[SOLVED] FC4 Trying to get nameserver working


pushback
06-27-2005, 12:55 AM
I am trying to get my nameserver to propagate my domain to Internet but its just not happening. I can see the requests coming in using tcpdump, but each request is met with "unreachable - admin prohibited":

20:33:49.504131 IP 202.188.0.181.36949 > 192.168.100.3.domain: 17223 A? mydomain.com. (24)
20:33:49.504242 IP 192.168.100.3 > 202.188.0.181: icmp 60: host 192.168.100.3 unreachable - admin prohibited


I have the server behind a linksys router. The external IP of the router is what the registrar was instructed to send requests to (nameserver) and I have the linksys router rigged to forward all port 53 traffic to the server (192.168.100.3).

Port 53 is indeed open on the server (portscanned from the LAN):

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on dsl081-053-098.sfo1.dsl.speakeasy.net (64.81.53.98):
(The 1596 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
10000/tcp open snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 189 seconds

and 53 is open to Internet on the router (portscanned from another server out on Internet)

(The 1596 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http

As far as the server is concerned--named is running just peachy:

named 424 1 0 Jun25 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot

and the zone file appears to be fine:

$TTL 180s
@ IN SOA ns4.mydomain.com. webmaster.mydomain.com. (
2005062501 ; Serial
180s ; Refresh Slaves
1H ; Retry
1W ; Expiry
1D ) ; Minimum
;
NS www ; Internet address of nameserver
mydomain.com. MX 10 mail ; Primary Mail Exchanger

;
localhost A 127.0.0.1
apollo A 123.123.123.123 <---external IP
ns4 CNAME apollo
ns5 CNAME apollo
www CNAME apollo
ftp CNAME apollo
mail CNAME apollo



So--the question is--why can't I propagate my domain name?

jumpedintothefire
06-27-2005, 10:49 AM
just to check, you forwarded both tcp and udp?

pushback
06-27-2005, 03:31 PM
yes ... both are forwarded.

jumpedintothefire
06-27-2005, 03:41 PM
Don't think you should use a cname here:

---@ IN SOA ns4.mydomain.com. webmaster.mydomain.com. (
try:
+++@ IN SOA apollo.mydomain.com. webmaster.mydomain.com. (

Or here:

---NS www ; Internet address of nameserver
try:
+++NS apollo.mydomain.com ; Internet address of nameserver

It's been awhile... for me...

pushback
06-27-2005, 04:51 PM
Thanks for the suggestions--I tried that--get the same result.

13:47:25.754060 IP resolver1-a.xs4all.nl.24291 > 192.168.100.3.domain: 25137 AAAA? www.mydomain.com. (28)
13:47:25.754136 IP 192.168.100.3 > resolver1-a.xs4all.nl: icmp 64: host 192.168.100.3 unreachable - admin prohibited
---

So, I went onto a server where I have a friend's site hosted for the moment (until I am back up) and took a look at their zone file and modeled mine after theirs--so now it looks like this, but I still get the same result!

$TTL 180s
@ IN SOA ns4.mydomain.com. webmaster.mydomain.com. (
2005062602 ; Serial
180s ; Refresh Slaves
1H ; Retry
1W ; Expiry
1D ) ; Minimum
;

mydomain.com. IN NS ns4.mydomain.com.
mydomain.com. IN NS ns5.mydomain.com.

mydomain.com. IN A 123.123.123.123

localhost.mydomain.com. IN A 127.0.0.1

mydomain.com. IN MX 0 mydomain.com.

mail IN CNAME mydomain.com.
www IN CNAME mydomain.com.
ftp IN CNAME mydomain.com.
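The CNAME point jumpedintothefire raised above is worth checking mechanically, and the reworked zone has a second, quieter problem of the same kind (its NS names have no address records in the zone). The script below is an added example, not code from either poster: it parses constructed copies of the two zone files (the first one re-indented so the blank owner on the NS line is visible, and without the "<---external IP" annotation) and reports SOA MNAME, NS and MX targets that are CNAMEs (RFC 2181 section 10.3 forbids this) or that lie inside the zone but have no A/AAAA record. The parser only handles the master-file features these two zones use.

```python
import re

ORIGIN = "mydomain.com."

# Constructed copy of the first zone posted; the NS line is indented as it
# would be in the file, so its owner is inherited from the SOA record.
ZONE_V1 = """\
$TTL 180s
@ IN SOA ns4.mydomain.com. webmaster.mydomain.com. (
2005062501 ; Serial
180s ; Refresh Slaves
1H ; Retry
1W ; Expiry
1D ) ; Minimum
;
        NS www ; Internet address of nameserver
mydomain.com. MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
apollo A 123.123.123.123
ns4 CNAME apollo
ns5 CNAME apollo
www CNAME apollo
ftp CNAME apollo
mail CNAME apollo
"""

# Constructed copy of the reworked zone from the later post.
ZONE_V2 = """\
$TTL 180s
@ IN SOA ns4.mydomain.com. webmaster.mydomain.com. (
2005062602 ; Serial
180s ; Refresh Slaves
1H ; Retry
1W ; Expiry
1D ) ; Minimum
mydomain.com. IN NS ns4.mydomain.com.
mydomain.com. IN NS ns5.mydomain.com.
mydomain.com. IN A 123.123.123.123
localhost.mydomain.com. IN A 127.0.0.1
mydomain.com. IN MX 0 mydomain.com.
mail IN CNAME mydomain.com.
www IN CNAME mydomain.com.
ftp IN CNAME mydomain.com.
"""

TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")
CLASSES = {"IN", "CH", "HS"}


def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Minimal master-file parser: strips ';' comments, joins parenthesised
    multi-line records and fills in blank owners. Returns (owner, type, rdata)."""
    records, last_owner, buf, depth = [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue                          # still inside ( ... )
        joined, buf = " ".join(buf), []
        if joined.startswith("$"):
            continue                          # $TTL / $ORIGIN directives
        tokens = joined.replace("(", " ").replace(")", " ").split()
        owner = last_owner if joined[0].isspace() else fqdn(tokens.pop(0), origin)
        last_owner = owner
        if tokens and TTL_RE.fullmatch(tokens[0]):
            tokens.pop(0)                     # optional TTL
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)                     # optional class
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def targets(records, origin=ORIGIN):
    """(owner, rtype, target) for each record whose rdata names a host."""
    out = []
    for owner, rtype, rdata in records:
        if rtype in ("SOA", "NS"):
            out.append((owner, rtype, fqdn(rdata[0], origin)))   # MNAME / NSDNAME
        elif rtype == "MX":
            out.append((owner, rtype, fqdn(rdata[1], origin)))   # EXCHANGE
    return out


def cname_targets(records, origin=ORIGIN):
    """SOA/NS/MX targets that are CNAMEs (not allowed, RFC 2181 s.10.3)."""
    cnames = {o for o, t, _ in records if t == "CNAME"}
    return [hit for hit in targets(records, origin) if hit[2] in cnames]


def missing_addresses(records, origin=ORIGIN):
    """In-zone SOA/NS/MX targets with no A/AAAA record at all; CNAME targets
    are left to cname_targets so each problem is reported once."""
    have = {o for o, t, _ in records if t in ("A", "AAAA", "CNAME")}
    return [hit for hit in targets(records, origin)
            if (hit[2] == origin or hit[2].endswith("." + origin))
            and hit[2] not in have]


if __name__ == "__main__":
    for label, zone in (("v1", ZONE_V1), ("v2", ZONE_V2)):
        recs = parse_zone(zone)
        print(label, "CNAME targets:", cname_targets(recs))
        print(label, "no address record:", missing_addresses(recs))
```

On the first zone it flags the MNAME, the NS and the MX, all of which point at CNAMEs; on the reworked zone the CNAME problem is gone but ns4 and ns5 have no A records, so the zone cannot be reached through its own nameserver names. Neither finding explains the ICMP rejects in the captures, which is consistent with the resolution later in the thread.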

pushback
06-28-2005, 10:26 PM
OK--I got this solved. I'll enter the resolution in here so that others won't have to wrack their brains like I did for 2 weeks! It seems it wasn't a DNS issue at all, rather, I had to have both UDP and TCP open on the firewall (IPtables) for DNS to work. Once I opened up UDP for port 53 the problem was solved.
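The capture itself already said this. An ICMP "host unreachable - admin prohibited" sent by 192.168.100.3 about 192.168.100.3 is exactly what iptables produces for REJECT with icmp-host-prohibited (the default Fedora policy), so the packets reached the server and were refused by its own firewall, not by the Linksys and not by named. The script below is an added example, not code from the thread: it classifies tcpdump lines by transport and pairs each UDP query with the reject that killed it. The two UDP exchanges are the lines quoted above; the two TCP lines are constructed to mirror the nmap result (53/tcp open) and use current tcpdump "Flags [...]" notation rather than the 2005 format.

```python
import re
from collections import Counter

# Constructed capture: UDP lines are the ones posted in the thread, the TCP
# handshake is made up to reflect "53/tcp open" from the nmap scans.
SAMPLE_CAPTURE = """\
20:33:49.504131 IP 202.188.0.181.36949 > 192.168.100.3.domain: 17223 A? mydomain.com. (24)
20:33:49.504242 IP 192.168.100.3 > 202.188.0.181: icmp 60: host 192.168.100.3 unreachable - admin prohibited
13:47:25.754060 IP resolver1-a.xs4all.nl.24291 > 192.168.100.3.domain: 25137 AAAA? www.mydomain.com. (28)
13:47:25.754136 IP 192.168.100.3 > resolver1-a.xs4all.nl: icmp 64: host 192.168.100.3 unreachable - admin prohibited
13:47:26.000001 IP 202.188.0.181.40001 > 192.168.100.3.domain: Flags [S], seq 1000, win 5840, length 0
13:47:26.000090 IP 192.168.100.3.domain > 202.188.0.181.40001: Flags [S.], seq 2000, ack 1001, win 5792, length 0
"""

# UDP query: "<id>[+] <qtype>? <qname> (<len>)" after the "...domain:" port
UDP_QUERY = re.compile(
    r"IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.domain: "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)"
)
# What iptables REJECT --reject-with icmp-host-prohibited looks like on the wire
ICMP_ADMIN_PROHIBITED = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^\s:]+): icmp \d+: host (?P<host>\S+) "
    r"unreachable - admin prohibited"
)
# TCP segments to or from port 53 (tcpdump prints the port as "domain")
TCP_DNS = re.compile(
    r"IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def analyze_capture(text):
    """Count DNS queries per transport and how many UDP queries were answered
    with an admin-prohibited ICMP from the server's own address."""
    stats = Counter()
    pending_udp = {}                # (client, server) -> qname awaiting a reply
    for line in text.splitlines():
        if (m := UDP_QUERY.search(line)):
            stats["udp_queries"] += 1
            pending_udp[(m["src"], m["dst"])] = m["qname"]
        elif (m := ICMP_ADMIN_PROHIBITED.search(line)):
            # Sender and "unreachable host" are the same address: the server
            # refused the packet itself, so this is a host firewall REJECT.
            key = (m["dst"], m["src"])
            if key in pending_udp and m["host"] == m["src"]:
                stats["udp_rejected_by_server"] += 1
                pending_udp.pop(key)
        elif (m := TCP_DNS.search(line)):
            if m["dport"] == "domain" and m["flags"] == "S":
                stats["tcp_syn"] += 1
            elif m["sport"] == "domain" and m["flags"] == "S.":
                stats["tcp_synack"] += 1
    return stats


def diagnose(stats):
    """Plain-language findings derived from the counters."""
    findings = []
    if stats["udp_queries"] and stats["udp_rejected_by_server"] == stats["udp_queries"]:
        findings.append("udp/53 rejected by the server's own firewall")
    if stats["tcp_syn"] and stats["tcp_synack"]:
        findings.append("tcp/53 accepted")
    return findings


def suggested_rules(stats):
    """INPUT rules for whichever transport the capture shows being refused.
    An authoritative server needs both: UDP for ordinary queries, TCP for
    truncated answers and zone transfers."""
    rules = []
    if stats["udp_rejected_by_server"]:
        rules.append("iptables -I INPUT -p udp --dport 53 -j ACCEPT")
    if stats["tcp_syn"] and not stats["tcp_synack"]:
        rules.append("iptables -I INPUT -p tcp --dport 53 -j ACCEPT")
    return rules


if __name__ == "__main__":
    summary = analyze_capture(SAMPLE_CAPTURE)
    print(dict(summary))
    print(diagnose(summary))
    print(suggested_rules(summary))
```

Run against the sample it reports both UDP queries rejected by the server, the TCP handshake completing, and a single missing rule for udp/53, which matches the fix pushback found. The nmap runs could not show this because nmap's default scan is TCP only; a UDP probe of port 53 (or `dig @192.168.100.3 mydomain.com` from the LAN, which uses UDP first) would have.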