; MSG SIZE  rcvd: 42
    
    netstat -tap | grep named
    Code:
    tcp        0      0 192.168.1.101:domain    *:*                     LISTEN      3933/named
    tcp        0      0 localhost:domain        *:*                     LISTEN      3933/named
    tcp        0      0 localhost:953           *:*                     LISTEN      3933/named
    tcp6       0      0 [::]:domain             [::]:*                  LISTEN      3933/named
    tcp6       0      0 localhost:953           [::]:*                  LISTEN      3933/named
    
    grep named /var/log/syslog
    Code:
    Oct 12 18:52:11 myhost named[28696]: client 66.249.66.121#62131 (myhost.com): query (cache) 'myhost.com/A/IN' denied
    Oct 12 18:52:12 myhost named[28696]: client 74.125.46.18#59853 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:12 myhost named[28696]: client 74.125.74.144#45484 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:12 myhost named[28696]: client 74.125.46.84#39630 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:12 myhost named[28696]: client 111.175.223.222#48446 (cdftnbmgmjp.www.17175.com): query (cache) 'cdftnbmgmjp.www.17175.com/A/IN' denied
    Oct 12 18:52:12 myhost named[28696]: client 11.27.118.222#35604 (czykawgatzj.www.17175.com): query (cache) 'czykawgatzj.www.17175.com/A/IN' denied
    Oct 12 18:52:15 myhost named[28696]: client 93.183.205.110#25700 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied
    Oct 12 18:52:15 myhost named[28696]: client 93.183.205.110#24021 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.46.83#59038 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.74.148#53230 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.46.84#58975 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 173.194.98.148#47421 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 173.194.98.144#57333 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.46.18#46128 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.46.82#34046 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.74.147#39999 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:16 myhost named[28696]: client 74.125.74.146#53566 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:17 myhost named[28696]: client 93.183.205.110#41689 (ns1.myhost.com): query (cache) 'ns1.myhost.com/AAAA/IN' denied
    Oct 12 18:52:17 myhost named[28696]: client 93.183.205.110#2369 (ns1.myhost.com): query (cache) 'ns1.myhost.com/AAAA/IN' denied
    Oct 12 18:52:17 myhost named[28696]: client 88.93.228.117#37681 (gvtjmkaaqil.www.17175.com): query (cache) 'gvtjmkaaqil.www.17175.com/A/IN' denied
    Oct 12 18:52:17 myhost named[28696]: client 126.65.53.183#12347 (epuwtgaethr.www.17175.com): query (cache) 'epuwtgaethr.www.17175.com/A/IN' denied
    Oct 12 18:52:18 myhost named[28696]: client 56.217.205.159#15699 (yqmtzumvxsz.wap.liuxinsangcen.com): query (cache) 'yqmtzumvxsz.wap.liuxinsangcen.com/A/IN' denied
    Oct 12 18:52:18 myhost named[28696]: client 111.62.165.196#33346 (qontennxdqv.wap.liuxinsangcen.com): query (cache) 'qontennxdqv.wap.liuxinsangcen.com/A/IN' denied
    Oct 12 18:52:18 myhost named[28696]: client 123.210.26.90#4096 (kcpsbjaylsv.www.17175.com): query (cache) 'kcpsbjaylsv.www.17175.com/A/IN' denied
    Oct 12 18:52:18 myhost named[28696]: client 74.107.8.130#39768 (nocdefghiwxlz.hk.apple.nextmedia.com): query (cache) 'nocdefghiwxlz.hk.apple.nextmedia.com/A/IN' denied
    Oct 12 18:52:18 myhost named[28696]: client 15.16.151.122#45978 (bnvjdqkvaoe.www.17175.com): query (cache) 'bnvjdqkvaoe.www.17175.com/A/IN' denied
    Oct 12 18:52:19 myhost named[28696]: client 107.91.87.109#11301 (upwywqfrzmd.www.17175.com): query (cache) 'upwywqfrzmd.www.17175.com/A/IN' denied
    Oct 12 18:52:21 myhost named[28696]: client 93.183.205.110#63728 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:21 myhost named[28696]: client 93.183.205.110#21926 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:22 myhost named[28696]: client 74.125.74.82#55828 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:22 myhost named[28696]: client 74.125.74.82#62151 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:22 myhost named[28696]: client 74.125.74.20#54126 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
    Oct 12 18:52:24 myhost named[28696]: client 120.213.248.69#59377 (tpqllzssljz.www.17175.com): query (cache) 'tpqllzssljz.www.17175.com/A/IN' denied
    Oct 12 18:52:24 myhost named[28696]: client 93.183.205.110#51904 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied
    
    The question is: what's wrong here?
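The syslog lines above, with an added example that is not part of the original post: `query (cache) '...' denied` is what BIND 9 logs when a client that the allow-query-cache ACL does not permit asks for a name the server is not authoritative for. Two different things are mixed in that excerpt, and the script below separates them on a constructed sample modelled on the posted lines: the poster's own names (myhost.com, www.myhost.com, ns1/ns2) arriving through the cache path, which means no zone loaded on this server covers them; and the stream of random labels under 17175.com and liuxinsangcen.com from many unrelated client IPs, which has the shape of a pseudo-random subdomain flood bounced off any resolver that will recurse for strangers, so those denials are the desired outcome. The own-domain set, the two-label base-domain heuristic and the thresholds are assumptions made for the example.

```python
"""Triage BIND 'query (cache) ... denied' syslog lines like those in the post.

Added example for this thread, not code from the original post. Denied
queries are grouped by base domain so that two different things separate:
the server's own names coming through the cache path (no loaded zone covers
them here), and bursts of random labels under a foreign domain from many
clients, the shape of a pseudo-random subdomain flood hitting a resolver
that refuses to recurse for strangers.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's syslog excerpt (not the real log).
SAMPLE_LOG = """\
Oct 12 18:52:11 myhost named[28696]: client 66.249.66.121#62131 (myhost.com): query (cache) 'myhost.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 74.125.46.18#59853 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 111.175.223.222#48446 (cdftnbmgmjp.www.17175.com): query (cache) 'cdftnbmgmjp.www.17175.com/A/IN' denied
Oct 12 18:52:12 myhost named[28696]: client 11.27.118.222#35604 (czykawgatzj.www.17175.com): query (cache) 'czykawgatzj.www.17175.com/A/IN' denied
Oct 12 18:52:15 myhost named[28696]: client 93.183.205.110#25700 (ns2.myhost.com): query (cache) 'ns2.myhost.com/AAAA/IN' denied
Oct 12 18:52:16 myhost named[28696]: client 74.125.46.83#59038 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:17 myhost named[28696]: client 88.93.228.117#37681 (gvtjmkaaqil.www.17175.com): query (cache) 'gvtjmkaaqil.www.17175.com/A/IN' denied
Oct 12 18:52:17 myhost named[28696]: client 126.65.53.183#12347 (epuwtgaethr.www.17175.com): query (cache) 'epuwtgaethr.www.17175.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 56.217.205.159#15699 (yqmtzumvxsz.wap.liuxinsangcen.com): query (cache) 'yqmtzumvxsz.wap.liuxinsangcen.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 111.62.165.196#33346 (qontennxdqv.wap.liuxinsangcen.com): query (cache) 'qontennxdqv.wap.liuxinsangcen.com/A/IN' denied
Oct 12 18:52:18 myhost named[28696]: client 123.210.26.90#4096 (kcpsbjaylsv.www.17175.com): query (cache) 'kcpsbjaylsv.www.17175.com/A/IN' denied
Oct 12 18:52:19 myhost named[28696]: client 107.91.87.109#11301 (upwywqfrzmd.www.17175.com): query (cache) 'upwywqfrzmd.www.17175.com/A/IN' denied
Oct 12 18:52:21 myhost named[28696]: client 93.183.205.110#63728 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:22 myhost named[28696]: client 74.125.74.82#55828 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
Oct 12 18:52:22 myhost named[28696]: client 74.125.74.20#54126 (www.myhost.com): query (cache) 'www.myhost.com/A/IN' denied
"""

# BIND 9 logs a refused query as:
#   client <ip>#<port> (<qname>): query (cache) '<qname>/<type>/IN' denied
# The parenthesised tag is optional in the pattern so other refusals parse too.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query (?:\((?P<source>[a-z]+)\) )?'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(text):
    """Yield (client_ip, qname, rtype, source) for every denied-query line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["name"].lower().rstrip("."), m["rtype"], m["source"]


def base_domain(name, labels=2):
    """Crude registrable-domain guess (last two labels). Enough for the .com
    names in the post; a real tool would consult the Public Suffix List."""
    return ".".join(name.split(".")[-labels:])


def summarize(text):
    """Per base domain: distinct clients, distinct names, total denied queries."""
    stats = defaultdict(lambda: {"clients": set(), "names": set(), "queries": 0})
    for ip, name, _rtype, _source in parse_denied(text):
        entry = stats[base_domain(name)]
        entry["clients"].add(ip)
        entry["names"].add(name)
        entry["queries"] += 1
    return dict(stats)


def classify(stats, own_domains, min_names=3, unique_ratio=0.8):
    """Label each base domain in the denied-query stats.

    own-domain-not-authoritative: a name this server should serve took the
        cache path, so no zone loaded on this server covers it.
    random-subdomain: nearly every query used a different label under one
        base and came from several clients; denying them is correct, and the
        signal is useful for rate limiting or blocking upstream.
    refused-lookup: ordinary lookups from clients outside the cache and
        recursion ACLs, refused as configured.
    """
    labels = {}
    for base, s in stats.items():
        unique = len(s["names"]) / s["queries"]
        if base in own_domains:
            labels[base] = "own-domain-not-authoritative"
        elif len(s["names"]) >= min_names and len(s["clients"]) >= 2 and unique >= unique_ratio:
            labels[base] = "random-subdomain"
        else:
            labels[base] = "refused-lookup"
    return labels


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for base, label in sorted(classify(stats, {"myhost.com"}).items()):
        s = stats[base]
        print(f"{base:20} {label:30} queries={s['queries']:2} "
              f"names={len(s['names']):2} clients={len(s['clients']):2}")
```

Run against the sample, 17175.com comes out as random-subdomain (six queries, six different labels, six clients), liuxinsangcen.com stays refused-lookup under the default threshold, and myhost.com is flagged as not authoritative here. The dig output above is worth a second look in the same light: `SERVER: 192.168.1.1#53` means the router, not named, produced the SERVFAIL; `dig @192.168.1.101 myhost.com` asks the server directly.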
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The line:

    allow-recursion { 127.0.0.1; };

    in named.conf.options configures your server to allow recursive queries only from localhost, not from outside.
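The line till points at, with an added check (example code, not from the thread or from ISPConfig): the script below parses the recursion-related statements out of a named.conf.options, applies the defaults BIND 9 uses when a statement is absent, expands named acl blocks, and reports how a query for a name outside the server's own zones is handled: refused for outsiders, answered for anyone (an open resolver), or not recursed but still answerable from the cache. It is run against the statements posted above and against a hardened variant that assumes the poster's LAN is 192.168.1.0/24 (the thread only shows 192.168.1.1 and 192.168.1.101); both inputs are embedded as constructed strings.

```python
"""Audit the recursion ACLs in a BIND named.conf.options.

Added example for this thread, not from the original post or ISPConfig. It
reads the recursion-related statements, fills in BIND 9's documented defaults
for absent ones, expands named acl blocks and reports how named treats a
query for a name it is not authoritative for.
"""
import re

# Relevant statements from the options posted in this thread.
POSTED_OPTIONS = """\
options {
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-query { any; };
        allow-recursion { 127.0.0.1; };
        allow-query-cache { any; };
        listen-on { any; };
};
"""

# Hardened variant (constructed). 192.168.1.0/24 is assumed to be the poster's
# LAN; the thread only shows 192.168.1.1 and 192.168.1.101.
HARDENED_OPTIONS = """\
acl trusted { 127.0.0.1; ::1; 192.168.1.0/24; };
options {
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query { any; };            // our zones may be queried by anyone
        allow-recursion { trusted; };    // only the LAN may use us as a resolver
        allow-query-cache { trusted; };  // and only the LAN may read the cache
};
"""

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
ACL_RE = re.compile(r'\bacl\s+"?(?P<name>[\w-]+)"?\s*\{(?P<list>[^}]*)\}\s*;')
STMT_RE = re.compile(
    r"\b(?P<key>allow-recursion|allow-query-cache|allow-query|listen-on|recursion)"
    r"(?:\s+port\s+\d+)?\s*(?:\{(?P<list>[^}]*)\}|(?P<flag>yes|no))\s*;"
)
DEFAULT_ACL = ("localnets", "localhost")  # BIND's default for both recursion ACLs


def _members(body):
    return tuple(tok.strip().strip('"') for tok in body.split(";") if tok.strip())


def parse(text):
    """Return (named acls, statements) with comments removed."""
    text = COMMENT_RE.sub("", text)
    acls = {m["name"]: _members(m["list"]) for m in ACL_RE.finditer(text)}
    stmts = {m["key"]: m["flag"] or _members(m["list"]) for m in STMT_RE.finditer(text)}
    return acls, stmts


def expand(members, acls, depth=0):
    """Replace references to named acls by their members (bounded recursion)."""
    out = []
    for tok in members:
        out.extend(expand(acls[tok], acls, depth + 1) if tok in acls and depth < 8 else (tok,))
    return tuple(out)


def effective_acls(stmts):
    """BIND 9 ARM defaults: allow-recursion falls back to allow-query-cache, then
    allow-query, then localnets;localhost; allow-query-cache falls back to
    allow-recursion, then allow-query (none if recursion no), then the same."""
    rec_on = stmts.get("recursion", "yes") == "yes"
    recursion = next((stmts[k] for k in ("allow-recursion", "allow-query-cache", "allow-query")
                      if k in stmts), DEFAULT_ACL)
    if "allow-query-cache" in stmts or "allow-recursion" in stmts:
        cache = stmts.get("allow-query-cache", stmts.get("allow-recursion"))
    elif "allow-query" in stmts:
        cache = stmts["allow-query"] if rec_on else ("none",)
    else:
        cache = DEFAULT_ACL
    return rec_on, recursion, cache


def audit(text):
    """Return {finding_tag: explanation} for one options file."""
    acls, stmts = parse(text)
    rec_on, recursion, cache = effective_acls(stmts)
    recursion, cache = expand(recursion, acls), expand(cache, acls)
    listen = ", ".join(expand(stmts.get("listen-on", ("any",)), acls))
    if not rec_on:
        return {"authoritative-only": "recursion no; non-authoritative queries are refused for everyone"}
    if "any" in recursion:
        return {"open-resolver": f"allow-recursion includes any and named listens on {listen}: "
                                 "anyone on the Internet can use this server for reflection/amplification"}
    findings = {"recursion-restricted": f"only {', '.join(recursion)} may trigger recursion"}
    if "any" in cache:
        findings["cache-snooping"] = ("allow-query-cache includes any: outsiders are not denied, they are "
                                      "handed whatever is already cached; make it match allow-recursion")
    else:
        findings["cache-restricted"] = (f"clients outside {', '.join(cache)} get "
                                        "'query (cache) ... denied' for names outside your zones")
    return findings
```

`audit(POSTED_OPTIONS)` reports recursion-restricted plus cache-snooping; `audit(HARDENED_OPTIONS)` reports recursion-restricted plus cache-restricted. Three caveats the audit makes visible: changing the line to `allow-recursion { any; };` so outside clients stop being refused turns a server that listens on every interface into an open resolver, which is what the random-subdomain traffic in the log is hunting for; deleting the line does not help either, because with no allow-recursion statement BIND falls back to allow-query-cache and then to allow-query, and allow-query is `any` here; and the posted `allow-query-cache { any; }` lets any client read what is already cached even though it cannot trigger recursion, so keeping it equal to allow-recursion closes that. Queries for zones this server is authoritative for are answered from zone data under allow-query and are not affected by either ACL.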
     
