
I recently set up a VPS server running CentOS 6.5 together with Web Host Manager. My current problem is that I can't resolve hostnames either by nslookup or ping on the command line, but when I log in using root I can ping and perform nslookups etc.

When logged in as a non-root user I perform the following commands and get no results:

user@server [~]# ping google.com
ping: unknown host google.com

user@server [~]# nslookup google.com 
;; connection timed out; trying next origin

user@server [~]# ping 74.125.230.226
ping: icmp open socket: Operation not permitted

user@server [~]# nslookup 74.125.230.226
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

Yet when I login as root, all of the above commands work as expected:

root@server [~]# ping google.com
PING google.com (74.125.230.224) 56(84) bytes of data.
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=1 ttl=52 time=198 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=2 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=3 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=4 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=5 ttl=52 time=198 ms

nslookup google.com
Server:         196.7.7.7
Address:        196.7.7.7#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.230.233
Name:   google.com
Address: 74.125.230.238
Name:   google.com
Address: 74.125.230.227
Name:   google.com
Address: 74.125.230.229
Name:   google.com
Address: 74.125.230.225
Name:   google.com
Address: 74.125.230.228
Name:   google.com
Address: 74.125.230.232
Name:   google.com
Address: 74.125.230.224
Name:   google.com
Address: 74.125.230.226
Name:   google.com
Address: 74.125.230.231
Name:   google.com
Address: 74.125.230.230

I can read both files /etc/resolv.conf and /etc/nsswitch.conf as a non-root user.

I run Apache with suExec and mod_security; SELinux is set to permissive.

When running certain commands from a website I get messages such as:

Curl/fopen in PHP gives the following message:

* , referer: http://www.domain
Hostname was NOT found in DNS cache, referer: http://www.domain
getaddrinfo(3) failed 

I'm quite new to setting up servers, and for the life of me I can't figure out what the problem is.

UPDATE:

Contents of /etc/resolv.conf

nameserver 196.7.7.7
nameserver 196.7.8.9

IPTABLES OUTPUT - iptables -nvL -t filter

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1546  201K cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1533  200K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  561 94135 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023,2082:2083,3306,2086:2087,2095:2096,30000:32760
  689 59006 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023
    0     0 ACCEPT     tcp  --  *      *       41.76.213.0/24       0.0.0.0/0           multiport dports 5666
    0     0 ACCEPT     tcp  --  *      *       41.86.112.0/24       0.0.0.0/0           multiport dports 5666
    0     0 ACCEPT     tcp  --  *      *       197.242.159.6        0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       197.242.150.150      0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       196.33.227.219       0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       197.242.144.0/21     0.0.0.0/0           multiport dports 9999
    0     0 ACCEPT     tcp  --  *      *       196.33.227.0/24      0.0.0.0/0           multiport dports 9999
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  278 46670 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
    2    72 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
    3   116 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  588  112K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  569  111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner GID match 12
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20
    3   180 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    9   640 out-bad    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 110,143,995,80,443,21
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.155.155
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.144.144
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 LOG flags 8 level 4 prefix `out-new:'
    8   568 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 8 level 4 prefix `out-new:'
    9   640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain acctboth (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain cP-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2078
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2077
    9   492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:26
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2086
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2087
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2095
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2096
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2083
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

Chain out-bad (1 references)
 pkts bytes target     prot opt in     out     source               destination
Elitmiar

2 Answers


That's a lot of rules and quite restrictive. Find the rule creating this:

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0

To also match your "normal" user id and/or the apache user id, and adapt it to accept outgoing UDP traffic on port 53.

For instance, for user "apache", right after the previous rule add:

/sbin/iptables -A OUTPUT -p udp -m owner --uid-owner apache --dport 53 -j ACCEPT
Xavier Lucas
  • Thanks, just not too familiar with iptables; how would I go about accepting outgoing UDP traffic on port 53? iptables -A OUTPUT -p udp --dport 53 -j ACCEPT – Elitmiar Oct 15 '14 at 20:34
  • @Roland I updated my answer with an example. – Xavier Lucas Oct 15 '14 at 20:40
  • Thank you for the updated answer. Since I run WHM, Apache suExec runs as the user id rather than apache as nobody (not sure if I'm making sense), so I'm not too sure what the apache user would be – Elitmiar Oct 15 '14 at 20:49
  • Solved the problem by inserting the following rule: iptables -I OUTPUT 12 -p udp --dport 53 -j ACCEPT above the 41 3008 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable rule, and that seemed to do the trick. Are there any negative implications of applying a rule that affects all users? – Elitmiar Oct 15 '14 at 21:05
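To see why the "owner UID match 0" rule lets only root resolve names, and why the position given to -I matters, here is an added example (not code from the question or from either answer) that replays a NEW outbound UDP/53 packet against the question's OUTPUT chain in the order the kernel walks it. It assumes a trimmed copy of that chain as iptables -nvL prints it, UID 500 for the non-root user, and eth0 as the outgoing interface.

```python
import re

# Constructed sample: the question's OUTPUT chain, trimmed to the rules a new outbound
# packet can reach (acctboth and out-bad are empty user chains, so they just return).
OUTPUT_CHAIN = """\
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  569  111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner GID match 12
    3   180 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 110,143,995,80,443,21
    9   640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""
# The asker's fix (`iptables -I OUTPUT <n> -p udp --dport 53 -j ACCEPT`) as -nvL prints it.
DNS_FIX = "    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53"
RULE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$")
MATCHES = re.compile(r"(UID match|GID match|state|dports|dpt:)\s*(\S+)")

def in_ports(spec, port):
    # iptables port lists look like '110,143,1:1023'; a bare number is a one-port range
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition(":") for p in spec.split(",")))

def matches(rule, pkt):
    """Evaluate the match modules this chain uses (proto, out iface, owner, state, ports)."""
    _, proto, _, out, extras = rule
    if proto not in ("all", pkt["proto"]) or out not in ("*", pkt["out"]): return False
    for key, val in MATCHES.findall(extras):
        if key == "UID match" and pkt["uid"] != int(val): return False
        if key == "GID match" and pkt["gid"] != int(val): return False
        if key == "state" and pkt["state"] not in val.split(","): return False
        if key in ("dports", "dpt:") and not in_ports(val, pkt["dport"]): return False
    return True

def verdict(chain_text, pkt):
    """First terminal target whose rule matches (kernel order), else the chain policy."""
    lines = [l for l in chain_text.splitlines() if l.strip()]
    for rule in (RULE.match(l).groups() for l in lines[2:]):   # skip the two header lines
        if rule[0] in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule[0]
    return re.search(r"policy (\w+)", lines[0]).group(1)

def insert_rule(chain_text, position, rule_line):
    """Mimic `iptables -I OUTPUT <position>`: 1-based, placed ahead of the rule now there."""
    lines = [l for l in chain_text.splitlines() if l.strip()]
    lines.insert(1 + position, rule_line)
    return "\n".join(lines) + "\n"

def dns_query(uid):
    """NEW outbound UDP/53 packet from one user, as the resolver behind ping/nslookup sends it (eth0 assumed)."""
    return {"proto": "udp", "dport": 53, "out": "eth0", "state": "NEW", "uid": uid, "gid": uid}
```

In the trimmed chain the REJECT is rule 6, so insert_rule(OUTPUT_CHAIN, 6, DNS_FIX) is the equivalent of the asker's -I OUTPUT 12; the same rule inserted one position later sits below the REJECT and is never reached.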

Hmmm...I suspect bad permissions on the /etc/resolv.conf file.

mdpc
  • This was the problem for me ... permissions on /etc/resolv.conf were set to 0600, should be 0644. Seven years later, but thanks @mdpc ... – NoobSkywalker Mar 08 '21 at 15:49