DNS question

DNS question

[Reed Wiedower]

I'm having some trouble with DNS queries making it through the filters...if
I allow connections out to use udp port 53, that should allow clients inside
the firewall to query external dns servers for information, correct? Do I
need to open any other ports? (Of course, I have "related, established"
open, so I assume the DNS server response will work properly). Am I missing
somthing?

end of line,

Reed


reed wiedower
reed.wiedower@peyser.com
peyser.com
202.638.3730x115

Re: DNS question

[Maciej Soltysiak]

> I'm having some trouble with DNS queries making it through the filters...if
> I allow connections out to use udp port 53, that should allow clients inside
> the firewall to query external dns servers for information, correct? Do I
> need to open any other ports? (Of course, I have "related, established"
> open, so I assume the DNS server response will work properly). Am I missing
> somthing?
If a dns query via udp fails (or it has over 512 bytes, and the Trunacated
bit set), the resolver is obligated to commit the query via tcp.

In order to have dns queries working with external DNS servers, the
clients must be able to send tcp and udp with dport 53 to the servers,
and the replies must get back, e.g. using the state mechanism.

If you have a DNS server in your network and want to allow dns queries to
your server you need to allow both tcp and udp with dport 53 to your DNS.

Also, TCP is used for zone transfers.

If you fail to solve your problem, try tcpdumping the traffic on the
firewall, you will know what is being send, what is being block.

Regards,
Maciej Soltysiak

DNS question

[John Black]

I'm trying to setup DNS for domain.  Is there a mailing list or some really good
documentation online on setting up DNS with only one static ip address?


thanks
John



http://www.arbbs.net/

Re: DNS question

[Antony Stone]

On Monday 01 March 2004 7:46 pm, John Black wrote:

> I'm trying to setup DNS for domain.  Is there a mailing list or some really
> good documentation online on setting up DNS with only one static ip
> address?

What is special about having only one IP address?

Obviously if you have only one server you don't get any resiliency / 
redundancy, but presumably you either don't mind, or else you're getting 
someone else to act as secondary for you?

Maybe it's me, but I'm not sure I understand your problem.

Regards,

Antony.

-- 
"Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS
Blaster].   However, these products are no longer supported.   Users of these
products are strongly encouraged to upgrade to later versions."

(which *are* affected by MS Blaster...)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

                                                     Please reply to the list;
                                                           please don't CC me.

RE: DNS question

[Daniel Chemko]

John Black wrote:
> I'm trying to setup DNS for domain.  Is there a mailing list or some
> really good documentation online on setting up DNS with only one
> static ip address?  

Try www.isc.org if you use bind. That's all I needed to set up a quite
complex DNS setup from 0 knowledge. I guess the Oreilly book helped as
well.

Re: DNS question

[John Black]

> What is special about having only one IP address?
i have a private subnet at work with only one static ip address.  which they
are authoritative over the subnet.


> Obviously if you have only one server you don't get any resiliency /
> redundancy, but presumably you either don't mind, or else you're getting
> someone else to act as secondary for you?
I have an internal mail, ftp, and web server that I want to grant access to,
from the outside world.


the problem is I'm trying to setup a nonauthoritative dns server.  And I
have never setup a dns server before


thanks for everyone's help

john

dns question

[Peter Marshall]

I am sure this is a stupid question ...but I will ask anyway.  Should I be
allowing my dns server (in my dmz) connect to root servers ?   At the moment
it is being bloced, and the only thing it can connect to is my ISP's DNS
server.  Basically, my dns server serves requests for servers in my dmz for
my internal users.  If it can't find the hit, it passs the request on to my
ISP's ... I am trying to clean up my firewall logs, and noticed that the DNS
server is always trying to query root servers.  I was just not sure if this
should be allowed.  If it is not, (and I suspect there is no need to) Is
there a way to make my DNS server stop quering the root servers ?

PS  DNS is a rh9 box running bind.


Thanks,
Peter

Re: dns question

[Jason Opperisano]

On Thu, 2004-11-18 at 07:32, Peter Marshall wrote:
> I am sure this is a stupid question ...but I will ask anyway.  Should I be
> allowing my dns server (in my dmz) connect to root servers ?   At the moment
> it is being bloced, and the only thing it can connect to is my ISP's DNS
> server.  Basically, my dns server serves requests for servers in my dmz for
> my internal users.  If it can't find the hit, it passs the request on to my
> ISP's ... I am trying to clean up my firewall logs, and noticed that the DNS
> server is always trying to query root servers.  I was just not sure if this
> should be allowed.  If it is not, (and I suspect there is no need to) Is
> there a way to make my DNS server stop quering the root servers ?
> 
> PS  DNS is a rh9 box running bind.

if your bind configuration specifies:

        forwarders {
                x.x.x.x;
                x.x.x.x;
                // 24.25.4.107;
                // 24.25.4.108;
                4.2.2.2;
                4.2.2.1;
                4.2.2.3;
        };
--
"My cat's breath smells like cat food."
	--The Simpsons

Re: dns question

[a.ledvinka]

and see also "forward only;" and "forward first;"

> if your bind configuration specifies:
> 
>         forwarders {
>                 x.x.x.x;
>                 x.x.x.x;
>                 // 24.25.4.107;
>                 // 24.25.4.108;
>                 4.2.2.2;
>                 4.2.2.1;
>                 4.2.2.3;
>         };

Re: dns question

[Jason Opperisano]

On Thu, 2004-11-18 at 07:32, Peter Marshall wrote:
> I am sure this is a stupid question ...but I will ask anyway.  Should I be
> allowing my dns server (in my dmz) connect to root servers ?   At the moment
> it is being bloced, and the only thing it can connect to is my ISP's DNS
> server.  Basically, my dns server serves requests for servers in my dmz for
> my internal users.  If it can't find the hit, it passs the request on to my
> ISP's ... I am trying to clean up my firewall logs, and noticed that the DNS
> server is always trying to query root servers.  I was just not sure if this
> should be allowed.  If it is not, (and I suspect there is no need to) Is
> there a way to make my DNS server stop quering the root servers ?
> 
> PS  DNS is a rh9 box running bind.

oops...apparently CTRL+ENTER sends a message in evolution before you're
done typing--sorry about that last message...

if you're specifying:

        forwarders {
                x.x.x.x;
                x.x.x.x;
        };
        forward only;

then your DNS server should not be falling back to the root servers if
your ISP's servers don't have the answer.  the drawback is--if your
ISP's servers don't have the answer--your clients will get a negative
response, which usually isn't what you want.

i normally specify:

        forwarders {
                x.x.x.x;
                x.x.x.x;
        };
        forward first;

and in that case--you need to allow the DNS server out to any IP on port
53, not just to the root servers (the root servers do not provide
recursion).

-j

--
"Dear Baby, Welcome to Dumpsville. Population: You"
	--The Simpsons

Re: dns question

[Peter Marshall]

No .. but I do have the following at the end of my named.conf file .... the
db.cache file has all of the root servers.   I just was not sure if it would
cause problems just removing that section as it was in all of the examples I
read.

zone "." {
       type hint;
       file "/etc/named/db.cache";
       };


----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: "Peter Marshall" <peter.marshall@caris.com>
Cc: "netfilter" <netfilter@lists.netfilter.org>
Sent: Thursday, November 18, 2004 9:44 AM
Subject: Re: dns question


On Thu, 2004-11-18 at 07:32, Peter Marshall wrote:
> I am sure this is a stupid question ...but I will ask anyway.  Should I be
> allowing my dns server (in my dmz) connect to root servers ?   At the
moment
> it is being bloced, and the only thing it can connect to is my ISP's DNS
> server.  Basically, my dns server serves requests for servers in my dmz
for
> my internal users.  If it can't find the hit, it passs the request on to
my
> ISP's ... I am trying to clean up my firewall logs, and noticed that the
DNS
> server is always trying to query root servers.  I was just not sure if
this
> should be allowed.  If it is not, (and I suspect there is no need to) Is
> there a way to make my DNS server stop quering the root servers ?
>
> PS  DNS is a rh9 box running bind.

if your bind configuration specifies:

        forwarders {
                x.x.x.x;
                x.x.x.x;
                // 24.25.4.107;
                // 24.25.4.108;
                4.2.2.2;
                4.2.2.1;
                4.2.2.3;
        };
--
"My cat's breath smells like cat food."
--The Simpsons

DNS question

[Chuck Campbell]

I've managed to completely confuse myself.

I have a domain registered at a registrar and hosted at a provider.

The provider has given me primary and secondary DNS names and ip addresses.

I have entered those at the registrar's site. All whois queries work and 
email is configured and working properly.  I can find the web site from
anyone's browser.

I now have a new company which has built commercial web pages for me, and I 
need to make them active.  This company says I need to change my DNS addresses
with my registrar to make this work.  Is this correct?  They will then take
over hosting the domain (become my NEW provider)?

They do NOT do any email, so if I make the DNS server changes at my registrar, 
will my email break?

If not, then I'm not sure I understand how any of this works.

I thought that my provider (ISP) puts up A and MX DNS records which allow
resolution of my web pages and my email addresses.  If I switch to a new 
provider that claims to not do email, who will make my email work?

thanks,
-chuck

Re: DNS question

[Jens Knoell]

Hi Chuck,

On Tuesday 10 May 2005 09:01, Chuck Campbell <CC> wrote:
> I've managed to completely confuse myself.
>
> I have a domain registered at a registrar and hosted at a provider.
>
> The provider has given me primary and secondary DNS names and ip addresses.
>
> I have entered those at the registrar's site. All whois queries work and
> email is configured and working properly.  I can find the web site from
> anyone's browser.
>
> I now have a new company which has built commercial web pages for me, and I
> need to make them active.  This company says I need to change my DNS
> addresses with my registrar to make this work.  Is this correct?  They will
> then take over hosting the domain (become my NEW provider)?
>
> They do NOT do any email, so if I make the DNS server changes at my
> registrar, will my email break?
>
> If not, then I'm not sure I understand how any of this works.
>
> I thought that my provider (ISP) puts up A and MX DNS records which allow
> resolution of my web pages and my email addresses.  If I switch to a new
> provider that claims to not do email, who will make my email work?

That provider is probably giving you a load of BS. I've seen providers who 
actually "need" the DNS resolvers on their servers, but in each case it's 
just a matter of total utter BS on their side. The only thing you need to do 
is point the www entry to the providers webserver.

Alternatively if you'd rather play along and transfer the domains nameservice 
to them, you can still add an MX entry pointing elsewhere if they don't 
provide email services.

J

Re: DNS question

[Nick Mitchell]

All you need to do is have the company that hosts your DNS currently
setup an A record to point www.yourname.com to the webhosting companys
servers. Leave your MX records alone so you don't have an interruption
in email.

Nick


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nick Mitchell <nick@niteconline.com>
Network Security Specialist
Nitec Security
Voice - 302.542.7992
The invention of IQ does a great disservice to creativity in education.
- Joel Hildebrand
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re: DNS question

[Chuck Campbell]

On Tue, May 10, 2005 at 09:14:50AM -0600, Jens Knoell wrote:
> Hi Chuck,
> 
> On Tuesday 10 May 2005 09:01, Chuck Campbell <CC> wrote:
> > I've managed to completely confuse myself.
> >
> > I have a domain registered at a registrar and hosted at a provider.
> >
> > The provider has given me primary and secondary DNS names and ip addresses.
> >
> > I have entered those at the registrar's site. All whois queries work and
> > email is configured and working properly.  I can find the web site from
> > anyone's browser.
> >
> > I now have a new company which has built commercial web pages for me, and I
> > need to make them active.  This company says I need to change my DNS
> > addresses with my registrar to make this work.  Is this correct?  They will
> > then take over hosting the domain (become my NEW provider)?
> >
> > They do NOT do any email, so if I make the DNS server changes at my
> > registrar, will my email break?
> >
> > If not, then I'm not sure I understand how any of this works.
> >
> > I thought that my provider (ISP) puts up A and MX DNS records which allow
> > resolution of my web pages and my email addresses.  If I switch to a new
> > provider that claims to not do email, who will make my email work?
> 
> That provider is probably giving you a load of BS. I've seen providers who 
> actually "need" the DNS resolvers on their servers, but in each case it's 
> just a matter of total utter BS on their side. The only thing you need to do 
> is point the www entry to the providers webserver.

Who (in my current situation) needs to point the www entry?  I assume you mean
my current provider needs to change something to point web resolution to 
a different address?  What (so I can speak intelligently with them) needs to be
changed?

> Alternatively if you'd rather play along and transfer the domains nameservice 
> to them, you can still add an MX entry pointing elsewhere if they don't 
> provide email services.

I can't add an MX for email, the (new) provider would have to do that, 
correct?

Are there some tools which let me see what A and MX records exist now, and 
where they actually are living?

thanks,
-chuck


-- 
ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671 ph.
 2401 Fountain View |   and Integrated Interpretation   |  (713)993-0608 fax
     Suite 320      |            Since 1992             |  (713)306-5794 cell
 Houston, TX, 77057 |          Chuck Campbell           | campbell@accelinc.com
                    |  President & Senior Geoscientist  |

     "Integration means more than having all the maps at the same scale!"

Re: DNS question

[Richard Nairn]

The only changes that you need to make is to add a record for the www name  
which points to the company hosting your website. I think the terminolgy  
may be a little bit confusing. From the sounds of things he isn't hosting  
all of your services. So you would keep all of your other records (MX and  
such) pointing at your current service providers.


On Tue, 10 May 2005 09:01:59 -0600, Chuck Campbell <campbell@accelinc.com>  
wrote:

> I've managed to completely confuse myself.
>
> I have a domain registered at a registrar and hosted at a provider.
>
> The provider has given me primary and secondary DNS names and ip  
> addresses.
>
> I have entered those at the registrar's site. All whois queries work and
> email is configured and working properly.  I can find the web site from
> anyone's browser.
>
> I now have a new company which has built commercial web pages for me,  
> and I
> need to make them active.  This company says I need to change my DNS  
> addresses
> with my registrar to make this work.  Is this correct?  They will then  
> take
> over hosting the domain (become my NEW provider)?
>
> They do NOT do any email, so if I make the DNS server changes at my  
> registrar,
> will my email break?
>
> If not, then I'm not sure I understand how any of this works.
>
> I thought that my provider (ISP) puts up A and MX DNS records which allow
> resolution of my web pages and my email addresses.  If I switch to a new
> provider that claims to not do email, who will make my email work?
>
> thanks,
> -chuck
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
  |       Richard Nairn          Specializing in Linux
  |     Nairn Consulting         Web / Database Solutions
  |        Calgary, AB
  | Richard@NairnConsulting.ca

Re: DNS question

[Chuck Campbell]

On Tue, May 10, 2005 at 11:20:02AM -0400, Nick Mitchell wrote:
> All you need to do is have the company that hosts your DNS currently
> setup an A record to point www.yourname.com to the webhosting companys
> servers. Leave your MX records alone so you don't have an interruption
> in email.

Thanks, I think this is the info I was looking for.

I call my existing provider and request they change the current A record
to point to a different IP address (or is it at a different server name?)

This would allow my web pages to resolve to the new location, right?

-chuck

Re: DNS question

[Jens Knoell]

On Tuesday 10 May 2005 09:23, Chuck Campbell <CC> wrote:
> On Tue, May 10, 2005 at 09:14:50AM -0600, Jens Knoell wrote:
> > Hi Chuck,
> >
> > On Tuesday 10 May 2005 09:01, Chuck Campbell <CC> wrote:
> > > I've managed to completely confuse myself.
> > >
> > > I have a domain registered at a registrar and hosted at a provider.
> > >
> > > The provider has given me primary and secondary DNS names and ip
> > > addresses.
> > >
> > > I have entered those at the registrar's site. All whois queries work
> > > and email is configured and working properly.  I can find the web site
> > > from anyone's browser.
> > >
> > > I now have a new company which has built commercial web pages for me,
> > > and I need to make them active.  This company says I need to change my
> > > DNS addresses with my registrar to make this work.  Is this correct? 
> > > They will then take over hosting the domain (become my NEW provider)?
> > >
> > > They do NOT do any email, so if I make the DNS server changes at my
> > > registrar, will my email break?
> > >
> > > If not, then I'm not sure I understand how any of this works.
> > >
> > > I thought that my provider (ISP) puts up A and MX DNS records which
> > > allow resolution of my web pages and my email addresses.  If I switch
> > > to a new provider that claims to not do email, who will make my email
> > > work?
> >
> > That provider is probably giving you a load of BS. I've seen providers
> > who actually "need" the DNS resolvers on their servers, but in each case
> > it's just a matter of total utter BS on their side. The only thing you
> > need to do is point the www entry to the providers webserver.
>
> Who (in my current situation) needs to point the www entry?  I assume you
> mean my current provider needs to change something to point web resolution
> to a different address?  What (so I can speak intelligently with them)
> needs to be changed?
>
> > Alternatively if you'd rather play along and transfer the domains
> > nameservice to them, you can still add an MX entry pointing elsewhere if
> > they don't provide email services.
>
> I can't add an MX for email, the (new) provider would have to do that,
> correct?
>
> Are there some tools which let me see what A and MX records exist now, and
> where they actually are living?

Depends on the DNS setup. You can look up individual records with dig (like 
in: dig yahoo.com NS) or you can use the regular "host" command like so:

host -t NS yahoo.com
host -t MX yahoo.com
or plain:
host yahoo.com

in rare cases you can also grab the whole DNS table by using:
dig @ns.yahoo.com yahoo.com AXFR
where you put in any of the nameservers which are authoritative for the 
yahoo.com domain. Most DNS servers have this disabled though.

Hope this helps
J

Re: DNS question

[Jens Knoell]

Forgot...

On Tuesday 10 May 2005 09:23, Chuck Campbell <CC> wrote:
> On Tue, May 10, 2005 at 09:14:50AM -0600, Jens Knoell wrote:
> > That provider is probably giving you a load of BS. I've seen providers
> > who actually "need" the DNS resolvers on their servers, but in each case
> > it's just a matter of total utter BS on their side. The only thing you
> > need to do is point the www entry to the providers webserver.
>
> Who (in my current situation) needs to point the www entry?  I assume you
> mean my current provider needs to change something to point web resolution
> to a different address?  What (so I can speak intelligently with them)
> needs to be changed?

In the current situation, you would have to. Either with a CNAME entry, or 
with an A entry.

> > Alternatively if you'd rather play along and transfer the domains
> > nameservice to them, you can still add an MX entry pointing elsewhere if
> > they don't provide email services.
>
> I can't add an MX for email, the (new) provider would have to do that,
> correct?

If you have the authority to make DNS changes to your domain, you could do 
that.

J

Re: DNS question

[Nick Mitchell]

You need to call your web-hosting company and ask them what the ip
address of the server your site is hosted on and then have the A record
pointed to that.

Nick

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nick Mitchell <nick@niteconline.com>
Network Security Specialist
Nitec Security
Voice - 302.542.7992
The invention of IQ does a great disservice to creativity in education.
- Joel Hildebrand
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re: DNS question

[David Ziggy Lubowa]

> Are there some tools which let me see what A and MX records exist now, and
> where they actually are living?

 www.dnsreport.com  can help you out with this .....
>
> thanks,
> -chuck

Re: DNS question

[Glynn Clements]

Chuck Campbell wrote:

> I've managed to completely confuse myself.
> 
> I have a domain registered at a registrar and hosted at a provider.
> 
> The provider has given me primary and secondary DNS names and ip addresses.
> 
> I have entered those at the registrar's site. All whois queries work and 
> email is configured and working properly.  I can find the web site from
> anyone's browser.
> 
> I now have a new company which has built commercial web pages for me, and I 
> need to make them active.  This company says I need to change my DNS addresses
> with my registrar to make this work.  Is this correct?

No. Your DNS provider needs to change the addresses of the A records.
That's all.

> They will then take over hosting the domain (become my NEW provider)?
> 
> They do NOT do any email, so if I make the DNS server changes at my registrar, 
> will my email break?
> 
> If not, then I'm not sure I understand how any of this works.
> 
> I thought that my provider (ISP) puts up A and MX DNS records which allow
> resolution of my web pages and my email addresses.  If I switch to a new 
> provider that claims to not do email, who will make my email work?

The registrar ensures that the DNS servers for the parent domain (e.g. 
com) have NS records for your domain (e.g. yourdomain.com) which point
at your provider's DNS servers.

You need to ask your provider to make the A records for yourdomain.com
and/or www.yourdomain.com point at the web-hosting company's web
server(s). Leave the MX records for yourdomain.com pointing to the
existing mail (SMTP) server(s).

The company which provides web hosting doesn't need to host your DNS;
they just need to have the appropriate A records pointed at their
server.

-- 
Glynn Clements <glynn@gclements.plus.com>