problem with 9.2.1

Jim Reid jim at rfc1035.com
Tue Nov 12 22:48:33 UTC 2002


>>>>> "david" == david doherty <ddhcl at hotmail.com> writes:

    david> I am running BIND 9.2.1 in a chrooted jail. My zone files
    david> and named.conf load successfully and no errors are reported
    david> from either.  The problem I have is that although I can
    david> successfully lookup hosts, both forward and reverse, for
    david> those zones which I am authoritative for, I cannot resolve
    david> external lookups, i.e. www.isc.org, with either nslookup or
    david> dig. I know that 9.2.1 does not need the db.cache file and
    david> I have all but ruled out any firewall/router acls
    david> preventing the lookups. The debugging output from nslookup
    david> does not give me any indication as to why there is no
    david> success.

That's hardly surprising. Firstly nslookup is abysmal. Don't use it. The
tool is an utter waste of time and disk space. Secondly, it's the name
server's resolver debugging you need to enable, not whatever garbage
nslookup is doing. i.e. It's what the name server is looking up and which
servers it is querying that matter. You just can't get that information
from nslookup.

    david> I am unsure if there could be anything in the
    david> named.conf that could be causing this. Has anyone come
    david> across this before, could it be the chrooted environment?

People have come across this before. It's not likely to be anything
to do with running named chrooted. The name server's resolver
behaviour does not depend on the file system or its access permissions.

The overwhelming explanation for these problems is a firewall or
router that is preventing DNS traffic between your name server and the
outside. This tends to be caused by overlooking the fact that by
default BIND[89] uses a random unprivileged port number when making
queries and the router/firewall expects this stuff to have a source
and destination port number of 53. Either you fix the firewall/router
or else use a query-source clause to force the name server to use port
X for the source of any queries it makes, where X is 53 or whatever
port number the firewall deigns to pass.

Try running tcpdump and watching for the DNS traffic to/from your name
server, ideally on both sides of the perimeter firewall/router. This
will give you a clue about where things are going wrong.
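The query-source workaround Jim describes, shown as a named.conf options block; this is an added example, not configuration from the original post, and the directory path is a placeholder.

```conf
options {
    // Placeholder path; inside a chroot this is the in-jail path.
    directory "/var/named";

    // Default behaviour (no query-source clause): named sends each outbound
    // query from a random unprivileged source port.  A firewall rule that
    // only permits UDP/TCP with both ports equal to 53 will drop the
    // replies, and every external lookup times out while local zones
    // still answer fine, which matches the symptom in the post.

    // Workaround from the post: pin the source port so the existing
    // firewall rule matches.  "*" means any local address; replace 53 with
    // whatever port the firewall actually passes.
    query-source address * port 53;
};
```

Pinning the source port also disables the source-port randomisation that later BIND releases rely on to resist cache poisoning, so where the firewall can be changed, allowing replies back to the random high ports (a stateful UDP rule) is the better fix.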

