Centos – Bind accepts only local connections


I am trying to fix Bind (named) on a CentOS server which only accepts connections from localhost.

My server has local IP 192.168.2.2 and dig works if I run it on the same server where named is installed. But dig executed on the backup server, which has IP 192.168.2.22, doesn't work.

dig @192.168.2.2 www.mydomain.com # works locally but not on backup server

Both servers are connected to the same switch, so there are no limits in between. This worked until yesterday, when a USB key was connected to the server and two modules were installed using yum:
libmcrypt-2.5.8-4.el5.centos.x86_64 and php-mcrypt-5.1.6-15.el5.centos.1.x86_64. In /var/log/messages I see some logs that I am not familiar with:

Mar 21 18:34:06 centos hald: mounted /dev/sdc1 on behalf of uid 0
Mar 21 18:38:55 centos kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Mar 21 18:38:55 centos kernel: Netfilter messages via NETLINK v0.30.
Mar 21 18:38:55 centos kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) - 304 bytes per conntrack
Mar 21 18:38:55 centos kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Mar 21 18:38:55 centos kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Mar 21 18:43:08 centos kernel: Removing netfilter NETLINK layer.
Mar 21 18:43:08 centos kernel: ip_tables: (C) 2000-2006 Netfilter Core Team

I enabled debug logging in Bind, but when I try to query it from the backup server there is no sign of the connection.

This is the netstat -a output:

tcp        0      0 192.168.2.2:53              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:53                  0.0.0.0:*
udp        0      0 192.168.2.2:53              0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*

And part of named.conf:

options {
    directory "/var/named";
    query-source address * port 53;
};

controls {
    inet * allow { localhost; } keys { rndckey; };
};

Any help would be appreciated.

Best Answer

You have something listening on UDP port 53 of 192.168.2.2. Check that you are allowing access to it via your firewall.

iptables -L INPUT -v -n | grep 53

or iptables -L RH-Firewall-1 -v -n | grep 53

will produce output similar to this

 138K   15M ACCEPT   udp  --  *    *     0.0.0.0/0     0.0.0.0/0       udp dpt:53
  265 13572 ACCEPT   tcp  --  *    *     0.0.0.0/0     0.0.0.0/0       tcp dpt:53

if you are allowing connections. If you are not allowing connections you can do so with

iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT

If this works then save your configuration with

service iptables save

which will write the current state to /etc/sysconfig/iptables, which is what is loaded when iptables starts.
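As an added example (not part of the question or the answer), the script below reads the listing produced by the `iptables -L ... -v -n` commands above and evaluates a remote DNS query against it in rule order, taking the `in` column into account so a loopback-only rule is not mistaken for one that admits other hosts. The two chain listings inside it are constructed samples, not output from the asker's server.

```shell
#!/bin/sh
# Added example, not from the original post: walk an `iptables -L <chain> -v -n`
# listing in rule order, as netfilter does, and report what the chain does with a
# DNS query from another host. The "in" column is honoured, so a loopback-only
# rule ("ACCEPT all -- lo *") does not count as allowing remote clients, which is
# the local-works/remote-fails symptom in the question. Assumed columns:
#   pkts bytes target prot opt in out source destination [match ...]
# dns_verdict udp|tcp (listing on stdin) prints the target of the first rule a
# remote NEW query to dpt 53 matches, "policy:<X>" if none did, or
# "conditional:<src>-><dst>" if that rule is limited to certain addresses.
dns_verdict() {
    awk -v proto="$1" '
        /^Chain / { policy = "RETURN"; if (match($0, /\(policy [A-Z]+/)) policy = substr($0, RSTART + 8, RLENGTH - 8); next }
        $4 != proto && $4 != "all" { next }   # other protocol, header or blank line
        $6 == "lo" { next }                    # loopback-only: remote traffic never hits it
        {
            port_ok = 1                        # no dpt at all means every port matches
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) port_ok = ($i == "dpt:53")
                if ($i ~ /^dpts:/ || $i == "multiport") port_ok = 0   # ranges not evaluated
                if ($i == "state" && $(i + 1) !~ /NEW/) next          # e.g. RELATED,ESTABLISHED only
            }
            if (!port_ok) next
            done = 1
            if ($8 != "0.0.0.0/0" || $9 != "0.0.0.0/0") { print "conditional:" $8 "->" $9; exit }
            print $3; exit
        }
        END { if (!done) print "policy:" policy }'
}

# Constructed listing of a stock CentOS 5 RH-Firewall-1 chain with no DNS rule:
# local queries pass via the lo rule, remote ones fall through to the REJECT.
sample_before() {
    cat <<'EOF'
Chain RH-Firewall-1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   40  2400 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}
# Constructed INPUT chain after the answer's two "iptables -I INPUT ... --dport 53"
# commands: the ACCEPT rules now sit above the jump into RH-Firewall-1.
sample_after() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  265 13572 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
 138K   15M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
 9000  600K RH-Firewall-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}
```

Run it as `iptables -L RH-Firewall-1 -v -n | sh -c '. ./dns_verdict.sh; dns_verdict udp'` (or source the file and pipe the listing into `dns_verdict tcp`); a verdict of REJECT or DROP from a chain that the lo rule lets local queries bypass is the firewall explanation the answer describes.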
