Hi all,

My CentOS 5 nameserver is seemingly unable to be queried by anything but itself (localhost, 127.0.0.1). From any other machine, including the primary which *does* transfer zone files correctly to this machine (which is secondary), requests time out.

I've put SELinux into permissive mode, so I don't think that's an issue.

/var/named/chroot/etc/named.conf begins thus:
====================================
options {
    directory "/var/named/slaves";
    listen-on { localhost; 127.0.0.1; 64.135.16.15; };
};
====================================

I've placed a copy of resolv.conf in /etc/ as well as /var/named/chroot/etc as a result of seeing this message in /var/log/messages (the file in /etc/ had been a symlink to the file in the chrooted path before this):

Aug 22 13:10:06 sunspot restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) No such file or directory

/etc/init.d/named status returns:

[root at sunspot etc]# /etc/init.d/named status
number of zones: 172
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

So....while I'm sure it's simple, I'm stumped.

Any help will be greatly appreciated.

Kind regards,
~Ray
Ray Leventhal wrote:
> Hi all,
>
> My CentOS 5 nameserver is seemingly unable to be queried by anything but
> itself (localhost, 127.0.0.1). From any other machine, including the
> primary which *does* transfer zone files correctly to this machine
> (which is secondary), requests time out.
>
> I've put SELinux into permissive mode, so I don't think that's an issue.
>
> /var/named/chroot/etc/named.conf begins thus:
> ====================================
> options {
>     directory "/var/named/slaves";
>     listen-on { localhost; 127.0.0.1; 64.135.16.15; };
> };
> ====================================

Are you using views? If you only have a 'localhost' view (kind of how namecacheserver is set up), then no one else can query.

Do you have match-clients and match-destinations set up? I think the default for these is 'any', but if you have them and they are wrong?

> I've placed a copy of resolv.conf in /etc/ as well as
> /var/named/chroot/etc as a result of seeing this message in
> /var/log/messages (the file in /etc/ had been a symlink to the file in
> the chrooted path before this)
>
> Aug 22 13:10:06 sunspot restorecond: Will not restore a file with more
> than one hard link (/etc/resolv.conf) No such file or directory
>
> /etc/init.d/named status returns:
>
> [root at sunspot etc]# /etc/init.d/named status
> number of zones: 172
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is OFF
> recursive clients: 0/1000
> tcp clients: 0/100
> server is up and running
>
> So....while I'm sure it's simple, I'm stumped.
>
> Any help will be greatly appreciated.
>
> Kind regards,
> ~Ray
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
replies-lists-a1z2-centos at listmail.innovate.net wrote:
> first, if you turn query logging on you'll likely get some more hints.
>
> do you have a:
>
> allow-query {
>     localhost;
>     <ipnumber>;
> };
>
> directive in the top options section? i think the server defaults to
> "all" if you don't have one, but i'm not positive about that. if you do
> have one, and only have "localhost" in, that's likely your problem.
>
> - Rick

Thanks for your replies.

@Rick,

My understanding was that the default was 'any' for 'allow-query', and so the only thing (other than the zone requests) in options in my named.conf is

options {
    directory "/var/named/slaves";
    listen-on { localhost; 127.0.0.1; 64.135.16.15; };
};

I'll try adding an allow-query statement, using 'all', and see if that resolves the issue (no pun intended <g>).

> Are you using views? If you only have a 'localhost' view (kind of how
> namecacheserver is set up), then no one else can query.
>
> Do you have match-clients and match-destinations set up? I think the
> default for these is 'any', but if you have them and they are wrong?

@Robert,

No, I am not using any explicitly configured 'views', nor do I have match-clients or match-destinations set up, as I also believe that these are 'any' by default.

Kind regards,
~Ray
replies-lists-a1z2-centos at listmail.innovate.net wrote:
> first, if you turn query logging on you'll likely get some more hints.

Rick,

I did miss that comment before I posted. I'll do that and query... will report the log here this evening.

Kind regards,
~Ray
Ray Leventhal wrote:
> Hi all,
>
> My CentOS 5 nameserver is seemingly unable to be queried by anything but
> itself (localhost, 127.0.0.1). From any other machine, including the
> primary which *does* transfer zone files correctly to this machine
> (which is secondary), requests time out.
>
> I've put SELinux into permissive mode, so I don't think that's an issue.

Are you running the firewall and have DNS allowed? This is a separate issue from SELinux.

> /var/named/chroot/etc/named.conf begins thus:
> ====================================
> options {
>     directory "/var/named/slaves";
>     listen-on { localhost; 127.0.0.1; 64.135.16.15; };
> };
> ====================================

Do a netstat -na|grep 53

Let's be really sure.
<snip>
> not certain if you intend it to be, but your 64.135.16.15 machine is
> not reachable from "outside". an attempt to telnet to port 53 (or 25)
> gets me "no route to host" and a traceroute ends with:
>
> 8 ge2-0.cr1.bct.fl.host.net (64.135.1.9) 34.779ms 35.102ms 35.413ms
> 9 ge6-1.er8.bct.fl.host.net (64.135.1.58) 34.934ms 34.219ms 35.044ms
> 10 sunspot.swhi.net (64.135.16.15) 34.653 ms !<10> 34.619 ms !<10> 35.739 ms !<10>
>
> so, from the outside, it appears that you have a firewall block (or
> network configuration problem).
>
> my read is that the block is at the machine, not an edge router, so
> this may be the source of your problem.
>
> try doing a telnet to port 53 on 64.135.16.15 (based on past messages i
> think that that's the correct ipnumber) from some local machine and see
> what you get. if it's listening you should get a connect message (even
> if there are access restrictions in named.conf). if you get something
> else, that should give a hint on where to look.
>
> - Rick

Hi Rick,

Telnetting on port 53 from a machine in the same /24 gives this:

[ray at wh1 ray]$ telnet 64.135.16.15 53
Trying 64.135.16.15...
telnet: connect to address 64.135.16.15: No route to host

Thanks for your input. I welcome any suggestions.

Kind regards,
~Ray
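As an added diagnostic (not posted in the thread), the script below parses `netstat -na` and `iptables -L -n` output to answer the two questions the replies converge on: is named actually bound to port 53 on 64.135.16.15, and does the host firewall accept DNS. The sample outputs are constructed; the RH-Firewall-1-INPUT chain and its trailing icmp-host-prohibited REJECT (which a client sees as "No route to host") are the CentOS 5 defaults.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): which addresses are bound on port 53
# (the "netstat -na|grep 53" check) and whether the firewall lets DNS in.
# Parsers take command output as text, so pasted output works; samples are constructed.

# Print "proto local-address:port" for every socket bound to port 53.
# TCP listeners carry LISTEN in field 6; UDP sockets have no state column.
dns_listeners() {
    printf '%s\n' "$1" | awk '$4 ~ /:53$/ && ($1 == "udp" || $6 == "LISTEN") { print $1, $4 }'
}

# True when a port 53 socket is bound to the given address, not only loopback.
listens_on() {   # $1 = netstat -na text, $2 = expected IP
    dns_listeners "$1" | grep -q " $2:53$"
}

# True when `iptables -L -n` text has an ACCEPT rule for port 53 in any chain.
# The default chain ends in "REJECT ... reject-with icmp-host-prohibited",
# which a connecting client reports as "No route to host".
firewall_allows_dns() {
    printf '%s\n' "$1" | grep -E '^ACCEPT +(udp|tcp) ' | grep -q 'dpt:53'
}

# Constructed samples: named bound on the public IP, firewall only admitting ssh.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:53        0.0.0.0:*       LISTEN
tcp        0      0 64.135.16.15:53     0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:22          0.0.0.0:*       LISTEN
udp        0      0 127.0.0.1:53        0.0.0.0:*
udp        0      0 64.135.16.15:53     0.0.0.0:*'
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Against the live host (iptables needs root): sh dnscheck.sh --live
if [ "${1:-}" = "--live" ]; then
    NETSTAT=$(netstat -na 2>/dev/null); IPT=$(iptables -L -n 2>/dev/null)
else
    NETSTAT=$SAMPLE_NETSTAT; IPT=$SAMPLE_IPTABLES
fi
echo "port 53 sockets:"; dns_listeners "$NETSTAT" | sed 's/^/  /'
listens_on "$NETSTAT" 64.135.16.15 && echo "bound on 64.135.16.15: yes" || echo "bound on 64.135.16.15: NO (check listen-on)"
firewall_allows_dns "$IPT" && echo "firewall accepts DNS: yes" || echo "firewall accepts DNS: NO (add udp and tcp dpt:53 ACCEPT rules before the REJECT)"
```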