Re: cache does truely in local and doesn't work in remote
On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
> On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote:
>> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>>> Dear all,
>>> I installed bind in Debian/lenny, and I ran the following command on the server:
>>>
>>>     root@shared:/etc/bind# dig @localhost yahoo.com
>>>     [...]
>>>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24259
>>>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2
>>>     [...]
>>>     ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>
>>> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>>>
>>>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>>>     ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>>>     ;; global options: +cmd
>>>     ;; connection timed out; no servers could be reached
>>>
>>> What do I need to set to solve it?
>>
>> Two things that might be the issue:
>> 1. Does the BIND configuration (named.conf) enable BIND on your external interface?
>> 2. Does a firewall allow access to port 53/UDP?
>>
>> There are other possibilities, depending on things like your network configuration. Make sure that you can ping the server from the remote system.
>>
>> And, please do not run an open recursive server. (Don't know that you are trying to, but it looked quite possible.)
>
> Would you like to explain more?

A recursive DNS server that is available to the world can be used as an amplifier for DDOS attacks. It is generally considered unacceptable to allow public access to recursive servers. If you have the resources of a Google, you can build tools to monitor for this and prevent this, but it is not trivial and does not work with stock BIND or any other free DNS server of which I am aware.

Further, if the server is authoritative for some zones and also does recursion, it is far more vulnerable to cache poisoning attacks, so the best common practice is to run separate authoritative and recursive servers and limit recursion to internal and customer systems.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
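Kevin's advice above (keep recursion off the public side, or at least restrict it) is easy to get wrong in named.conf because of how BIND fills in defaults. Per the BIND 9 ARM, when allow-recursion is not set it falls back to allow-query-cache, then to allow-query, then to { localnets; localhost; }. So the allow-query { any; }; change reported later in this thread, with recursion left at its default of yes and no allow-recursion, turns the server into an open resolver. The following is an added example, not code from this list or from ISC: a small Python audit that parses the top-level acl and options blocks of a named.conf, applies that defaulting chain, and reports who effectively gets recursion. Both embedded configs are constructed; the "trusted" ACL name and the 192.0.2.0/24 prefix are placeholders, and the parser deliberately ignores views and include files.

```python
"""Audit named.conf options for the open-recursion mistake discussed above.

Added example, not code from the list or from ISC. It applies the BIND 9 ARM
defaulting chain: if allow-recursion is unset, BIND uses allow-query-cache,
else allow-query, else { localnets; localhost; }. The parser is deliberately
crude (top-level acl/options blocks only; no views or includes) and the sample
configs below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed: the shape of the poster's fix. The server now answers the world,
# and because recursion defaults to yes and allow-recursion is unset, the
# allow-query ACL also becomes the recursion ACL: an open resolver.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    allow-query { any; };      // anyone may ask
};
"""

# Constructed: authoritative answers for anyone, recursion and cache reads only
# for the placeholder "trusted" networks (192.0.2.0/24 is documentation space).
HARDENED_CONF = """
acl "trusted" { 127.0.0.0/8; ::1; 192.0.2.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""

_HEAD = re.compile(r'\b(acl\s+"?([\w-]+)"?|options)\s*\{')
_STMT = re.compile(r'([\w-]+)\s*(\{[^}]*\}|[^;{}]+)\s*;')
OPEN_MARKERS = {"any", "0.0.0.0/0", "::/0"}


def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _members(body: str) -> List[str]:
    return [x.strip().strip('"') for x in body.split(";") if x.strip()]


def _blocks(text: str):
    """Yield (kind, acl_name, body) for top-level acl/options blocks, matching braces."""
    pos = 0
    while (m := _HEAD.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield ("acl" if m.group(2) else "options"), m.group(2), text[m.end():i - 1]
        pos = i


def parse_named_conf(text: str) -> Tuple[Dict[str, List[str]], Dict[str, object]]:
    """Return ({acl_name: members}, {option_name: list_or_scalar})."""
    acls: Dict[str, List[str]] = {}
    options: Dict[str, object] = {}
    for kind, name, body in _blocks(_strip_comments(text)):
        if kind == "acl":
            acls[name] = _members(body)
            continue
        for s in _STMT.finditer(body):
            val = s.group(2).strip()
            options[s.group(1)] = _members(val[1:-1]) if val.startswith("{") else val.strip('"')
    return acls, options


def expand(items: List[str], acls: Dict[str, List[str]], seen=()) -> List[str]:
    """Replace named ACLs with their members (guarding against reference loops)."""
    out: List[str] = []
    for item in items:
        if item in acls and item not in seen:
            out.extend(expand(acls[item], acls, seen + (item,)))
        else:
            out.append(item)
    return out


def effective_allow_recursion(options: Dict[str, object], acls) -> List[str]:
    """Who gets recursion, after BIND's defaulting chain (see module docstring)."""
    if options.get("recursion", "yes") != "yes":
        return []
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in options:
            return expand(list(options[key]), acls)
    return ["localnets", "localhost"]


def is_open_resolver(conf_text: str) -> Tuple[bool, List[str]]:
    """Return (open_to_the_world, effective recursion ACL) for a named.conf text."""
    acls, options = parse_named_conf(conf_text)
    allowed = effective_allow_recursion(options, acls)
    return any(a in OPEN_MARKERS for a in allowed), allowed


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        is_open, acl = is_open_resolver(conf)
        print(f"{label}: open resolver = {is_open}, recursion allowed from {acl}")
```

The hardened form keeps allow-query { any; } so the zones the server is authoritative for stay reachable, and pins both allow-recursion and allow-query-cache to the trusted ACL; setting only one of the two still leaks, since the other defaults from allow-query. A real deployment would go further, as Kevin says, and put the authoritative and recursive roles on separate servers (or at least separate views).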
Re: cache does truely in local and doesn't work in remote
On Tue, 2012-09-04 at 09:51 -0700, Kevin Oberman wrote:
> On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>> On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote:
>>> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>>>> Dear all,
>>>> I installed bind in Debian/lenny, and I ran the following command on the server:
>>>>
>>>>     root@shared:/etc/bind# dig @localhost yahoo.com
>>>>     [...]
>>>>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2
>>>>     [...]
>>>>
>>>> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>>>>
>>>>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>>>>     ;; connection timed out; no servers could be reached
>>>>
>>>> What do I need to set to solve it?
>>>
>>> Two things that might be the issue:
>>> 1. Does the BIND configuration (named.conf) enable BIND on your external interface?
>>> 2. Does a firewall allow access to port 53/UDP?
>>>
>>> There are other possibilities, depending on things like your network configuration. Make sure that you can ping the server from the remote system.
>>>
>>> And, please do not run an open recursive server. (Don't know that you are trying to, but it looked quite possible.)
>>
>> Would you like to explain more?
>
> A recursive DNS server that is available to the world can be used as an amplifier for DDOS attacks. It is generally considered unacceptable to allow public access to recursive servers. If you have the resources of a Google, you can build tools to monitor for this and prevent this, but it is not trivial and does not work with stock BIND or any other free DNS server of which I am aware.
>
> Further, if the server is authoritative for some zones and also does recursion, it is far more vulnerable to cache poisoning attacks, so the best common practice is to run separate authoritative and recursive servers and limit recursion to internal and customer systems.

It's a beautiful idea... thank you.
Re: cache does truely in local and doesn't work in remote
On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
> Dear all,
> I installed bind in Debian/lenny, and I ran the following command on the server:
>
>     root@shared:/etc/bind# dig @localhost yahoo.com
>
>     ; <<>> DiG 9.7.3 <<>> @localhost yahoo.com
>     ; (2 servers found)
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24259
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2
>
>     ;; QUESTION SECTION:
>     ;yahoo.com.                     IN      A
>
>     ;; ANSWER SECTION:
>     yahoo.com.              3600    IN      A       72.30.38.140
>     yahoo.com.              3600    IN      A       98.138.253.109
>     yahoo.com.              3600    IN      A       98.139.183.24
>
>     ;; AUTHORITY SECTION:
>     yahoo.com.              172800  IN      NS      ns6.yahoo.com.
>     yahoo.com.              172800  IN      NS      ns2.yahoo.com.
>     yahoo.com.              172800  IN      NS      ns1.yahoo.com.
>     yahoo.com.              172800  IN      NS      ns4.yahoo.com.
>     yahoo.com.              172800  IN      NS      ns8.yahoo.com.
>     yahoo.com.              172800  IN      NS      ns5.yahoo.com.
>     yahoo.com.              172800  IN      NS      ns3.yahoo.com.
>
>     ;; ADDITIONAL SECTION:
>     ns6.yahoo.com.          172800  IN      A       202.43.223.170
>     ns8.yahoo.com.          172800  IN      A       202.165.104.22
>
>     ;; Query time: 136 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1)
>     ;; WHEN: Sun Sep  2 17:09:03 2012
>     ;; MSG SIZE  rcvd: 233
>
> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>
>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>
>     ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>     ;; global options: +cmd
>     ;; connection timed out; no servers could be reached
>
> What do I need to set to solve it?

Two things that might be the issue:

1. Does the BIND configuration (named.conf) enable BIND on your external interface?
2. Does a firewall allow access to port 53/UDP?

There are other possibilities, depending on things like your network configuration. Make sure that you can ping the server from the remote system.

And, please do not run an open recursive server. (Don't know that you are trying to, but it looked quite possible.)
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
Re: cache does truely in local and doesn't work in remote
On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote:
> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>> Dear all,
>> I installed bind in Debian/lenny, and I ran the following command on the server:
>>
>>     root@shared:/etc/bind# dig @localhost yahoo.com
>>     [...]
>>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24259
>>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2
>>     [...]
>>
>> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>>
>>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>>     ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>>     ;; global options: +cmd
>>     ;; connection timed out; no servers could be reached
>>
>> What do I need to set to solve it?
>
> Two things that might be the issue:
> 1. Does the BIND configuration (named.conf) enable BIND on your external interface?
> 2. Does a firewall allow access to port 53/UDP?
>
> There are other possibilities, depending on things like your network configuration. Make sure that you can ping the server from the remote system.
>
> And, please do not run an open recursive server. (Don't know that you are trying to, but it looked quite possible.)

Would you like to explain more?
--mohsen
Re: cache does truely in local and doesn't work in remote
In article mailman.161.1346605971.11945.bind-us...@lists.isc.org, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>
>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>
>     ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>     ;; global options: +cmd
>     ;; connection timed out; no servers could be reached
>
> What do I need to set to solve it?

My guess is you need to open TCP and UDP port 53 on a firewall somewhere.
-- 
Barry Margolin
Arlington, MA
Re: cache does truely in local and doesn't work in remote
On Sun, 2012-09-02 at 13:59 -0400, Barry Margolin wrote:
> In article mailman.161.1346605971.11945.bind-us...@lists.isc.org, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>>
>>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>>     ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>>     ;; global options: +cmd
>>     ;; connection timed out; no servers could be reached
>>
>> What do I need to set to solve it?
>
> My guess is you need to open TCP and UDP port 53 on a firewall somewhere.

I think my config has a problem, because my server's ports are open: when I use iptables -L, I see that all ports are open. Then I ran:

    root@shared:/etc/bind# nmap localhost

    Starting Nmap 5.00 ( http://nmap.org ) at 2012-09-02 18:24 UTC
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 993 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    3128/tcp open  squid-http
    3306/tcp open  mysql

The above result is the same as:

    root@debian:/home/mohsen# nmap 184.22.226.205

    Starting Nmap 6.00 ( http://nmap.org ) at 2012-09-02 22:52 IRDT
    Nmap scan report for 184-22-226-205.static.hostnoc.net (184.22.226.205)
    Host is up (0.37s latency).
    Not shown: 994 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    3128/tcp open  squid-http

The second nmap is from my machine, not the server. Then I ran telnet from my machine and got:

    root@debian:/home/mohsen# telnet 184.22.226.205:53
    telnet: could not resolve 184.22.226.205:53/telnet: Name or service not known

So, the firewall isn't dropping my packets.
--mohsen
Re: cache does truely in local and doesn't work in remote
At 11:29 02-09-2012, Mohsen Pahlevanzadeh wrote:
> The second nmap is from my machine, not the server. Then I ran telnet from my machine and got:
>
>     root@debian:/home/mohsen# telnet 184.22.226.205:53
>     telnet: could not resolve 184.22.226.205:53/telnet: Name or service not known

dig example.com @184.22.226.205 gives the following:

    ;; QUESTION SECTION:
    ;example.com.                   IN      A

    ;; Query time: 13 msec
    ;; SERVER: 184.22.226.205#53(184.22.226.205)
    ;; MSG SIZE  rcvd: 29

The nameserver is listening on 184.22.226.205 for DNS queries and it is responding. In a previous message, you did the following:

    root@debian:/home/mohsen# dig yahoo.com @184.22.226.206

Verify the IP address you should be using for DNS.

Regards,
-sm
Re: cache does truely in local and doesn't work in remote
On Sep 2, 2012, at 2:29 PM, Mohsen Pahlevanzadeh wrote:
> On Sun, 2012-09-02 at 13:59 -0400, Barry Margolin wrote:
>> In article mailman.161.1346605971.11945.bind-us...@lists.isc.org, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>>> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>>>
>>>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>>>     ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>>>     ;; global options: +cmd
>>>     ;; connection timed out; no servers could be reached
>>>
>>> What do I need to set to solve it?
>>
>> My guess is you need to open TCP and UDP port 53 on a firewall somewhere.
>
> I think my config has a problem, because my server's ports are open: when I use iptables -L, I see that all ports are open. Then I ran:
>
>     root@shared:/etc/bind# nmap localhost
>
>     Starting Nmap 5.00 ( http://nmap.org ) at 2012-09-02 18:24 UTC
>     Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
>     Interesting ports on localhost (127.0.0.1):

You are nmap'ing the loopback interface. Try nmap on your external IP -- probably it will be the same, but...

Also, nmap shows you open *TCP* ports, not UDP. Better than this would be to run netstat (like netstat -aln | grep 53) and see if it is listening on UDP 53.

>     Not shown: 993 closed ports
>     PORT     STATE SERVICE
>     22/tcp   open  ssh
>     25/tcp   open  smtp
>     53/tcp   open  domain
>     80/tcp   open  http
>     111/tcp  open  rpcbind
>     3128/tcp open  squid-http
>     3306/tcp open  mysql
>
> The above result is the same as:
>
>     root@debian:/home/mohsen# nmap 184.22.226.205
>
>     Starting Nmap 6.00 ( http://nmap.org ) at 2012-09-02 22:52 IRDT
>     Nmap scan report for 184-22-226-205.static.hostnoc.net (184.22.226.205)
>     Host is up (0.37s latency).
>     Not shown: 994 closed ports
>     PORT     STATE SERVICE
>     22/tcp   open  ssh
>     25/tcp   open  smtp
>     53/tcp   open  domain
>     80/tcp   open  http
>     111/tcp  open  rpcbind
>     3128/tcp open  squid-http
>
> The second nmap is from my machine, not the server. Then I ran telnet from my machine and got:
>
>     root@debian:/home/mohsen# telnet 184.22.226.205:53
>     telnet: could not resolve 184.22.226.205:53/telnet: Name or service not known
>
> So, the firewall isn't dropping my packets.

Actually that doesn't really show anything about your firewall -- telnet doesn't understand the IP:port syntax, so it tried to resolve the name 184.22.226.205:53; it doesn't try to connect to port 53 on 184.22.226.205. If you want to try telnet to port 53 on 184.22.226.205, you need "telnet 184.22.226.205 53" (a space, not a colon).

W

> --mohsen

-- 
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.
Re: cache does truely in local and doesn't work in remote
On Sun, 2012-09-02 at 15:49 -0400, Warren Kumari wrote:
> On Sep 2, 2012, at 2:29 PM, Mohsen Pahlevanzadeh wrote:
>> On Sun, 2012-09-02 at 13:59 -0400, Barry Margolin wrote:
>>> In article mailman.161.1346605971.11945.bind-us...@lists.isc.org, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
>>>> According to the result, my BIND works correctly. But when I run the same command on my machine, I get the following result:
>>>>
>>>>     root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>>>>     ;; connection timed out; no servers could be reached
>>>>
>>>> What do I need to set to solve it?
>>>
>>> My guess is you need to open TCP and UDP port 53 on a firewall somewhere.
>>
>> I think my config has a problem, because my server's ports are open: when I use iptables -L, I see that all ports are open. Then I ran:
>>
>>     root@shared:/etc/bind# nmap localhost
>>     [...]
>>     Interesting ports on localhost (127.0.0.1):
>
> You are nmap'ing the loopback interface. Try nmap on your external IP -- probably it will be the same, but...
>
> Also, nmap shows you open *TCP* ports, not UDP. Better than this would be to run netstat (like netstat -aln | grep 53) and see if it is listening on UDP 53.
>
>>     [...]
>>
>> The above result is the same as:
>>
>>     root@debian:/home/mohsen# nmap 184.22.226.205
>>     [...]
>>
>> The second nmap is from my machine, not the server. Then I ran telnet from my machine and got:
>>
>>     root@debian:/home/mohsen# telnet 184.22.226.205:53
>>     telnet: could not resolve 184.22.226.205:53/telnet: Name or service not known

Sorry for a BIG AND COMIC MISTAKE.

>> So, the firewall isn't dropping my packets.
>
> Actually that doesn't really show anything about your firewall -- telnet doesn't understand the IP:port syntax, so it tried to resolve the name 184.22.226.205:53; it doesn't try to connect to port 53 on 184.22.226.205. If you want to try telnet to port 53 on 184.22.226.205, you need "telnet 184.22.226.205 53" (a space, not a colon).
>
> W
>
>> --mohsen
>
> -- 
> Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.

I added allow-query { any; }; and reloaded the server via rndc. Now everything is OK. Thank you guys.
--mohsen
Re: cache does truely in local and doesn't work in remote
In article mailman.166.1346621028.11945.bind-us...@lists.isc.org, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
> I added allow-query { any; }; and reloaded the server via rndc. Now everything is OK. Thank you guys.

If it were an allow-query problem, you should have gotten a REFUSED status when you tried your outside query. The error said "No servers could be reached", that's why I thought it was a communication problem.
-- 
Barry Margolin
Arlington, MA
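Barry's distinction above is the one that settles this kind of thread: a timeout ("no servers could be reached") means no DNS reply came back at all (nothing bound to that address, or a firewall dropping UDP 53), whereas a server that is reachable but whose allow-query or allow-recursion ACL rejects you answers with RCODE REFUSED. Warren's point applies too: nmap's default TCP scan says nothing about UDP 53. The following is an added example, not code from this list: a small Python probe that builds a recursive A query, sends it over UDP/53, and classifies the reply the way the thread did by hand. A reply that sets RA and carries answers to a name the server is not authoritative for means recursion is being offered to the querying address; from an outside address that is the open resolver Kevin warns about. The constructed replies used offline below echo the query's id and question with different header flags; example.com and the 192.0.2.1 answer are placeholders. A header-plus-question reply for example.com is exactly 29 bytes, the size SM reported from 184.22.226.205 with nothing but a question section, which is what a REFUSED (or any other answer-less) reply looks like on the wire.

```python
"""Classify what a remote resolver says back, the way the thread does by hand.

Added example, not code from the list. Diagnoses: TIMEOUT (nothing answered:
listen-on, wrong address or firewall), REFUSED (reachable, ACL rejects us),
OPEN-RECURSION (RA set and answers returned to a recursive query from this
source), AUTH-ONLY (answered without offering recursion). The sample packets
built by fake_reply() are constructed; example.com and 192.0.2.1 are placeholders.
"""
import secrets
import socket
import struct
from typing import Optional

RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1, rd: bool = True):
    """Minimal wire-format query: header, one question, no EDNS. Returns (id, bytes)."""
    txid = secrets.randbits(16)
    flags = 0x0100 if rd else 0x0000          # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields classify() needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}


def classify(resp: Optional[bytes], expected_id: int) -> str:
    """Map a reply (None = timeout) to the diagnoses the thread arrived at."""
    if resp is None:
        return "TIMEOUT"            # listen-on / wrong address / firewall drops 53
    if len(resp) < 12:
        return "MALFORMED"
    h = parse_header(resp)
    if not h["qr"] or h["id"] != expected_id:
        return "MISMATCH"           # not a reply to our query; ignore it
    if h["rcode"] == 5:
        return "REFUSED"            # reachable; allow-query/allow-recursion says no
    if h["ra"] and h["ancount"] > 0:
        return "OPEN-RECURSION"     # recursion offered to this source address
    if h["rcode"] == 0 and not h["ra"]:
        return "AUTH-ONLY"          # answered from zone data, recursion not available
    return RCODE.get(h["rcode"], str(h["rcode"]))


def probe(server: str, qname: str = "example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify. Needs network; not used by the test."""
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify(resp, txid)


# --- constructed replies for offline use --------------------------------------
def fake_reply(query: bytes, flags: int, answer: bytes = b"") -> bytes:
    """Echo the query's id and question with new flags; optionally append one RR."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer


# one A record: name pointer to offset 12, type A, class IN, TTL 3600, 192.0.2.1
FAKE_A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
FLAGS_REFUSED = 0x8105           # QR RD, RCODE 5
FLAGS_RECURSIVE_ANSWER = 0x8180  # QR RD RA, NOERROR
FLAGS_AUTH_NO_RA = 0x8500        # QR AA RD, no RA (authoritative-only server)


def demo() -> dict:
    """Run classify() over the constructed replies; returns a label-to-verdict map."""
    txid, q = build_query("example.com")
    return {
        "timeout": classify(None, txid),
        "refused": classify(fake_reply(q, FLAGS_REFUSED), txid),
        "open": classify(fake_reply(q, FLAGS_RECURSIVE_ANSWER, FAKE_A_RR), txid),
        "auth": classify(fake_reply(q, FLAGS_AUTH_NO_RA, FAKE_A_RR), txid),
        "stray": classify(fake_reply(q, FLAGS_RECURSIVE_ANSWER, FAKE_A_RR), (txid + 1) & 0xFFFF),
    }


if __name__ == "__main__":
    print(demo())
```

Run probe("184.22.226.205") from the outside after a change such as allow-query { any; } and the verdict tells you which side of Barry's distinction you are on; an OPEN-RECURSION verdict from an address that is not in your trusted networks is the condition Kevin asked the poster not to create. The id check matters for the same reason it matters to BIND: a reply whose transaction id does not match is not evidence of anything.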