bind and "connection timed out"



chris_h
24.10.08, 16:15
Hi,

I set up a name server that behaves strangely. I suspect an error somewhere in the config. It runs on a current Debian.

/etc/host.conf


multi on
order hosts,bind


/etc/bind/db.root


; <<>> DiG 9.3.4-P1.1 <<>> @e.root-servers.net . ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63116
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:c27::2:30

;; Query time: 174 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Fri Oct 24 15:43:14 2008
;; MSG SIZE rcvd: 500


/etc/bind/named.conf.options


options {
directory "/var/cache/bind";

// from bind 9:
// [fetch-glue] is obsolete. In BIND 8, fetch-glue yes caused the
// server to attempt to fetch glue resource records it didn't have
// when constructing the additional data section of a response.
// This is now considered a bad idea and BIND 9 never does it.

fetch-glue no;

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

// query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 0.0.0.0;
// };

auth-nxdomain no; # conform to RFC1035

# The forwarders record contains a list of servers to which queries
# should be forwarded. Enable this line and modify the IP address to
# your provider's name server. Up to three servers may be listed.

#forwarders { 192.0.2.1; 192.0.2.2; };

# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.

#forward first;

# The listen-on record contains a list of local network interfaces to
# listen on. Optionally the port can be specified. Default is to
# listen on all interfaces found on your system. The default port is
# 53.

listen-on port 53 { 127.0.0.1; };

# The listen-on-v6 record enables or disables listening on IPv6
# interfaces. Allowed values are 'any' and 'none' or a list of
# addresses.

#listen-on-v6 { any; };
listen-on-v6 { 127.0.0.1; };

# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.

#allow-query { 127.0.0.1; };

# If notify is set to yes (default), notify messages are sent to other
# name servers when the the zone data is changed. Instead of setting
# a global 'notify' statement in the 'options' section, a separate
# 'notify' can be added to each zone definition.

notify no;
};


I haven't changed anything else after the default installation.

dig amazon.de > works
dig www.amazon.de +trace > doesn't work:


; <<>> DiG 9.3.4-P1.1 <<>> www.amazon.de +trace
;; global options: printcmd
. 516630 IN NS G.ROOT-SERVERS.NET.
. 516630 IN NS I.ROOT-SERVERS.NET.
. 516630 IN NS F.ROOT-SERVERS.NET.
. 516630 IN NS C.ROOT-SERVERS.NET.
. 516630 IN NS D.ROOT-SERVERS.NET.
. 516630 IN NS K.ROOT-SERVERS.NET.
. 516630 IN NS J.ROOT-SERVERS.NET.
. 516630 IN NS B.ROOT-SERVERS.NET.
. 516630 IN NS E.ROOT-SERVERS.NET.
. 516630 IN NS A.ROOT-SERVERS.NET.
. 516630 IN NS L.ROOT-SERVERS.NET.
. 516630 IN NS M.ROOT-SERVERS.NET.
. 516630 IN NS H.ROOT-SERVERS.NET.
;; Received 492 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

de. 172800 IN NS L.DE.NET.
de. 172800 IN NS S.DE.NET.
de. 172800 IN NS F.NIC.de.
de. 172800 IN NS A.NIC.de.
de. 172800 IN NS C.DE.NET.
de. 172800 IN NS Z.NIC.de.
;; Received 289 bytes from 192.112.36.4#53(G.ROOT-SERVERS.NET) in 144 ms

amazon.de. 86400 IN NS udns1.ultradns.net.
amazon.de. 86400 IN NS udns2.ultradns.net.
;; Received 83 bytes from 89.213.253.189#53(L.DE.NET) in 34 ms

www.amazon.de. 7200 IN NS ns-932.amazon.com.
www.amazon.de. 7200 IN NS ns-931.amazon.com.
www.amazon.de. 7200 IN NS ns-923.amazon.com.
www.amazon.de. 7200 IN NS ns-921.amazon.com.
www.amazon.de. 7200 IN NS ns-912.amazon.com.
www.amazon.de. 7200 IN NS ns-911.amazon.com.
;; Received 167 bytes from 204.69.234.1#53(udns1.ultradns.net) in 100 ms

dig: couldn't get address for 'ns-932.amazon.com': failure


Why doesn't the DNS server query Amazon's name servers?

Thanks,
Chris
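As an added example (not part of the post), a small Python parser for the dig +trace output above: it splits the trace into referral hops, records which server each referral came from, and reports the name dig gave up on together with whether that name lies inside the zone it was delegated for. If it does not, the referral cannot carry glue for it, so the address has to be resolved separately before the last step can be queried, and that separate lookup is where this trace ended. The sample trace is a constructed, shortened copy of the posted one.

```python
import re
from collections import namedtuple

# Constructed sample: the posted dig +trace output, shortened to a few NS records per hop.
SAMPLE_TRACE = """\
. 516630 IN NS G.ROOT-SERVERS.NET.
;; Received 492 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms
de. 172800 IN NS L.DE.NET.
de. 172800 IN NS A.NIC.de.
;; Received 289 bytes from 192.112.36.4#53(G.ROOT-SERVERS.NET) in 144 ms
amazon.de. 86400 IN NS udns1.ultradns.net.
;; Received 83 bytes from 89.213.253.189#53(L.DE.NET) in 34 ms
www.amazon.de. 7200 IN NS ns-932.amazon.com.
www.amazon.de. 7200 IN NS ns-931.amazon.com.
;; Received 167 bytes from 204.69.234.1#53(udns1.ultradns.net) in 100 ms
dig: couldn't get address for 'ns-932.amazon.com': failure
"""

# zone: owner of the NS records ("." for the root); nameservers: NS targets
# without trailing dot; server: "ip#port(name)" the referral was received from.
Hop = namedtuple("Hop", "zone nameservers server")

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+)")
FAIL_RE = re.compile(r"^dig: couldn't get address for '([^']+)'")

def parse_trace(text):
    """Split dig +trace output into referral hops plus the name dig gave up on."""
    hops, pending, failed = [], [], None
    for line in text.splitlines():
        if m := RR_RE.match(line):
            pending.append((m.group(1).rstrip(".") or ".", m.group(2).rstrip(".")))
        elif m := RECV_RE.match(line):
            # The ";; Received" line closes one referral step.
            hops.append(Hop(pending[0][0], [ns for _, ns in pending], m.group(1)))
            pending = []
        elif m := FAIL_RE.match(line):
            failed = m.group(1).rstrip(".")
    return hops, failed

def diagnose(text):
    """Report which referral the trace broke on and whether glue could have covered it."""
    hops, failed = parse_trace(text)
    if failed is None:
        return {"status": "complete", "hops": len(hops)}
    hop = next(h for h in hops if failed in h.nameservers)
    # An NS name outside the delegated zone cannot be covered by glue in the
    # referral, so dig has to resolve it on its own before asking that server.
    in_zone = hop.zone == "." or failed.endswith("." + hop.zone)
    return {"status": "broken", "zone": hop.zone, "referred_by": hop.server,
            "nameserver": failed, "glue_possible": in_zone}
```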

chris_h
24.10.08, 16:43
query-source port 53;

in named.conf.options unfortunately brought no success.

chris_h
27.10.08, 11:03
I've just learned that the local firewall blocks various direct DNS queries.