So I've been trying to implement http://www.linuxdocs.org/HOWTOs/DNS-HOWTO.html. I updated to the latest bind, bind-devel, and bind-utils. Setting up all the files seemed easy, but I couldn't get the tests working. dig -x 127.0.0.1 worked, but dig anyothermachine.tld does not:

[root at kramer /etc]# dig pegasystems.com

; <<>> DiG 8.3 <<>> pegasystems.com
;; res options: init recurs defnam dnsrch
;; res_nsend to server default -- 127.0.0.1: Connection timed out

So I go to check on the status:

[root at kramer /etc]# /sbin/service named status
named 8.2.3-REL Sat Jan 27 05:11:05 EST 2001 prospector at porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.3/src/bin/named
config (/etc/named.conf) last loaded at age: Tue Oct 2 21:13:45 2001
number of zones allocated: 64
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is initialising itself

It says it is still initializing itself, but it's been running for several minutes.

Last symptom, and this might be the kicker. The site mentions a way to get an updated root.hints from a root server. Now the one on the web page wasn't working, so I copied the one off of blu.org. Then I tried their command:

[root at kramer /etc]# dig @e.root-servers.net

; <<>> DiG 8.3 <<>> @e.root-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server e.root-servers.net 192.203.230.10: Connection refused

DOH! I can ping that machine, too, so I know it's reachable. Then I found this in /var/log/messages:

Oct 2 21:40:07 kramer named[4887]: starting (/etc/named.conf). named 8.2.3-REL Sat Jan 27 05:11:05 EST 2001 ^Iprospector at porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.3/src/bin/named
Oct 2 21:40:07 kramer named[4887]: hint zone "" (IN) loaded (serial 0)
Oct 2 21:40:07 kramer named[4887]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1)
Oct 2 21:40:07 kramer named[4887]: listening on [127.0.0.1].53 (lo)
Oct 2 21:40:07 kramer named[4887]: listening on [65.96.156.60].53 (eth0)
Oct 2 21:40:07 kramer named[4887]: listening on [192.168.1.1].53 (eth1)
Oct 2 21:40:07 kramer named[4887]: Forwarding source address is [0.0.0.0].53
Oct 2 21:40:07 kramer named: named startup succeeded
Oct 2 21:40:07 kramer named[4888]: group = 25
Oct 2 21:40:07 kramer named[4888]: user = named
Oct 2 21:40:07 kramer named[4888]: Ready to answer queries.
Oct 2 21:40:07 kramer named[4888]: sysquery: sendto([192.5.5.241].53): Operation not permitted
Oct 2 21:51:34 kramer named[4888]: ns_forw: sendto([192.5.5.241].53): Operation not permitted

Operation not permitted? I have port 53 open on my firewall:

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

Sorry if this is lengthy. I'm just trying to round up all the evidence. Any clues? Thanks. For now I've restored my resolv.conf to look at AT&T's nameservers.

-------------------------------------------------------------------
DDDD   David Kramer                   http://thekramers.net
DK KD
DKK D  Imagine an alternate history where William S. Burroughs was
DK KD  actually interested in mainframe hardware design.
DDDD                                  Bob Bruhin

-
Subscription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request at blu.org (Subject line is ignored).
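
An added example, not part of the original post: it takes the packet implied by the log excerpt above (named's source port and the sendto() destination) and checks it against the two output-chain rules quoted in the message. The values given to UNPRIVPORTS, IPADDR and NAMESERVER_1 are assumptions, since the post does not show what those variables expand to.

```python
import re

# Assumed expansions of the shell variables in the posted rules.
UNPRIVPORTS = (1024, 65535)   # assumption: conventional unprivileged port range
IPADDR = "65.96.156.60"       # assumption: the eth0 address shown in the named log
NAMESERVER_1 = "192.0.2.53"   # placeholder: the ISP resolver is not on the page

# The two "-A output ... -j ACCEPT" rules from the post.
OUTPUT_RULES = [
    {"proto": "udp", "src": IPADDR, "sport": UNPRIVPORTS,
     "dst": NAMESERVER_1, "dport": (53, 53)},
    {"proto": "tcp", "src": IPADDR, "sport": UNPRIVPORTS,
     "dst": NAMESERVER_1, "dport": (53, 53)},
]

# Two lines copied from the /var/log/messages excerpt in the post.
LOG = """\
Oct 2 21:40:07 kramer named[4887]: Forwarding source address is [0.0.0.0].53
Oct 2 21:40:07 kramer named[4888]: sysquery: sendto([192.5.5.241].53): Operation not permitted
"""

def packet_from_log(log):
    """Build the outgoing query packet that the log lines describe."""
    sport = re.search(r"Forwarding source address is \[[\d.]+\]\.(\d+)", log).group(1)
    dst, dport = re.search(
        r"sendto\(\[([\d.]+)\]\.(\d+)\): Operation not permitted", log).groups()
    # 0.0.0.0 means the kernel picks the source address; IPADDR is assumed here.
    return {"proto": "udp", "src": IPADDR, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def mismatches(rule, pkt):
    """Return the fields that stop pkt from matching rule (empty list = match)."""
    bad = [f for f in ("proto", "src", "dst") if rule[f] != pkt[f]]
    for f in ("sport", "dport"):
        lo, hi = rule[f]
        if not lo <= pkt[f] <= hi:
            bad.append(f)
    return bad

def evaluate(pkt):
    """One entry per output rule, in the order the rules were posted."""
    return [mismatches(rule, pkt) for rule in OUTPUT_RULES]

if __name__ == "__main__":
    for rule, bad in zip(OUTPUT_RULES, evaluate(packet_from_log(LOG))):
        print(rule["proto"], "rule:", "ACCEPT" if not bad else "no match on " + ", ".join(bad))
```

A packet that matches no ACCEPT rule falls through to the chain policy, which the post does not show; a DENY or REJECT policy on the output chain would be consistent with the sendto() error in the log.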