I can't get my BIND DNS to answer remote queries

Chris Buxton cbuxton at menandmice.com
Wed Apr 9 17:01:19 UTC 2008


Check your software firewall, such as iptables. Does it permit DNS  
queries?

It's quite common for firewall default configs to allow anything over  
the loopback interface but otherwise block all ports.

Chris Buxton
Professional Services
Men & Mice

On Apr 9, 2008, at 5:13 AM, Victor Lemos Soares E. de Souza wrote:
> Hello,
> I have a machine running BIND 9. I've configured a zone on the  
> server and I in fact can do queries at this local machine (using  
> dig). But when I do the same (dig) query from a remote machine in  
> the same network, I get ";; connection timed out; no servers could  
> be reached".
> Here is my zone file:
> $TTL 12345
> vas.lab. IN SOA server.vas.lab. teste.vas.lab. (
>                        1       ; Serial
>                        12345   ; Refresh
>                        12345   ; Retry
>                        12345   ; Expire
>                        12345 ) ; Negative caching TTL
> vas.lab.                IN NS           server.vas.lab.
> server.vas.lab.         IN A            127.0.0.1
> teste           IN A            10.20.90.7
>
> BIND syslog:
>
> Apr  8 16:41:13 rede_externa1 named[8186]: starting BIND 9.4.1-P1 -u  
> root -t /var/lib/named
> Apr  8 16:41:13 rede_externa1 named[8186]: found 1 CPU, using 1  
> worker thread
> Apr  8 16:41:13 rede_externa1 named[8186]: loading configuration  
> from '/etc/named.conf'
> Apr  8 16:41:13 rede_externa1 named[8186]: listening on IPv4  
> interface lo, 127.0.0.1#53
> Apr  8 16:41:13 rede_externa1 kernel: process `named' is using  
> obsolete setsockopt SO_BSDCOMPAT
> Apr  8 16:41:13 rede_externa1 named[8186]: listening on IPv4  
> interface eth0, 10.8.128.2#53
> Apr  8 16:41:13 rede_externa1 named[8186]: listening on IPv4  
> interface eth3, 10.20.91.23#53
> Apr  8 16:41:13 rede_externa1 named[8186]: listening on IPv4  
> interface eth2, 10.20.90.23#53
> Apr  8 16:41:13 rede_externa1 named[8186]: listening on IPv4  
> interface eth1, 10.8.132.2#53
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 127.IN-ADDR.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 254.169.IN-ADDR.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 2.0.192.IN-ADDR.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 255.255.255.255.IN-ADDR.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 
> .IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 
> .IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> D.F.IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 8.E.F.IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> 9.E.F.IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> A.E.F.IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: automatic empty zone:  
> B.E.F.IP6.ARPA
> Apr  8 16:41:13 rede_externa1 named[8186]: command channel listening  
> on 127.0.0.1#953
>
> Local Query and response :
>
> [root at vas8-pro2-mas named]# dig vas.lab
>
> ; <<>> DiG 9.4.1-P1 <<>> vas.lab
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6315
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1,  
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;vas.lab.                       IN      A
>
> ;; AUTHORITY SECTION:
> vas.lab.                12345   IN      SOA     server.vas.lab.  
> teste.vas.lab. 1 12345 12345 12345 12345
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Apr  9 09:04:48 2008
> ;; MSG SIZE  rcvd: 74
>
>
> REMOTE query and 'no' response :
>
> [root at vas8-pro4-mpg ~]# dig vas.lab
>
> ; <<>> DiG 9.4.1-P1 <<>> vas.lab
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
> NOTICE: The remote machine /etc/resolv.conf is configured as :
>
> [root at vas8-pro4-mpg ~]# more /etc/resolv.conf
> nameserver 10.8.128.2
> nameserver 10.20.90.23
>
> PS: as you can see, both nameserver IP addresses lead to the same  
> DNS server.
>
> I also tried :
> [root at vas8-pro4-mpg ~]# dig @10.8.128.2 vas.lab
>
> ; <<>> DiG 9.4.1-P1 <<>> @10.8.128.2 vas.lab
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
>
> And :
> [root at vas8-pro4-mpg ~]# dig @10.20.90.23 vas.lab
>
> ; <<>> DiG 9.4.1-P1 <<>> @10.20.90.23 vas.lab
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
> And as I was doing these remote queries, I started wireshark on both  
> host and server and I could see that the DNS queries were going out  
> of the host machine and arriving at the server machine, but it still  
> didn't respond.
> Does anyone know where the problem is or at least where it can be?
>
> Thanks a lot,
>
>
> Victor Lemos Soares Evangelista de Souza
>
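Chris's check above (does the host firewall permit DNS queries on anything other than loopback?) worked through offline, as an added example that is not part of the original thread or of BIND itself: the script reads named's "listening on" startup lines and an `iptables-save` dump, then evaluates the INPUT chain for a fresh query to each listening address the way the kernel would, so the "loopback allowed, everything else dropped" default can be spotted without sending a packet. Both inputs are constructed samples; the interface names, the 10.0.0.0/8 LAN and the client address 10.20.90.7 are assumptions.

```python
import ipaddress
import re
import shlex

# Constructed excerpt in the format of named's startup messages (not the post's log).
SAMPLE_SYSLOG = """\
Apr  8 16:41:13 host named[8186]: listening on IPv4 interface lo, 127.0.0.1#53
Apr  8 16:41:13 host named[8186]: listening on IPv4 interface eth0, 10.8.128.2#53
Apr  8 16:41:13 host named[8186]: listening on IPv4 interface eth2, 10.20.90.23#53
Apr  8 16:41:13 host named[8186]: command channel listening on 127.0.0.1#953
"""

# Constructed iptables-save output: the common default that only trusts loopback.
RULES_LOOPBACK_ONLY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Same ruleset with DNS opened to the LAN (10.0.0.0/8 is an assumption) over UDP and TCP.
RULES_DNS_OPEN = RULES_LOOPBACK_ONLY.replace(
    "COMMIT",
    "-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT\n"
    "-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT\n"
    "COMMIT",
)

LISTEN_RE = re.compile(r"listening on IPv4 interface (\S+), ([\d.]+)#(\d+)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end evaluation of the chain

def listen_addresses(syslog_text):
    """Return [(iface, ip, port)] for each 'listening on IPv4 interface' line."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(LISTEN_RE.search, syslog_text.splitlines()) if m]

def parse_rule(line):
    """Pick out the match options this checker understands from one '-A INPUT' line."""
    rule = {"text": line, "iface": None, "proto": None, "dport": None,
            "src": None, "states": None, "target": None}
    toks = shlex.split(line)
    for i, tok in enumerate(toks[:-1]):
        val = toks[i + 1]
        if tok == "-i":
            rule["iface"] = val
        elif tok == "-p":
            rule["proto"] = val
        elif tok == "--dport":                      # single port or lo:hi range
            lo, _, hi = val.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(val.split(","))
        elif tok == "-j":
            rule["target"] = val
    return rule

def input_chain(rules_text):
    """Return (default policy, [parsed rules]) of the INPUT chain in the filter table."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules

def matches(rule, proto, iface, src_ip, dport, state="NEW"):
    """True if a packet with these attributes satisfies every option the rule sets."""
    return ((rule["iface"] is None or rule["iface"] == iface)
            and (rule["proto"] is None or rule["proto"] == proto)
            and (rule["dport"] is None or rule["dport"][0] <= dport <= rule["dport"][1])
            and (rule["src"] is None or ipaddress.ip_address(src_ip) in rule["src"])
            and (rule["states"] is None or state in rule["states"]))

def verdict(rules_text, proto, iface, src_ip, dport=53):
    """First terminal rule matching a fresh (NEW) query, else the chain policy.
    Simplification: jumps to user chains and non-terminal targets such as LOG are skipped."""
    policy, rules = input_chain(rules_text)
    for rule in rules:
        if rule["target"] in TERMINAL and matches(rule, proto, iface, src_ip, dport):
            return rule["target"], rule["text"]
    return policy, "INPUT chain policy"

def audit(syslog_text, rules_text, client_ip):
    """Map each address named listens on to the UDP/TCP fate of a query from client_ip."""
    return {ip: {proto: verdict(rules_text, proto, iface, client_ip, port)[0]
                 for proto in ("udp", "tcp")}
            for iface, ip, port in listen_addresses(syslog_text)}

if __name__ == "__main__":
    for name, rules in (("loopback-only", RULES_LOOPBACK_ONLY), ("dns-open", RULES_DNS_OPEN)):
        print(name, audit(SAMPLE_SYSLOG, rules, "10.20.90.7"))
```

`audit(SAMPLE_SYSLOG, RULES_LOOPBACK_ONLY, "10.20.90.7")` yields ACCEPT only for 127.0.0.1 and DROP for both LAN addresses, which is exactly the symptom in the post: named is listening on every interface, the local dig works, and the remote dig times out even though Wireshark shows the queries arriving. With RULES_DNS_OPEN every listener returns ACCEPT. On a real host, feed it the output of `iptables-save` and the named lines from syslog; the checker only understands the options shown (-i, -p, -s, --dport, --state/--ctstate) and skips jumps to user chains, so treat an unexpected ACCEPT as a prompt to read the full ruleset rather than as proof.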



More information about the bind-users mailing list