I recently moved quite a few domains from a server to another new one. While testing the new setup with Pingability, I encountered the following errors (repeated a few times):
Error Got an error when connecting to xyz.com/a.b.c.d with a request for xyz.com/CNAME: IOException: I/O Error on name server a.b.c.d for xyz.com.
Heads-up Could not perform the CNAME check. IOException: I/O Error on name server a.b.c.d for xyz.com.
The first suggestion I saw (nothingOS – DNS Server Problems) was to open port 53 for both UDP and TCP (the port used for DNS). I did check that (iptables -L), but as expected on a dedicated server (where most if not all ports are open by default), port 53 was fine.
I then remembered that BIND can be configured to listen only on localhost, and indeed, once I found the relevant file, that turned out to be the default. Simply edit /etc/bind/named.conf.options and replace
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
allow-recursion { 127.0.0.1; };
with
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
//listen-on-v6 { ::1; };
//listen-on { 127.0.0.1; };
//allow-recursion { 127.0.0.1; };
version "BIND";
NB: the version line at the end is irrelevant to the problem; I only added it to mask the version. allow-recursion is also irrelevant to this issue, I believe. I don’t remember why I commented it out; probably it was a temporary workaround for some old vulnerability that has since been fixed. Note that commenting it out seems to break /etc/init.d/bind9 reload (not a big issue though, since you can just do /etc/init.d/bind9 restart instead).
Don’t forget to apply the new configuration (/etc/init.d/bind9 reload or /etc/init.d/bind9 restart).
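One thing worth checking once BIND listens on all interfaces: the before/after blocks above change two things at once, the listen addresses and the allow-recursion line. A server that answers recursive queries for anyone on the Internet can be used as a DDoS amplifier, and which clients may recurse then depends on the BIND build's default (older releases allowed any, 9.4 and later default to localnets and localhost). The script below is an added example, not the post's own code: it parses the handful of statements the post touches (listen-on, listen-on-v6, allow-recursion, recursion) out of a named.conf.options fragment and reports when the server listens beyond loopback without an explicit recursion policy. The three option blocks are constructed from the post's snippets; the "hardened" variant (listen on any, recursion allowed only from loopback) is my assumption about what a defender would write, and `recursion no;` is the alternative on a purely authoritative box.

```python
"""Flag a named.conf.options fragment that listens on all interfaces while
leaving recursion policy implicit. Added example; only the statements the
post mentions are parsed, everything else in the file is ignored."""
import re

# Constructed: the post's original (loopback-only) options.
ORIGINAL_OPTIONS = """
options {
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { ::1; };
    listen-on { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
};
"""

# Constructed: the post's modified options (allow-recursion commented out).
POST_OPTIONS = """
options {
    auth-nxdomain no; # conform to RFC1035
    listen-on { any; };
    listen-on-v6 { any; };
    //listen-on-v6 { ::1; };
    //listen-on { 127.0.0.1; };
    //allow-recursion { 127.0.0.1; };
    version "BIND";
};
"""

# Assumed hardened variant: serve zones on all interfaces, but only loopback
# clients may ask for recursion. On a pure authoritative server, `recursion no;`
# is the simpler choice.
HARDENED_OPTIONS = """
options {
    auth-nxdomain no; # conform to RFC1035
    listen-on { any; };
    listen-on-v6 { any; };
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    version "BIND";
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text: str) -> str:
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text


def parse_options(text: str) -> dict:
    """Return {statement: [values]} for `name { a; b; };` address lists plus
    the scalar `recursion yes|no;` statement."""
    text = strip_comments(text)
    parsed = {}
    for name, body in re.findall(r"(\S+)\s*\{([^{}]*)\}\s*;", text):
        if name == "options":  # outer block is skipped; its inner lists match on their own
            continue
        parsed[name] = [v.strip() for v in body.split(";") if v.strip()]
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    if m:
        parsed["recursion"] = [m.group(1)]
    return parsed


def listens_beyond_loopback(opts: dict) -> bool:
    addrs = opts.get("listen-on", []) + opts.get("listen-on-v6", [])
    return any(a not in LOOPBACK for a in addrs)


def recursion_findings(opts: dict) -> list:
    """Empty list means nothing to report; otherwise human-readable findings."""
    findings = []
    if not listens_beyond_loopback(opts):
        return findings  # loopback-only: the post's starting point
    if opts.get("recursion") == ["no"]:
        return findings  # authoritative-only server, nothing to amplify with
    allowed = opts.get("allow-recursion")
    if allowed is None:
        findings.append("listens on non-loopback addresses but sets no recursion "
                        "policy; who may recurse depends on the BIND build's default")
    else:
        outside = [a for a in allowed if a not in LOOPBACK]
        if outside:
            findings.append("allow-recursion admits clients beyond loopback: "
                            + ", ".join(outside) + " (make sure each is a trusted network)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", ORIGINAL_OPTIONS), ("after", POST_OPTIONS),
                       ("hardened", HARDENED_OPTIONS)):
        print(label + ":", recursion_findings(parse_options(cfg)) or "ok")
```

Run it against a copy of your own /etc/bind/named.conf.options (read the file into a string and pass it to parse_options) after editing; the "after" block from the post produces a finding, the loopback-only and hardened blocks do not. Stating the policy explicitly is also what makes the config behave the same across BIND versions.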