
bind9 zone info not visible outside of localhost (IP problem?)



Hi debian-firewall people,
   I'm running Debian 3.0r2 on an AMD Athlon box (158.75.6.40) with apache and twiki
running fine, and I've tried installing a name server on it using bind
9.2.1 in order to add the CNAME cosmo.torun.pl (which I've registered).

PROBLEM:
http://www.isc.org/index.pl?/sw/bind/FAQ.php
> I can query the nameserver from the nameserver but not from other machines. Why?

Same problem as in this FAQ, but the recommended solution (opening up iptables)
has no effect.
ssh from outside works fine (when iptables and hosts.allow are open).
traceroute from a remote machine fails.
So the problem is maybe not just a bind9 problem, but I don't know
what step to take next.  :(

Any help would be nice
boud

HYPOTHESIS:
 Something is blocking both UDP and TCP packets - probably something I
did by installing the harden package a long time ago or when reading
http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/index.en.html
or maybe some kernel option? But I haven't found anything.


SYSTEM, PACKAGES:
- kernel 2.4.18-14.3 compiled from source (including patch for CAN-2004-0554
http://linuxreviews.org/news/2004/06/11_kernel_crash/)
- Debian 3.0r2
- AMD Athlon 

harden-environment 0.1.4 
harden-localflaws 0.1.4 
harden-remoteflaws 0.1.4 
harden-tools 0.1.4 
harden 0.1.4  - removed but not purged
harden-servers  0.1.4  - removed but not purged

bind9 9.2.1-2.woody
bind9-host 9.2.1-2.woody



SECURITY:
/etc/hosts.allow has    
named: ALL
-> but problem occurs even with ALL: ALL

iptables firewall is open: 
  /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT

->  but problem occurs even when firewall is totally open
/sbin/iptables -F
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT



OPENING UP BIND:
I've tried putting the following in named.conf:
	allow-query { any; };
	allow-recursion { any; };
	allow-transfer { any; };

It doesn't help.


ATTEMPTED DIAGNOSIS:

I've put 53 as the port number in named.conf:
	query-source address * port 53;


dig on localhost gives all the zone information from my local installation,
but dig on remote machines which try to get information directly
from my nameserver (158.75.6.40) gives, e.g.:


dig @158.75.6.40 cosmo.torun.pl any 

; <<>> DiG 8.3 <<>> @158.75.6.40 cosmo.torun.pl any 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server 158.75.6.40: Connection timed out


dig @158.75.6.40 cosmo.torun.pl any

; <<>> DiG 9.2.1 <<>> @158.75.6.40 cosmo.torun.pl any
;; global options:  printcmd
;; connection timed out; no servers could be reached


dig +tcp @158.75.6.40 cosmo.torun.pl any  

;; Connection to 158.75.6.40#53(158.75.6.40) for cosmo.torun.pl
failed: host unreachable.


dig +tcp @158.75.6.40 -x 158.75.6.40 PTR

;; Connection to 158.75.6.40#53(158.75.6.40) for
40.6.75.158.in-addr.arpa. failed: host unreachable.


dig from a remote machine without specifying the server finds the
information delegated by  torun.pl  but nothing from my own nameserver, 
whose A record is adjani.astro.uni.torun.pl .



/var/log/syslog output:
Sep  3 22:48:01 adjani named[20589]: starting BIND 9.2.1
Sep  3 22:48:01 adjani named[20589]: using 1 CPU
Sep  3 22:48:01 adjani named[20591]: loading configuration from '/etc/bind/named.conf'
Sep  3 22:48:01 adjani named[20591]: no IPv6 interfaces found
Sep  3 22:48:01 adjani named[20591]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  3 22:48:01 adjani named[20591]: listening on IPv4 interface eth0, 158.75.6.40#53
Sep  3 22:48:01 adjani named[20591]: command channel listening on 127.0.0.1#953
Sep  3 22:48:01 adjani named[20591]: zone 0.in-addr.arpa/IN: loaded serial 1
Sep  3 22:48:01 adjani named[20591]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep  3 22:48:01 adjani named[20591]: zone 6.75.158.in-addr.arpa/IN: loaded serial 2004081302
Sep  3 22:48:01 adjani named[20591]: zone 196.168.192.in-addr.arpa/IN: loaded serial 2004090201
Sep  3 22:48:01 adjani named[20591]: zone 255.in-addr.arpa/IN: loaded serial 1
Sep  3 22:48:01 adjani named[20591]: zone localhost/IN: loaded serial 1
Sep  3 22:48:01 adjani named[20591]: zone cosmo.torun.pl/IN: loaded serial 2004090301
Sep  3 22:48:01 adjani named[20591]: running



DOES NETWORKING FUNCTION GENERALLY?
 ssh is OK - when I open up both iptables and /etc/hosts.allow, I can ssh in
from remote machines with no problem.

traceroute (sorry, it doesn't have a version number, the man page says
6 December 2000) from another machine gives up after 30 (or 100) steps.

traceroute to other machines on the same LAN works after about 11 or
so steps. So IMHO it seems unlikely that an intervening machine is blocking.


netstat -tapu|grep named
tcp        0      0 adjani.astro.uni:domain *:*                     LISTEN      20450/named         
tcp        0      0 localhost:domain        *:*                     LISTEN      20450/named         
tcp        0      0 localhost:953           *:*                     LISTEN      20450/named         
udp        0      0 *:domain                *:*                                 20450/named         
udp        0      0 adjani.astro.uni:domain *:*                                 20450/named         
udp        0      0 localhost:domain        *:*                                 20450/named    




KERNEL HACKING
sysctl -A |grep bind gives
net/ipv4/ip_nonlocal_bind = 0

so I tried
sysctl -w net/ipv4/ip_nonlocal_bind=1


Some other sysctl -A lines which might be relevant:
net/ipv4/conf/eth0/arp_filter = 0
net/ipv4/conf/eth0/tag = 0
net/ipv4/conf/eth0/log_martians = 0
net/ipv4/conf/eth0/bootp_relay = 0
net/ipv4/conf/eth0/proxy_arp = 0
net/ipv4/conf/eth0/accept_source_route = 1
net/ipv4/conf/eth0/send_redirects = 1
net/ipv4/conf/eth0/rp_filter = 1
net/ipv4/conf/eth0/shared_media = 1
net/ipv4/conf/eth0/secure_redirects = 1
net/ipv4/conf/eth0/accept_redirects = 1
net/ipv4/conf/eth0/mc_forwarding = 0
net/ipv4/conf/eth0/forwarding = 0

net/ipv4/ip_no_pmtu_disc = 0
net/ipv4/ip_autoconfig = 0
net/ipv4/ip_default_ttl = 64
net/ipv4/ip_forward = 0


OTHER HOWTOs WHICH I'VE READ:

I've read through the DNS-HOWTO many times
/usr/share/doc/HOWTO/en-html/DNS-HOWTO-5.html
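A small probe, added here as an example and not part of the original post, that does what the dig runs above do but separates the three outcomes that matter when deciding whether named or the network is at fault: a query that times out (packets silently dropped by a filter or routing, as the UDP results above), a socket error such as host unreachable or connection refused (no route, or nothing listening, as the +tcp results above), and a real DNS answer whose rcode is REFUSED (named's allow-query, which is not what the post shows). The server address and zone name are taken from the post; the function names are assumed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=255, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set, plus one question (qtype 255 = ANY)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN

def parse_header(resp):
    """Decode the response header; the rcode says whether named itself refused the query."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "answers": an}

def probe(server, name, proto="udp", timeout=3.0):
    """Send one query over UDP or TCP and classify the outcome.

    timeout  -> packets dropped on the way (firewall/routing), named never saw them
    OSError  -> ICMP unreachable or RST: no route, or nothing bound on port 53
    dict with rcode -> named answered; REFUSED points at allow-query, not the network
    """
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)  # TCP DNS is length-prefixed
                (length,) = struct.unpack(">H", s.recv(2))
                data = s.recv(length)
        return parse_header(data)
    except socket.timeout:
        return {"error": "timeout"}
    except OSError as exc:
        return {"error": exc.strerror or str(exc)}

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, probe("158.75.6.40", "cosmo.torun.pl", proto))
```

Run it from a remote host and from the server itself; the post's symptom (timeout over UDP, unreachable over TCP, NOERROR from localhost) is the signature of a network-layer problem rather than a named configuration one.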