can only query locally
Ronan Flood
ronan at noc.ulcc.ac.uk
Thu Sep 23 15:09:55 UTC 2004
"Tommy" <tomnospam at lugh.boley.org> wrote:
> I have a small domain. My isp is supposed to provide secondary dns.
The delegation from the .org servers is
boley.org. 86400 IN NS ns53.worldnic.com.
boley.org. 86400 IN NS ns54.worldnic.com.
> I can't seem to make queries off the localhost.
>
> By default dig seems to be going to my secondary.
It should go to whatever is set in your /etc/resolv.conf file.
> [tom at lugh tom]$ dig puck.boley.org
>
> ; <<>> DiG 9.2.1 <<>> puck.boley.org
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26865
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;puck.boley.org. IN A
>
> ;; ANSWER SECTION:
> puck.boley.org. 7200 IN A 216.254.88.2
>
> ;; Query time: 634 msec
> ;; SERVER: 216.254.95.2#53(216.254.95.2)
> ;; WHEN: Wed Sep 22 10:30:28 2004
> ;; MSG SIZE rcvd: 48
>
>
> This is actually wrong: puck is 216.254.88.3
The two worldnic.com servers say it's 216.254.88.2
> Making a query from the dns server shows
> tom at lugh tom]$ dig @lugh.boley.org puck.boley.org
>
> ; <<>> DiG 9.2.1 <<>> @lugh.boley.org puck.boley.org
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62072
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;puck.boley.org. IN A
>
> ;; ANSWER SECTION:
> puck.boley.org. 86400 IN A 216.254.88.3
>
> ;; AUTHORITY SECTION:
> boley.org. 86400 IN NS lugh.boley.org.
> boley.org. 86400 IN NS 216.254.88.2.
> boley.org. 86400 IN NS 216.254.95.2.
The second and third NS records are incorrect: the last field
must be a name, not an IP address.
> ;; ADDITIONAL SECTION:
> lugh.boley.org. 86400 IN A 216.254.88.2
>
> ;; Query time: 5 msec
> ;; SERVER: 127.0.0.1#53(lugh.boley.org)
> ;; WHEN: Wed Sep 22 10:31:23 2004
> ;; MSG SIZE rcvd: 134
>
>
> But if I go to another domain and query myself I get no contact
>
> shell2.speakeasy.net% dig @lugh.boley.org puck.boley.org
>
> ; <<>> DiG 9.2.4rc5 <<>> @lugh.boley.org puck.boley.org
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> shell2.speakeasy.net%
>
> But I thought it odd that it marked lugh with the 127...ip
> so I tried it with the full ip to be sure
> [root at lugh named]# nmap 216.254.88.2
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on boley.org (216.254.88.2):
> (The 1592 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
That's TCP; DNS queries normally use UDP. I can't contact your
nameserver on either.
You mentioned iptables in your first message. Are you allowing
traffic to/from port 53, at least UDP? Queries from your server
will be going out to port 53 on remote servers from (usually) a
high port, and the responses back will come from port 53 to
the originating high port. Queries from outside will come from
high ports to port 53 on your server, and the responses back will
go from port 53 to the originating high port. You have to allow
both directions.
--
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
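The two zone problems Ronan points out above (NS records whose target is an IP literal instead of a hostname, and a child NS set that shares no server with the parent delegation) can be checked mechanically. The following is an added example, not code from this thread or from BIND; it parses dig-style NS lines copied from the messages above into constructed sample strings and reports both defects.

```python
import ipaddress

# Constructed sample input, taken from the dig output quoted in the thread:
# the delegation the .org servers publish (parent) and the AUTHORITY
# section the zone's own server returned (child).
PARENT_NS = """\
boley.org. 86400 IN NS ns53.worldnic.com.
boley.org. 86400 IN NS ns54.worldnic.com.
"""
CHILD_NS = """\
boley.org. 86400 IN NS lugh.boley.org.
boley.org. 86400 IN NS 216.254.88.2.
boley.org. 86400 IN NS 216.254.95.2.
"""


def parse_ns(text):
    """Return NS targets from 'owner ttl IN NS target' lines (dig format)."""
    targets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:4] == ["IN", "NS"]:
            targets.append(fields[4].lower())
    return targets


def is_ip_literal(name):
    """True if an NS target is really an IP address (with optional trailing dot)."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def check_delegation(parent_text, child_text):
    """Report NS targets that are IPs and a child NS set disjoint from the parent's."""
    parent = set(parse_ns(parent_text))
    child = set(parse_ns(child_text))
    problems = []
    for target in sorted(child):
        if is_ip_literal(target):
            problems.append(f"NS target must be a hostname, not an IP: {target}")
    if parent and child and parent.isdisjoint(child):
        problems.append(
            f"parent and child NS sets share no server: "
            f"parent={sorted(parent)} child={sorted(child)}"
        )
    return problems


if __name__ == "__main__":
    for problem in check_delegation(PARENT_NS, CHILD_NS):
        print(problem)
```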