# DNS Server Unreachable (SOLVED)

## toneus

Yesterday I noticed that I fell off the grid. I was no longer getting email (Hosted by GoDaddy), delivered to the mailservers. My investigations lead me to believe that my DNS (hosted at home) is not reachable from the net.

Do I need to add something to my allow-query section of named.conf? (below)

Any assistance would be greatly appreciated.

My Static IP - 74.184.154.193

My Modems internal IP - 192.168.1.1

My DNS server - 192.168.1.69

```
zeus personal # whois chiaffredo.org | grep 'Name Server'
Name Server:NS.CHIAFFREDO.ORG
Name Server:NS2.CHIAFFREDO.ORG
```

My Netgear Modem/Router has a firewall port 53 tcp/udp rule that is forwarding to 192.168.1.69. This configuration has not changed. But I don't see this port listed as open when I nmap the external nor internal IPs for the Modem/Router.

```
zeus personal # nmap  74.184.154.193

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-14 12:16 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 74.184.154.193
Host is up (0.014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5001/tcp open  commplex-link
5100/tcp open  admd
```

I'm not sure why, but nmap is reporting that the port is not open, but netstat shows tcp on 53 LISTENING.

```
zeus personal # nmap --dns-servers 192.168.1.69 192.168.1.69

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-14 11:24 EST
Nmap scan report for www.chiaffredo.org (192.168.1.69)
Host is up (0.0000060s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

zeus personal # netstat -an | grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::139                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::631                  :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN
```

named.conf

```
acl "xfer" {
        /* Deny transfers by default except for the listed hosts.
         * If we have other name servers, place them here.
         */
        75.25.156.121;
};

/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
        127.0.0.0/8;
        ::1/128;
        192.168.1.0/24;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };

        /*
        * If you've got a DNS server around at your upstream provider, enter its
        * IP address here, and enable the line below. This will make you benefit
        * from its cache, thus reduce overall DNS traffic in the Internet.
        *
        * Uncomment the following lines to turn on DNS forwarding, and change
        *  and/or update the forwarding ip address(es):
        */
/*
        forward first;
        forwarders {
        //      123.123.123.123;        // Your ISP NS
        //      124.124.124.124;        // Your ISP NS
        //      4.2.2.1;                // Level3 Public DNS
        //      4.2.2.2;                // Level3 Public DNS
                8.8.8.8;                // Google Open DNS
                8.8.4.4;                // Google Open DNS
        };
*/

        //dnssec-enable yes;
        //dnssec-validation yes;

        /* if you have problems and are behind a firewall: */
        //query-source address * port 53;
};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
        type hint;
        file "/var/bind/root.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        notify no;
};

zone "chiaffredo.org" IN {
        type master;
        file "personal/chiaffredo.org";
};
```

Dig from inside

```
zeus named # dig ns.chiaffredo.org chiaffredo.org

; <<>> DiG 9.7.1 <<>> ns.chiaffredo.org chiaffredo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29785
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns.chiaffredo.org.             IN      A

;; ANSWER SECTION:
ns.chiaffredo.org.      600     IN      A       74.184.154.193

;; AUTHORITY SECTION:
chiaffredo.org.         600     IN      NS      ns.chiaffredo.org.
chiaffredo.org.         600     IN      NS      ns2.chiaffredo.org.

;; ADDITIONAL SECTION:
ns2.chiaffredo.org.     600     IN      A       75.25.156.121

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 14 12:32:56 2010
;; MSG SIZE  rcvd: 99

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;chiaffredo.org.                        IN      A

;; ANSWER SECTION:
chiaffredo.org.         600     IN      A       74.184.154.193

;; AUTHORITY SECTION:
chiaffredo.org.         600     IN      NS      ns2.chiaffredo.org.
chiaffredo.org.         600     IN      NS      ns.chiaffredo.org.

;; ADDITIONAL SECTION:
ns.chiaffredo.org.      600     IN      A       74.184.154.193
ns2.chiaffredo.org.     600     IN      A       75.25.156.121

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 14 12:32:56 2010
;; MSG SIZE  rcvd: 115
```

Dig of my email server

```
zeus named # dig ns.chiaffredo.org email.chiaffredo.org

; <<>> DiG 9.7.1 <<>> ns.chiaffredo.org email.chiaffredo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns.chiaffredo.org.             IN      A

;; ANSWER SECTION:
ns.chiaffredo.org.      600     IN      A       74.184.154.193

;; AUTHORITY SECTION:
chiaffredo.org.         600     IN      NS      ns.chiaffredo.org.
chiaffredo.org.         600     IN      NS      ns2.chiaffredo.org.

;; ADDITIONAL SECTION:
ns2.chiaffredo.org.     600     IN      A       75.25.156.121

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 14 12:38:27 2010
;; MSG SIZE  rcvd: 99

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45445
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;email.chiaffredo.org.          IN      A

;; ANSWER SECTION:
email.chiaffredo.org.   600     IN      CNAME   email.secureserver.net.
email.secureserver.net. 3600    IN      CNAME   email.where.secureserver.net.
email.where.secureserver.net. 300 IN    A       64.202.189.148

;; AUTHORITY SECTION:
where.secureserver.net. 3600    IN      NS      gns2.secureserver.net.
where.secureserver.net. 3600    IN      NS      gns3.secureserver.net.
where.secureserver.net. 3600    IN      NS      gns1.secureserver.net.

;; Query time: 410 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 14 12:38:28 2010
;; MSG SIZE  rcvd: 173
```

Last edited by toneus on Tue Dec 14, 2010 8:15 pm; edited 1 time in total

----------

## albright

just a wild guess: does 192.168.1.69 have another ip as well (like a second nic)? If so, maybe 192.168.1.69 should be added to the listen-on line.

----------

## toneus

I do have an onboard nic and a separate network card. Only one is wired and online at this time. That definitely has not changed in months.

Added the server's IP to listen-on, and restarted named.

```
options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1; 192.168.1.69; };
...
```

Now I'm getting several query denied messages. But still no successful response from DNS Check (http://www.checkdns.net/quickcheckdomainf.aspx).

```
14-Dec-2010 13:33:52.117 security: info: client 12.130.136.12#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:33:53.191 security: info: client 12.130.136.12#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:33:56.260 security: info: client 12.130.136.12#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:33:56.279 security: info: client 12.130.136.12#53: query 'ns2.chiaffredo.org/A/IN' denied
14-Dec-2010 13:33:56.822 security: info: client 81.92.120.13#7764: query 'chiaffredo.org/MX/IN' denied
14-Dec-2010 13:33:57.114 security: info: client 81.92.120.13#4953: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:33:57.117 security: info: client 81.92.120.13#53001: query 'ns.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:17.249 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:17.249 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:17.249 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:17.250 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:19.312 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:21.403 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:21.404 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:21.404 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:21.581 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:21.691 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:21.801 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:23.718 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:23.965 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:24.155 security: info: client 12.130.136.14#53: query 'ns2.chiaffredo.org/AAAA/IN' denied
14-Dec-2010 13:34:24.368 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:24.444 security: info: client 66.220.144.154#23918: query 'chiaffredo.org/MX/IN' denied
14-Dec-2010 13:34:26.067 security: info: client 66.220.146.247#49199: query 'chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:26.315 security: info: client 66.220.144.132#23650: query 'chiaffredo.org/A/IN' denied
14-Dec-2010 13:34:26.342 security: info: client 12.130.136.14#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:35:04.497 security: info: client 75.25.156.121#15498: query (cache) 'goadv.org/SOA/IN' denied
14-Dec-2010 13:35:04.976 security: info: client 75.25.156.121#54329: query (cache) 'goadv.org/SOA/IN' denied
14-Dec-2010 13:35:29.578 security: info: client 65.54.237.137#60429: query 'chiaffredo.org/MX/IN' denied
14-Dec-2010 13:35:35.819 security: info: client 65.54.237.156#55879: query 'chiaffredo.org/A/IN' denied
14-Dec-2010 13:35:36.001 security: info: client 207.46.116.29#63625: query 'chiaffredo.org/A/IN' denied
```
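The log above contains two different kinds of denial that are easy to conflate: queries for names in a zone the server is master for (those should be answered for anyone, so each denial is a symptom of the restrictive allow-query) and "(cache)" denials for foreign names (those are the server correctly refusing to act as an open resolver). The following triage script is an added example, not code from the thread; it parses BIND's security-category "query ... denied" lines, splits them along that boundary, and counts the problematic ones per client and per query type. The sample lines are constructed in the shape of the ones posted above, and the zone list assumes, as the posted named.conf shows, that chiaffredo.org is the only master zone.

```python
import re
from collections import Counter

# Constructed sample lines, in the format of BIND's "security" category:
#   client ADDR#PORT: query [(cache)] 'NAME/TYPE/CLASS' denied
# "(cache)" marks a lookup that needed the cache/recursion, as opposed to a
# query for a zone this server is authoritative for.
SAMPLE_LOG = """\
14-Dec-2010 13:33:52.117 security: info: client 12.130.136.12#53: query 'ns.chiaffredo.org/A/IN' denied
14-Dec-2010 13:33:56.822 security: info: client 81.92.120.13#7764: query 'chiaffredo.org/MX/IN' denied
14-Dec-2010 13:35:04.497 security: info: client 75.25.156.121#15498: query (cache) 'goadv.org/SOA/IN' denied
14-Dec-2010 13:35:29.578 security: info: client 65.54.237.137#60429: query 'chiaffredo.org/MX/IN' denied
14-Dec-2010 13:35:36.001 security: info: client 207.46.116.29#63625: query 'chiaffredo.org/A/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) security: info: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query (?P<cache>\(cache\) )?'(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)

# Zones this server is master for (from the posted named.conf; adjust for your own server).
AUTHORITATIVE_ZONES = ("chiaffredo.org",)


def in_zone(name, zones):
    """True if NAME is the zone apex or a name below one of ZONES."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def triage(log_text, zones=AUTHORITATIVE_ZONES):
    """Split denied queries into:
       misconfig - non-cache denials for names in our own zones: allow-query is
                   blocking lookups the world must be able to make;
       expected  - cache/recursive denials (and anything outside our zones):
                   an authoritative-only server should refuse these."""
    result = {"misconfig": [], "expected": [], "unparsed": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        rec = m.groupdict()
        rec["cache"] = rec["cache"] is not None
        if not rec["cache"] and in_zone(rec["name"], zones):
            result["misconfig"].append(rec)
        else:
            result["expected"].append(rec)
    return result


def summarize(result):
    """Counts of the denials that point at a misconfiguration, by client and query type."""
    return {
        "misconfig_total": len(result["misconfig"]),
        "expected_total": len(result["expected"]),
        "by_client": dict(Counter(r["ip"] for r in result["misconfig"])),
        "by_qtype": dict(Counter(r["qtype"] for r in result["misconfig"])),
    }


if __name__ == "__main__":
    summary = summarize(triage(SAMPLE_LOG))
    print("denials of our own zone (fix allow-query):", summary["misconfig_total"])
    print("  per client:", summary["by_client"])
    print("  per qtype: ", summary["by_qtype"])
    print("correctly refused cache/recursion requests:", summary["expected_total"])
```

Run it against the real file with `triage(open("/var/log/named/named.log").read())`. Once allow-query is widened to `any`, the "misconfig" bucket should drop to zero while "(cache)" denials from untrusted clients keep appearing, which is the behaviour you want from a server that is authoritative but not a public resolver.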

----------

## Princess Nell

The router is forwarding to - zeus = 192.168.1.69? Yet named.conf says your server is only listening on the loopback interface, which netstat confirms; it is not listening on 192.168.1.69. The loopback interface is only available locally.

You need to allow queries, but not recursion, by everyone, as forwarding retains the source address. Right now, you only allow queries originating on localhost and localnet, which will only work for queries originating on the modem/router, not those being forwarded by it.
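The distinction Princess Nell draws (answer anyone for your own zones, but offer recursion only to trusted clients) is visible in the DNS header of the reply: a correct authoritative answer has AA set and RA clear, whereas the symptom in this thread is RCODE REFUSED, and an RA flag on a reply to an untrusted client means the server is advertising itself as a resolver. The following is an added example, not code from the thread: it builds a query with RD=0, which is how remote resolvers ask an authoritative server, decodes the reply header, and interprets the flags. Constructed reply headers stand in for a real server so it runs offline; `query_server` is the live version of the same check and the server address and names are whatever you pass in.

```python
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype="A", rd=False, qid=None):
    """Minimal DNS query: 12-byte header, one question, no EDNS.
    rd=False is the resolver-to-authoritative case, which only needs allow-query."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)   # class IN


def parse_header(resp):
    """Decode the flag bits that show how the server treated the query."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),    # authoritative answer
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),    # recursion available (should be off for untrusted clients)
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def assess(hdr):
    """Interpret a reply for a name the server is supposed to be master for."""
    if hdr["rcode"] == "REFUSED":
        return "refused: allow-query is blocking this client"
    if hdr["rcode"] == "NOERROR" and hdr["aa"] and not hdr["ra"]:
        return "ok: authoritative answer, recursion not offered"
    if hdr["ra"]:
        return "warning: recursion advertised to this client (check allow-recursion)"
    return "unexpected: rcode=%s aa=%s" % (hdr["rcode"], hdr["aa"])


def make_response(query, aa, ra, rcode, answers=0):
    """Constructed reply (header + echoed question) used instead of a live server."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 0) + query[12:]


def query_server(server, name, qtype="A", timeout=3.0):
    """Live check over UDP/53 (not run in the offline demo); verifies the reply id."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("reply id does not match query id")
    return hdr


if __name__ == "__main__":
    q = build_query("chiaffredo.org", "MX")
    for label, kw in (("restrictive allow-query", dict(aa=False, ra=False, rcode=5)),
                      ("allow-query any, recursion trusted", dict(aa=True, ra=False, rcode=0, answers=1)),
                      ("open resolver", dict(aa=True, ra=True, rcode=0, answers=1))):
        print("%-36s -> %s" % (label, assess(parse_header(make_response(q, **kw)))))
```

For the live check, run `query_server("<your public IP>", "<your zone>", "MX")` from a host outside your network; from inside, the reply will carry RA because the source address falls in the trusted ACL, exactly as the `flags: qr aa rd ra` lines in the dig output above show for localhost.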

----------

## toneus

Princess Nell,

Thank you!

I added the address to listen-on; is this what you're referring to for not listening on .69? Does this look correct now?

```
        listen-on { 127.0.0.1; 192.168.1.69; };
```

I changed allow-query, allow-query-cache, and allow-transfer, and that seems to have helped as now I'm getting email. Are these appropriate now?

The previous settings of trusted were defaults, and must have been the result of a recent emerge. I didn't notice these as differences in etc-update (I use side by side vi diff).

```
        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                any;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                any;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                75.25.156.121;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };
```

----------

## toneus

I just checked what a re-emerge of bind would do. Didn't see much risk, so figured I would give it a go. What do you know, right there at the end of the emerge are several notes.

I apparently didn't see these when I performed the latest emerge Update.

So I think there are several things that changed with named.conf, and the various directories that I did not see because bind was updated as part of a larger emerge and the following notes were not seen.

Thanks, for the help. I seem to be out of the woods for now.

Toneus

```
 * Messages for package net-dns/bind-9.7.2_p3-r1:
 *
 * If you're in vserver enviroment, you're probably want to
 * disable threads support because of linux capabilities dependency
 *
 *
 * NOTE: /var/bind/named.ca has been renamed to /var/bind/named.cache
 * you may need to fix your named.conf!
 *
 * NOTE: If you upgrade from <net-dns/bind-9.4.3_p5-r1, you may encounter permission problems
 * To fix the permissions do:
 * chown root:named /{etc,var}/bind /var/{run,log}/named /var/bind/{sec,pri}
 * chown root:named /var/bind/named.cache /var/bind/pri/{127,localhost}.zone /etc/bind/{bind.keys,named.conf}
 * chmod 0640 /var/bind/named.cache /var/bind/pri/{127,localhost}.zone /etc/bind/{bind.keys,named.conf}
 * chmod 0750 /etc/bind /var/bind/pri
 * chmod 0770 /var/{run,log}/named /var/bind/{,sec}
```

----------

