Bind: Connection Timed Out

ilikefishdou
Posts: 4
Joined: 2018/01/31 01:10:47

Bind: Connection Timed Out

Postby ilikefishdou » 2018/01/31 01:32:20

I'm pulling my hair out wondering why this isn't working! I've built a caching/forwarding-only server using BIND on CentOS 7. Whenever I try to run a query against it from a client (a Mac) I get "connection timed out, no servers could be reached". I am able to resolve everything from the server itself, and I have that server pointed to itself in its DNS settings.

It's on a Minimal install of CentOS 7, so there's no IPTables running on it to block it.

I've confirmed that the IP address is open on 53 with netstat:

Code:

[root@ns1 ~]# netstat -lnp | grep named
tcp        0      0 192.168.254.250:53      0.0.0.0:*               LISTEN      1741/named         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1741/named         
tcp6       0      0 ::1:953                 :::*                    LISTEN      1741/named         
udp        0      0 192.168.254.250:53      0.0.0.0:*                           1741/named


I've gone through and pared down the named.conf to just about nothing:

Code:

[root@ns1 ~]# cat /etc/named.conf

options {
   listen-on port 53 { 192.168.254.250; };
   directory    "/var/named";
   dump-file    "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   forwarders { 8.8.8.8; };
   forward only;

   dnssec-enable yes;
   dnssec-validation yes;

   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";

   managed-keys-directory "/var/named/dynamic";

   pid-file "/run/named/named.pid";
   session-keyfile "/run/named/session.key";
};

logging {
   category lame-servers
   {
      null;
   };

   channel named_file
   {
      file "/var/log/bind/named.log" versions 99 size 10m;
      print-time yes;                
      print-category yes;
      print-severity yes;
   };

   channel log_requests
   {
      file "/var/log/bind/queries.log" versions 99 size 30m;
      print-time yes;
      print-category yes;
      print-severity yes;
   };

   category queries
   {
      log_requests;
   };

   category default
   {
      named_file;
   };

};

zone "." IN {
   type hint;
   file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.conf.local";


I've created the conf.local and db files for the zones, even though I don't need any zones since I only want this to be a forwarding/caching server.

Code:

[root@ns1 ~]# cat /etc/named.conf.local
zone "name-gst.com" {
   type master;
   file "/var/named/db.name-gst.com";
};

zone "168.192.in-addr.arpa" {
   type master;
   file "/var/named/db.168.192";
};


Code:

[root@ns1 ~]# cat /var/named/db.name-gst.com
$TTL   604800
@   IN   SOA   ns1.name-gst.com. root.name-gst.com. (
      3      ; Serial
      604800      ; Refresh
      86400      ; Retry
      2419200      ; Expire
      604800 )    ; Negative Cache TTL

; name servers - NS records
@   IN   NS   ns1

; name server - A records

ns1   IN   A   192.168.254.250


; generic A records

gateway   IN   A   192.168.0.1


Code:

[root@ns1 ~]# cat /var/named/db.168.192
$TTL   604800
@   IN   SOA   ns1.name-gst.com. root.name-gst.com. (
      3      ; Serial
      604800      ; Refresh
      86400      ; Retry
      2419200      ; Expire
      604800   )   ; Negative Cache TTL

; name servers - NS records
@   IN   NS   ns1.name-gst.com.      ; a bare "ns1." with a trailing dot is the absolute name ns1., not this host

; PTR records
250.254   IN   PTR   ns1.name-gst.com.      ; 192.168.254.250 (PTR targets must be fully qualified)


I have confirmed with tcpdump that the client is getting to the host:

Code:

[root@ns1 ~]# tcpdump -vvv -s 0 -l -n port 53 -i ens160 | grep www.msn.com
tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
    192.168.130.220.55463 > 192.168.254.250.domain: [udp sum ok] 10956+ A? www.msn.com. (29)
    192.168.130.220.55463 > 192.168.254.250.domain: [udp sum ok] 10956+ A? www.msn.com. (29)
    192.168.130.220.55463 > 192.168.254.250.domain: [udp sum ok] 10956+ A? www.msn.com. (29)


I just don't know what else to do to get this thing to answer clients.

I originally had:
allow-query { any; };
allow-recursion { any; };

but it didn't seem to make a difference.

Thanks!

TrevorH
Forum Moderator
Posts: 21767
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind: Connection Timed Out

Postby TrevorH » 2018/01/31 01:39:08

Opened tcp and udp ports 53 on the firewall? If using firewalld then use firewall-cmd --add-service=DNS or use iptables to add rules if not using firewalld.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
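Once port 53 is opened on the firewall as suggested above, the ACLs the original post mentions trying (allow-query { any; }; allow-recursion { any; };) decide who may use the forwarder. The following Python script is an added example, not code from the thread or from BIND: it pulls those two statements out of a named.conf options block and reports whether recursion is open to any source. It assumes BIND 9 defaults for absent statements (allow-query defaults to any, allow-recursion to localnets and localhost), looks only at the top-level options block (no views), and the two configuration strings are constructed from the pared-down config posted in the thread.

```python
"""Check a named.conf options block for an open recursive resolver.
Added example for the thread above; not code from BIND or from the original posters."""
import re

# BIND 9 defaults that apply when a statement is absent (assumption: BIND 9.4 or later).
DEFAULT_ACLS = {
    "allow-query": ["any"],
    "allow-recursion": ["localnets", "localhost"],
}

# Constructed from the pared-down options block posted in the thread.
POSTED_OPTIONS = """
options {
   listen-on port 53 { 192.168.254.250; };
   forwarders { 8.8.8.8; };
   forward only;
   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";
};
"""

# The same block with the ACLs the original poster said they first tried.
ORIGINAL_ACLS = POSTED_OPTIONS.replace(
    "forward only;",
    "forward only;\n   allow-query { any; };\n   allow-recursion { any; };")


def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out statements are not matched."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def acl(conf, statement):
    """Address list of `statement { a; b; };`, or BIND's default when the statement is absent.
    Only the first (top-level options) occurrence is considered; views are not handled."""
    m = re.search(r"\b%s\s*\{(.*?)\}\s*;" % re.escape(statement), conf, flags=re.S)
    if not m:
        return list(DEFAULT_ACLS[statement])
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def findings(conf):
    """Return [(statement, addresses, 'set'|'default'), ...] for the two ACLs that govern recursion."""
    conf = strip_comments(conf)
    out = []
    for statement in ("allow-query", "allow-recursion"):
        explicit = re.search(r"\b%s\s*\{" % re.escape(statement), conf) is not None
        out.append((statement, acl(conf, statement), "set" if explicit else "default"))
    return out


def is_open_resolver(conf):
    """True when recursion is on and both ACLs admit any source, i.e. anyone who can reach
    port 53 once the firewall is opened can use the server as a recursive resolver."""
    conf = strip_comments(conf)
    if re.search(r"\brecursion\s+no\s*;", conf):
        return False
    return all("any" in acl(conf, s) for s in ("allow-query", "allow-recursion"))


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_OPTIONS), ("with any/any", ORIGINAL_ACLS)):
        print(label, findings(conf), "open resolver:", is_open_resolver(conf))
```

On the config as finally posted the verdict is "not open", because allow-recursion falls back to localnets/localhost; with the any/any pair it becomes an open recursive resolver the moment the firewall no longer blocks port 53. For a LAN-only forwarder like this one, listing the client networks instead of any (for example allow-recursion { 192.168.0.0/16; localhost; };, an illustrative value) keeps recursion limited to hosts that should use it.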

Devourer
Posts: 5
Joined: 2018/01/29 10:15:59

Re: Bind: Connection Timed Out

Postby Devourer » 2018/01/31 08:26:34

What do the bind logs look like?
Netstat isn't providing the full view. Do telnet xx.bb.ccc.zzz 53 from the client to the server (you can use nc for that too), and also try the same from the server to the outside world.
It's worth running tcpdump on the server with the host ip.addr.xx.xx flag to see if it is receiving queries from the client.
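To see what the three identical packets in the original post's tcpdump capture are, and to probe a resolver from the client side as suggested just above without telnet or nc, here is an added Python example (not code from the thread or from BIND). It builds the same 29-byte UDP query dig sent (id 10956, A? www.msn.com.), sends it up to three times with a timeout, and decodes the reply including RFC 1035 name compression. The server address and transaction id are taken from the posted output, and the sample reply used to exercise the decoder is constructed inline, not captured traffic.

```python
"""Minimal DNS A-record probe: build the query dig sends, retry on timeout, decode the answer.
Added example for the thread above; not code from BIND or from the original posters."""
import socket
import struct

# Values taken from the posted tcpdump line; SERVER is only used by the usage block at the bottom.
TXID = 10956
QNAME = "www.msn.com"
SERVER = "192.168.254.250"


def build_query(txid, name, qtype=1):
    """12-byte header + QNAME + QTYPE + QCLASS. Flags 0x0100 = RD, shown by tcpdump as the '+'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def read_name(msg, offset):
    """Decode a domain name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # two-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: %d != %d" % (txid, expected_txid))
    offset = 12
    for _ in range(qdcount):                   # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                            # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return flags & 0x0F, answers


def sample_response(txid=TXID, name=QNAME, ip="203.0.113.10", ttl=300):
    """Constructed reply: QR|RD|RA set, one A record whose owner is a pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_query(txid, name)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(server, name, txid=TXID, tries=3, timeout=2.0):
    """Send the query up to `tries` times over UDP; dig does the same before printing
    ';; connection timed out; no servers could be reached'."""
    query = build_query(txid, name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for attempt in range(1, tries + 1):
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                print("attempt %d: no reply from %s within %ss" % (attempt, server, timeout))
                continue
            return parse_response(data, txid)
    return None  # every retry timed out: packets reach the host but nothing answers


if __name__ == "__main__":
    print("query length:", len(build_query(TXID, QNAME)))   # 29, as in the tcpdump line
    print("decoded sample reply:", parse_response(sample_response(), TXID))
    print("live probe:", probe(SERVER, QNAME))
```

Run from the client, probe() returning None after three silent attempts is exactly the picture in the thread: tcpdump on the server sees each retry arrive, so the packets are not being dropped in transit, but named never gets them, which points at a host firewall (firewalld here) rather than at the BIND configuration. If named had been reachable but refusing recursion, the reply would have come back with a non-zero rcode instead of silence.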

ilikefishdou
Posts: 4
Joined: 2018/01/31 01:10:47

Re: Bind: Connection Timed Out

Postby ilikefishdou » 2018/01/31 17:32:01

Son of a b! I didn't even think about firewalld running. I was looking for iptables, and since it was a minimal install of CentOS I figured it didn't have anything installed.

I stopped firewalld and, lo and behold, a result!

Thanks for the suggestions everyone!