Restricting zone transfers with IP addresses in BIND DNS Server

Posted on in Categories BIND Dns, Howto, Linux, Security, Sys admin, Tips, UNIX last updated February 18, 2009

A DNS server can be attacked using various techniques such as:

[a] DNS spoofing

[b] Cache poisoning

[c] Registration hijacking

One of the simplest ways to defend is to limit zone transfers between nameservers by defining an ACL. I see many admins allow BIND to transfer zones in bulk to hosts outside their network or organization. There is no need to do this. Remember, you don’t have to make an attacker’s life easier.

How to restrict zone transfers by IP address?

You need to define an ACL in the /etc/named.conf file. Let us say IP addresses and are allowed to transfer your zones.
# vi named.conf
Here is a sample entry for the domain (ns1 configuration):

acl trusted-servers {
        ;   // ns2
        ;   // ns3
};

zone  {
        type master;
        file "zones/";
        allow-transfer { trusted-servers; };
};

Next add zone . Please note that you must reference the set of hosts in each zone’s configuration block, i.e. put the line allow-transfer { trusted-servers; }; in the block of every zone / domain name. Restart named:
# /etc/init.d/named restart

How do I test whether the zone transfer restrictions are working?

Use any UNIX DNS tool such as nslookup, host or dig. For example, the following uses the host command to request a zone transfer:
$ host -T axfr

;; Connection to for axfr failed: connection refused.
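The same test, scripted so it can be repeated for every nameserver of a zone you operate. This is an added example, not code from the original post: it assumes dig (bind-utils / dnsutils) is installed, and the status strings it looks for are the ones dig prints for an AXFR. The classifier is a separate function that takes dig's output as text, so it can be tried on captured output without any network access.

```shell
#!/bin/sh
# Added example (not from the original post): report which nameservers of a
# zone you run still hand out a full zone transfer to this host.

# classify_axfr DIG_OUTPUT -> refused | unreachable | open | unknown
classify_axfr() {
    if printf '%s\n' "$1" | grep -qF 'Transfer failed.'; then
        echo refused            # server answered, but the ACL (or TSIG) said no
    elif printf '%s\n' "$1" | grep -Eq 'timed out|connection refused|no servers could be reached'; then
        echo unreachable        # port 53/TCP closed or filtered, not an ACL decision
    elif printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo open               # records came back: the transfer was allowed
    else
        echo unknown
    fi
}

# axfr_check ZONE SERVER -> one line: zone server status
axfr_check() {
    out=$(dig @"$2" "$1" AXFR +time=5 +tries=1 2>&1)
    printf '%s %s %s\n' "$1" "$2" "$(classify_axfr "$out")"
}

# axfr_audit ZONE -> tries an AXFR against every NS record of the zone
axfr_audit() {
    for ns in $(dig +short NS "$1"); do
        axfr_check "$1" "$ns"
    done
}

# usage: axfr_audit example.com
```

Run it from a host that is not in the trusted-servers ACL (a machine outside your network); every server should report refused. Run from a listed secondary, open is the expected result. unreachable means the TCP port itself is closed or filtered, which is a different problem from the ACL.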

Transaction signatures (TSIG)

Another recommended option is to use transaction signatures (TSIG) to authorize zone transfers. An IP-based ACL alone can be defeated by spoofing an allowed address; a signed request cannot be forged without the shared key.
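What a TSIG setup looks like in named.conf, as an added example rather than configuration from the original post. The script generates a key and prints the stanzas for both servers. Everything in it is an assumption chosen for the example: the key name ns1-ns2., the hmac-sha256 algorithm, the zone example.com, and the documentation address 192.0.2.1 standing in for the primary.

```shell
#!/bin/sh
# Added example (not from the original post): generate a TSIG key and print
# the named.conf stanzas that make the primary accept transfers only when
# they are signed with it.

# tsig_secret -> 32 random bytes, base64 encoded, the form named expects in
# "secret". BIND's own tsig-keygen produces the same thing; this keeps the
# example self-contained.
tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# tsig_config KEYNAME SECRET PRIMARY_ADDR ZONE -> stanzas for both servers
tsig_config() {
    cat <<EOF
// ---- on both servers: the shared key (keep this file readable by root and named only)
key "$1" {
    algorithm hmac-sha256;
    secret "$2";
};

// ---- on the primary: transfers allowed only when signed with the key
zone "$4" {
    type master;
    file "zones/$4";
    allow-transfer { key "$1"; };
};

// ---- on the secondary: sign every message sent to the primary
server $3 {
    keys { "$1"; };
};
zone "$4" {
    type slave;
    masters { $3; };
    file "zones/$4";
};
EOF
}

# usage: tsig_config ns1-ns2. "$(tsig_secret)" 192.0.2.1 example.com
```

With allow-transfer { key "ns1-ns2."; }; the source address no longer decides anything: a request from a spoofed trusted address is refused because it carries no valid signature. You can combine the two, allow-transfer { trusted-servers; key "ns1-ns2."; };, while migrating secondaries, then drop the address list.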

Force BIND DNS Server to take full advantage of Dual Core Multiple Intel / AMD Cpu

Posted on in Categories CentOS, Debian Linux, Gentoo Linux, Howto, Linux, RedHat/Fedora Linux, Sys admin, Tips, Troubleshooting, Tuning, Ubuntu Linux, UNIX last updated September 7, 2007

One of my clients runs dedicated NS1 and NS2 servers hosting more than 3000 domains. Recently they upgraded to the latest dual-core, dual-AMD servers running CentOS 5.0 and BIND.

By default BIND / named tries to determine the number of CPUs present and creates one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread is created. However, for some reason the BIND server failed to use all of the system’s available CPUs automatically. So how do you force the DNS server to take advantage of multiple CPUs under CentOS Linux?

After a little investigation, the named man page pointed me in the right direction: the -n #cpus option, which creates #cpus worker threads to take advantage of multiple CPUs.

Force BIND DNS Server to take advantage of multiple CPUs

To enable multiple CPUs, open the /etc/sysconfig/named file under CentOS / RHEL / Fedora Linux:
# vi /etc/sysconfig/named
To force BIND to use 4 CPUs, add or modify the OPTIONS line as follows:
OPTIONS="-n 4"
Save and close the file. Restart named service:
# /etc/init.d/named restart

A note for Debian / Ubuntu Linux users

If you are using Debian / Ubuntu Linux, modify the /etc/default/bind9 file:
$ sudo vi /etc/default/bind9
Append config line:
OPTIONS="-n 4"
Please note that -n 4 should be appended after any other options already present, for example:
OPTIONS="-4 -6 -n 4"
Save and close the file. Restart BIND server:
$ sudo /etc/init.d/bind9 restart

For more information read the named man page.

No Route to Host error and solution

Posted on in Categories Debian Linux, Gentoo Linux, Linux, Networking, RedHat/Fedora Linux, Tips, Troubleshooting, Ubuntu Linux last updated October 16, 2007

I am getting an error that reads No Route to Host. I am trying to ping my ISP gateway as well as the DNS server, but I am getting this error. How do I solve this problem?

This error indicates a networking conflict or some other network configuration problem.

Here are things to check:

a) Can you ping your local router interface (such as )?

Make sure your network card (eth0) is properly configured with the correct IP address and router address. Use the ifconfig command to configure the IP address and the route command to set the correct router address. If you prefer GUI tools:

  • redhat-config-network – works on Red Hat and Fedora Linux / CentOS.
  • network-admin – used on Debian and other Linux distributions.

Use either of the above GUI tools to set the correct IP address, DNS address and router address.

b) Make sure the firewall is not blocking your access

iptables is the default firewall on Linux. Run the following command to see what iptables rules are set up:
# /sbin/iptables -L -n

You can temporarily clear all iptables rules while you troubleshoot the problem (save them first so you can restore them afterwards). If you are using Red Hat or Fedora Linux, type:
# /etc/init.d/iptables save
# /etc/init.d/iptables stop

If you are using another Linux distribution, type the following commands:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

c) Finally, make sure you are using a router and not a proxy server. Proxy servers are fine for Internet browsing but not for other work such as ftp, sending ICMP requests and so on.
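The three checks above, put together in one script so they run in order and report what they find. This is an added example and not part of the original post: it assumes Linux ping, route or ip, and iptables are available, and the routing table in the test is a constructed sample. The gateway parser takes the table as text so it can be checked without a live network.

```shell
#!/bin/sh
# Added example (not from the original post): run the "No route to host"
# checklist: a) default gateway reachable, b) firewall rules, c) proxy settings.

# default_gateway ROUTE_TABLE -> gateway address from `route -n` or `ip route` text
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" { print $2; exit }      # route -n: Destination Gateway ...
        $1 == "default" { print $3; exit }      # ip route: default via GW dev IF
    '
}

netcheck() {
    table=$(route -n 2>/dev/null || ip route 2>/dev/null)
    gw=$(default_gateway "$table")
    if [ -z "$gw" ]; then
        echo "a) no default route: fix the IP/router settings (ifconfig, route) first"
        return 1
    fi
    if ping -c 1 -W 2 "$gw" >/dev/null 2>&1; then
        echo "a) gateway $gw answers ping"
    else
        echo "a) gateway $gw does not answer: check cable, IP address and netmask on eth0"
    fi
    # b) list, rather than flush, the rules and policies that can produce the error
    if rules=$(iptables -L -n 2>/dev/null); then
        if printf '%s\n' "$rules" | grep -Eq '^(DROP|REJECT)|policy (DROP|REJECT)'; then
            echo "b) firewall has DROP/REJECT rules or policies:"
            printf '%s\n' "$rules" | grep -E '^(DROP|REJECT)|^Chain'
        else
            echo "b) no DROP/REJECT rules in the filter table"
        fi
    else
        echo "b) cannot read iptables rules (run as root)"
    fi
    # c) a proxy only helps browsers; ping and ftp go straight to the router
    if [ -n "${http_proxy:-}${HTTP_PROXY:-}" ]; then
        echo "c) http_proxy is set to ${http_proxy:-$HTTP_PROXY}; ping/ftp do not use it"
    else
        echo "c) no proxy variables set"
    fi
}

# usage: netcheck
```

Step b) deliberately lists the DROP/REJECT rules instead of flushing the tables: a REJECT rule with icmp-host-unreachable is one of the common sources of this exact error, and seeing which rule matched is usually enough to fix it without leaving the host unfiltered.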

Improve DNS performance for Linux / Windows desktop using DNS caching software

Posted on in Categories Debian Linux, FreeBSD, Gentoo Linux, Howto, Linux, OpenBSD, RedHat/Fedora Linux, Tips, Tuning, Ubuntu Linux, UNIX last updated October 8, 2007

One of my friends recently sent me an email. It reads as follows:

“…My DSL service provider’s DNS servers seem to be a little slow. They have two servers and it takes a little time (sometimes up to 2 seconds) to resolve a domain name; once the domain is resolved, browsing speed remains the same. What should I do to improve DNS performance?….”

The answer is to use a DNS proxy, i.e. Dnsmasq. It is a lightweight, easy to configure DNS forwarder and optional DHCP server. Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable modem or ADSL connection, but it is a good choice for any small network where low resource use and ease of configuration are important. The main use of the DNS proxy is speed: normally every computer sends its queries to the ISP’s DNS servers, whereas with a DNS proxy the answers are cached locally. It sits between your local systems and the firewall server. Here is our sample network setup: are all desktop systems, and is our Linux firewall server:

Laptop | Desktop --> Linux Server (Firewall) --> ADSL Modem/Router
                                                  (dynamic or static IP assigned by ISP)

Log in to your Linux firewall server and install Dnsmasq.

Step # 1: Install Dnsmasq (Debian Linux)

# apt-get install dnsmasq

Fedora / Red Hat / CentOS users, use the yum command to install dnsmasq:

# yum install dnsmasq

Red Hat Enterprise Linux users, use the up2date command to install it:

# up2date -i dnsmasq

Step # 2: Configure Dnsmasq

To be frank, you don’t have to change a single line in /etc/dnsmasq.conf. However, you need to set up as the DNS server in the /etc/resolv.conf file:

# vi /etc/resolv.conf


Replace with your actual ISP DNS server IPs. Dnsmasq reads the list of ISP nameservers from /etc/resolv.conf automatically. List as the first nameserver address in /etc/resolv.conf, so that local desktop clients are always answered from the cache first.

Step # 3: Restart/start Dnsmasq

# /etc/init.d/dnsmasq start

Step # 4: Update the DNS server IPs on all desktop systems

Point your Windows XP or Linux desktop clients at the IP of the Linux firewall server, i.e. (see the network diagram above).

Dnsmasq is easier to use than setting up a caching BIND server. But hold on, it has some cool uses too. You can add domains which you want to force to a specific IP address. For example, displays ugly ads on many sites; just send requests for this server to our (i.e. your local server ). Open the file /etc/dnsmasq.conf and add the following line to it:

Restart Dnsmasq and make sure you run a local web server at with some default page. Read the Dnsmasq man page and docs for more information.
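A complete dnsmasq.conf for the firewall host covering steps 2 and 4 plus the address override just described, together with a quick way to confirm the cache is doing its job. This is an added example, not configuration from the original post. Assumptions: the LAN-facing interface is eth1, the ISP resolvers are kept in /etc/resolv.conf.upstream, and ads.example is the domain to redirect to the local web server at 192.168.1.1 (documentation-style placeholders). The query-time parser reads dig's output as text, and the sample output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): generate a minimal dnsmasq.conf
# for a Linux firewall and check that repeated lookups are served from cache.

# dnsmasq_conf LAN_IF SINK_DOMAIN SINK_TARGET -> config text on stdout
dnsmasq_conf() {
    cat <<EOF
# answer only on the LAN side (lo is included automatically); never on the ISP link
interface=$1
bind-interfaces
# do not forward bare hostnames or private-range reverse lookups upstream
domain-needed
bogus-priv
# upstream ISP servers live here, so 127.0.0.1 can be first in /etc/resolv.conf
# without dnsmasq ever forwarding a query to itself
resolv-file=/etc/resolv.conf.upstream
cache-size=10000
# answer $2 and everything under it with the local web server instead
address=/$2/$3
EOF
}

# query_time_ms DIG_OUTPUT -> the N from ";; Query time: N msec"
query_time_ms() {
    printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4; exit }'
}

# caching_works RESOLVER NAME -> 0 if the second lookup is no slower than the first
caching_works() {
    first=$(query_time_ms "$(dig @"$1" "$2" A)")
    second=$(query_time_ms "$(dig @"$1" "$2" A)")
    echo "first lookup: ${first:-?} ms, second lookup: ${second:-?} ms"
    [ -n "$first" ] && [ -n "$second" ] && [ "$second" -le "$first" ]
}

# usage:
#   dnsmasq_conf eth1 ads.example 192.168.1.1 > /etc/dnsmasq.conf
#   caching_works 127.0.0.1 www.example.com
```

After restarting dnsmasq, the second lookup of the same name should report a query time of 0 ms; if both lookups take as long as the ISP's servers, dnsmasq is not the resolver the client is actually using. Keeping the upstream list in a separate resolv-file is what makes it safe to put 127.0.0.1 first in /etc/resolv.conf.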

How to: Troubleshoot UNIX / Linux BIND DNS server problems

Posted on in Categories BIND Dns, CentOS, Debian Linux, FreeBSD, Gentoo Linux, GNU/Open source, Howto, Linux, OpenBSD, RedHat/Fedora Linux, Suse Linux, Sys admin, Troubleshooting, Tuning, UNIX last updated October 12, 2007

BIND (Berkeley Internet Name Domain) is a DNS server widely used on UNIX and Linux-like operating systems. You can use the following tools to troubleshoot BIND-related problems under UNIX or Linux.

Task: Make sure port 53 is open and listening for requests

By default BIND listens for DNS queries on port 53, so make sure port 53 is open and accepting requests by running any one of the following tests. See if you can telnet to port 53 from a remote computer:
$ telnet remote-server-ip 53
$ telnet  domain

Connected to
Escape character is '^]'.

If you cannot connect, make sure a firewall is not blocking your requests. Next, use the netstat command on the server itself to list whether port 53 is open and listening:
$ netstat -tulpn | grep :53
# netstat -atve

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 *:*                     LISTEN      named      10386
tcp        0      0     *:*                     LISTEN      named      10384
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1785
tcp        0      0       *:*                     LISTEN      named      10388
tcp        0      0       *:*                     LISTEN      root       1873
tcp        0      0   ESTABLISHED root       10501
tcp        0      0     TIME_WAIT   root       0
tcp        0      0 TIME_WAIT   root       0
tcp        0      0     TIME_WAIT   root       0

Make sure the iptables firewall is not blocking requests on the server:
# iptables -L -n
# iptables -L -n | less
Make sure named is running:
# /etc/init.d/named status
If not start named:
# chkconfig named on
# service named start

Task: Use log files

You can use log files after starting/restarting bind to see error messages:
# tail -f /var/log/messages

Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface lo,
Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface eth0,
Nov 17 16:50:25 rhx named[3539]: command channel listening on
Nov 17 16:50:25 rhx named[3539]: zone loaded serial 1997022700
Nov 17 16:50:25 rhx named[3539]: no TTL specified; using SOA MINTTL instead
Nov 17 16:50:25 rhx named[3539]: zone loaded serial 12
Nov 17 16:50:25 rhx named[3539]: zone localhost/IN: loaded serial 42
Nov 17 16:50:25 rhx named[3539]: zone loaded serial 12
Nov 17 16:50:25 rhx named[3539]: running

Task: Check zone file for errors

You can check the syntax of your zone files and of /etc/named.conf using the following utilities. named-checkconf is the syntax checking tool for the named (BIND) configuration file:
# named-checkconf /etc/named.conf

/etc/named.conf:32: missing ';' before 'zone'

Please note that if named-checkconf does not find any errors it prints nothing.

Next, check the zone files for syntax errors. named-checkzone is the zone file validity checking tool: it checks the syntax and integrity of a zone file, performing the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.
# named-checkzone localhost /var/named/
# named-checkzone  /var/named/

zone loaded serial 12
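The two checks chained into a pre-reload gate, with one extra test the post's output hints at: the "loaded serial" must be higher than the serial the running server currently answers with, or secondaries will never pick up the change. This is an added example, not code from the original post. It assumes named-checkconf, named-checkzone and dig from the BIND package are installed; the zone file it demonstrates on is a constructed sample for example.com.

```shell
#!/bin/sh
# Added example (not from the original post): validate named.conf and a zone
# file, then compare the file's SOA serial with the one currently served, so a
# reload is only attempted when all three checks pass.

# soa_serial_from_file ZONEFILE -> serial of the first SOA record.
# Handles ';' comments and the multi-line "( ... )" layout in plain awk, so
# it works without a running name server.
soa_serial_from_file() {
    awk '
        { sub(/;.*/, ""); gsub(/[()]/, " ") }        # drop comments and parentheses
        !insoa {
            for (i = 1; i <= NF; i++) if ($i == "SOA") {
                insoa = 1
                for (j = i + 1; j <= NF; j++) tok[n++] = $j
                next
            }
        }
        insoa && n < 3 { for (i = 1; i <= NF; i++) tok[n++] = $i }
        END { if (n >= 3) print tok[2] }             # mname, rname, then serial
    ' "$1"
}

# served_serial ZONE SERVER -> serial the running server answers with (empty if none)
served_serial() {
    dig @"$2" +short SOA "$1" 2>/dev/null | awk '{ print $3; exit }'
}

# bind_precheck NAMED_CONF ZONE ZONEFILE [SERVER] -> 0 only if safe to reload
bind_precheck() {
    conf=$1; zone=$2; file=$3; server=${4:-127.0.0.1}
    named-checkconf "$conf" || { echo "$conf has errors; not reloading"; return 1; }
    named-checkzone "$zone" "$file" || { echo "zone $zone has errors; not reloading"; return 1; }
    new=$(soa_serial_from_file "$file")
    cur=$(served_serial "$zone" "$server")
    if [ -n "$cur" ] && [ "$new" -le "$cur" ]; then
        echo "serial $new in $file is not above served serial $cur; secondaries will not transfer"
        return 1
    fi
    echo "ok: $zone serial $new (currently served: ${cur:-none}); safe to run rndc reload"
}

# demo_serial -> serial parsed from a constructed zone file (no network needed)
demo_serial() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2009021801 ; serial (constructed sample)
            10800      ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
EOF
    soa_serial_from_file "$tmp"
    rm -f "$tmp"
}

# usage: bind_precheck /etc/named.conf example.com /var/named/example.com && rndc reload
```

The serial comparison is what named-checkzone does not do for you: a zone file can be perfectly valid and still be silently ignored by every secondary because its serial did not move.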

Task: Testing BIND/DNS with utilities

You can use the host and dig utilities to test your BIND configuration.

  • host: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.
  • dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

List the IP address associated with a host name:
# host
# host www
Output: has address

Perform a zone transfer for a zone using the -l option:
# host -l 
 SOA   12 10800 900 604800 86400
 name server 
 mail is handled by 10 
 has address 
 has address 
 has address 
 has address 
 has address 
 has address 
 SOA   12 10800 900 604800 86400

Other examples:
# dig
# dig