Outside IPs can't query my DNS server

ryho (Technical User, US), Jul 19, 2013
I am currently working on setting up BIND on a personal server that I run in my apartment. Here is everything I have tried/tested to get it working. If I change the DNS server of my laptop to my server's IP, I can go to my site properly, and dig can get the A record of my website from my server without recursion when I query it manually, and it shows that my server is authoritative for that domain. However, when I switched the name servers of my domain to my DNS server with the proper glue record, no IPs other than a few local ones could query my DNS server, so I have since switched back to using my registrar's DNS.

This online tool, which can test undelegated nameservers, says that it can't query my server's DNS because it times out.

I used an online port tester site to check if my ISP is blocking port 53. It says it can't see a service from my laptop, but it can see a service on port 53 when I access it while proxying through my server, so I do not think that my ISP is blocking port 53.

I am using a BIND config file for an authoritative-only server, copied verbatim from the latest BIND manual with my domain substituted. It does have allow-query { any; };, and this isn't overridden in the section for my zone. I have used the BIND command-line tools to test my config file and my zone file, and they say both are fine.

I am not currently using any firewall, I don't need port forwarding because all my devices get their own public IPs, and my ISP has no IPv6 support to complicate things.

I'm not sure what else could be causing this issue, and I do not know how to debug it much further. Any suggestions? How do I find out if my ISP is affecting DNS traffic beyond a simple port check tool? Is there a problem with my zone file (below), or with hosting the DNS server on the same IP that the site is hosted on? I could easily host them on different public IPs.

$ORIGIN mydomain.co.
$TTL 23h
; SOA: primary nameserver, hostmaster mailbox, serial (YYYYMMDDnn), refresh, retry, expire, negative-cache TTL
mydomain.co. IN SOA ns.mydomain.co. webmaster.mydomain.co. ( 2013070201 1d 2h 4w 1h )
mydomain.co. IN MX 10 mail.mydomain.co.
mydomain.co. IN A [my IP]
ns IN A [my IP]               ; address of the in-zone nameserver (matches the glue at the registrar)
www IN CNAME mydomain.co.
mail IN A [my IP]
*.mydomain.co. IN A [my IP]   ; wildcard: any other name under the zone
mydomain.co. IN NS ns
mydomain.co. IN NS slv1.1and1.com.
 
What do you have set for the permissions within BIND, e.g. allow-recursion and allow-query?

Generally speaking, you don't want the public to be able to use your name server to resolve anything other than domains you host (allow-recursion set to no), because this will result in your DNS server being abused.
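Both points raised so far, the original poster's test that port 53 "looks open" while queries time out, and the advice above that an authoritative-only server must refuse recursion, can be checked from any outside vantage point with a short script. The following is an added example; it is not code from this thread or from BIND. It hand-builds RFC 1035 wire-format queries so it needs only the Python standard library. SERVER (192.0.2.10, a documentation address), ZONE and EXTERNAL_NAME are placeholder assumptions to replace with your own values, and the SAMPLE_* packets are constructed here, not captured from a real server, so the classifiers can be exercised offline.

```python
"""Check an authoritative-only DNS server from an outside vantage point.

Added example (not from the thread or from BIND). Builds RFC 1035 wire-format
queries by hand so only the standard library is needed.
"""
import socket
import struct

# Placeholders (assumptions): replace with your own values.
SERVER = "192.0.2.10"          # the BIND host's public IP (TEST-NET-1 documentation address)
ZONE = "mydomain.co"           # zone the server should answer for authoritatively
EXTERNAL_NAME = "example.com"  # a name the server is NOT authoritative for

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, rd=False, txid=0x1234):
    """DNS header + one question (QTYPE A=1, QCLASS IN=1). rd=False mimics dig +norecurse."""
    flags = 0x0100 if rd else 0x0000                     # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Flag bits and section counts from the 12-byte DNS header."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_authoritative(resp):
    """Verdict for a non-recursive query about the server's own zone (dig shows 'aa' in flags)."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != "NOERROR":
        return "error:" + h["rcode"]
    if not h["aa"]:
        return "non-authoritative"        # answered from cache or forwarded, not from the zone file
    return "authoritative" if h["ancount"] else "no-answer"

def classify_recursion_probe(resp):
    """Verdict for an RD=1 query about a foreign name: an authoritative-only server must refuse it."""
    h = parse_header(resp)
    if h["ra"] or (h["rcode"] == "NOERROR" and h["ancount"] > 0):
        return "open-resolver"            # allow-recursion is too wide; the server can be abused
    return "recursion-refused"            # REFUSED is what BIND returns with allow-recursion { none; }

def send_udp(server, pkt, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return data

def send_tcp(server, pkt, timeout=3.0):
    """DNS over TCP: each message is prefixed with a 2-byte big-endian length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        hdr = s.recv(2)
        if len(hdr) < 2:
            raise OSError("connection closed before a length prefix arrived")
        (n,) = struct.unpack("!H", hdr)
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return data

def probe(server=SERVER, zone=ZONE, external=EXTERNAL_NAME):
    """Separate 'port 53 closed' from 'port 53 open but DNS queries never answered'."""
    result = {}
    try:                                  # 1. bare TCP connect: all an online port tester sees
        with socket.create_connection((server, 53), timeout=3):
            result["tcp_connect"] = "open"
    except OSError as e:
        result["tcp_connect"] = "closed/filtered: %s" % e
    for proto, send in (("udp", send_udp), ("tcp", send_tcp)):   # 2. real authoritative queries
        try:
            result[proto] = classify_authoritative(send(server, build_query(zone)))
        except socket.timeout:
            result[proto] = "timeout"     # reached the port, no reply: dropped in transit or by the server
        except OSError as e:
            result[proto] = "error: %s" % e
    try:                                  # 3. open-resolver check
        result["recursion"] = classify_recursion_probe(send_udp(server, build_query(external, rd=True)))
    except OSError as e:
        result["recursion"] = "timeout-or-error: %s" % e
    return result

# Constructed sample responses (not captured from a real server), for offline checks.
_question = build_query(ZONE)[12:]
_answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 82800, 4) + bytes([192, 0, 2, 10])  # A RR, name pointer to offset 12
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _question + _answer  # QR|AA
SAMPLE_CACHED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question + _answer         # QR|RD|RA, no AA
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + build_query(EXTERNAL_NAME, rd=True)[12:]

if __name__ == "__main__":
    for k, v in probe().items():
        print("%-12s %s" % (k, v))
```

Run it from a host outside the ISP's network. `tcp_connect: open` together with `udp: timeout` and `tcp: timeout` is the signature of a filter that lets the port through but drops DNS queries, which a plain port tester cannot distinguish from a working server; `recursion: open-resolver` means allow-recursion is wider than an authoritative-only server should allow.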
 
I had allow recursion set to none and allow query to all.

Thanks for the suggestion, but I figured out the problem already. My ISP is blocking incoming DNS queries from outside their network. That's why the test showed that it could see my service: it isn't blocking the whole port, just certain requests. It also doesn't block DNS requests between computers on its network, so that's why it was working on the neighbor's wifi.

Do you know if you can have success with convincing an ISP that this is dumb? Especially considering the 12TB of torrents they were completely fine with me seeding in a single month. Incoming DNS queries seem like a pretty small fish. Or is there any way to get around this?
 
I had allow recursion set to none and allow query to all.
This should allow resolution of systems for which your DNS is the master, e.g. your own domain. There shouldn't be any problems with this.
Do you know if you can have success with convincing an ISP that this is dumb?
I agree that it is dumb. Are we talking about residential service? If so, you may be facing two problems. One, some ISPs make it part of the TOS that you're not allowed to run a public-facing server. Having domain lookups for said servers may be construed as a "business" or an activity in support of running said servers. Two, 99.99% of residential customers won't use anything other than standard application and non-privileged ports because they won't do things like run email or DNS servers. Compromised hosts, however, will make use of these ports to conduct attacks. Consequently, it is an easy out to block these ports to reduce their need to deal with problems correctly, while having minimal impact on their customer base.

If you are using business grade service, then they should not be blocking ports, period.
 
Yes, this is a residential internet service. I'm doing all of this just for a personal project. I haven't seen the terms of service for my Internet because I live in a large apartment complex. If they come knocking on my door, I'll say, hey, I never agreed to these rules; you can't give me shit for not following them.
 