Might want to try this:

// Address ranges that the blackhole statement in the options below refers to.
acl bogusnets { 
    0.0.0.0/8;         // "this network" addresses
    169.254.0.0/16;    // IPv4 link-local (autoconfiguration) range
    224.0.0.0/3;       // 224.0.0.0-255.255.255.255: multicast plus reserved space
};

// Loopback plus the 192.168.1.0/24 LAN. Same members as mynet; none of the
// options shown in this post reference internalnet, so as far as this post
// shows it is unused.
acl internalnet {
        127.0.0.1;
        192.168.1.0/24;
        };

// Clients this server is meant to serve: loopback plus the 192.168.1.0/24 LAN.
// Referenced below by allow-notify, allow-query and allow-recursion.
acl mynet {
        127.0.0.1;
        192.168.1.0/24;
        };

// Local addresses named should listen on (referenced by listen-on below).
acl thisdns {
         127.0.0.1;
         // Placeholder, not valid syntax as written: replace the whole entry with
         // the server's own LAN address (192.168.1.50 in the quoted post).
         192.168.1.whaever your DNS server is;
        };



Then, in the options section:


        // Fragment for the existing options { ... } block. The ACL names used
        // here (mynet, bogusnets, thisdns) are the ones defined earlier in this post.

        // Hosts allowed to send NOTIFY to this server. Only relevant for slave
        // zones; the zones shown in the quoted config are all "type master".
        allow-notify {
                mynet;
        };
        // Answer queries from loopback and the LAN. The quoted config has
        // allow-query { localhost; }, which fits the "Query refused" replies
        // the Windows and AIX clients received.
        allow-query {
                mynet;
        };
        // Recurse only for mynet, so the server does not act as an open
        // resolver for any other source.
        allow-recursion {
                mynet;
        };
        // Ignore queries from, and never send queries to, the bogusnets ranges.
        blackhole {
                bogusnets;
        };
        // Listen on loopback and the server's LAN address, not 127.0.0.1 only.
        listen-on {
                thisdns;
        };
        // No IPv6 listeners.
        listen-on-v6 {
                none;
        };
        // NOTE(review): "port 53" pins the source port of every outgoing query.
        // A fixed source port removes source-port randomization and makes forged
        // answers (cache poisoning) easier to land. Unless a firewall in front of
        // the server forces it, prefer "query-source address *;" so named picks
        // the ports itself.
        query-source address * port 53;
        // Replaces the version string named reports when asked. This hides the
        // release from casual probes but is not a substitute for patching.
        version "!BIND!";










James wrote:
> Howdy,
>  
> I have Fedora 9 installed and would like to use it as the DNS system 
> in the house.
>  
> The setup is as follows
>  
> options {
>         listen-on port 53 { 127.0.0.1; };
>         listen-on-v6 port 53 { ::1; };
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query     { localhost; };
>         recursion yes;
>         forwarders {
>                 68.87.77.130;
>                 68.87.72.130;
>                 };
> };
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>  
> zone "home.local" {
>         type master;
>         file "/var/named/home.local.hosts";
>         };
>
> zone "1.168.192.in-addr.arpa" {
>         type master;
>         file "1.168.192.in-addr.arpa.zone";
>         allow-update { key "rndckey"; };
>         notify yes;
>  
> I have the files in /var/named setup and configured. From the DNS 
> system I can type
> nslookup 43p and get the following
> [root@fc9 named]# vi /etc/named.conf
> [root@fc9 named]# nslookup 43p
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> Name:   43p.home.local
> Address: 192.168.1.52
>  
> From a windows system I get the following
> C:\Users\dalan>nslookup 43p
> Server:  UnKnown
> Address:  192.168.1.50:53
> *** UnKnown can't find 43p: Query refused
>  
> From the AIX system I get
> (43p-aix) [dalan] nslookup 43p
> *** Can't find server name for address 192.168.1.50:Query refused
> *** Default servers are not available
> (43p-aix) [dalan]
> I have shut off the firewall and SE-Linux on the Fedora system. I'm 
> not sure why the fedora system is blocking/refusing the request coming 
> from another system.
> I even put the following entries in iptables.
> SERVER_IP="192.168.1.50"
> iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP 
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m 
> state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 
> -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP 
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0 --dport 
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m 
> state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 
> -m state --state ESTABLISHED -j ACCEPT
>  
> I still have the same effect.
>  
> Running the following shows that the system is refusing the connection.
> /usr/sbin/tcpdump -X port 53
>
> [root@fc9 named]# /usr/sbin/tcpdump -X port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 21:39:38.512926 IP aix.sparish.local.52686 > fc9.sparish.local.domain: 
> 46304+ PTR? 50.1.168.192.in-addr.arpa. (43)
>         0x0000:  4500 0047 ac22 0000 1e11 6ccd c0a8 0134  E..G."....l....4
>         0x0010:  c0a8 0132 cdce 0035 0033 7c2c b4e0 0100  ...2...5.3|,....
>         0x0020:  0001 0000 0000 0000 0235 3001 3103 3136  .........50.1.16
>         0x0030:  3803 3139 3207 696e 2d61 6464 7204 6172  8.192.in-addr.ar
>         0x0040:  7061 0000 0c00 01                        pa.....
> 21:39:38.519048 IP fc9.sparish.local.domain > aix.sparish.local.52686: 
> 46304 Refused- 0/0/0 (43)
>         0x0000:  4500 0047 0000 4000 4011 b6ef c0a8 0132  E..G..@.@......2
>         0x0010:  c0a8 0134 0035 cdce 0033 fc26 b4e0 8105  ...4.5...3.&....
>         0x0020:  0001 0000 0000 0000 0235 3001 3103 3136  .........50.1.16
>         0x0030:  3803 3139 3207 696e 2d61 6464 7204 6172  8.192.in-addr.ar
>         0x0040:  7061 0000 0c00 01                        pa.....
>  
> Any help would be welcome
>  
> Thanks