Hi debian-firewall people,

I'm running Debian 3.0r2 on an AMD Athlon box, 158.75.6.40, with apache and twiki running fine, and I've tried installing a name server on it using bind 9.2.1 in order to add the CNAME cosmo.torun.pl (which I've registered).

PROBLEM:

http://www.isc.org/index.pl?/sw/bind/FAQ.php

> I can query the nameserver from the nameserver but not from other machines.
> Why?

Same problem as in this FAQ, but the recommended solution (opening up iptables) has no effect. ssh from outside works fine (when iptables and hosts.allow are open). traceroute from a remote machine fails. So the problem is maybe not just a bind9 problem, but I don't know what step to take next. :(

Any help would be nice.

boud

HYPOTHESIS:

Something is blocking both UDP and TCP packets, probably something I did by installing the harden package a long time ago or when reading http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/index.en.html, or maybe some kernel option? But I haven't found anything.

SYSTEM, PACKAGES:

- kernel 2.4.18-14.3 compiled from source (including the patch for CAN-2004-0554, http://linuxreviews.org/news/2004/06/11_kernel_crash/)
- Debian 3.0r2
- AMD Athlon

    harden-environment 0.1.4
    harden-localflaws  0.1.4
    harden-remoteflaws 0.1.4
    harden-tools       0.1.4
    harden             0.1.4  - removed but not purged
    harden-servers     0.1.4  - removed but not purged
    bind9              9.2.1-2.woody
    bind9-host         9.2.1-2.woody

SECURITY:

/etc/hosts.allow has

    named: ALL

-> but the problem occurs even with ALL: ALL

The iptables firewall is open:

    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT

-> but the problem occurs even when the firewall is totally open:

    /sbin/iptables -F
    /sbin/iptables -F -t filter
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT

OPENING UP BIND:

I've tried putting the following in named.conf:

    allow-query { any; };
    allow-recursion { any; };
    allow-transfer { any; };

It doesn't help.

ATTEMPTED DIAGNOSIS:

I've put 53 as the port number in named.conf:

    query-source address * port 53;

dig on localhost gives all the zone information from my local installation, but dig on remote machines which tries to get information directly from my nameserver (158.75.6.40) gives, e.g.:

    dig @158.75.6.40 cosmo.torun.pl any

    ; <<>> DiG 8.3 <<>> @158.75.6.40 cosmo.torun.pl any
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; res_nsend to server 158.75.6.40: Connection timed out

    dig @158.75.6.40 cosmo.torun.pl any

    ; <<>> DiG 9.2.1 <<>> @158.75.6.40 cosmo.torun.pl any
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached

    dig +tcp @158.75.6.40 cosmo.torun.pl any

    ;; Connection to 158.75.6.40#53(158.75.6.40) for cosmo.torun.pl failed: host unreachable.

    dig +tcp @158.75.6.40 -x 158.75.6.40 PTR

    ;; Connection to 158.75.6.40#53(158.75.6.40) for 40.6.75.158.in-addr.arpa. failed: host unreachable.

dig from a remote machine without specifying the server finds the information delegated by torun.pl but nothing from my own nameserver, whose A record is adjani.astro.uni.torun.pl.

/var/log/syslog output:

    Sep  3 22:48:01 adjani named[20589]: starting BIND 9.2.1
    Sep  3 22:48:01 adjani named[20589]: using 1 CPU
    Sep  3 22:48:01 adjani named[20591]: loading configuration from '/etc/bind/named.conf'
    Sep  3 22:48:01 adjani named[20591]: no IPv6 interfaces found
    Sep  3 22:48:01 adjani named[20591]: listening on IPv4 interface lo, 127.0.0.1#53
    Sep  3 22:48:01 adjani named[20591]: listening on IPv4 interface eth0, 158.75.6.40#53
    Sep  3 22:48:01 adjani named[20591]: command channel listening on 127.0.0.1#953
    Sep  3 22:48:01 adjani named[20591]: zone 0.in-addr.arpa/IN: loaded serial 1
    Sep  3 22:48:01 adjani named[20591]: zone 127.in-addr.arpa/IN: loaded serial 1
    Sep  3 22:48:01 adjani named[20591]: zone 6.75.158.in-addr.arpa/IN: loaded serial 2004081302
    Sep  3 22:48:01 adjani named[20591]: zone 196.168.192.in-addr.arpa/IN: loaded serial 2004090201
    Sep  3 22:48:01 adjani named[20591]: zone 255.in-addr.arpa/IN: loaded serial 1
    Sep  3 22:48:01 adjani named[20591]: zone localhost/IN: loaded serial 1
    Sep  3 22:48:01 adjani named[20591]: zone cosmo.torun.pl/IN: loaded serial 2004090301
    Sep  3 22:48:01 adjani named[20591]: running

DOES NETWORKING FUNCTION GENERALLY?

ssh is OK. When I open up both iptables and /etc/hosts.allow, I can ssh in from remote machines with no problem.

traceroute (sorry, it doesn't have a version number; the man page says 6 December 2000) from another machine gives up after 30 (or 100) steps. traceroute to other machines on the same LAN works after about 11 or so steps. So IMHO it seems unlikely that an intervening machine is blocking.

    netstat -tapu | grep named

    tcp   0   0 adjani.astro.uni:domain  *:*   LISTEN   20450/named
    tcp   0   0 localhost:domain         *:*   LISTEN   20450/named
    tcp   0   0 localhost:953            *:*   LISTEN   20450/named
    udp   0   0 *:domain                 *:*            20450/named
    udp   0   0 adjani.astro.uni:domain  *:*            20450/named
    udp   0   0 localhost:domain         *:*            20450/named

KERNEL HACKING:

    sysctl -A | grep bind

gives

    net/ipv4/ip_nonlocal_bind = 0

so I tried

    sysctl -w net/ipv4/ip_nonlocal_bind=1

Some other sysctl -A lines which might be relevant:

    net/ipv4/conf/eth0/arp_filter = 0
    net/ipv4/conf/eth0/tag = 0
    net/ipv4/conf/eth0/log_martians = 0
    net/ipv4/conf/eth0/bootp_relay = 0
    net/ipv4/conf/eth0/proxy_arp = 0
    net/ipv4/conf/eth0/accept_source_route = 1
    net/ipv4/conf/eth0/send_redirects = 1
    net/ipv4/conf/eth0/rp_filter = 1
    net/ipv4/conf/eth0/shared_media = 1
    net/ipv4/conf/eth0/secure_redirects = 1
    net/ipv4/conf/eth0/accept_redirects = 1
    net/ipv4/conf/eth0/mc_forwarding = 0
    net/ipv4/conf/eth0/forwarding = 0
    net/ipv4/ip_no_pmtu_disc = 0
    net/ipv4/ip_autoconfig = 0
    net/ipv4/ip_default_ttl = 64
    net/ipv4/ip_forward = 0

OTHER HOWTOs WHICH I'VE READ:

I've read through the DNS-HOWTO many times: /usr/share/doc/HOWTO/en-html/DNS-HOWTO-5.html
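Added example, not part of boud's post and not BIND's or Debian's code: a small Python probe that sends the same ANY query for cosmo.torun.pl over UDP and over TCP to port 53 and classifies what comes back. The three outcomes that dig reports loosely ("connection timed out", "host unreachable", and a plain connection refused) are the ones that separate a filter silently dropping packets somewhere on the path or in the server's kernel, an ICMP unreachable generated by a router or a REJECT rule, and a reachable host with nothing listening. The default server and name are the ones from the post; the `diagnose()` wording, the 3-second timeout and the helper `free_tcp_port()` (used only to self-test against a closed local port) are assumptions of this example.

```python
import errno
import random
import socket
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "PTR": 12, "ANY": 255}


def encode_qname(name):
    """Encode a dotted name as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="ANY", qid=None):
    """Return (id, wire bytes) for a single-question query with RD set."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_qname(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(data):
    """Decode the 12-byte DNS header; raises on truncated input."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def probe(server, name, proto, timeout=3.0, port=53):
    """Send one query; return 'answer', 'bad-reply', 'timeout', 'refused',
    'unreachable' or 'error'."""
    qid, msg = build_query(name)
    try:
        if proto == "udp":
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(timeout)
            s.connect((server, port))   # connected UDP: ICMP port-unreachable surfaces as ECONNREFUSED
            s.send(msg)
            data = s.recv(4096)
        else:
            s = socket.create_connection((server, port), timeout=timeout)
            s.settimeout(timeout)
            s.sendall(struct.pack("!H", len(msg)) + msg)   # DNS over TCP is length-prefixed
            hdr = s.recv(2)
            if len(hdr) < 2:
                return "error"
            (length,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    return "error"
                data += chunk
        s.close()
    except socket.timeout:
        return "timeout"          # nothing came back: dropped on the path or by the server's kernel
    except ConnectionRefusedError:
        return "refused"          # host reachable, no listener on that port
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # ICMP unreachable from a router or a REJECT rule
        return "error"
    h = parse_header(data)
    return "answer" if (h["id"] == qid and h["qr"]) else "bad-reply"


def diagnose(udp, tcp):
    """Assumed mapping from the two probe results to a one-word verdict."""
    if udp == "answer" and tcp == "answer":
        return "ok"
    if "refused" in (udp, tcp):
        return "reachable-not-listening"
    if udp == "timeout" and tcp == "timeout":
        return "filtered"
    if "unreachable" in (udp, tcp):
        return "icmp-unreachable"
    return "mixed"


def free_tcp_port():
    """Pick a local TCP port that nothing is listening on (for self-testing)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "158.75.6.40"
    name = sys.argv[2] if len(sys.argv) > 2 else "cosmo.torun.pl"
    udp, tcp = probe(server, name, "udp"), probe(server, name, "tcp")
    print("udp/53:", udp, " tcp/53:", tcp, " ->", diagnose(udp, tcp))
```

Run it from the remote machine (`python3 dnsprobe.py 158.75.6.40 cosmo.torun.pl`) and once from the server itself against 127.0.0.1 and against 158.75.6.40; "answer" locally but "timeout" remotely for both protocols means the packets never reach named, and two things in the post are worth checking in that light: BIND's named is not built against libwrap, so /etc/hosts.allow has no effect on it either way, and `iptables -F -t filter` leaves the nat and mangle tables untouched, so `iptables-save` is the quicker way to see every rule that is really loaded.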

