DNS server stopped working
-
Hi,
I set up TinyDNS as an authoritative DNS for my domain. The DNS server is set up with IP 127.0.0.1. The interface to listen on is WAN. I have a 1:1 NAT set up to point the public IP of my DNS to 127.0.0.1. All SOA, MX, and A records are set up. The DNS server was able to resolve hostnames for my domain on the Internet. Lately, the DNS server just stopped working. When I view the DNS server log, there are no entries found. The only change I made is setting up OpenVPN.
Can anyone advise?
Rdgs
-
Leaving the utterly pointless 1:1 NAT aside, is the server running at all? (Like, ps / netstat output). I'd go to ask your ISP. Other than that, won't touch DJBware with a 10ft pole otherwise, so… maybe someone else.
-
^ agreed, most likely your ISP blocked it, unless you're on a business connection, because of all the DNS amplification attacks of late.
Why you would serve up authoritative dns off your firewall to the public net is another question ;)
But I am curious – why would anyone do this?? If you need more DNS features than, say, your registrar's free DNS provides, or the other free providers, then for like $30 a year you can have a company where all they do is DNS.. They have multiple servers across the globe, anycast, etc. etc.. etc.. Why would you host something that clearly you "need" to work off your "firewall" - where is your secondary server for your domain hosted?
-
Leaving the utterly pointless 1:1 NAT aside, is the server running at all? (Like, ps / netstat output). Other than that, won't touch DJBware with a 10ft pole otherwise, so… maybe someone else.
If you mean the DNS server, yes it is running. So is the svscan service, as shown in pfSense -> Status -> Services
netstat result:
[2.1.1-RELEASE][admin@]/root(1): netstat -an |grep 53
tcp4 0 0 192.168.90.101.53 *.* LISTEN
tcp4 0 0 127.0.0.1.53 *.* LISTEN
udp4 0 0 192.168.90.101.53 *.*
udp4 0 0 127.0.0.1.53 *.*
Not sure if I am seeing right, is udp 53 not listening?
What should I ps for to tell if the DNS server is running? Just running ps -ef gives this result:
[2.1.1-RELEASE][admin@]/root(2): ps -ef
ps: Process environment requires procfs(5)
PID TT STAT TIME COMMAND
100 v0- SN 0:04.56 /bin/sh /var/db/rrd/updaterrd.sh
60650 v0 Is+ 0:00.00 /usr/libexec/getty Pc ttyv0
18788 0 R+ 0:00.00 ps -ef
90777 0 Is 0:00.01 /bin/sh /etc/rc.initial
99203 0 S 0:00.01 /bin/tcsh -
-
Go back to your ISP and ask them about blocking. And what johnpoz said, I'd just NOT run a public DNS on my firewall.
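The two checks this part of the thread circles around, written out as an added example (not code from the thread, from pfSense or from djbdns): a parser for the FreeBSD `netstat -an` lines quoted above, and a minimal DNS SOA query plus response-header decoder so a probe run from an outside host can separate "the daemon answered" from "nothing came back at all". On FreeBSD a UDP socket never shows a LISTEN state, so a `udp4` line whose local address ends in `.53` with a foreign address of `*.*` already means the socket is bound and receiving. The sample netstat text, the domain `example.test` and the helper names (`parse_netstat`, `build_query`, `parse_header`, `probe`) are constructed for this example.

```python
"""Added example: is port 53 bound locally, and does a query from outside
get any answer? Sample data below is constructed, modelled on the thread."""
import random
import socket
import struct

# Constructed sample in FreeBSD `netstat -an` layout (proto, recv-q, send-q,
# local address, foreign address, [state]).  Note: no state column for UDP.
SAMPLE_NETSTAT = """\
tcp4       0      0 192.168.90.101.53      *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
udp4       0      0 192.168.90.101.53      *.*
udp4       0      0 127.0.0.1.53           *.*
"""


def parse_netstat(text, port=53):
    """Return [(proto, local_ip, local_port)] for sockets bound to `port`.
    FreeBSD prints the local endpoint as ip.port, so split on the last dot;
    a bound UDP socket is reported even though it carries no LISTEN state."""
    bound = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        ip, _, lport = local.rpartition(".")
        if lport.isdigit() and int(lport) == port:
            bound.append((proto, ip, int(lport)))
    return bound


def build_query(name, qtype=6, txid=None):
    """Encode a standard DNS query (RD=1, one question). qtype 6 = SOA,
    which an authoritative server for the zone must answer with AA=1."""
    txid = random.randrange(0, 1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields a probe cares about."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED ...
        "ancount": an,
    }


def probe(server, name, timeout=2.0, port=53):
    """Send one UDP SOA query and classify the outcome.  'timeout' means no
    packet came back at all: with an empty server log that points at a drop
    upstream of the daemon (ISP filtering, NAT or firewall rules), not at it."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except OSError as e:               # e.g. ICMP port unreachable
            return f"error:{e.errno}"
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        return "bogus"                      # reply does not match our query
    if hdr["aa"]:
        return "authoritative"
    return f"answered-rcode{hdr['rcode']}"  # reached something, but not the zone's server


if __name__ == "__main__":
    for proto, ip, port in parse_netstat(SAMPLE_NETSTAT):
        print(f"{proto} bound on {ip}:{port}")
    # Run this line from a host outside your network against the public IP.
    print("probe 127.0.0.1 ->", probe("127.0.0.1", "example.test", timeout=1.0))
```

Run the probe once from the LAN side against 127.0.0.1 and once from an outside host against the public IP: an `authoritative` result inside and a `timeout` outside, with nothing in the daemon's log, is the pattern the replies describe, where the queries are being dropped before they reach the server.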
-
^ agreed, most likely your ISP blocked it, unless you're on a business connection, because of all the DNS amplification attacks of late.
Why you would serve up authoritative dns off your firewall to the public net is another question ;)
But I am curious – why would anyone do this?? If you need more DNS features than, say, your registrar's free DNS provides, or the other free providers, then for like $30 a year you can have a company where all they do is DNS.. They have multiple servers across the globe, anycast, etc. etc.. etc.. Why would you host something that clearly you "need" to work off your "firewall" - where is your secondary server for your domain hosted?
We own our domain. The domain name registrar requires us to provide two name servers. That is why I need an authoritative DNS. How else would the Internet resolve our domain name then?
-
If your domain registrar does NOT provide DNS servers, you should just run…. run like hell from them. Other than that, if you really insist on using such a lame registrar, you can have 50 domains hosted here: https://dns.he.net/ (5 different DNS servers, anycasted, for free.)
-
^ exactly!!!
I agree if you have a domain name, you need at minimum 2 servers that will respond authoritatively for your domain.. What does that have to do with running it on your own?
Unless you're a DNS provider – or you're serving up DNS to your users for your local domain.. Leave public DNS to the companies that do it for a living. If the FREE ones don't suit your fancy or provide you what you need/want.. Then for like $30 a year you can do it with an enterprise class service with 5 9's uptime.
Shit, your time alone in having to even look at why it's not working has most likely cost more than 3x the cost of hosting DNS with an actual DNS company for a whole year ;)
I can tell you if I charged my normal billing rate - the time in me reading your question and responding would have cost more than hosting your DNS for a whole year!!