
DNS Config


IRLASCHU (IS-IT--Management) | Dec 29, 2007 | 28 | GB
Hi everyone,

I'm seeing a lot of traffic for DNS queries from 127.0.0.1. I've set up two BIND servers in chroot to support 1 domain at the moment. The servers should not allow recursion unless from inside the box itself, I presume? Could someone double-check the config please and advise on any further changes if needed. The two DNS servers are behind a Cisco PIX 506E firewall, so I presume it cannot handle the new random DNS queries? I've set the config as static on port 53.

Alexander
 
options {
directory "/var/named";
version "Change is the only constant.";
allow-query { any; };
query-source port 53;
allow-recursion { internal; };
listen-on { any; };
listen-on-v6 { none; };
allow-transfer { none; };
zone-statistics yes;
};

logging {
category "default" { "debug"; };
category "general" { "debug"; };
category "database" { "debug"; };
category "security" { "debug"; };
category "config" { "debug"; };
category "resolver" { "debug"; };
category "xfer-in" { "debug"; };
category "xfer-out" { "debug"; };
category "notify" { "debug"; };
category "client" { "debug"; };
category "unmatched" { "debug"; };
category "network" { "debug"; };
category "update" { "debug"; };
category "queries" { "debug"; };
category "dispatch" { "debug"; };
category "dnssec" { "debug"; };
category "lame-servers" { "debug"; };
channel "debug" {
file "log/bind.log" versions 3 size 50m;
print-time yes;
print-category yes;
};
};

acl internal { 127.0.0.1; };

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};

zone "dubaschu.eu" IN {
type slave;
file "zones/external/domain.db.zone";
masters { 172.16.0.51; };
};

zone "122.253.80.IN-ADDR.ARPA" IN {
type slave;
file "zones/external/122.253.80.in-addr.arpa.db";
masters { 172.16.0.51; };
};
 
When I run a report at checkdns.net I get:

1)
Found NS record: ns1.dubaschu.eu[80.253.122.61], was resolved to IP address by U.NIC.eu
Found NS record: ns0.dubaschu.eu[80.253.122.60], was resolved to IP address by U.NIC.eu
Domain has 2 DNS server(s)

2)

Error fetching SOA from ns1.dubaschu.eu [80.253.122.61], request timed out. Probably DNS server is offline.
Error fetching SOA from ns0.dubaschu.eu [80.253.122.60], request timed out. Probably DNS server is offline.
0 server(s) are alive
No DNS servers alive, tests stopped

I can see each DNS server externally with an nslookup but can no longer get the SOA. What can be the cause?

Thanks,

Alexander
 
$TTL 38400
@ IN SOA ns0.dubaschu.eu. alexander.x.schumann.gmail.com. (
200903120 ; Serial YYYYMMDDnn
86400 ; Refresh ( 24 hours )
7200 ; Retry ( 2 hours )
3600000 ; Expire ( 1000 hours )
172800 ) ; Minimum ( 2 days )
;
; Name Servers
;
dubaschu.eu. IN NS ns0.dubaschu.eu.
             IN NS ns1.dubaschu.eu.

;
; Addresses for canonical names
;
localhost.dubaschu.eu. IN A 127.0.0.1
ns0.dubaschu.eu. IN A 80.253.122.60
ns1.dubaschu.eu. IN A 80.253.122.61
dubaschu.eu. IN A 80.253.122.60
dubaschu.eu. IN A 80.253.122.61
 
and in 122.253.80.in-addr.arpa.db:

$TTL 38400
122.253.80.in-addr.arpa. IN SOA ns0.dubaschu.eu. alexander.x.schumann.gmail.com. (
2009031001 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
122.253.80.in-addr.arpa. IN NS ns0.dubaschu.eu.
122.253.80.in-addr.arpa. IN NS ns1.dubaschu.eu.

;
; Addresses point to canonical
;
60.122.253.80.in-addr.arpa. IN PTR ns0.dubaschu.eu.
61.122.253.80.in-addr.arpa. IN PTR ns1.dubaschu.eu.
 
If you are serving up dubaschu.eu, it must have query enabled for any (for all zones you master).
 
Strike that, you have allow-query any!
Is port 53 allowed into your server?
 
At the Cisco PIX 506E firewall, yes.

Alexander
 
Today's dump of the log:
10-Mar-2009 21:52:45.326 queries: client 172.16.0.52#60432: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 00:22:23.337 queries: client 172.16.0.52#50655: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 03:14:15.342 queries: client 172.16.0.52#35441: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 06:02:02.347 queries: client 172.16.0.52#58117: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 08:29:42.352 queries: client 172.16.0.52#42687: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 11:16:14.357 queries: client 172.16.0.52#55562: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 11:49:22.351 queries: client 172.16.0.52#36501: query: dubaschu.eu IN SOA -E
11-Mar-2009 13:54:48.363 queries: client 172.16.0.52#40287: query: 122.253.80.IN-ADDR.ARPA IN SOA -E

But yet it fails.

Alexander
 
First, I don't think you need the query-source, which is a risk for cache poisoning. I believe you only need this if you are xfering or forwarding across a firewall. It doesn't appear you are doing this.

I tried to get your SOA and it is still failing. If you don't see the log messages from your external trials, something is still blocking it. A good test is to tcpdump/snoop port 53 on the DNS servers and rerun your DNS validator and see if it is querying your servers (or look through the PIX logs).

You can use a dnstest service to remotely look back at your DNS service like
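To make the query-source point above concrete, here is an added Python check (not code from the thread) that parses the options block posted earlier and flags the settings the reply warns about; it assumes the one-statement-per-line layout of the posted file.

```python
import re

# Constructed sample: the options block from the post, reproduced inline so
# the audit runs offline.
SAMPLE_OPTIONS = """\
options {
directory "/var/named";
version "Change is the only constant.";
allow-query { any; };
query-source port 53;
allow-recursion { internal; };
listen-on { any; };
listen-on-v6 { none; };
allow-transfer { none; };
zone-statistics yes;
};
"""
# One "statement argument;" per line, as in the posted file.
STMT_RE = re.compile(r'^\s*([a-z0-9-]+)\s+(.*?);\s*$', re.M)

def parse_options(text):
    # Return {statement: argument} for the options { ... } block.
    block = re.search(r'options\s*\{(.*?)\n\};', text, re.S)
    if not block:
        raise ValueError("no options block found")
    return {k: v.strip() for k, v in STMT_RE.findall(block.group(1))}

def audit(opts):
    findings = []
    # A fixed outbound port switches off BIND's source-port randomisation,
    # the main defence against off-path cache poisoning; 'port *' restores it.
    port = re.search(r'port\s+(\d+|\*)', opts.get("query-source", ""))
    if port and port.group(1) != "*":
        findings.append("query-source pins outbound port %s; remove it or use 'port *'" % port.group(1))
    # An authoritative server should not recurse for the world (open resolver).
    # A missing statement is treated as open here, which was the pre-9.4 default.
    if opts.get("allow-recursion", "any").replace(" ", "") in ("any", "{any;}"):
        findings.append("allow-recursion permits any client: open resolver")
    # AXFR to anyone hands out the whole zone.
    if opts.get("allow-transfer", "").replace(" ", "") == "{any;}":
        findings.append("allow-transfer permits any client: zone contents exposed")
    return findings

def audit_text(text):
    return audit(parse_options(text))
```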

 
I removed the query-source and checked the firewall.

I then ran the command tcpdump port 53 and nothing!

Then I ran tcpdump (With no other option)
and got the following. I'm not understanding this. This seems to indicate that DNS traffic is flowing, no?


17:11:51.281058 IP ns0.dubaschu.eu.41269 > CON2.NIPR.MIL.domain: 49612% [1au] A? pac1r.nipr.mil. (43)
17:11:51.283579 IP ns0.dubaschu.eu.15055 > CON2.NIPR.MIL.domain: 42771% [1au] AAAA? pac1r.nipr.mil. (43)
17:11:51.401061 IP 172.16.0.171.mmpft > ns0.dubaschu.eu.ssh: . ack 750580 win 64699
17:11:51.408165 IP CON2.NIPR.MIL.domain > ns0.dubaschu.eu.45940: 45726*- 1/6/7 A CON1R.NIPR.MIL (269)
17:11:51.408194 IP CON2.NIPR.MIL.domain > ns0.dubaschu.eu.11442: 58976*- 0/1/1 (99)
17:11:51.408194 IP ns0.dubaschu.eu.64474 > CON1R.NIPR.MIL.domain: 2130 [1au] PTR? 4.36.112.192.in-addr.arpa. (54)
17:11:51.414004 IP CON2.NIPR.MIL.domain > ns0.dubaschu.eu.30571: 61933*- 0/1/1 (99)
17:11:51.415171 IP CON2.NIPR.MIL.domain > ns0.dubaschu.eu.15055: 42771*- 0/1/1 (99)
17:11:51.562060 IP ns0.dubaschu.eu.ssh > 172.16.0.171.mmpft: P 750580:750840(260) ack 3709 win 8576
17:11:51.562106 IP ns0.dubaschu.eu.33190 > m3.NSTLD.COM.domain: 52091 [1au] PTR? 53.2.63.128.in-addr.arpa. (53)
17:11:51.599512 IP m3.NSTLD.COM.domain > ns0.dubaschu.eu.33190: 52091- 0/3/1 (118)
17:11:52.027362 IP ns0.dubaschu.eu.32980 > c2.NSTLD.COM.domain: 48395 [1au] PTR? 30.94.12.192.in-addr.arpa. (54)
17:11:52.113340 IP 172.16.0.171.mmpft > ns0.dubaschu.eu.ssh: . ack 751360 win 65535
17:11:52.113352 IP ns0.dubaschu.eu.56211 > d3.NSTLD.COM.domain: 65352 [1au] PTR? 32.162.41.192.in-addr.arpa. (55)
17:11:52.219279 IP ns0.dubaschu.eu.17822 > l2.NSTLD.COM.domain: 38357 [1au] PTR? 32.162.41.192.in-addr.arpa. (55)
 
I have unblocked port 53 (domain) at the firewall level for UDP.

I also tried TCP-UDP but it made no difference even though TCP is the backup protocol.

 
I believe these are DNS requests from you. Snoop, and request something using dig or nslookup from your server.

What you need to check is DNS requests INBOUND to your server for the domain dubaschu.eu (which you are auth for).
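One way to do the inbound check the last reply asks for, as an added example that is not from the thread: it parses BIND "queries" log lines in the format posted above, splits clients into LAN and outside addresses, and reports which authoritative zones were ever queried from outside (if that list stays empty while an external validator is running, the PIX is still dropping the traffic). The outside client 203.0.113.7 is a constructed sample address.

```python
import re
import ipaddress
from collections import Counter
# Zones this server is authoritative for, taken from the posted named.conf.
AUTH_ZONES = ("dubaschu.eu", "122.253.80.in-addr.arpa")
# Ranges that count as "inside": loopback, RFC 1918, link-local (v4 and v6).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Constructed sample: two lines copied from the posted log (LAN client) plus one
# constructed line from a documentation-range address standing in for an outside client.
SAMPLE_LOG = """\
11-Mar-2009 11:16:14.357 queries: client 172.16.0.52#55562: query: 122.253.80.IN-ADDR.ARPA IN SOA -E
11-Mar-2009 11:49:22.351 queries: client 172.16.0.52#36501: query: dubaschu.eu IN SOA -E
11-Mar-2009 12:03:09.118 queries: client 203.0.113.7#4431: query: dubaschu.eu IN SOA -
"""
# BIND 9 "queries" category line: timestamp, client ip#port, qname, class, qtype, flags.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) queries: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): '
    r'query: (?P<qname>\S+) IN (?P<qtype>\S+)')

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address: treat as untrusted
        return False
    return any(addr in net for net in INTERNAL_NETS)

def zone_of(qname):
    # Map a query name onto one of our zones (case-insensitive), else mark it foreign.
    q = qname.lower().rstrip(".")
    for zone in AUTH_ZONES:
        if q == zone or q.endswith("." + zone):
            return zone
    return "(not authoritative)"

def summarise(log):
    # Count queries per zone, split by whether the client sits inside the LAN.
    result = {"internal": Counter(), "external": Counter()}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            bucket = "internal" if is_internal(m["ip"]) else "external"
            result[bucket][zone_of(m["qname"])] += 1
    return result

def zones_reached_from_outside(log):
    # Our zones that got at least one outside query: evidence that port 53 passes the PIX.
    ext = summarise(log)["external"]
    return sorted(z for z in AUTH_ZONES if ext[z] > 0)
```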
 