Shane Bywater
2012-Feb-01  08:14 UTC
[CentOS] Yes another "I can't open port 53 for Bind DNS"
Hi,
It's just past 3am and for the past 6 hours I've been configuring a secondary name server to replace one that just crashed. My problem appears to be that port 53 is not open for some reason on my server even though I have this:
[root at tribe etc]# netstat -an | grep ":53 "
tcp        0      0 205.211.154.3:53            0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
udp        0      0 205.211.154.3:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
udp        0      0 205.211.154.3:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
udp        0      0 205.211.154.3:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
udp        0      0 205.211.154.3:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
udp        0      0 205.211.154.3:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
udp        0      0 205.211.154.3:53            0.0.0.0:*
udp        0      0 127.0.0.1:53                0.0.0.0:*
But with a test from http://www.yougetsignal.com/tools/open-ports/ it says port 53 is closed.
I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
I'm not using iptables (well I didn't configure any)
[root at tribe log]# iptables --line-numbers -n -L
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Currently this server is not behind any type of firewall.
Can someone suggest something I have forgotten?
TIA,
Shane
Shane Bywater wrote:
> Hi,
> It's just past 3am and for the past 6 hours I've been
> configuring a secondary name server to replace one that just crashed.
> My problem appears to be that port 53 is not open for some reason on my
> server even though I have this:
>
> [root at tribe etc]# netstat -an | grep ":53 "
> tcp        0      0 205.211.154.3:53            0.0.0.0:*                   LISTEN
> tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
> udp        0      0 205.211.154.3:53            0.0.0.0:*
> {snip}
>
> But with a test from
> http://www.yougetsignal.com/tools/open-ports/
> it says port 53 is closed.
>
> I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
>
> I'm not using iptables (well I didn't configure any)
> {snip}
> 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> {snip}
> Can someone suggest something I have forgotten?
>
> TIA,
> Shane

I think iptables rule 5 is stopping DNS. I can 'see' your ICMP (ping) and SSH are open from here. I've not used CentOS 6 in production yet but try entering:

iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

hopefully that will fix it, YMMV

Ken
Gordon Messmer
2012-Feb-02  03:31 UTC
[CentOS] Yes another "I can't open port 53 for Bind DNS"
On 02/01/2012 12:14 AM, Shane Bywater wrote:
> I'm not using iptables (well I didn't configure any)
>
> [root at tribe log]# iptables --line-numbers -n -L
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

You should figure out who/what did, then. Those rules don't look like they were created by Red Hat's tools (where you'd see RH-Firewall...), and won't be present by default. Something created rules and the rules don't allow access to TCP or UDP 53 (you need both). For now, just flush the rules:

iptables -F INPUT
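Both replies make the same diagnosis: the INPUT chain is walked top to bottom, nothing before rule 5 accepts port 53, and rule 5 rejects everything else. The script below is an added example, not code from the thread; it performs that same walk over an `iptables --line-numbers -n -L INPUT` listing so the deciding rule can be identified before anything is flushed. The sample chain is constructed to mirror the one in the original post, and the names dns_verdict and SAMPLE_CHAIN are chosen here.

```shell
#!/bin/sh
# Added example: walk an INPUT chain listing top to bottom, as the kernel
# does, and report which rule decides a NEW tcp/udp packet to dport 53.
# SAMPLE_CHAIN is constructed to mirror the chain from the post
# (iptables --line-numbers -n -L INPUT, with the wrapped lines joined).
SAMPLE_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# dns_verdict PROTO LISTING -> prints "accept N", "reject N" or "policy P"
dns_verdict() {
    printf '%s\n' "$2" | awk -v proto="$1" '
        $1 == "Chain" { policy = $4; sub(/\)/, "", policy); next }   # chain policy
        $1 !~ /^[0-9]+$/ { next }                                    # column header
        # An explicit ACCEPT of our protocol on dport 53 wins if reached first.
        $2 == "ACCEPT" && $3 == proto && / dpt:53( |$)/ { print "accept " $1; done = 1; exit }
        # Rules matching another port or a conntrack state cannot decide a
        # NEW dport-53 packet (RELATED,ESTABLISHED is rule 1 in the post).
        /dpt:|spt:|state/ { next }
        # A rule whose protocol is neither ours nor "all" is irrelevant.
        $3 != proto && $3 != "all" { next }
        # ACCEPT all with no visible match usually hides an interface match
        # (-i lo) that plain -L does not print: note it rather than trust it.
        $2 == "ACCEPT" { hidden = hidden " " $1; next }
        # The first catch-all REJECT/DROP the packet reaches decides its fate.
        $2 == "REJECT" || $2 == "DROP" { print "reject " $1; done = 1; exit }
        END {
            if (!done) print "policy " policy
            if (hidden != "") print "note: ACCEPT-all rule(s)" hidden " show no match; re-run with -v" > "/dev/stderr"
        }'
}

# Stand-alone run: check both transports, since DNS needs tcp and udp 53.
for proto in tcp udp; do
    case $(dns_verdict "$proto" "$SAMPLE_CHAIN") in
        accept*)         echo "$proto/53: reachable" ;;
        "policy ACCEPT") echo "$proto/53: reachable (chain policy)" ;;
        *)               echo "$proto/53: BLOCKED, insert an ACCEPT before the REJECT rule" ;;
    esac
done
```

On the sample chain both transports report BLOCKED by rule 5, which is why inserting the ACCEPT rules at position 4 (or flushing the chain) restores service.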