I've set up a BIND DNS server on CentOS 7. I've created the master zone record; it is the following:

```
$ttl 38400
loool.ro.       IN SOA  ns1.loool.ro. owner.yahoo.com. (
                        1421842090
                        10800
                        3600
                        604800
                        38400 )
loool.ro.       IN NS   loool.ro.
loool.ro.       IN A    86.34.156.51
loool.ro.       IN MX   10 loool.ro.
loool.ro.       IN NS   ns1.loool.ro.
ns1.loool.ro.   IN A    86.34.156.51
```
86.34.156.51 is a public IP address; I can access the server via it. Port 53 is open, checked with a free online port checker. The named.service is listening on port 53. The domain name is registered and the ns1 too. But when I check with a dnslookup tool, the ns1.loool.ro answer doesn't come; it times out after 3 sec.
The BIND server config file is the following:
```
options {
    listen-on port 53 { any; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-transfer { none; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    also-notify { };
    allow-query { any; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "loool.ro" {
    type master;
    file "/var/named/loool.ro.hosts";
};
```
If I check with dig from localhost, the answer comes and is correct, but from another host it doesn't come. If I set allow-query from any to localhost, the messages.log file logs the denied queries and IP addresses, so the queries arrive.
On named.service start the messages.log shows the following:
```
Jan 21 14:31:35 servera named[38627]: using default UDP/IPv4 port range: [1024, 65535]
Jan 21 14:31:35 servera named[38627]: using default UDP/IPv6 port range: [1024, 65535]
Jan 21 14:31:35 servera named[38627]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 21 14:31:35 servera named[38627]: listening on IPv4 interface em1, 10.10.10.100#53
Jan 21 14:31:35 servera named[38627]: listening on IPv4 interface em1, 86.34.156.51#53
```
With allow-query=localhost it shows the following:

```
Jan 21 14:30:55 servera named[38403]: client 109.99.188.88#54374 (loool.ro): query 'loool.ro/A/IN' denied
Jan 21 14:31:08 servera named[38403]: client 74.125.17.211#53668 (loool.ro): query 'loool.ro/AAAA/IN' denied
```
What is the problem? If allow-query is any, there isn't any error log in messages.log. Is this a network config issue, or is the problem with Linux (port or SELinux) or the BIND server (misconfiguration)? Does BIND drop the queries?
Dig:
```
loool.ro.               0       IN      NS      ns1.loool.ro.
;; Received 71 bytes from 192.162.16.20#53(sec-dns-a.rotld.ro) in 88 ms

loool.ro.               38400   IN      A       86.34.156.51
loool.ro.               38400   IN      NS      ns1.loool.ro.
loool.ro.               38400   IN      NS      loool.ro.
;; Received 101 bytes from 10.10.10.100#53(ns1.loool.ro) in 1 ms
```
As Andrew B suggested, I've captured the packets on the localhost (where the DNS server is located). Here is the result; I hope somebody knows what the problem is or what's wrong here:

```
$ tcpdump -i em1 -vvv -s 0 -l -n port 53
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
    82.79.24.76.14761 > 10.10.10.100.domain: [udp sum ok] 3532 [1au] A? loool.ro. ar: . OPT UDPsize=4096 OK (37)
22:50:49.723204 IP (tos 0x0, ttl 64, id 63258, offset 0, flags [none], proto UDP (17), length 115)
    10.10.10.100.domain > 82.79.24.76.14761: [udp sum ok] 3532*- q: A? loool.ro. 1/1/2 loool.ro. [10h40m] A 86.34.156.51 ns: loool.ro. [10h40m] NS ns1.loool.ro. ar: ns1.loool.ro. [10h40m] A 86.34.156.51, . OPT UDPsize=4096 OK (87)
22:50:49.987990 IP (tos 0x0, ttl 64, id 35514, offset 0, flags [DF], proto UDP (17), length 72)
    10.10.10.100.52857 > 193.231.100.130.domain: [udp sum ok] 2042+ PTR? 38.124.41.103.in-addr.arpa. (44)
```
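The question mixes three different observations: a remote lookup that times out, queries that are logged as "denied" when allow-query is restricted, and a tcpdump that shows the server answering. The following is an added example, not code from the question, that separates those outcomes on the wire: it builds a raw A query, sends it over UDP with a timeout, and reports whether the result was a timeout (query or reply lost in transit: firewall, NAT or routing), an RCODE of REFUSED (server reachable, but allow-query rejected the client), or an authoritative answer. It also checks that every NS target in a reply has an A record in the same reply, since the dig output above shows the zone delegating to both `ns1.loool.ro.` and `loool.ro.`. The server address and zone name are the ones from the question; the sample packets are constructed by hand so the parser can be exercised offline.

```python
"""DNS reachability probe: build an A query, send it over UDP, classify the reply.
Added example; server IP and zone name come from the question, packets are constructed."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, qtype=1):
    """12-byte header (id, no flags, qdcount=1) followed by one IN question."""
    return struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off, max_hops=16):
    """Read a possibly compressed name; return (name, offset just after it).
    The hop limit rejects pointer loops in malformed or hostile replies."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return id, rcode name, AA flag and a flat list of (name, type, ttl, value)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, rdstart = msg[off:off + rdlen], off
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A
            value = ".".join(str(b) for b in rdata)
        elif rtype == 2:                          # NS (rdata may be compressed)
            value, _ = decode_name(msg, rdstart)
        else:                                     # OPT and anything else: raw hex
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "records": records}


def probe(server, name, timeout=3.0, qid=0x1234):
    """Send one A query to server:53; return ("timeout", None) or ("answer", parsed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("timeout", None)
    return ("answer", parse_response(data))


def classify(result):
    """timeout = path problem; refused = allow-query denial; answered = server replied."""
    state, parsed = result
    if state == "timeout":
        return "timeout"
    if parsed["rcode"] == "REFUSED":
        return "refused"
    return "answered"


def missing_glue(parsed):
    """NS targets in the reply that have no A record anywhere in the same reply."""
    a_names = {r[0] for r in parsed["records"] if r[1] == 1}
    return sorted(r[3] for r in parsed["records"] if r[1] == 2 and r[3] not in a_names)


def sample_response(qid=0x1234, with_glue=True):
    """Constructed reply shaped like the one in the tcpdump: A + NS (+ glue), AA set."""
    hdr = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 1, 1 if with_glue else 0)   # QR|AA
    q = encode_name("loool.ro.") + struct.pack("!HH", 1, 1)                       # bytes 12..25
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 38400, 4) + bytes([86, 34, 156, 51])
    nsr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 38400, 6) + b"\x03ns1\xc0\x0c"  # rdata at byte 54
    glue = b"\xc0\x36" + struct.pack("!HHIH", 1, 1, 38400, 4) + bytes([86, 34, 156, 51])
    return hdr + q + a + nsr + (glue if with_glue else b"")


def refused_response(qid=0x1234):
    """Constructed reply with RCODE 5: what an allow-query denial looks like on the wire."""
    return struct.pack("!HHHHHH", qid, 0x8005, 1, 0, 0, 0) + encode_name("loool.ro.") + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    res = probe("86.34.156.51", "loool.ro.")      # run from a host outside the server's LAN
    print(classify(res), res[1])
```

Run it from a host outside the server's network: a "timeout" means the packet never reached named or the reply never left, which is a firewall/NAT/routing question rather than a BIND one, while "refused" means the query did arrive and named rejected it under allow-query, matching the "query ... denied" lines in messages.log.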