No response from localhost with "allow-query { any; };"

Petr Menšík pemensik at redhat.com
Tue Sep 1 14:57:39 UTC 2020


Please include any listen-on { ... } and listen-on-v6 { ... } clauses.

It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
Because it is not listening on a localhost socket, it would not answer any
queries.

If the server should listen on all interfaces, just use:
  listen-on { any; };

If it has addresses on which it should not listen, just add localhost;
to the current listen-on.

It might be able to respond to:

dig @91.216.35.21 -b 127.0.0.1 localhost

which would technically be from localhost, but I guess you are looking
for a listen-on change.

Cheers,
Petr

On 9/1/20 4:41 PM, Axel Rau wrote:
> Thanks for answering:
> 
> root at ns5:/ # dig NS lrau.net @91.216.35.21
> 
> ; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> root at ns5:/ # dig NS lrau.net @localhost
> 
> ; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> root at ns5:/ # sockstat -p 53
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     cron       59891 5  dgram  -> /var/run/log
> root     sendmail   59197 3  dgram  -> /var/run/log
> bind     named      47812 3  dgram  -> /var/run/log
> bind     named      47812 137 udp4  91.216.35.21:53       *:*
> bind     named      47812 138 udp4  91.216.35.21:53       *:*
> bind     named      47812 139 udp4  91.216.35.21:53       *:*
> bind     named      47812 140 udp4  91.216.35.21:53       *:*
> bind     named      47812 141 udp4  91.216.35.21:53       *:*
> bind     named      47812 142 udp4  91.216.35.21:53       *:*
> bind     named      47812 143 udp4  91.216.35.21:53       *:*
> bind     named      47812 144 udp4  91.216.35.21:53       *:*
> bind     named      47812 145 udp4  91.216.35.21:53       *:*
> bind     named      47812 146 udp4  91.216.35.21:53       *:*
> bind     named      47812 147 udp4  91.216.35.21:53       *:*
> bind     named      47812 148 udp4  91.216.35.21:53       *:*
> bind     named      47812 149 udp4  91.216.35.21:53       *:*
> bind     named      47812 150 udp4  91.216.35.21:53       *:*
> bind     named      47812 151 udp4  91.216.35.21:53       *:*
> bind     named      47812 152 udp4  91.216.35.21:53       *:*
> bind     named      47812 154 tcp4  91.216.35.21:53       *:*
> bind     named      47812 155 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 156 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 157 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 158 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 159 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 160 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 161 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 162 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 163 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 164 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 165 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 166 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 167 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 168 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 169 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 170 udp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 172 tcp6  2a05:bec0:26:5::71:53 *:*
> bind     named      47812 512 udp4  91.216.35.21:53       *:*
> bind     named      47812 513 udp6  2a05:bec0:26:5::71:53 *:*
> root     rsyslogd   45747 0  dgram  /var/run/log
> root     rsyslogd   45747 1  dgram  -> /var/run/log
> root at ns5:/ #
> 
> 
>> Am 01.09.2020 um 16:14 schrieb Ondřej Surý <ondrej at isc.org>:
>>
>> Hi Axel,
>>
>> the `nc` commands you used for testing neither prove that
>> it’s that specific `named` listening on that port nor a DNS
>> daemon at all.  FWIW it could be a dummy UDP/TCP server
>> and you would not know.
>>
>> First you need to use a tool from your operating system
>> to check what is listening on those ports, and then use
>> `dig` (or other DNS debugging tool) to send actual DNS
>> queries.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>>
>>> On 1. 9. 2020, at 16:11, Axel Rau <Axel.Rau at chaos1.de> wrote:
>>>
>>> Hi!
>>>
>>> This is a new server, which answers external queries, sends notifies and pushes AXFRs.
>>> It does not answer any query from localhost, nor show any notifies from the master in the logs.
>>>
>>> From local:
>>> root at ns5:/ # nc -v localhost 53
>>> Connection to localhost 53 port [tcp/domain] succeeded!
>>> ^C
>>> root at ns5:/ # nc -vu localhost 53
>>> Connection to localhost 53 port [udp/domain] succeeded!
>>>
>>> From master server:
>>> [hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
>>> Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
>>> ^C
>>> [hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
>>> Connection to ns5.lrau.net 53 port [udp/domain] succeeded!
>>>
>>>
>>> Any help greatly appreciated,
>>> Axel
>>>
>>> PS:
>>>
>>> part of named.conf:
>>> 	allow-notify {
>>> 		hermes-ns5;
>>> 	};
>>> 	allow-transfer {
>>> 		full-trusted;
>>> 		ns5-ping;
>>> 		ns4-he;
>>> 		management-hosts;
>>> 	};
>>> 	allow-query { any; };
>>> 	allow-query-cache { recursive-users; };
>>> 	allow-recursion { recursive-users; };
>>>
>>>
>>> root at ns5:/usr/local/etc/namedb/working/slave # named -V
>>> BIND 9.16.5 (Stable Release) <id:c00b458>
>>> running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
>>> built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
>>> compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
>>> compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
>>> linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
>>> compiled with libxml2 version: 2.9.10
>>> linked to libxml2 version: 20910
>>> compiled with json-c version: 0.14
>>> linked to json-c version: 0.15
>>> compiled with zlib version: 1.2.11
>>> linked to zlib version: 1.2.11
>>> threads support is enabled
>>>
>>> default paths:
>>> named configuration:  /usr/local/etc/namedb/named.conf
>>> rndc configuration:   /usr/local/etc/namedb/rndc.conf
>>> DNSSEC root key:      /usr/local/etc/namedb/bind.keys
>>> nsupdate session key: /var/run/named/session.key
>>> named PID file:       /var/run/named/pid
>>> named lock file:      /var/run/named/named.lock
>>>
>>> ---
>>> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> 
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
> 
> 
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
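As an added example (not part of this thread, and not code from ISC, Red Hat or either poster), the check Ondřej and Petr describe, done mechanically: read `sockstat -p 53` output (the FreeBSD column layout shown in Axel's mail; Linux `ss` prints a different layout and would need a different field mapping) and decide whether named has any socket bound to 127.0.0.1, ::1 or the wildcard, because only such a socket can answer `dig @localhost`. The two embedded samples are constructed: the first is an abbreviation of the listing posted above, the second is what the same listing would look like after `localhost;` is added to listen-on / listen-on-v6 (or listen-on { any; }; is used). The function and sample names are the example's own.

```shell
#!/bin/sh
# Does named have a listener that can serve queries sent to localhost?
# Input: sockstat-style lines (USER COMMAND PID FD PROTO LOCAL FOREIGN).
# Run as:  sockstat -p 53 | sh listen_check.sh
# or source it and pass captured output to localhost_served.

# Constructed sample, abbreviated from the listing posted in the thread:
# named is bound only to its public v4 and v6 addresses.
SAMPLE_PUBLIC_ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      47812 3   dgram  -> /var/run/log
bind     named      47812 137 udp4  91.216.35.21:53       *:*
bind     named      47812 154 tcp4  91.216.35.21:53       *:*
bind     named      47812 155 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 172 tcp6  2a05:bec0:26:5::71:53 *:*'

# Constructed sample of the same server after "localhost;" was added to
# listen-on and listen-on-v6 (loopback sockets now appear).
SAMPLE_WITH_LOOPBACK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      47812 137 udp4  91.216.35.21:53       *:*
bind     named      47812 138 udp4  127.0.0.1:53          *:*
bind     named      47812 155 udp6  ::1:53                *:*'

# Print every named UDP/TCP socket on local port 53 whose bound address
# would accept a query from localhost (loopback or wildcard). Reads stdin.
# Exit 0 if at least one such socket exists, 1 otherwise.
loopback_listeners() {
    awk '
        $2 == "named" && $5 ~ /^(udp|tcp)[46]$/ {
            addr = $6
            if (addr !~ /:53$/) next          # only port 53
            sub(/:53$/, "", addr)             # keep the bound address
            if (addr == "127.0.0.1" || addr == "::1" ||
                addr == "*" || addr == "0.0.0.0" || addr == "::")
                { print; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Verdict for captured sockstat output passed in $1.
# Returns 0 when localhost:53 is served, 1 when it is not.
localhost_served() {
    if printf '%s\n' "$1" | loopback_listeners >/dev/null; then
        echo "localhost:53 is served (loopback or wildcard listener present)"
        return 0
    fi
    echo "no listener on 127.0.0.1, ::1 or *:53: 'dig @localhost' will time out;"
    echo "add 'localhost;' to listen-on / listen-on-v6, or use listen-on { any; };"
    return 1
}

# Demo on the constructed samples; the first is expected to fail.
localhost_served "$SAMPLE_PUBLIC_ONLY" || :
localhost_served "$SAMPLE_WITH_LOOPBACK"
```

Once a loopback listener shows up, finish the way Ondřej suggests: `dig @127.0.0.1 NS lrau.net` and `dig @::1 NS lrau.net` send real DNS queries, which `nc` connecting to the port never did.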
