
I have Windows Server 2012 R2 with RRAS running a NAT. I have Ubuntu Server 15.10 running VestaCP with a bind9 DNS server. I've forwarded common ports to the VM through the RRAS NAT, like 80 and 53 (DNS UDP & TCP). I've also allowed these ports through the Windows Firewall.

The problem I'm having is that for some reason the DNS server isn't working. I've set up my host records pointing to my IP, and set up A records for the nameserver addresses. But nothing seems to want to work. I've set up the A records on the DNS server, so as soon as something gets through it'll see the nameserver A records. When I check DNS propagation and check the RRAS Mapping Table, it shows all the DNS servers coming in on private & public port 53, but running on lots of different remote ports. Is it possible something is blocking the outgoing packets?

Mooticus
  • Are you configuring an Authoritative DNS server using BIND? Have you created the zone files properly? If you are not sure you can post your bind config. – Diamond Nov 18 '15 at 00:17
  • How do you know your DNS isn't working? What zones do you have? How are those related to your RRAS? What about port forwarding, are you sure it works? Explain better your setup obfuscating IP's and domains. Explain what you tried and how too. – Fredi Nov 18 '15 at 00:20
  • DNS isn't working properly because if you do a lookup of 'craftmitopia.com' for both A record, and NS records, it's not showing up anything. This brings me to believe it's something wrong with the DNS server. I've run Vesta on its own Virtual Server before, not under Windows, and it's set up fine. This time it's not getting my DNS settings, like it previously has. RRAS is forwarding the port, and letting them through, I'm thinking it could be the RRAS NAT port forwarding that's blocking the outgoing ports. – Mooticus Nov 18 '15 at 00:27

1 Answer


The nameserver for craftmitopia.com. seems to be responding, just not in a desirable way. It doesn't appear to be a firewall problem.

Following the chain of delegations (dig +trace +add used in this case) you see this:

craftmitopia.com.       172800  IN      NS      ns1.craftmitopia.com.
craftmitopia.com.       172800  IN      NS      ns2.craftmitopia.com.
ns1.craftmitopia.com.   172800  IN      A       221.121.158.87
ns2.craftmitopia.com.   172800  IN      A       221.121.158.87
couldn't get address for 'ns1.craftmitopia.com': not found
couldn't get address for 'ns2.craftmitopia.com': not found

So, looking into what is happening when resolving the names of the nameservers, one will see:

$ dig @221.121.158.87 ns1.craftmitopia.com. +norec

; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> @221.121.158.87 ns1.craftmitopia.com. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51812
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.craftmitopia.com.          IN      A

;; Query time: 326 msec
;; SERVER: 221.121.158.87#53(221.121.158.87)
;; WHEN: Wed Nov 18 06:21:14 UTC 2015
;; MSG SIZE  rcvd: 49

$

I.e., your nameserver is responding with SERVFAIL. Probably some form of misconfiguration or invalid zone data that prevents it from operating properly.

Check your logs and/or named-checkconf -zj output for details.

It's also notable that while you have two NS records with different names, these "nameservers" both have the same address so there is no actual redundancy. You will want to fix this as well.

Håkan Lindqvist
  • I've been working on this problem all day, and I've figured out it's something wrong with the BIND server. It's running under the bind username, but it's saying permission denied when it's trying to open up the master file that Vesta creates. – Mooticus Nov 18 '15 at 06:45
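To show what the answer's dig +norec check and its redundancy remark look like at the wire level, here is an added example (not code from the original post or from BIND/Vesta). It builds a DNS query with the RD bit clear, reads the RCODE from the response header, and flags NS sets whose names all map to one address; build_query, parse_header, query_server and has_real_redundancy are hypothetical helper names, and SAMPLE_SERVFAIL is constructed to mirror the header shown in the answer.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234, recursion_desired=False):
    """Build a minimal DNS query. RD is left clear (like dig +norec) so an
    authoritative server must answer from its own zone data, not by recursing."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # qtype, class IN

def parse_header(response):
    """Decode the 12-byte header: transaction id, QR/AA flags, answer count, RCODE."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "answers": an, "rcode": RCODE_NAMES.get(rcode, f"RCODE{rcode}")}

def query_server(server, name, qtype=1, timeout=3.0):
    """Send the query over UDP/53 to one specific server and return its parsed header.
    A fixed id keeps the example deterministic; a real tool would randomise it."""
    txid = 51812
    q = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid:
        raise ValueError("transaction id mismatch, discarding response")
    return hdr

def has_real_redundancy(glue):
    """glue: list of (ns_name, address). True only if the NS names resolve to more
    than one distinct address; two names pointing at one host give no redundancy."""
    return len({addr for _, addr in glue}) > 1

# Constructed sample response mirroring the header in the answer: id 51812, QR set,
# RD clear, RCODE 2 (SERVFAIL), 1 question, 0 answers, 1 additional (EDNS OPT, udp 4096).
SAMPLE_SERVFAIL = (struct.pack(">HHHHHH", 51812, 0x8002, 1, 0, 0, 1)
                   + build_query("ns1.craftmitopia.com.")[12:]
                   + b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0))

if __name__ == "__main__":
    print(parse_header(SAMPLE_SERVFAIL))
    print(has_real_redundancy([("ns1.craftmitopia.com.", "221.121.158.87"),
                               ("ns2.craftmitopia.com.", "221.121.158.87")]))
```

Run query_server("<your NS address>", "ns1.example.com.") against your own authoritative server: NOERROR with aa set means the zone loaded, while SERVFAIL points at the zone-load or permission problems named-checkconf -zj and the logs reveal.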