can only query locally

Ronan Flood ronan at noc.ulcc.ac.uk
Thu Sep 23 15:09:55 UTC 2004


"Tommy" <tomnospam at lugh.boley.org> wrote:

> I have a small domain. My isp is supposed to provide secondary dns.

The delegation from the .org servers is

boley.org.              86400   IN      NS      ns53.worldnic.com.
boley.org.              86400   IN      NS      ns54.worldnic.com.


> I can't seem to make queries off the localhost.
> 
> By default dig seems to be going to my secondary.

It should go to whatever is set in your /etc/resolv.conf file.


> [tom at lugh tom]$ dig puck.boley.org
> 
> ; <<>> DiG 9.2.1 <<>> puck.boley.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26865
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;puck.boley.org.                        IN      A
> 
> ;; ANSWER SECTION:
> puck.boley.org.         7200    IN      A       216.254.88.2
> 
> ;; Query time: 634 msec
> ;; SERVER: 216.254.95.2#53(216.254.95.2)
> ;; WHEN: Wed Sep 22 10:30:28 2004
> ;; MSG SIZE  rcvd: 48
> 
> 
> This is actually wrong; puck is 216.254.88.3

The two worldnic.com servers say it's 216.254.88.2


> Making a query from the dns server shows
> [tom at lugh tom]$ dig @lugh.boley.org  puck.boley.org
> 
> ; <<>> DiG 9.2.1 <<>> @lugh.boley.org puck.boley.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62072
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;puck.boley.org.                        IN      A
> 
> ;; ANSWER SECTION:
> puck.boley.org.         86400   IN      A       216.254.88.3
> 
> ;; AUTHORITY SECTION:
> boley.org.              86400   IN      NS      lugh.boley.org.
> boley.org.              86400   IN      NS      216.254.88.2.
> boley.org.              86400   IN      NS      216.254.95.2.

The second and third NS records are incorrect: the last field
must be a name, not an IP address.


> ;; ADDITIONAL SECTION:
> lugh.boley.org.         86400   IN      A       216.254.88.2
> 
> ;; Query time: 5 msec
> ;; SERVER: 127.0.0.1#53(lugh.boley.org)
> ;; WHEN: Wed Sep 22 10:31:23 2004
> ;; MSG SIZE  rcvd: 134
> 
> 
> But if I go to another domain and query myself I get no contact
> 
> shell2.speakeasy.net% dig @lugh.boley.org puck.boley.org
> 
> ; <<>> DiG 9.2.4rc5 <<>> @lugh.boley.org puck.boley.org
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> shell2.speakeasy.net%
> 

> But I thought it odd that it marked lugh with the 127...ip
> so I tried it with the full ip to be sure
> [root at lugh named]# nmap 216.254.88.2
> 
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on boley.org (216.254.88.2):
> (The 1592 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 53/tcp     open        domain

That's TCP; DNS queries normally use UDP.  I can't contact your
nameserver on either.

You mentioned iptables in your first message.  Are you allowing
traffic to/from port 53, at least UDP?  Queries from your server
will be going out to port 53 on remote servers from (usually) a
high port, and the responses back will come from port 53 to
the originating high port.  Queries from outside will come from
high ports to port 53 on your server, and the responses back will
go from port 53 to the originating high port.  You have to allow
both directions.

-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
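As an added example (not part of Ronan's reply nor Tommy's configuration), the following POSIX shell script expresses the firewall advice above as iptables rules for a host running a nameserver, plus a small check that asks the server the same question over UDP and over TCP, since the nmap output only shows TCP/53. It assumes an iptables with the conntrack match available, a default DROP policy on INPUT and OUTPUT (hypothetical; adjust to your own policy), and that `dig` is installed; by default it runs in dry-run mode and only prints the rules.

```shell
#!/bin/sh
# Added example, not from the bind-users post. Firewall rules for a DNS
# server covering both directions described in the reply:
#  - queries arriving from remote high ports to our port 53 (UDP and TCP),
#    and our answers going back from port 53 to the originating high port;
#  - our own outgoing queries from a high port to remote port 53, and the
#    answers coming back from port 53 to that high port.
# Assumption: iptables with the conntrack match; default DROP policies.
# Set IPT=iptables to apply the rules; the default is a dry run that
# prints them.
IPT="${IPT:-echo iptables}"

dns_rules() {
    # Inbound queries to our server. UDP is the normal transport; TCP is
    # used for zone transfers and for answers too large for UDP.
    $IPT -A INPUT  -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Our responses, from port 53 back to the querier's high port.
    $IPT -A OUTPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Our own outgoing queries (recursion, NOTIFY, zone transfers) from a
    # high port to port 53 on remote servers.
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies from remote port 53 back to our high port.
    $IPT -A INPUT  -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Count the rules a dry run emits for one chain and protocol; a quick way
# to confirm that every chain/protocol pair has both a query rule and a
# reply rule before applying anything.
count_rules() {  # usage: count_rules CHAIN PROTO
    (IPT=echo; dns_rules) | grep -c -- "-A $1 *-p $2"
}

# Reachability check: nmap's "53/tcp open" says nothing about UDP, which is
# what ordinary queries use. Ask the server over each transport in turn.
check_udp_and_tcp() {  # usage: check_udp_and_tcp SERVER NAME
    dig +notcp +time=3 +tries=1 +short "@$1" "$2" || echo "UDP query to $1 failed"
    dig +tcp   +time=3 +tries=1 +short "@$1" "$2" || echo "TCP query to $1 failed"
}

dns_rules   # dry run (prints the rules) unless the caller set IPT=iptables
```

Run it once without arguments to see the rules, then with `IPT=iptables` to apply them; afterwards `check_udp_and_tcp lugh.boley.org puck.boley.org` from an outside host should answer over both transports rather than timing out as in the speakeasy session above.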

