Bind9 on debian don't work

Submitted by ramonwap on Sat, 10/17/2015 - 05:41

hello, i'm install new server with debian 7, but port 53 for bind/named always closed. i'm trying with centos 6 , port 53 for bind open

Status: 
Active

Comments

Submitted by andreychek on Sat, 10/17/2015 - 09:49

Howdy -- if you're using a VPS, you may be seeing a difference in the provider's configuration between those two distros.

What is the output of these two commands on your Debian server:

netstat -anlp | grep :53
iptables -L -n

Submitted by ramonwap on Sat, 10/17/2015 - 10:30

i'm trying 2 dedicated, but same result for debian 7/8. if i'm install other control panel (ex: ispconfig) and centos 6 with virtualmin, port 53 is open.

root@server:~# netstat -anlp | grep :53 tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5189/named tcp6 0 0 ::1:53 :::* LISTEN 5189/named udp 0 0 127.0.0.1:53 0.0.0.0:* 5189/named udp6 0 0 ::1:53 :::* 5189/named

root@server:~# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination

Chain FORWARD (policy ACCEPT) target prot opt source destination

Chain OUTPUT (policy ACCEPT) target prot opt source destination

Submitted by andreychek on Sat, 10/17/2015 - 10:47

It looks like it's only listening on the local interface.

What is the output of this command:

/sbin/ifconfig

And can you paste in the contents of this file:

/etc/bind/named.conf.options

Submitted by ramonwap on Sat, 10/17/2015 - 12:52

root@server:~# /sbin/ifconfig eth0 Link encap:Ethernet HWaddr 70:54:d2:1a:8c:21 inet addr:37.59.28.xxx Bcast:37.59.28.255 Mask:255.255.255.0 inet6 addr: fe80::7254:d2ff:fe1a:8c21/64 Scope:Link inet6 addr: 2001:41d0:b:d8::/64 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:30884 errors:0 dropped:4 overruns:0 frame:0 TX packets:14881 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:30502760 (29.0 MiB) TX bytes:4346652 (4.1 MiB) Interrupt:20 Memory:fe500000-fe520000

lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:355 errors:0 dropped:0 overruns:0 frame:0 TX packets:355 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:56221 (54.9 KiB) TX bytes:56221 (54.9 KiB)

root@server:~# cat /etc/bind/named.conf.options options { directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 {
            ::1;
            };
    listen-on {
            127.0.0.1;
            };
    allow-recursion { 127.0.0.1; ::1; };

};

Submitted by andreychek on Sat, 10/17/2015 - 11:09

It looks like that's the problem there -- try changing the "listen-on" parameter to be "0.0.0.0", and then restart BIND.

Submitted by ramonwap on Sat, 10/17/2015 - 11:20

done to change to 0.0.0.0 and restart bind9, but port 53 still closed bro andreychek :(

Submitted by andreychek on Sat, 10/17/2015 - 11:31

Has Bind been restarted? If not, the new config won't be active.

If so, what is the output of the above netstat command again?

Submitted by ramonwap on Sat, 10/17/2015 - 11:39

yes, i restart bind9.

i'm copy from my old virtualmin debian 7 to this server, seem resolve.

options { directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable 
// nameservers, you probably want to use them as forwarders.  
// Uncomment the following block, and insert the addresses replacing 
// the all-0's placeholder.

// forwarders {
//  0.0.0.0;
// };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys.  See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
listen-on-v6 {
    any;
    };

};

thank you bro andreychek :)

Submitted by ramonwap on Sat, 10/17/2015 - 12:51

this output from netstat // root@server:~# netstat -anlp | grep :53 // tcp 0 0 37.59.28.xxx:53 0.0.0.0:* LISTEN 9940/named // tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 9940/named // tcp6 0 0 :::53 :::* LISTEN 9940/named // udp 0 0 37.59.28.xxx:53 0.0.0.0:* 9940/named // udp 0 0 127.0.0.1:53 0.0.0.0:* 9940/named // udp6 0 0 :::53 :::* 9940/named