[ale] Can't connect to port 53

Michael H. Warfield mhw at WittsEnd.com
Fri Jan 18 11:48:17 EST 2013


On Fri, 2013-01-18 at 09:38 -0500, Jim Lynch wrote:
> Hi, Mike,

> Thanks.  I hate to admit it here 'cause I know general consensus here 
> about webmin and GUIs in general, but I was trying to generate a zone 
> using webmin/dns.  It obviously didn't do what I thought it should.  As 
> I said before I gotta do a bit more digging so I understand this stuff a 
> bit better.  Your example helps a lot.  Thanks for that.

Ok...  That tells me a couple of important things.

If you are generating a zone file, you must be setting up an
authoritative name server.

Even if you set up a proper zone file and have that configured
correctly, you still must configure the name server itself to listen on
the network.  That's not in the zone file at all.  That's part of the
global named.conf configuration.

Since you are able to telnet to localhost on port 53 you're obviously on
the machine hosting the nameserver so you should be able to
edit /etc/named.conf and inspect its content.

I should also point out as well that telnet to port 53 is TCP whereas
most DNS is going to operate over UDP with TCP as a fallback for larger
transfers like zone transfers.  The name server will listen on both TCP
and UDP sockets for the same addresses but also be sure your firewall
rules are consistent for TCP and UDP.

AFA nslookup goes...  Another poster was correct in that nslookup is
deprecated and discouraged by the original authors (ISC - Internet
Systems Consortium).

The reason for this is that nslookup uses its own peculiar internal
resolver and operates differently from "host" and "dig" as well as
normal name resolution lookups.  It may present results which are
inconsistent with the behavior of those two supported tools and other
applications doing name lookups.  It may work perfectly fine in most
simple cases but it has been stated that its behavior can be
"inconsistent" (due to its use of that internal resolver).  It hasn't
been updated in ages and may not support some of the newer DNS features,
either.

From ISC:

http://www.isc.org/software/bind/documentation/arm95#id2547410
-- 
Due to its arcane user interface and frequently inconsistent behavior,
we do not recommend the use of nslookup.  Use dig instead.
-- 

Example...

[mhw@canyon ~]$ nslookup www.ip6.wittsend.com
Server:		127.0.0.1
Address:	127.0.0.1#53

*** Can't find www.ip6.wittsend.com: No answer

[mhw@canyon ~]$ host www.ip6.wittsend.com
www.ip6.wittsend.com has IPv6 address 2001:4830:3000:2:204:8ff:fe00:1151
www.ip6.wittsend.com mail is handled by 10 remus.ip6.wittsend.com.
[mhw@canyon ~]$ 

Regards,
Mike

> Jim.
> On 01/17/2013 06:34 PM, Michael H. Warfield wrote:
> > By default, BIND is only going to listen on localhost:
> >
> > IPv4:	127.0.0.1
> > IPv6:	::1
> >
> > Try doing a "netstat -nta | grep :53"
> >
> > Then see what it says.
> >
> > If you want BIND to listen on the network in general, you'll have to set
> > up the listen-on and listen-on-v6 options.  Make sure, if this is exposed
> > to the network, that you have RESTRICTED recursion (your local host
> > and/or your local networks).
> >
> > Examples from one of my nameserver's /etc/named.conf file:
> >
> > ACL for my local networks and stuff for recursion:
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!