[CentOS] Yes another "I can't open port 53 for Bind DNS"

Shane Bywater
Feb 1, 2012 at 3:14 am
Hi,
It's just past 3am and for the past 6 hours I've been
configuring a secondary name server to replace one that just crashed.
My problem appears to be that port 53 is not open for some reason on my
server even though I have this:

[root at tribe etc]# netstat -an | grep ":53 "
tcp 0 0 205.211.154.3:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
udp 0 0 205.211.154.3:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 205.211.154.3:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 205.211.154.3:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 205.211.154.3:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 205.211.154.3:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 205.211.154.3:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*

But with a test from
http://www.yougetsignal.com/tools/open-ports/
it says port 53 is closed.

I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2

I'm not using iptables (well I didn't configure any)

[root at tribe log]# iptables --line-numbers -n -L
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Currently this server is not behind any type of firewall.

Can someone suggest something I have forgotten?

TIA,
Shane

4 responses

  • Ken Smith at Feb 1, 2012 at 4:01 am

    Shane Bywater wrote:
    Hi,
    It's just past 3am and for the past 6 hours I've been
    configuring a secondary name server to replace one that just crashed.
    My problem appears to be that port 53 is not open for some reason on my
    server even though I have this:

    [root at tribe etc]# netstat -an | grep ":53 "
    tcp 0 0 205.211.154.3:53 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    {snip}

    But with a test from
    http://www.yougetsignal.com/tools/open-ports/
    it says port 53 is closed.

    I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2

    I'm not using iptables (well I didn't configure any)
    {snip}

    5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    {snip}
    Can someone suggest something I have forgotten?

    TIA,
    Shane
    I think iptables rule 5 is stopping DNS.

    I can 'see' your ICMP (ping) and SSH are open from here.

    I've not used Centos 6 in production yet but try entering:-

    iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    hopefully that will fix it

    YMMV

    Ken

  • Ken Smith at Feb 1, 2012 at 4:05 am

    Ken Smith wrote:
    Shane Bywater wrote:
    Hi,
    It's just past 3am and for the past 6 hours I've been
    iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


    Ken
    Obviously those commands are all on one line

    so the '--state' is followed by 'NEW,' and not line wrapped as in this
    e-mail

    :-) Ken


  • Dennis Jacobfeuerborn at Feb 1, 2012 at 7:12 am

    On 02/01/2012 10:01 AM, Ken Smith wrote:
    Shane Bywater wrote:
    Hi,
    It's just past 3am and for the past 6 hours I've been
    configuring a secondary name server to replace one that just crashed.
    My problem appears to be that port 53 is not open for some reason on my
    server even though I have this:

    [root at tribe etc]# netstat -an | grep ":53 "
    tcp 0 0 205.211.154.3:53 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    {snip}

    But with a test from
    http://www.yougetsignal.com/tools/open-ports/
    it says port 53 is closed.

    I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2

    I'm not using iptables (well I didn't configure any)
    {snip}

    5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    {snip}
    Can someone suggest something I have forgotten?

    TIA,
    Shane
    I think iptables rule 5 is stopping DNS.

    I can 'see' your ICMP (ping) and SSH are open from here.

    I've not used Centos 6 in production yet but try entering:-

    iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    You only want "--state NEW". The related/established bit is handled by rule
    1 in the INPUT chain.

    Regards,
    Dennis
  • Gordon Messmer at Feb 1, 2012 at 10:31 pm

    On 02/01/2012 12:14 AM, Shane Bywater wrote:
    I'm not using iptables (well I didn't configure any)

    [root at tribe log]# iptables --line-numbers -n -L
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    You should figure out who/what did, then. Those rules don't look like
    they were created by Red Hat's tools (where you'd see RH-Firewall...),
    and won't be present by default. Something created rules and the rules
    don't allow access to TCP or UDP 53 (you need both).

    For now, just flush the rules: iptables -F INPUT
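The diagnosis the replies converge on (Ken: the catch-all REJECT at rule 5 fires before any rule accepts port 53; Dennis: the ACCEPT only needs `--state NEW`; Gordon: both TCP and UDP 53 are required) can be checked mechanically from the `iptables --line-numbers -n -L INPUT` listing. The script below is an added example, not code from the thread; it walks the rules in order over two constructed chains, Shane's original and the chain after Ken's inserts with Dennis's correction, and reports whether each transport is accepted before a terminating rule.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an iptables INPUT listing
# accepts a port before a terminating rule, i.e. the rule-order problem in
# Shane's chain. Feed it the output of: iptables --line-numbers -n -L INPUT
# Caveat: without -v the listing hides interface matches such as "-i lo", so a
# prot "all" ACCEPT with no dpt is NOT treated as opening the port here.

# Constructed sample: Shane's original chain (whitespace normalised).
ORIGINAL_CHAIN='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# Constructed sample: the same chain after Ken's two inserts at position 4,
# with Dennis's correction to "--state NEW" only.
FIXED_CHAIN='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:53
5    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  state NEW udp dpt:53
6    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
7    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# port_state CHAIN_TEXT PROTO PORT -> prints "open" or "closed".
# Rules are evaluated top to bottom; the walk stops at the first terminating
# rule that applies to the port (a catch-all REJECT/DROP, or one for this
# proto/port) or at the first matching ACCEPT.
port_state() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        BEGIN { state = "closed"; re = "dpt:" port "( |$)" }
        $1 == "Chain" || $1 == "num" { next }          # listing headers
        ($2 == "REJECT" || $2 == "DROP") &&
            ($3 == "all" || ($3 == proto && $0 ~ re)) { exit }
        $2 == "ACCEPT" && $3 == proto && $0 ~ re      { state = "open"; exit }
        END { print state }'
}

# dns_check CHAIN_TEXT -> one line per transport; DNS needs both open.
dns_check() {
    printf 'udp/53 %s\ntcp/53 %s\n' \
        "$(port_state "$1" udp 53)" "$(port_state "$1" tcp 53)"
}

echo "Before:"; dns_check "$ORIGINAL_CHAIN"
echo "After:";  dns_check "$FIXED_CHAIN"
```

On a live host, `dns_check "$(iptables --line-numbers -n -L INPUT)"` runs the same check against the real chain; add `-v` to the listing if you want to see the interface matches that this parser cannot infer.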
