
I am setting up a DNS server in my lab, where the DNS server (Ubuntu Server) and the clients (Ubuntu Desktop) are on the same LAN (vSwitch), with pfSense as the firewall for external outgoing traffic. No block rules are defined and everything is wide open on pfSense, so every VM can talk to every other VM and can also access the internet.

When I send a query to the DNS server from the client (172.16.0.2) using nslookup facebook.com 172.16.0.7, I get a connection timeout after a few seconds.

I also tried checking the traffic with Wireshark and saw ICMP failures from the DNS server to the client, as shown in the image below. Just to give it a try, I added an iptables rule for ICMP (iptables -A INPUT -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT) on both the client and the DNS server, but it made no difference.

Wireshark Image

Is there anything I am doing wrong, or do I need to open any host-based rules or something else to make the DNS server work?

named.conf.options file:

acl "trusted" {
    172.16.0.7; #localhost
    172.16.0.1; #GW and FW
    172.16.0.2;
    172.16.0.3;
    172.16.0.0/16;  #complete subnet
};
options {
    directory "/var/cache/bind";
    dump-file "/var/cache/bind/dump.file";
    recursion yes;
    allow-recursion { trusted; };
    listen-on { 172.168.0.7; };
    allow-transfer { none; };

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //  0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    //listen-on-v6 { any; };
};
NaniK

2 Answers


The problem was resolved by removing the line listen-on { 172.168.0.7; }; from the named.conf.options file and restarting the service.

Reference from this post: How to configure bind9 to accept connections from other machines

Can anyone explain what exactly listen-on does and why it dropped the ICMP packets in my case, as described in the original post?

Thanks!

NaniK

The problem is not with the use of listen-on in itself, but rather with the IP address that you specified.

You had

listen-on { 172.168.0.7; };

Note how that IP address (172.168.0.7) is not the same as 172.16.0.7, which can be seen in the Wireshark screenshot. (Neither is it in the same network as the other addresses in the ACLs.)

Håkan Lindqvist
  • Correct, it's a typo in the config file. I just added it back to the file with the corrected IP address. Thanks for catching it. – NaniK Apr 19 '20 at 19:09
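The mistake above is syntactically valid BIND configuration, so named-checkconf passes it: listen-on is an address match list applied to the interfaces named finds at startup, and 172.168.0.7 matches none of them, so the server listens on nothing, nothing is bound to UDP 53 on 172.16.0.7, and the kernel answers the client's queries with ICMP port unreachable, which is consistent with the ICMP errors in the capture. The script below is an added example, not code from the question, the answers or BIND: it cross-checks every listen-on address against the "trusted" ACL networks and against the addresses actually configured on the host's interfaces. It assumes the ACL is named "trusted", that the config uses only flat (non-nested) blocks like the one in the question, and, for the live check, a Linux host with iproute2; the sample config and the sample ip addr output are constructed copies for offline use.

```python
import ipaddress
import re
import subprocess

# Constructed copy of the relevant lines from the question's named.conf.options,
# with the typo (172.168.0.7 instead of 172.16.0.7) left in so the check has
# something to catch.
SAMPLE_CONF = """
acl "trusted" {
    172.16.0.7; #localhost
    172.16.0.1; #GW and FW
    172.16.0.2;
    172.16.0.3;
    172.16.0.0/16;  #complete subnet
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };
    listen-on { 172.168.0.7; };
    allow-transfer { none; };
};
"""

# Constructed sample of `ip -4 -o addr show` output as the DNS server would print it.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: ens33    inet 172.16.0.7/24 brd 172.16.0.255 scope global ens33\\       valid_lft forever preferred_lft forever
"""

# Address-match-list keywords BIND accepts that are not literal addresses.
KEYWORDS = {"any", "none", "localhost", "localnets"}


def strip_comments(text):
    """Drop the three comment styles named.conf allows: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def block_entries(text, head):
    """Return the ';'-separated entries of the first block whose header matches
    the regex `head`, e.g. acl "trusted" { ... } or listen-on { ... }.
    Only flat (non-nested) blocks are handled, which is all this check needs."""
    m = re.search(head + r"\s*\{([^}]*)\}", text)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def acl_networks(text, acl_name):
    """Parse the literal address/prefix entries of an acl into ip_network objects."""
    entries = block_entries(text, r'acl\s+"' + re.escape(acl_name) + r'"')
    return [ipaddress.ip_network(e, strict=False) for e in entries if e not in KEYWORDS]


def listen_on_addresses(text):
    """Parse listen-on { ... } (optionally with a 'port N' clause) into ip_address objects."""
    entries = block_entries(text, r"listen-on(?:\s+port\s+\d+)?")
    return [ipaddress.ip_address(e) for e in entries if e not in KEYWORDS]


def check_listen_on(conf_text, acl_name="trusted"):
    """Return the listen-on addresses that fall outside every network in the acl.
    For the question's config this is 172.168.0.7, which is in none of the trusted ranges."""
    text = strip_comments(conf_text)
    nets = acl_networks(text, acl_name)
    return [str(a) for a in listen_on_addresses(text) if not any(a in n for n in nets)]


def parse_ip_addr_output(text):
    """Extract the IPv4 addresses from `ip -4 -o addr show` output."""
    return re.findall(r"\binet\s+(\d+\.\d+\.\d+\.\d+)/\d+", text)


def unconfigured_listen_addresses(conf_text, local_addrs):
    """Return listen-on addresses that are not configured on any local interface.
    named will not find an interface matching these and so answers on none of them."""
    text = strip_comments(conf_text)
    configured = {ipaddress.ip_address(a) for a in local_addrs}
    return [str(a) for a in listen_on_addresses(text) if a not in configured]


def local_ipv4_addresses():
    """Ask iproute2 for the host's IPv4 addresses (Linux only; runs a subprocess)."""
    out = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip_addr_output(out)


if __name__ == "__main__":
    print("listen-on outside acl:", check_listen_on(SAMPLE_CONF))
    print("listen-on not on an interface:",
          unconfigured_listen_addresses(SAMPLE_CONF, parse_ip_addr_output(SAMPLE_IP_ADDR)))
```

On the real server, replace SAMPLE_CONF with the contents of /etc/bind/named.conf.options and feed unconfigured_listen_addresses() the result of local_ipv4_addresses(); both checks should return empty lists before the service is restarted. The interface check is the decisive one: an address can legitimately sit outside the ACL (for example a public address on a resolver that only recurses for internal clients), but an address that is on no interface will never be served.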