I have a DNS server up and running with a single DNS zone configured for example.com.
The following command, run on the server, returns the configured DNS zone records:
# dig example.com @ns1.example.com
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 10800 IN A 10.0.0.1
;; AUTHORITY SECTION:
example.com. 10800 IN NS ns2.example.com.
example.com. 10800 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 10800 IN A 10.0.0.1
ns2.example.com. 10800 IN A 10.0.0.1
My /etc/hosts file:
127.0.0.1 example.com www.example.com
127.0.0.1 ns1.example.com ns2..example.com
When I try to query the DNS server from another server I get:
$ dig example.com @10.0.0.1
;; connection timed out; no servers could be reached
The actual public IP address of the server is substituted with 10.0.0.1.
I believe the issue is most probably caused by iptables filtering, since the DNS service responds to local queries.
Here are my iptables rules:
Chain INPUT (policy DROP 14 packets, 1498 bytes)
num pkts bytes target prot opt in out source destination
1 259 157K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 325 26717 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 287K 149M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 14721 872K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5 165 7988 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 48 packets, 2949 bytes)
num pkts bytes target prot opt in out source destination
1 259 157K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 292K 46M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
3 16605 1195K ACCEPT udp -- * * 0.0.0.0/0 8.8.8.8 udp dpt:53
4 130 9822 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 430 18880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
6 342 148K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
I have tried to allow incoming/outgoing connections on port 53, both TCP and UDP, using the following rules, but unfortunately the DNS service is still not reachable from the Internet:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m conntrack --cstate NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
Here is a tcpdump capture:
[root@localhost ~]# tcpdump port 53 and host {my_ip}
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:03:43.011650 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679618 ecr 0,nop,wscale 6], length 0
08:03:44.006447 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679718 ecr 0,nop,wscale 6], length 0
08:03:46.006615 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396679918 ecr 0,nop,wscale 6], length 0
08:03:50.016643 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396680319 ecr 0,nop,wscale 6], length 0
08:03:58.026589 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396681120 ecr 0,nop,wscale 6], length 0
08:04:14.066598 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396682724 ecr 0,nop,wscale 6], length 0
08:04:46.186714 IP {my_ip} > {server_hostname}.domain: Flags [S], seq 3026720770, win 29200, options [mss 1460,sackOK,TS val 396685936 ecr 0,nop,wscale 6], length 0
7 packets captured
7 packets received by filter
0 packets dropped by kernel
Any hints will be appreciated 🙂
Best Answer
I think I got your problem: the iptables rules in the OUTPUT chain are blocking UDP port 53 traffic from the interface which has been assigned the 10.0.0.1 IP.
Please use the following command to allow outgoing DNS requests.
First update:
Please check if BIND is listening on all interfaces, i.e. named.conf has listen-on { any; };
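The question's ruleset and the answer's diagnosis both come down to the same check: with INPUT and OUTPUT defaulting to DROP, a query has to be accepted on destination port 53 (UDP and TCP, the tcpdump shows TCP SYNs with no reply) and the answer has to be allowed back out with source port 53, either by a protocol-independent ESTABLISHED rule in OUTPUT or by explicit sport 53 rules. The script below is an added example, not code from the question or the answer. It audits a ruleset in `iptables -S` form and prints the rules that are missing; the embedded sample ruleset is constructed from the chains shown in the question, and the file name and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables ruleset given in
# "iptables -S" form for what an authoritative DNS server needs when INPUT and
# OUTPUT both default to DROP, and print the rules that are missing.
# Usage:  iptables -S > rules.txt && sh dns-fw-audit.sh rules.txt
# With no argument the constructed sample below is audited instead.

# Constructed sample: the question's INPUT/OUTPUT chains re-expressed as
# "iptables -S" output (same rules, same order, both policies DROP).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT'

# has_rule RULESET CHAIN REGEX: true if some "-A CHAIN ..." line matches REGEX
has_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A $2 $3" >/dev/null
}

# chain_policy RULESET CHAIN: the chain's default policy (ACCEPT if no -P line)
chain_policy() {
    p=$(printf '%s\n' "$1" | awk -v c="$2" '$1 == "-P" && $2 == c { print $3 }')
    printf '%s\n' "${p:-ACCEPT}"
}

# audit_dns_rules RULESET: print one "iptables ..." line per missing rule;
# return 0 when queries can get in and answers can get out, 1 otherwise.
audit_dns_rules() {
    rs=$1; rc=0
    if [ "$(chain_policy "$rs" INPUT)" = DROP ]; then
        # Queries arrive on dport 53. TCP is needed as well as UDP: large
        # answers and zone transfers use it, and it is what the tcpdump shows.
        has_rule "$rs" INPUT '.*-p udp .*--dport 53( |$)' ||
            { echo 'iptables -A INPUT -p udp --dport 53 -j ACCEPT'; rc=1; }
        has_rule "$rs" INPUT '.*-p tcp .*--dport 53( |$)' ||
            { echo 'iptables -A INPUT -p tcp --dport 53 -j ACCEPT'; rc=1; }
    fi
    if [ "$(chain_policy "$rs" OUTPUT)" = DROP ]; then
        # Answers leave with source port 53. They pass only if OUTPUT accepts
        # ESTABLISHED traffic for every protocol, or accepts sport 53 explicitly.
        # (The question's "udp dpt:53 to 8.8.8.8" rule covers outgoing lookups
        # only, not replies to clients.)
        if ! has_rule "$rs" OUTPUT '-m (state|conntrack) --(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$'; then
            has_rule "$rs" OUTPUT '.*-p udp .*--sport 53( |$)' ||
                { echo 'iptables -A OUTPUT -p udp --sport 53 -j ACCEPT'; rc=1; }
            has_rule "$rs" OUTPUT '.*-p tcp .*--sport 53( |$)' ||
                { echo 'iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT'; rc=1; }
        fi
    fi
    return $rc
}

if [ $# -eq 0 ]; then
    # Demo on the constructed sample: prints the four rules it lacks.
    audit_dns_rules "$SAMPLE_RULES" || true
else
    audit_dns_rules "$(cat "$1")"
fi
```

Run against the sample, the audit prints four `iptables -A` lines: INPUT accepts for UDP and TCP dport 53, and OUTPUT accepts for UDP and TCP sport 53. A single `iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` is the usual alternative to the two sport rules, and the audit recognises it. The script only prints rules; review them and apply them yourself, and keep in mind that an audit of the packet filter says nothing about whether named is bound to the public interface, which is the answer's second point.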