3

I have a dedicated server that I can't seem to get my domain name to resolve correctly with bind. I tried many internet searches and compared different config files, but I can't seem to figure it out. I only have one ip address and gateway address.

dig @localhost www.euphorics.net

    ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @localhost www.euphorics.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58762
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.euphorics.net.     IN  A

;; ANSWER SECTION:
www.euphorics.net.  3600    IN  A   38.130.218.68

;; AUTHORITY SECTION:
euphorics.net.      3600    IN  NS  ns2.euphorics.net.
euphorics.net.      3600    IN  NS  ns1.euphorics.net.

;; ADDITIONAL SECTION:
ns1.euphorics.net.  3600    IN  A   38.130.218.68
ns2.euphorics.net.  3600    IN  A   38.130.218.68

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 19 08:24:26 EDT 2016
;; MSG SIZE  rcvd: 130

/etc/named.conf

    //
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 38.130.218.68; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-transfer { 38.130.218.68; };      # disable zone transfers by default
        allow-query     { trusted; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

acl "trusted" {
        127.0.0.1;    # ns1 - can be set to localhost
        38.130.218.68;    # ns2
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";

/etc/named/named.conf.local

    zone "euphorics.net" {
    type master;
    file "/etc/named/zones/db.euphorics.net"; # zone file path
};

zone "130.38.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.38.130";  # 10.128.0.0/16 subnet
};

/etc/named/zones/db.euphorics.net

    $TTL 3600
@       IN      SOA     ns1.euphorics.net. admin.euphorics.net. (
                              3         ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL

; name servers - NS records
euphorics.net.          IN      NS      ns1.euphorics.net.
euphorics.net.          IN      NS      ns2.euphorics.net.

; name servers - A records
@                                   A       38.130.218.68
www                                 A       38.130.218.68
ns1.euphorics.net.          IN      A       38.130.218.68
ns2.euphorics.net.          IN      A       38.130.218.68

Also I added port 53 tcp/udp to firewalld and also to iptables. I even turned off my firewall to see if that would help, but it didn't. Rebooted bind / server, still no go.

sly1x
  • 33
  • 1
  • 1
  • 4
  • 2
    you have only allowed certain IP addresses to query for your domain through acl --- allow-query { trusted; }; And in acl, only 2 addresses are allowed --- acl "trusted" { 127.0.0.1; # ns1 - can be set to localhost 38.130.218.68; # ns2 }; please check and change the ACL – Gaurav Kansal Oct 19 '16 at 10:58
  • I am getting Query, status: REFUSED while querying from your server. – Gaurav Kansal Oct 19 '16 at 11:04

3 Answers3

3

You have only allowed certain IP addresses in acl list

acl "trusted" { 127.0.0.1; # ns1 - can be set to localhost 38.130.218.68; # ns2 };

And in allow-query tag, you have called 'trusted' acl, where only local ips are allowed to query.

allow-query { trusted; };

Ideally, for a authoritative server, whole internet should be allowed to query for your domain otherwise, people will not be able to resolve your domain.

In dig query, i am getting Query, status: REFUSED while querying from your server.

Gaurav Kansal
  • 618
  • 9
  • 24
2

@sly1x.... Your server is now acting as open resolver as shown below --

*Kansals-MacBook:~ Kansal$ dig nkn.in @38.130.218.68 +short 180.149.57.82 Kansals-MacBook:~ Kansal$*

Your server may be used to generate DDoS attack on others.

As best practice, it is not advisable to run open resolver, unless and until you have the expertise to do the same.

Either do the following settings in options portion of bind configuration

recursion no;

OR use acl for selectively allowing recursion.

Gaurav Kansal
  • 618
  • 9
  • 24
  • Yeah, I enabled recursion and set acl back to trusted. Never really messed up with bind before since digital ocean / linode already had these things configured.... – sly1x Oct 19 '16 at 20:05
  • I'm sorry I set recursion to no, rebooted server. Thanks for the advice, I can't however connect to the domain name unless the allow-query is set to any. Is this ok or do I need to find an alternative to this solution? – sly1x Oct 19 '16 at 20:14
  • 1
    allow-query set to any is required on authoritative servers. – Gaurav Kansal Oct 20 '16 at 02:33
  • It's worth noting that leaving out `allow-query` entirely allows queries to authoritative zones without also having the side-effect of changing what is allowed when it comes to recursion. Do see the `allow-*` settings in the manual (specifically how these interact when you start overriding some of them): http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#access_control – Håkan Lindqvist Oct 20 '16 at 05:50
-3

Set 

acl recurseallow { 127.0.0.1; 38.130.218.68; 192.168.0.0/24; }; //local network maybe?
allow-query     { any; };
recursion { recurseallow; };

About the zone file, try this :

$ttl 60 //for testing purpose. After that set it above 3600
@       IN  SOA ns1.euphorics.net. root.euphorics.net. (
                    2016101901 ; serial
                    10800      ; refresh (3 hours)
                    60       ; retry (30 minutes) // after finishing testing, set it above 3600
                    604800     ; expire (1 week )
                    38400     ; minimum (1 day)
                    )

           NS      ns1.euphorics.net.
           NS      ns2.euphorics.net.
            A      38.130.218.68
        IN  A   38.130.218.68
ns1     IN  A   38.130.218.68
ns2     IN  A   38.130.218.68
www     IN  A   38.130.218.68
Str82DHeaD
  • 582
  • 4
  • 7
  • 1
    This is not good advice from a security point of view! The default value for [`recursion`](http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#boolean_options) is `yes`, so commenting out `recursion yes`; leaves it at `yes`. This in combination with overriding [`allow-query`](http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#access_control) to `any` (do look at the manual for how the `allow-*` settings interact when you start overriding one but not the others!) means that you're now running a wide-open recursor! – Håkan Lindqvist Oct 19 '16 at 17:34
  • @Lindqvist... Exactly and an open resolver may be used for generating DDoS attack. – Gaurav Kansal Oct 19 '16 at 17:44
  • @Lindqvist you're about right! I missed to point that recursion must be done to certain acl list. Edited : added missing point. Not good if you haven't slept in 24 hours guys... – Str82DHeaD Oct 20 '16 at 06:23