
Dns Port Problems (fwd)




George Roman
Technical Support
RDS Timisoara Branch - Network Operations Center
Tel: +4 0256 200 033
Fax: +4 0256 294 510
www.rdsnet.ro
================================================================

"If virtue precede us every step will be safe."
					Seneca


Privileged/Confidential Information may be contained in this
message. If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person), you
may not copy or deliver this message to anyone. In such a case,
you should destroy this message and kindly notify the
sender by reply e-mail.


---------- Forwarded message ----------
Date: Sun, 21 Mar 2004 20:35:20 +0200 (EET)
From: George Roman <rgeorge@rdstm.ro>
To: debian-user@lists.debian.org
Subject: Dns Port Problems




Hi, I'm using Debian Woody, and I configured a master
DNS server on my network. It is supposed to transfer
the master zone to my ISP but it doesn't.
I've tried to investigate my problem from a station situated on the
Internet to see what happens. I mention that I tried to configure a slave
DNS server on my local network and it works (the zone transfer occurred).

where:
    - x.y.z.t is my IP located on the Internet
    - 172.16.35.137 is my local computer


In /var/log/syslog I see only the logs from my
firewall (which I named DNS-in for the INPUT chain and
DNS-out for the OUTPUT chain), but as I mentioned I can
see in netstat only the TCP SYN flag when I try telnet
from the outside (from x.y.z.t): no established
connection, but I have an outgoing packet logged by
the firewall (with tcpdump I also see an outgoing
packet from the DNS server).

This is the tcpdump output from the DNS server when I tried to connect to
port 53 from x.y.z.t:

03:36:10.077870 x.y.z.t.sa-msg-port > ns..domain: S1532033272:1532033272(0) win 5840 <mss
1460,sackOK,timestamp 25289352 0,nop,wscale 0> (DF)[tos 0x10]
03:36:10.078383 ns..domain > x.y.z.t.sa-msg-port: S1617471727:1617471727(0) ack 1532033273 win 5792 <mss
1460,sackOK,timestamp 1387905 25289352,nop,wscale 0>(DF)
03:36:13.077295 x.y.z.t.sa-msg-port > ns..domain: S1532033272:1532033272(0) win 5840 <mss
1460,sackOK,timestamp 25292352 0,nop,wscale 0> (DF)[tos 0x10]
03:36:13.077711 ns..domain > x.y.z.t.sa-msg-port: S1617471727:1617471727(0) ack 1532033273 win 5792 <mss
1460,sackOK,timestamp 1388205 25289352,nop,wscale 0>(DF)
03:36:13.328501 ns..domain > x.y.z.t.sa-msg-port: S1617471727:1617471727(0) ack 1532033273 win 5792 <mss
1460,sackOK,timestamp 1388231 25289352,nop,wscale 0>(DF)


This is the firewall log for the same connection:

Mar 21 03:41:23 ns kernel: DNS-IN:--log-ip-optionsIN=eth2 OUT= MAC=z.x.c.v.b.n
SRC=x.y.z.t DST=<my DNS IP> LEN=60 TOS=0x10 PREC=0x00TTL=62 ID=48210 DF PROTO=TCP SPT=1647 DPT=53
WINDOW=5840 RES=0x00 SYN URGP=0 OPT(020405B40402080A0186AC070000000001030300)

Mar 21 03:41:23 ns kernel: DNS-OUT:--log-ip-optionsIN= OUT=eth2 SRC=<my DNS IP>
DST=x.y.z.t LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DFPROTO=TCP SPT=53 DPT=1647 WINDOW=5792 RES=0x00 ACK SYN
URGP=0 OPT (020405B40402080A0015A80B0186AC0701030300)



These are my options in named.conf:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        allow-query { 172.16.32.0/19; ISP 1-st DNS IP; ISP 2-nd dns IP; x.y.z.t; 127.0.0.1; };
        allow-transfer { ISP 1-st DNS IP; ISP 2-nd dns IP; 172.16.35.137; x.y.z.t; };
        transfer-source ISP 1-st DNS IP;
        notify-source ISP 1-st DNS IP;
        transfer-format many-answers;
        listen-on port 53 { external IP; 172.16.33.1; 127.0.0.1; };
};

where:
- 172.16.35.137 is my local computer, on which I tried
to configure a slave zone to see if the zone transfer
happens (it works)

- x.y.z.t is my IP located on the Internet


This is the result of nmap started from my local
workstation (172.16.35.137), when the DNS server had
NO FIREWALL (/etc/init.d/iptables clear):


Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
199/tcp    open        smux
2401/tcp   open        cvspserver



This is the result of nmap started from the station
situated on the Internet (x.y.z.t), when the DNS
server had NO FIREWALL (/etc/init.d/iptables clear):

Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
53/tcp     filtered    domain
67/tcp     filtered    dhcp
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
119/tcp    filtered    nntp
135/tcp    filtered    loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
161/tcp    filtered    snmp
162/tcp    filtered    snmptrap
199/tcp    open        smux
445/tcp    filtered    microsoft-ds
2401/tcp   open        cvspserver



This is the result of nmap started from the station
situated on the Internet (x.y.z.t), when the DNS
server had the FIREWALL ACTIVATED (but with
"iptables -A INPUT -s x.y.z.t -j ACCEPT"):

Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
53/tcp     filtered    domain
67/tcp     filtered    dhcp
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
119/tcp    filtered    nntp
135/tcp    filtered    loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
161/tcp    filtered    snmp
162/tcp    filtered    snmptrap
199/tcp    open        smux
411/tcp    open        rmt
445/tcp    filtered    microsoft-ds
1026/tcp   filtered    nterm
1030/tcp   filtered    iad1
2401/tcp   open        cvspserver



This is the result of nmap started from the station
situated on the Internet, when the DNS server had
the firewall activated (but WITHOUT "iptables -A INPUT
-s x.y.z.t -j ACCEPT"):

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )

and it stays there a very long time without a response;
probably it will not find any open port.



Next I tried to configure a DNS slave on x.y.z.t,

and in the slave DNS logs I see this message:

Mar 21 03:57:26.590 zone my.zone/IN: refresh: failure
trying master <my master dns IP>#53: timed out

There is no surprise for me, since port 53 is not
accessible.


Do I have to configure something special in my DNS options to have access
to my port 53?


Please help,
and thanks for your time.

george


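The two scans quoted in the post already locate the problem: port 53 is open from the LAN but "filtered" from the Internet even with the host firewall cleared, so the drop sits upstream of the host, which matches the slave's "timed out" refresh. The script below is an added example, not part of the original post; it parses excerpts of those nmap tables and classifies each externally seen port by where its filtering must happen (the excerpted tables and category names are constructed for the example).

```python
import re

# Excerpt of the two nmap tables quoted in the post: one scan from the LAN
# station, one from the Internet station, both with the host firewall cleared.
INSIDE_SCAN = """\
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
80/tcp     open        http
"""
OUTSIDE_SCAN = """\
Port       State       Service
22/tcp     open        ssh
53/tcp     filtered    domain
67/tcp     filtered    dhcp
80/tcp     open        http
139/tcp    filtered    netbios-ssn
"""

# Old nmap (2.x) table row: "53/tcp     filtered    domain"
ROW = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)$")

def parse_nmap_table(text: str) -> dict[str, str]:
    """Map 'port/proto' -> state; the header row does not match and is skipped.
    nmap omits closed ports, so a missing port means nothing listened there."""
    states = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states

def locate_filter(inside: dict[str, str], outside: dict[str, str]) -> dict[str, str]:
    """Say where each externally seen port is being filtered, assuming both
    scans were taken with the host's own packet filter cleared."""
    verdict = {}
    for port, out_state in outside.items():
        in_state = inside.get(port)
        if out_state == "open" and in_state == "open":
            verdict[port] = "reachable"  # nothing in the path blocks it
        elif out_state == "filtered" and in_state == "open":
            # The daemon answers on the LAN and the host filter is off, so the
            # drop sits between the Internet station and the host (ISP side).
            verdict[port] = "upstream-filter"
        elif out_state == "filtered" and in_state is None:
            verdict[port] = "upstream-filter (nothing listening)"
        else:
            verdict[port] = f"inconsistent ({in_state}/{out_state})"
    return verdict
```

For the excerpt, 53/tcp comes out as "upstream-filter", which is why no change to named.conf on the host can make the zone transfer succeed.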




