bind configuration help

Kevin Darcy kcd at chrysler.com
Tue Nov 10 22:46:42 UTC 2009 

Laurent CARON wrote:
> On 10/11/2009 23:07, Błażej Ślusarek wrote:
>> Hello,
>
> Hi
>
>> I'd like to ask for help in setting up my DNS server. When I start the
>> server, everything is fine, but only for some time. After the "some
>> time" passes, my external domain name cannot be resolved from anywhere
>> on the Internet. When I restart the Named, everything is back to
>> normal after few seconds, again for the "some time". 

"Cannot be resolved" =
    timeout?
    SERVFAIL?
    referral?

What do your logs say?
>> Here are some
>> fragments of my DNS configuration:
>>
>> ***
>> options {
>>      directory "/var/bind";
>>      forward first;
>>      forwarders {
>>          some.ip;
>>      };
>>      allow-query { any; };
>>      allow-recursion { any; };
>
> bad
Agreed.

Normally I'd tell the OP that they should provide a real domain name if 
they want help.

But in this case, it's probably best not to reveal that information 
until the open recursion is turned off.
>
>>      listen-on-v6 { none; };
>>      listen-on { 127.0.0.1; internal.ip; external.ip; };
>>
>> zone "my.domain.name" IN {
>>      type master;
>>      file "pri/costam.zone";
>>      allow-update { none; };
>>      //allow-transfer { slaves; };
>>      allow-transfer { any; };
>
> bad
Debatable. YMMV.


>
>>      notify yes;
>> };
>> ***
>> I've got no clue what could be the cause of this behavior. The server
>> should provide service to internal and external networks and allow
>> zone transfers. I'd also like to ask for correct iptables
>> configuration for the above dns settings. I'm quite not sure that if I
>> have the "forwarders" option, I have to enable port 53 in FORWARD
>> chain, or maybe just INPUT and OUTPUT is enough. Also, what rules are
>> necessary for the zone transfer to work?
Regardless of whether zone transfers are allowed or not, you should have 
UDP/TCP destination port 53 allowed inbound (query), and TCP/UDP source 
port 53 allowed outbound (response). The source ports for inbound, and 
the destination ports for outbound, will be ephemeral or 53. If your 
firewall is "stateful", the destination port for a response should be 
the same as the source port of the original query (a stateful firewall 
should already understand this).

                                                                 - Kevin

More information about the bind-users mailing list