CentOS BIND DNS Not Responding To DNS Queries

KB ID 0000906 

Problem

While moving my DNS records from my old hosting company, I finally got round to pointing my domain name server records at my own server. I then saw my web traffic nose dive! Some troubleshooting steps later I realised I could not connect to my server on TCP port 53 (use an online port scanner to test yours).

Solution

Allow Access to DNS BIND From Remote Clients

1. Firstly, let’s make sure that the firewall is not blocking DNS on either UDP or TCP port 53 (Note: I’m using iptables).

[box]iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
service iptables save
service iptables restart[/box]

2. Still mine refused to work! I had to edit the named.conf file.

[box]nano /etc/named.conf[/box]

3. Mine was set to only listen on 127.0.0.1, and to only answer queries from localhost.

Before

After

4. Then restart the BIND DNS service.

[box]service named restart[/box]

Related Articles, References, Credits, or External Links

NA


CentOS – Disable BIND DNS Recursion

KB ID 0000981

Problem

I got a Tweet this morning, to say the site was down.

I checked and the VPS was offline, so I powered it on and waited a few minutes. Linux is not one of my strongest technical areas, so I did some Googling about which logs to check. When I looked in /var/log/messages it was full of these, right up to the point where it went down:

[box]Aug 7 03:51:52 MY-HOSTNAME named[490]: error (unexpected RCODE REFUSED) resolving 'anotherdomain.com.ru/ANY/IN': 123.123.123.123#53[/box]

After some more reading it became clear that my server had been used as part of a DNS amplification DDoS attack. This was possible because the BIND DNS server I was running had DNS recursion enabled. This means that when it receives a query for a domain it is not authoritative for, it goes off and resolves that query on the client’s behalf, for any client that is allowed to query it (currently this is the default setting). You can check yours online with this tool (you don’t want it to say ‘open’).

Solution

Disable BIND DNS Recursion (From the Console)

1. Log onto the server directly or via SSH, then navigate to and open the named.conf file.

[box]cd /etc
vi named.conf[/box]

2. Near the top of the file, locate ‘recursion yes;’.

3. Press ‘I’ to go into ‘insert’ mode, use the arrow keys to navigate to ‘yes’ and change it to ‘no’. Press {Esc}, then to save and exit type ZZ (for some reason :wq wouldn’t save on mine!).

4. Then restart BIND DNS. Check once again with the tool; hopefully now it will say ‘no response’.

[box]service named restart[/box]

Disable BIND DNS Recursion (From Webmin)

1. Log into Webmin > Servers > DNS BIND Server > Edit Config File.

2. Change ‘recursion yes;’ to ‘recursion no;’ > Save.

3. In the top right hand corner click ‘Stop BIND’ then ‘Start BIND’.
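For reference, here are the before and after versions of the options block that both of these articles edit (the listen/allow-query change from the first article and the recursion change from this one), as an added example rather than the site’s own named.conf. The before block is the stock CentOS /etc/named.conf; the zone name, zone file and the 192.0.2.0/24 range are placeholders.

```conf
# BEFORE (stock CentOS named.conf): answers only on loopback, only for
# localhost, and recurses for anyone it answers. Once listen-on/allow-query
# are opened up without touching recursion, this becomes an open resolver.
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { localhost; };
    recursion yes;
};

# AFTER: reachable from the Internet for the zones this server is
# authoritative for, but it will no longer resolve other people's domains
# on behalf of arbitrary clients (so it cannot be used for amplification).
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion no;
    # If a handful of local clients genuinely need recursion, keep
    # "recursion yes;" and restrict it instead (placeholder ranges):
    # allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};

# Placeholder authoritative zone; queries for this name are still answered.
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
```

Run named-checkconf before restarting named to catch syntax slips; afterwards a query to your server for a name you are not authoritative for should come back REFUSED rather than be answered.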

Related Articles, References, Credits, or External Links

NA