Hi, I'm using Debian Woody, and I configured a master
DNS server on my network. It is supposed to transfer
the master zone to my ISP but it doesn't.
I've tried to investigate my problem from a station situated on the
internet to see what happens. I mention that I tried to configure a slave
DNS server on my local network and it works (the zone transfer occurred).
- x.y.z.t is my IP located on the internet
- 172.16.35.137 is my local computer
In /var/log/syslog I see only the logs from my
firewall that I named (DNS-in for the INPUT chain and
DNS-out for the OUTPUT chain), but as I mentioned I can
see in netstat only the TCP SYN flag when I try telnet
from the outside (from x.y.z.t), no established
connection, but I have an outgoing packet logged with
the firewall (with tcpdump I also see an outgoing
packet from the DNS server).
This is tcpdump from the DNS server when I tried to connect to
port 53 from x.y.z.t:
03:36:10.077870 x.y.z.t.sa-msg-port > ns..domain: S1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25289352 0,nop,wscale 0> (DF)[tos 0x10]
03:36:10.078383 ns..domain > x.y.z.t.sa-msg-port: S1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1387905 25289352,nop,wscale 0>(DF)
03:36:13.077295 x.y.z.t.sa-msg-port > ns..domain: S1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25292352 0,nop,wscale 0> (DF)[tos 0x10]
03:36:13.077711 ns..domain > x.y.z.t.sa-msg-port: S1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388205 25289352,nop,wscale 0>(DF)
03:36:13.328501 ns..domain > x.y.z.t.sa-msg-port: S1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388231 25289352,nop,wscale 0>(DF)
This is the firewall log for the same connection:
Mar 21 03:41:23 ns kernel: DNS-IN:--log-ip-optionsIN=eth2 OUT= MAC=z.x.c.v.b.n SRC=x.y.z.t DST=<my DNS IP> LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=48210 DF PROTO=TCP SPT=1647 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0186AC070000000001030300)
Mar 21 03:41:23 ns kernel: DNS-OUT:--log-ip-optionsIN= OUT=eth2 SRC=<my DNS IP> DST=x.y.z.t LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=53 DPT=1647 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0015A80B0186AC0701030300)
These are my options in named.conf:
options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        allow-query { 172.16.32.0/19; ISP 1-st DNS IP; ISP 2-nd dns IP; x.y.z.t; 127.0.0.1; };
        allow-transfer { ISP 1-st DNS IP; ISP 2-nd dns IP; 172.16.35.137; x.y.z.t; };
        # transfer-source / notify-source select the local source address for
        # outbound transfers and NOTIFYs; BIND must be able to bind to it, so
        # it has to be an address configured on this host
        transfer-source ISP 1-st DNS IP;
        notify-source ISP 1-st DNS IP;
        transfer-format many-answers;
        listen-on port 53 { external IP; 172.16.33.1; 127.0.0.1; };
};
where
- 172.16.35.137 is my local computer on which I tried
to configure a slave zone to see if the zone transfer
happens (it works)
- x.y.z.t is my IP located on the internet
This is the result of nmap started from my local
workstation (172.16.35.137), when the DNS server had
no firewall (/etc/init.d/iptables clear):
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2401/tcp open cvspserver
This is the result of nmap started from the station
situated on the internet (x.y.z.t), when the DNS
server had no firewall (/etc/init.d/iptables clear):
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
53/tcp filtered domain
67/tcp filtered dhcp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
119/tcp filtered nntp
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
199/tcp open smux
445/tcp filtered microsoft-ds
2401/tcp open cvspserver
This is the result of nmap started from the station
situated on the internet (x.y.z.t), when the DNS
server had the firewall activated (but with
"iptables -A INPUT -s x.y.z.t -j ACCEPT"):
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
53/tcp filtered domain
67/tcp filtered dhcp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
119/tcp filtered nntp
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
199/tcp open smux
411/tcp open rmt
445/tcp filtered microsoft-ds
1026/tcp filtered nterm
1030/tcp filtered iad1
2401/tcp open cvspserver
This is the result of nmap started from the station
situated on the internet, when the DNS server had
the firewall activated (but without "iptables -A INPUT
-s x.y.z.t -j ACCEPT"):
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
and it stays there a very long time without a response;
probably it will not find any open port.
Next I tried to configure a DNS slave on x.y.z.t,
and in the slave DNS logs I see this message:
Mar 21 03:57:26.590 zone my.zone/IN: refresh: failure trying master <my master dns IP>#53: timed out
There is no surprise for me since port 53 is not
accessible.
Do I have to configure something special in my DNS options to have access
to my port 53?
Please help,
and thanks for your time.
george
================================================================
"If virtue precede us every step will be safe."
Seneca
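The following is an added example, not part of george's post: a small classifier that reads tcpdump (3.x text format) and iptables LOG lines of the kind quoted above and says, per TCP handshake, whether the server never answered (blocked on INPUT or nothing listening) or answered with a SYN-ACK that the client evidently never received (the client keeps retransmitting the same SYN), which points at the return path or an upstream filter rather than the host's own INPUT chain. The capture and log lines below are constructed to mirror the post's format; the server address 203.0.113.53 stands in for "<my DNS IP>" and the flow names are placeholders.

```python
"""Classify TCP handshake attempts from tcpdump text and iptables LOG lines.

Added example (not from the original post). Distinguishes:
  - no SYN-ACK at all      -> dropped on INPUT, or no listener on that port
  - SYN-ACK sent, SYN retransmitted -> reply lost after leaving the host
  - third packet seen      -> handshake established
"""
import re

# Constructed sample, modelled on the post's capture (not the original bytes).
SAMPLE_REMOTE = """\
03:36:10.077870 x.y.z.t.sa-msg-port > ns.domain: S 1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25289352 0,nop,wscale 0> (DF) [tos 0x10]
03:36:10.078383 ns.domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1387905 25289352,nop,wscale 0> (DF)
03:36:13.077295 x.y.z.t.sa-msg-port > ns.domain: S 1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25292352 0,nop,wscale 0> (DF) [tos 0x10]
03:36:13.077711 ns.domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388205 25289352,nop,wscale 0> (DF)
"""

# Constructed sample of a handshake that completes (the local slave case).
SAMPLE_LOCAL = """\
03:40:00.000100 172.16.35.137.1025 > ns.domain: S 100:100(0) win 5840 <mss 1460> (DF)
03:40:00.000300 ns.domain > 172.16.35.137.1025: S 200:200(0) ack 101 win 5792 <mss 1460> (DF)
03:40:00.000500 172.16.35.137.1025 > ns.domain: . ack 201 win 5840 (DF)
"""

# Constructed sample of a host that never answers (dropped on INPUT).
SAMPLE_SILENT = """\
03:50:00.000100 x.y.z.t.1700 > ns.domain: S 300:300(0) win 5840 <mss 1460> (DF)
03:50:03.000100 x.y.z.t.1700 > ns.domain: S 300:300(0) win 5840 <mss 1460> (DF)
"""

# Constructed iptables LOG lines modelled on the post; 203.0.113.53 is a
# placeholder for the server's own address.
SAMPLE_IPTABLES_LOG = """\
Mar 21 03:41:23 ns kernel: DNS-IN:--log-ip-optionsIN=eth2 OUT= MAC=00:00:00:00:00:00 SRC=x.y.z.t DST=203.0.113.53 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=48210 DF PROTO=TCP SPT=1647 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 21 03:41:23 ns kernel: DNS-OUT:--log-ip-optionsIN= OUT=eth2 SRC=203.0.113.53 DST=x.y.z.t LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=53 DPT=1647 WINDOW=5792 RES=0x00 ACK SYN URGP=0
"""

# tcpdump 3.x: "<ts> <src> > <dst>: <flags> [seq:seq(len)] [ack N] win ..."
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)(?:\s*(?P<seq>\d+):\d+\(\d+\))?(?:\s+ack\s+(?P<ack>\d+))?"
)

# iptables LOG: IN=/OUT= interfaces, addresses, ports, then the TCP flag words.
IPT_RE = re.compile(
    r"IN=(?P<in>\S*)\s+OUT=(?P<out>\S*).*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+).*?RES=\S+\s+"
    r"(?P<flags>(?:(?:SYN|ACK|FIN|RST|PSH|URG)\s+)+)URGP="
)


def parse_capture(text):
    """Return one dict per parsable tcpdump line (others are skipped)."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"]) if d["seq"] else None
            d["ack"] = int(d["ack"]) if d["ack"] else None
            pkts.append(d)
    return pkts


def classify_handshakes(pkts):
    """Map (client, server) -> verdict string for every client SYN seen."""
    flows = {}
    for p in pkts:
        syn = "S" in p["flags"]
        if syn and p["ack"] is None:                    # client SYN
            st = flows.setdefault((p["src"], p["dst"]),
                                  {"syns": [], "synack": 0, "ack": 0})
            st["syns"].append(p["seq"])
        elif syn and p["ack"] is not None:              # server SYN-ACK
            key = (p["dst"], p["src"])
            if key in flows:
                flows[key]["synack"] += 1
        elif p["ack"] is not None and (p["src"], p["dst"]) in flows:
            flows[(p["src"], p["dst"])]["ack"] += 1     # client's third packet
    verdicts = {}
    for key, st in flows.items():
        retrans = len(st["syns"]) - len(set(st["syns"]))  # same ISN resent
        if st["ack"]:
            v = "established"
        elif st["synack"] == 0:
            v = "no SYN-ACK sent: blocked on INPUT or nothing listening"
        elif retrans:
            v = "SYN-ACK sent but client retransmitted SYN: reply lost after leaving host"
        else:
            v = "SYN-ACK sent, no further client segment seen yet"
        verdicts[key] = v
    return verdicts


def egress_synack_logged(log_text, server_port=53):
    """True if an OUT= LOG line shows SYN+ACK leaving from server_port."""
    for line in log_text.splitlines():
        m = IPT_RE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split())
        if m["out"] and int(m["spt"]) == server_port and {"SYN", "ACK"} <= flags:
            return True
    return False


if __name__ == "__main__":
    for name, cap in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL),
                      ("silent", SAMPLE_SILENT)):
        for flow, verdict in classify_handshakes(parse_capture(cap)).items():
            print(name, flow, "->", verdict)
    print("OUTPUT chain passed the SYN-ACK:", egress_synack_logged(SAMPLE_IPTABLES_LOG))
```

The useful distinction is between the "silent" and "remote" verdicts: an INPUT drop leaves no SYN-ACK in either tcpdump or the DNS-OUT log, whereas a SYN-ACK that is captured and logged on OUT has already passed the local firewall, so a client that still retransmits its SYN is not seeing it for a reason outside the host. A comparison capture from the client side (or the ISP's own port-53 TCP policy) is what settles that.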