Tek-Tips Forums
Outside IPs can't query my DNS server

(OP)
I am currently working on setting up BIND on a personal server that I run in my apartment. Here is everything I have tried/tested to get it working. If I change the DNS server of my laptop to my server's IP, I can go to my site properly, and dig can get the A record of my website from my server without recursion when I query it manually, and it shows that my server is authoritative for that domain. However, when I switched the name servers of my domain to my DNS server with the proper glue record, no IPs other than a few local ones could query my DNS server, so I have since switched back to using my registrar's DNS.

This online tool (http://dnscheck.iis.se/?test=undelegated) which can test undelegated nameservers says that it can't query my server's DNS because it times out.

I used an online port tester site to check if my ISP is blocking port 53. It says it can't see a service from my laptop, but it can see a service on port 53 when I access it while proxying through my server, so I do not think that my ISP is blocking port 53.

I am using a BIND config file for an authoritative-only server copied verbatim from the latest BIND manual, with my domain substituted. It does have allow-query { any; };, and this isn't overridden in the section for my zone. I have used the BIND command line tools to test my config file and my zone file, and it says they are both fine.

I am not currently using any firewall, I don't need port forwarding because all my devices get their own public IPs, and my ISP has no IPv6 support to complicate things.

I'm not sure what else could be causing this issue, and I do not know how to debug it much further. Suggestions about this? How do I find out if my ISP is affecting DNS traffic beyond a simple port check tool? Is there a problem with my zone file (below) or with hosting the DNS server on the same IP that the site is hosted on? I could easily host them on different public IPs.

$ORIGIN mydomain.co.
$TTL 23h
; SOA: primary name server, admin mailbox (webmaster@mydomain.co), then serial, refresh, retry, expire, negative-cache TTL
mydomain.co. IN SOA ns.mydomain.co. webmaster.mydomain.co. ( 2013070201 1d 2h 4w 1h )
mydomain.co. IN MX 10 mail.mydomain.co.
mydomain.co. IN A [my IP]
ns IN A [my IP]                 ; address of the name server named in the NS record below (the glue at the registrar must match)
www IN CNAME mydomain.co.
mail IN A [my IP]
*.mydomain.co. IN A [my IP]     ; wildcard: any other name under the zone resolves to the same host
mydomain.co. IN NS ns
mydomain.co. IN NS slv1.1and1.com.


RE: Outside IPs can't query my DNS server

What do you have set for the permissions within BIND, e.g. allow-recursion and allow-query?

Generally speaking, you don't want the public to be able to use your name server to resolve anything other than domains you host (allow recursion set to no), because this will result in your DNS server being abused.
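The OP asks how to tell whether the ISP is interfering with DNS beyond a simple port check, and the reply above asks what allow-query and allow-recursion are set to. The script below is an added example written for this thread; it is not code from the thread, from BIND, or from any of the tools mentioned. It assumes a placeholder server address (192.0.2.10, a TEST-NET-1 address) and uses the zone name from the post; example.com stands in for a name the server is not authoritative for. Run it from a host outside the ISP's network. It sends a raw A query over UDP and over TCP separately and reads the response header: no reply on UDP while a TCP connect succeeds is exactly the pattern a TCP-only "port tester" cannot see; REFUSED for the foreign name is what allow-recursion { none; } should produce; and a foreign name answered with RA set means the server is recursing for strangers, which is the abuse case the reply warns about.

```python
import random
import socket
import struct

# Constructed placeholders (not the OP's real values): a TEST-NET-1 address for
# the server, the zone name used in the thread, and a name the server is NOT
# authoritative for, to probe whether it recurses for outsiders.
TARGET_SERVER = "192.0.2.10"
ZONE_NAME = "mydomain.co"
OUTSIDE_NAME = "example.com"

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def build_query(name, qtype=QTYPE_A, txid=None, recursion_desired=True):
    """Encode a minimal RFC 1035 query for `name`; returns (packet, txid)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN), txid


def parse_header(message, expected_txid=None):
    """Decode the 12-byte header fields a diagnosis depends on."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or forged reply")
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "ra": bool(flags & 0x0080),   # Recursion Available to this client
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def classify(header):
    """Turn a parsed header (None = timeout) into a one-line diagnosis."""
    if header is None:
        return "no reply: port 53 filtered upstream or named not listening"
    if header["rcode"] == RCODE_REFUSED:
        return "REFUSED: server reached but declines (normal for a foreign name when allow-recursion is none)"
    if header["aa"] and header["rcode"] == 0:
        return "authoritative answer: zone is served correctly"
    if header["ra"] and not header["aa"]:
        return "recursion available for a foreign name: open resolver, tighten allow-recursion"
    return "rcode %d without AA: check that the zone loaded and allow-query" % header["rcode"]


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS/TCP messages are length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def query(server, name, proto="udp", timeout=3.0):
    """Send one query over UDP or TCP; None means no answer before timeout."""
    packet, txid = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(packet, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(packet)) + packet)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
    except (socket.timeout, OSError):
        return None
    return parse_header(data, expected_txid=txid)


# Constructed sample replies (header only) for checking the decoder offline.
SAMPLE_AUTHORITATIVE = b"\x12\x34\x85\x00\x00\x01\x00\x01\x00\x00\x00\x00"  # QR AA RD, NOERROR
SAMPLE_REFUSED = b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00"        # QR RD, REFUSED
SAMPLE_OPEN_RESOLVER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # QR RD RA, NOERROR


if __name__ == "__main__":
    # Run from a host OUTSIDE the ISP's network for the result to mean anything.
    for proto in ("udp", "tcp"):
        for name in (ZONE_NAME, OUTSIDE_NAME):
            print(f"{proto:3} {name:14} -> {classify(query(TARGET_SERVER, name, proto))}")
```

The four combinations are deliberate: UDP and TCP can be treated differently by a filter, and the zone's own name versus a foreign name separates "is the zone served" from "does the server recurse for outsiders". Checking the transaction id on every reply also means a stray or stale datagram cannot be mistaken for an answer from the server under test.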

RE: Outside IPs can't query my DNS server

(OP)
I had allow recursion set to none and allow query to all.

Thanks for the suggestion, but I figured out the problem already. My ISP is blocking incoming DNS queries from outside their network. That's why the test showed that it could see my service: it isn't blocking the whole port, just certain requests. It also doesn't block DNS requests between computers on its network, so that's why it was working on the neighbor's wifi.

Do you know if you can have success with convincing an ISP that this is dumb? Especially considering the 12TB of torrents they were completely fine with me seeding in a single month. Incoming DNS queries seem like a pretty small fish. Or is there any way to get around this?

RE: Outside IPs can't query my DNS server

Quote:

I had allow recursion set to none and allow query to all.
This should allow resolution of systems for which your DNS is the master, e.g. your own domain. There shouldn't be any problems with this.

Quote:

Do you know if you can have success with convincing an ISP that this is dumb?
I agree that it is dumb. Are we talking about residential service? If so, you may be facing two problems. One, some ISPs make it part of the TOS that you're not allowed to run a public-facing server. Having domain lookups for said servers may be construed as a "business" or an activity in support of running said servers. Two, 99.99% of residential customers won't use anything other than standard application and non-privileged ports because they won't do things like run email or DNS servers. Compromised hosts, however, will make use of these ports to conduct attacks. Consequently, it is an easy out to block these ports to reduce their need to deal with problems correctly while having minimal impact on their customer base.

If you are using business grade service, then they should not be blocking ports, period.

RE: Outside IPs can't query my DNS server

(OP)
Yes, this is a residential internet service. I'm doing all of this just for a personal project. I haven't seen the terms of service for my Internet because I live in a large apartment complex. If they come knocking on my door, I'll say hey I never agreed to these rules, you can't give me shit for not following them.
