BIND not responding to external calls

Hi.

I recently started using Virtualmin on my VPS (a new one) with CentOS 6.

Unfortunately I’ve been unable to get BIND to work properly.

If I dig my server I get:

; <<>> DiG 9.9.5-3-Ubuntu <<>> @myserver
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

But if I connect to it via SSH and do dig @localhost I get:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @localhost
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7292
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 509039 IN NS f.root-servers.net.
. 509039 IN NS a.root-servers.net.
. 509039 IN NS e.root-servers.net.
. 509039 IN NS c.root-servers.net.
. 509039 IN NS m.root-servers.net.
. 509039 IN NS g.root-servers.net.
. 509039 IN NS k.root-servers.net.
. 509039 IN NS d.root-servers.net.
. 509039 IN NS j.root-servers.net.
. 509039 IN NS b.root-servers.net.
. 509039 IN NS l.root-servers.net.
. 509039 IN NS i.root-servers.net.
. 509039 IN NS h.root-servers.net.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 12 18:33:23 2014
;; MSG SIZE rcvd: 228

I also checked my firewall and I'm accepting calls on UDP port 53:

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Also I’m posting netstat -an | grep :53 output:

netstat -an | grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 ::1:53 :::* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 ::1:53 :::*

Can you please help me find the error?

Thank you

Howdy,

It doesn’t appear that BIND is listening for external connections, which suggests that the “listen-on” line may be set incorrectly in your /etc/named.conf file.

Could you post the contents of that file?

-Eric

Sure. Here it goes:

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "mydomain.tld" {
    type master;
    file "/var/named/mydomain.tld.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
    };
};

zone "myotherdomain.tld" {
    type master;
    file "/var/named/myotherdomain.tld.hosts";
    allow-transfer {
        127.0.0.1;
        localnets;
    };
};

Howdy,

It looks like the config thinks it should be listening on all interfaces, but BIND is actually only listening on localhost.

That may mean that you just need to restart BIND.

Try running this command:

/etc/init.d/named restart

After doing that, is it working properly? If not, what does this command output:

netstat -an | grep :53
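
As an added diagnostic (not code from the thread, from Virtualmin or from BIND itself), the script below turns the two checks in this thread into something repeatable: it takes netstat-style socket lines and the text of named.conf, reports whether port 53 is bound beyond loopback, and says whether the configured listen-on statements agree with what the daemon actually bound. A config that asks for "any" while only 127.0.0.1 and ::1 are bound means the running named is not using the file you edited or has not reloaded it. Two points from the posted output are worth keeping in mind while reading it: the INPUT chain above already carries an unconditional "ACCEPT all" rule ahead of the final REJECT, so iptables is not what refuses the connection, a refused TCP connect is what you get when nothing listens on the external address; and the options block has "recursion yes" with no allow-recursion ACL, so the moment this server does bind externally it will answer recursive queries for anyone, which the last function flags. The function names and the sample netstat and named.conf text are constructed here to mirror what was pasted in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare what named.conf asks for
# with what the daemon actually bound, and flag the open-resolver risk that
# "recursion yes" carries once the server does answer externally.
# Input is netstat -an style text (the format pasted in the thread); the
# samples below are constructed to mirror that paste.
set -e

# Constructed sample: the loopback-only binding the poster reported.
SAMPLE_LOOPBACK_ONLY='tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 ::1:53 :::* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 ::1:53 :::*'

# Constructed sample: what "listen-on { any; }" looks like once applied.
SAMPLE_ALL_IFACES='tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 :::53 :::* LISTEN
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 :::53 :::*'

# Constructed sample: the relevant part of the posted options block.
SAMPLE_CONF='options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; recursion yes; };'

# dns_external_sockets: from netstat-style lines on stdin, print protocol and
# local address of every port-53 socket that is not bound to loopback.
dns_external_sockets() {
    awk '$4 ~ /:53$/ {
        addr = $4
        sub(/:53$/, "", addr)
        if (addr != "127.0.0.1" && addr != "::1") print $1, addr
    }'
}

# dns_listen_status: "external" if some port-53 socket is bound outside
# loopback, "loopback-only" if port 53 is bound only on 127.0.0.1/::1,
# "none" if nothing listens on 53 at all.  Argument: netstat-style text.
dns_listen_status() {
    total=$(printf '%s\n' "$1" | awk '$4 ~ /:53$/ { n++ } END { print n + 0 }')
    external=$(printf '%s\n' "$1" | dns_external_sockets | awk 'END { print NR }')
    if [ "$external" -gt 0 ]; then
        echo external
    elif [ "$total" -gt 0 ]; then
        echo loopback-only
    else
        echo none
    fi
}

# named_conf_listen: extract every listen-on / listen-on-v6 statement from a
# named.conf body (argument), one per line, even when the file is on one line.
named_conf_listen() {
    printf '%s\n' "$1" | awk '{
        s = $0
        while (match(s, /listen-on[-v6]* port [0-9]+ [{][^}]*[}]/)) {
            print substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# diagnose: relate the configured listeners to the observed sockets.  A
# config that says "any" while only loopback is bound means the running
# daemon is not using the file you edited (or has not reloaded it).
diagnose() {
    status=$(dns_listen_status "$2")
    if named_conf_listen "$1" | grep -q 'any' && [ "$status" = "loopback-only" ]; then
        echo "mismatch: config asks for any, only loopback is bound"
    else
        echo "consistent: $status"
    fi
}

# open_resolver_risk: "risk" when recursion is on with no allow-recursion
# ACL, i.e. the server would serve recursive queries to the whole Internet
# as soon as it listens externally; "ok" otherwise.
open_resolver_risk() {
    if printf '%s\n' "$1" | grep -q 'recursion[[:space:]]*yes' \
       && ! printf '%s\n' "$1" | grep -q 'allow-recursion'; then
        echo risk
    else
        echo ok
    fi
}

# Stand-alone run against the constructed samples.
echo "sockets:   $(dns_listen_status "$SAMPLE_LOOPBACK_ONLY")"
echo "listen-on: $(named_conf_listen "$SAMPLE_CONF" | tr '\n' ' ')"
echo "diagnosis: $(diagnose "$SAMPLE_CONF" "$SAMPLE_LOOPBACK_ONLY")"
echo "recursion: $(open_resolver_risk "$SAMPLE_CONF")"
```

On a live host, feed the real data in with `dns_listen_status "$(netstat -an | grep :53)"` and `named_conf_listen "$(cat /etc/named.conf)"`. If the result is a mismatch after a restart, the next thing to confirm is which file the running process actually reads (the `ps` arguments of named show any `-c` or `-t` chroot options), since the config you edited and the config the daemon loaded are not necessarily the same file.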

I just restarted the named service (service named restart) and it still doesn't work :( The output for

netstat -an | grep :53

tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 ::1:53 :::* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 ::1:53 :::*

The VPS is a fresh installation with Virtualmin. I only added a couple of DNS zones (to accommodate my domains) and I added an exception to the firewall for port 8080 for Tomcat purposes. I didn't touch anything else.

Hi.

I tried to connect to the server through port 53 using:

telnet myserver 53
Trying myserver...
telnet: Unable to connect to remote host: Connection refused

I thought the problem could be with the ISP, but I have another VPS with the same ISP in the same datacenter and it works fine when I try to connect to port 53.

Any ideas?

What else could be blocking the port besides the firewall?

Thank you

I'm posting the named log because I'm guessing it will be helpful to pinpoint the problem. It would be great if someone took the time to analyse it.

reloading configuration succeeded
reloading zones succeeded
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 2402:d800:0:1::5#53
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 116.66.160.37#53
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 116.66.160.37#53
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 2402:d800:0:1::5#53
validating @0x7fee4c00e1c0: mirror.as24220.net A: no valid signature found
validating @0x7fee4c00e1c0: mirror.as24220.net A: no valid signature found
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 2402:d800:0:1::5#53
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 116.66.160.37#53
validating @0x7fee4c00e1c0: mirror.as24220.net A: no valid signature found
validating @0x7fee48091c70: mirror.as24220.net A: no valid signature found
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 2402:d800:0:1::5#53
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 116.66.160.37#53
validating @0x7fee50127210: mirror.as24220.net A: no valid signature found
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 116.66.160.37#53
validating @0x7fee4c00e1c0: mirror.as24220.net A: no valid signature found
error (broken trust chain) resolving 'mirror.as24220.net/A/IN': 116.66.160.37#53
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
stopping command channel on ::1#953
no longer listening on 127.0.0.1#53
no longer listening on ::1#53
exiting
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
managed-keys-zone ./IN: loaded serial 239
running
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
stopping command channel on ::1#953
no longer listening on 127.0.0.1#53
no longer listening on ::1#53
exiting
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
managed-keys-zone ./IN: loaded serial 247
running
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
stopping command channel on ::1#953
no longer listening on 127.0.0.1#53
no longer listening on ::1#53
exiting
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
managed-keys-zone ./IN: loaded serial 293
running

Thank Zeus for old archived topics! I had a similar problem, though the cause was different, and this topic allowed me to solve it.