Cannot open port 53 / status 'refused'

Sygmoral (Verified User, joined Aug 15, 2012, 63 messages)
Hello,

I'm on CentOS 7. Years ago, I had disabled named because I did not need it. I made sure the service did not start anymore, and closed the ports using csf; maybe elsewhere too. I used something similar to this guide, although that one did not exist yet.

Now, I do need named.

I was able to make the service run again: it works when I try locally inside the server (dig @127.0.0.1 mydomain.com), and I reopened port 53 in csf on TCP and UDP (both ipv4 and ipv6), but I still cannot reach my server from outside. Even when I temporarily disable csf completely, I cannot reach it (using nslookup on Windows 10, or even dig @my_server_ip mydomain.com from inside the server). connection timed out; no servers could be reached, it says. When I try with https://portchecker.co/check, indeed, port 53 is closed, even with csf turned off.

Where else might my requests be blocked?
 
Okay, I had to add my server's ip on named.conf under listen-on port 53... That makes at least dig @my_server_ip mydomain.com work from inside the server, and portchecker.co reports the port is open. Although I still cannot access it for now from my own machine... continuing to.. dig...
 
Although I still cannot access it for now from my own machine... continuing to.. dig...
You must not add anything to the listen ip, because that will limit the connection options for named.

Use this default named.conf of DA and things should start to work for you.
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        //allow-query     { localhost; };
        allow-recursion { localnets; };
        allow-transfer {"none";};
        empty-zones-enable no;

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        //recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

You can just copy and paste if you want. Don't forget to restart named afterwards.
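The two lines this thread turns on are both in that options block: a listen-on restricted to loopback (external queries time out even with the firewall open) and the recursion ACL that the file's own comment warns about. The following is an added example, not code from this thread, from DirectAdmin or from BIND: a small linter that reads only the options {} block of a named.conf and flags those two conditions plus an open zone transfer. Both sample configs are constructed; the first mirrors the defaults posted above, the second is the combination of mistakes being discussed.

```python
"""Added example (not from the thread, DirectAdmin or BIND): lint the options {}
block of a named.conf for loopback-only listeners, open recursion and open AXFR."""
import re

# Constructed sample mirroring the defaults posted in the thread (comments shortened).
THREAD_DEFAULT = """
options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-recursion { localnets; };
        allow-transfer {"none";};
        /* authoritative servers: do NOT enable recursion */
        //recursion yes;
        dnssec-validation yes;
};
"""

# Constructed sample of the mistakes discussed; nobody on the thread posted this.
OPEN_RESOLVER = """
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        recursion yes;
        allow-recursion { any; };
        allow-transfer { any; };
};
zone "example.test" { type master; file "example.test.db"; };
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text):
    """Return the raw body of options { ... }, honouring nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]


def statements(body):
    """Split a block body on top-level semicolons only (not the ones inside { })."""
    out, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            s = "".join(cur).strip()
            if s:
                out.append(s)
            cur = []
        else:
            cur.append(ch)
    return out


def address_list(value):
    """'port 53 { 127.0.0.1; ::1; }' -> ['127.0.0.1', '::1']; bare values pass through."""
    m = re.search(r"\{(.*)\}", value, flags=re.S)
    if not m:
        return [value.strip().strip('"')]
    return [a.strip().strip('"') for a in m.group(1).split(";") if a.strip()]


def parse_options(conf):
    """Map each directive in options {} to its value list (last occurrence wins)."""
    opts = {}
    for stmt in statements(options_block(strip_comments(conf))):
        parts = stmt.split(None, 1)
        opts[parts[0]] = address_list(parts[1] if len(parts) > 1 else "")
    return opts


def lint(conf):
    """Return (severity, message) findings for one named.conf."""
    o, findings = parse_options(conf), []
    for directive in ("listen-on", "listen-on-v6"):
        addrs = o.get(directive)
        if addrs is not None and set(addrs) <= LOOPBACK:
            findings.append(("error", f"{directive} {{ {'; '.join(addrs)}; }} binds named to loopback "
                             "only: queries from outside time out even with the firewall open"))
    if o.get("recursion", ["yes"])[0] == "yes":          # BIND defaults to yes when unset
        acl = o.get("allow-recursion") or o.get("allow-query-cache") or ["localnets", "localhost"]
        if "any" in acl:
            findings.append(("error", "recursion yes with allow-recursion { any; }: open resolver, "
                             "usable for DNS amplification against third parties"))
        else:
            how = "explicit" if "recursion" in o else "default"
            findings.append(("info", f"recursion enabled ({how}) for {{ {'; '.join(acl)}; }} only"))
    xfer = o.get("allow-transfer")
    if xfer is None:
        findings.append(("warn", "allow-transfer not set; set it explicitly (older BIND 9 defaults to any)"))
    elif "any" in xfer:
        findings.append(("warn", "allow-transfer { any; }: anyone can pull the full zone (AXFR)"))
    return findings


if __name__ == "__main__":
    import sys
    targets = [(p, open(p).read()) for p in sys.argv[1:]] or \
              [("thread default", THREAD_DEFAULT), ("open resolver", OPEN_RESOLVER)]
    for label, conf in targets:
        print(f"== {label}")
        for severity, msg in lint(conf):
            print(f"  [{severity}] {msg}")
```

Run it with a path (python3 lint_named.py /etc/named.conf) to check the live file; with no arguments it runs over the two samples. It reads only the options {} block, so a listen-on that lives in an included file is not seen, and named-checkconf is no substitute: that tool checks syntax only and accepts both samples. The other half of the check on a live box is ss -ltunp | grep ':53' : a local address of 127.0.0.1 there is the same loopback-only problem, whatever the file says.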
 
You must not add anything to the listen ip, because that will limit the connection options for named.

Thank you for your reply!
I can now get a response from anywhere. Unfortunately, it does not yet yield the result I'm hoping for.

It returns a status of REFUSED as well as "WARNING: recursion requested but not available", despite "recursion no" in my named.conf. This is regardless of whether I try it from outside or from localhost. (I thought it worked locally before, but I may have seen it wrong ...)

What I am trying to do:
This is a single-server setup on CentOS 7 (at Tilaa), which we only use for our own domains. I normally use an external DNS server for them, but now I want to generate wildcard SSL certificates for one of them using LetsEncrypt, and so I need to host the DNS for that domain myself. That is the only thing I need this named for.

Digging around a bit more, I notice that in DirectAdmin via Admin > Server Manager > DNS Administration, the list there is empty. This is despite 10+ domains with DNS records, according to the User access level.

Which configuration may be missing?
 
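The REFUSED status and the "recursion requested but not available" warning are two separate things in the DNS header that dig reports together: the warning only means the query had RD (recursion desired) set and the reply came back without RA (recursion available), which an authoritative-only server does on every answer, while REFUSED is the actual failure. The following added example (not code from the thread, DirectAdmin or BIND) builds the query dig would send, constructs both kinds of reply a server can give, and decodes the header the way dig's ";; flags:" line does. The domain name and query ID are placeholders, and the name decoder covers the question section only (no compression pointers).

```python
"""Added example (not from the thread, DirectAdmin or BIND): build a DNS query,
construct two kinds of reply and decode the header bits dig summarises."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """'mydomain.com' -> b'\\x08mydomain\\x03com\\x00' (wire-format labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qid=0x1234, rd=True):
    """Header + one question (type A, class IN), like 'dig @host name' sends; RD set by default."""
    flags = 0x0100 if rd else 0
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, rcode, aa=False, ra=False):
    """Constructed server reply: echo the question, set QR, copy RD, add AA/RA/RCODE as asked."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]


def decode_name(buf, off):
    """Read an uncompressed name starting at off; returns (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def parse_message(buf):
    """Decode the 12-byte header and the question name into dig-like fields."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    qname, _ = decode_name(buf, 12)
    bits = {"qr": flags >> 15 & 1, "aa": flags >> 10 & 1, "tc": flags >> 9 & 1,
            "rd": flags >> 8 & 1, "ra": flags >> 7 & 1}
    return {"id": qid, "qname": qname, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": " ".join(k for k, v in bits.items() if v),
            "question": qd, "answer": an, "authority": ns, "additional": ar}


def explain(msg):
    """Reproduce dig's reading of the header so the RA warning and REFUSED can be told apart."""
    notes, flags = [], msg["flags"].split()
    if "rd" in flags and "ra" not in flags:
        notes.append("WARNING: recursion requested but not available "
                     "(RD set in the query, RA clear in the reply: this server will not recurse for you; "
                     "harmless when it is answering for its own zone)")
    if msg["status"] == "REFUSED":
        notes.append("REFUSED: policy refusal. Typically the name is not in a zone served here and "
                     "recursion is off or denied to your client by the ACL, or allow-query blocks you")
    return notes


if __name__ == "__main__":
    q = build_query("mydomain.com")                      # placeholder domain
    for label, reply in (("refused", build_response(q, rcode=5)),
                         ("authoritative", build_response(q, rcode=0, aa=True))):
        m = parse_message(reply)
        print(f"{label}: status {m['status']}, flags: {m['flags']}")
        for note in explain(m):
            print("  ;;", note)
```

The first reply is what the post above describes: flags "qr rd", status REFUSED, and both notes. The second is what a correctly working authoritative-only server returns for its own zone: flags "qr aa rd", NOERROR, and only the recursion warning, which in that case can be ignored.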
despite "recursion no" in my named.conf.
That is not a setting in the named.conf I gave you. So this means I use the default, which is yes.
As said, the named.conf I gave you can be used 1:1 and is a working named.conf.

So if you're using another one, then I can't figure out what is going wrong. Mostly what you see happening is due to ACL statements present in the named.conf, but it could also be other things.
Best is to keep yours in a backup and use my named.conf file and start searching for issues using that one so we can be sure no odd things are in there which can block certain other things.

  • If you are going to run your own nameservers, did you setup the nameservers correctly at your registrar as well as in Directadmin?
  • Are you only planning to run your own nameserver for 1 domain?
  • Are you aware of the fact that DA has a LEGO option to provide wildcard LE certificates with external DNS providers?
  • What is the content of your /etc/resolv.conf?
  • When you switch to Enhanced skin, then switch to reseller and then look at "nameservers" are they set correctly there as well as in the nameserver domain?
  • Ports in CSF are opened. But are the opened incoming as well as outgoing?
I don't know why the list in the DNS administration is empty. That is an odd thing. Maybe because you switched from external to local and something didn't update correctly. Not sure about that one. Could also be because named was disabled before. Not sure.

Maybe you can give me the domain your nameservers should be running on (can also be via pm if you want) so I can check some things.
 
Hi, thank you very much again for your instructions. I did start with your named.conf, but in my tweaks to try to get other things to work after that, I must have put the "recursion no;" in, trying to make sure recursion was turned off, and not think about it later... Commenting out the option again solved the issue. I guess I don't understand well enough yet what the role of that option is.

So although it seems to work correctly now, I would like to address your questions, just in case I'll run into issues otherwise later.

- I had not yet actually set a domain to use my own nameserver yet; I assumed I could use 'dig' to ask my nameserver about what it would respond, even if the nameserver was not set yet. But now I did use a domain name I'm not really using, in order to test with better, and it responds the DNS that I set in DA as expected.
- I only really need it for 1 domain, but I may start using it for "a few" domains, like 3 or 4, whose webhosting are running on the same server.
- I saw the option to let wildcard certs be generated via external DNS providers, but the one I'm using wasn't between the options.
- My /etc/resolv.conf includes two other ip addresses, which I don't own, but in a network close to where my own server is sitting.
- Reseller > Nameservers does not mention the nameserver subdomains I'm using. Should it? I just created glue records in my DNS registrar in order to point two subdomains to my DA server, and then just used those subdomains on my test domain, and it works.
- In CSF, indeed 53 is opened for both incoming and outgoing.

The DNS Administration page is still empty, but I guess that wasn't the problem after all then... so ignoring for now...
 
Good to hear it's fixed now then. :)

I guess I don't understand well enough yet what the role of that option is.
You can find it here, about a quarter down from the top.

- I only really need it for 1 domain, but I may start using it for "a few" domains, like 3 or 4, whose webhosting are running on the same server.
If you start running your own nameservers, it might be good to have every domain you host on your server use your nameservers. This way you have everything in your own hands and it might be easier to maintain. Also it might make finding issues easier when they occur. Of course, only after testing that your own nameservers are working as they should.
You could use a site like intodns.com to test it. Be aware that this site sometimes also throws some errors which are not present. But you can always ask over here if you don't understand something.

- Reseller > Nameservers does not mention the nameserver subdomains I'm using. Should it?
If it works now it's okay. But if I'm not mistaken, if you want to automatically add the correct nameservers to new accounts and domains you create, it must be in there.

Be aware that ns names like ns1.domain.com are not called subdomains, they are called nameservers, because they are not used as subdomains nor created as subdomains, just A and NS records. It also prevents confusion.

DNS administration page is odd. Should at least contain the domains on your own nameservers now. So might be a good idea anyway to check their DNS settings.
 