[ale] Dns Port Problems
george roman
thewolfro at yahoo.com
Sun Mar 21 20:42:32 EST 2004
Hi, I'm using Debian Woody, and I configured a master DNS server on my network. It is supposed to transfer the master zone to my ISP, but it doesn't.
I've tried to investigate my problem from a station situated on the Internet to see what happens. I mention that I tried to configure a slave DNS server on my local network and it works (the zone transfer occurred).
- x.y.z.t is my IP located on the Internet
- 172.16.35.137 is my local computer
In /var/log/syslog I see only the logs from my firewall (which I named DNS-in for the INPUT chain and DNS-out for the OUTPUT chain), but, as I mentioned, in netstat I can see only the TCP SYN flag when I try telnet from the outside (from x.y.z.t): no established connection, but I do have an outgoing packet logged by the firewall (with tcpdump I also see an outgoing packet from the DNS server).
This is the tcpdump output on the DNS server when I tried to connect to port 53 from x.y.z.t:

03:36:10.077870 x.y.z.t.sa-msg-port > ns..domain: S 1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25289352 0,nop,wscale 0> (DF) [tos 0x10]
03:36:10.078383 ns..domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1387905 25289352,nop,wscale 0> (DF)
03:36:13.077295 x.y.z.t.sa-msg-port > ns..domain: S 1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25292352 0,nop,wscale 0> (DF) [tos 0x10]
03:36:13.077711 ns..domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388205 25289352,nop,wscale 0> (DF)
03:36:13.328501 ns..domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388231 25289352,nop,wscale 0> (DF)
This is the firewall log for the same connection:

Mar 21 03:41:23 ns kernel: DNS-IN:--log-ip-options IN=eth2 OUT= MAC=z.x.c.v.b.n SRC=x.y.z.t DST=<my DNS IP> LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=48210 DF PROTO=TCP SPT=1647 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0186AC070000000001030300)
Mar 21 03:41:23 ns kernel: DNS-OUT:--log-ip-options IN= OUT=eth2 SRC=<my DNS IP> DST=x.y.z.t LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=53 DPT=1647 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0015A80B0186AC0701030300)
These are my options in named.conf:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        allow-query { 172.16.32.0/19; ISP 1-st DNS IP; ISP 2-nd DNS IP; x.y.z.t; 127.0.0.1; };
        allow-transfer { ISP 1-st DNS IP; ISP 2-nd DNS IP; 172.16.35.137; x.y.z.t; };
        transfer-source ISP 1-st DNS IP;
        notify-source ISP 1-st DNS IP;
        transfer-format many-answers;
        listen-on port 53 { external IP; 172.16.33.1; 127.0.0.1; };
};
where
- 172.16.35.137 is my local computer, on which I tried to configure a slave zone to see if the zone transfer happens (it works)
- x.y.z.t is my IP located on the Internet
This is the result of nmap started from my local workstation (172.16.35.137), when the DNS server had no firewall (/etc/init.d/iptables clear):

Port       State     Service
9/tcp      open      discard
13/tcp     open      daytime
22/tcp     open      ssh
23/tcp     open      telnet
25/tcp     open      smtp
37/tcp     open      time
53/tcp     open      domain
80/tcp     open      http
110/tcp    open      pop-3
111/tcp    open      sunrpc
113/tcp    open      auth
199/tcp    open      smux
2401/tcp   open      cvspserver
This is the result of nmap started from the station situated on the Internet (x.y.z.t), when the DNS server had no firewall (/etc/init.d/iptables clear):

Port       State     Service
9/tcp      open      discard
13/tcp     open      daytime
22/tcp     open      ssh
23/tcp     open      telnet
25/tcp     open      smtp
37/tcp     open      time
53/tcp     filtered  domain
67/tcp     filtered  dhcp
80/tcp     open      http
110/tcp    open      pop-3
111/tcp    open      sunrpc
113/tcp    open      auth
119/tcp    filtered  nntp
135/tcp    filtered  loc-srv
137/tcp    filtered  netbios-ns
138/tcp    filtered  netbios-dgm
139/tcp    filtered  netbios-ssn
161/tcp    filtered  snmp
162/tcp    filtered  snmptrap
199/tcp    open      smux
445/tcp    filtered  microsoft-ds
2401/tcp   open      cvspserver
This is the result of nmap started from the station situated on the Internet (x.y.z.t), when the DNS server had the firewall activated (but with "iptables -A INPUT -s x.y.z.t -j ACCEPT"):

Port       State     Service
9/tcp      open      discard
13/tcp     open      daytime
22/tcp     open      ssh
23/tcp     open      telnet
25/tcp     open      smtp
37/tcp     open      time
53/tcp     filtered  domain
67/tcp     filtered  dhcp
80/tcp     open      http
110/tcp    open      pop-3
111/tcp    open      sunrpc
113/tcp    open      auth
119/tcp    filtered  nntp
135/tcp    filtered  loc-srv
137/tcp    filtered  netbios-ns
138/tcp    filtered  netbios-dgm
139/tcp    filtered  netbios-ssn
161/tcp    filtered  snmp
162/tcp    filtered  snmptrap
199/tcp    open      smux
411/tcp    open      rmt
445/tcp    filtered  microsoft-ds
1026/tcp   filtered  nterm
1030/tcp   filtered  iad1
2401/tcp   open      cvspserver
This is the result of nmap started from the station situated on the Internet, when the DNS server had the firewall activated (but without "iptables -A INPUT -s x.y.z.t -j ACCEPT"):

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )

It can't scan my ports because I have a rule against it.
Next I tried to configure a DNS slave on x.y.z.t, and in the slave DNS logs I see this message:

Mar 21 03:57:26.590 zone my.zone/IN: refresh: failure trying master <my master dns IP>#53: timed out

There is no surprise for me, since port 53 is not accessible.

Do I have to configure something special in my DNS options to have access to my port 53?

Please help, and thanks for your time.
George
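The tcpdump trace in the post shows a SYN arriving at the server and a SYN-ACK leaving it, after which the client simply retransmits its SYN. The script below is an added example, not code from the original post or its author: it parses lines in that old tcpdump TCP format, groups packets per client/server pair, and reports how far each handshake got. The capture it runs on is constructed here: the first five lines mirror the posted x.y.z.t exchange, and three further lines are an invented local client (172.16.35.137, port 1025) whose handshake completes, so both outcomes are visible. Hostnames, ports and sequence numbers in the sample are illustrative assumptions.

```python
"""Check whether the TCP handshakes in a tcpdump trace completed.

Added example, not code from the original post. It parses old-style
tcpdump TCP lines ("src > dst: S seq:seq(0) ... ack N"), groups packets
per client/server pair, and says how far each handshake got.
"""
import re
from collections import defaultdict

# "HH:MM:SS.usec src > dst: FLAGS rest" -- FLAGS is S/F/R/P or "." (none).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back\s+\d+")

# Constructed sample: the first five lines mirror the posted x.y.z.t trace
# (SYN in, SYN-ACK out, SYN retransmitted, no final ACK); the last three are
# an invented local client that completes the handshake, for contrast.
# Hostnames, ports and sequence numbers are illustrative assumptions.
SAMPLE_CAPTURE = """\
03:36:10.077870 x.y.z.t.sa-msg-port > ns.domain: S 1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25289352 0,nop,wscale 0> (DF) [tos 0x10]
03:36:10.078383 ns.domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1387905 25289352,nop,wscale 0> (DF)
03:36:13.077295 x.y.z.t.sa-msg-port > ns.domain: S 1532033272:1532033272(0) win 5840 <mss 1460,sackOK,timestamp 25292352 0,nop,wscale 0> (DF) [tos 0x10]
03:36:13.077711 ns.domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388205 25289352,nop,wscale 0> (DF)
03:36:13.328501 ns.domain > x.y.z.t.sa-msg-port: S 1617471727:1617471727(0) ack 1532033273 win 5792 <mss 1460,sackOK,timestamp 1388231 25289352,nop,wscale 0> (DF)
03:40:01.000100 172.16.35.137.1025 > ns.domain: S 100:100(0) win 5840 <mss 1460> (DF)
03:40:01.000300 ns.domain > 172.16.35.137.1025: S 200:200(0) ack 101 win 5792 <mss 1460> (DF)
03:40:01.000500 172.16.35.137.1025 > ns.domain: . ack 201 win 5840 (DF)
"""


def parse_line(line):
    """Return the fields needed from one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "syn": "S" in m.group("flags"),
        "rst": "R" in m.group("flags"),
        "ack": ACK_RE.search(m.group("rest")) is not None,
    }


def analyse(capture_text):
    """Map (client, server) -> packet counts and a verdict for each handshake attempt."""
    flows = defaultdict(list)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            # Both directions of one connection share the same unordered address pair.
            flows[frozenset((pkt["src"], pkt["dst"]))].append(pkt)

    report = {}
    for pkts in flows.values():
        # The client is whoever sent the first bare SYN (SYN without ACK).
        first_syn = next((p for p in pkts if p["syn"] and not p["ack"]), None)
        if first_syn is None:
            continue
        client, server = first_syn["src"], first_syn["dst"]
        syns = sum(1 for p in pkts if p["src"] == client and p["syn"] and not p["ack"])
        synacks = sum(1 for p in pkts if p["src"] == server and p["syn"] and p["ack"])
        rsts = sum(1 for p in pkts if p["src"] == server and p["rst"])
        final_acks = sum(1 for p in pkts if p["src"] == client and p["ack"] and not p["syn"])

        if final_acks:
            verdict = "handshake completed"
        elif rsts:
            verdict = "server answered RST: nothing listening on that port"
        elif synacks == 0:
            verdict = "no SYN-ACK: the SYN never reached a listener (host firewall or path)"
        else:
            verdict = ("SYN-ACK left the server but the client kept retransmitting SYN: "
                       "the reply is dropped on the return path (outbound filter, NAT, or upstream)")
        report[(client, server)] = {"syn": syns, "syn_ack": synacks, "rst": rsts,
                                    "ack": final_acks, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (client, server), r in analyse(SAMPLE_CAPTURE).items():
        print(f"{client} -> {server}: SYN={r['syn']} SYN-ACK={r['syn_ack']} "
              f"RST={r['rst']} ACK={r['ack']}: {r['verdict']}")
```

Feed it a real trace with `tcpdump -n port 53 > trace.txt` and `analyse(open("trace.txt").read())`; a flow that keeps showing SYN-ACKs from the server with no ACK back tells you the server side did its part and the fault lies on the return path, which is a different fix from a listener that never answers at all.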