Gentoo Forums
DNS and firewall - I give up !
Gentoo Forums Forum Index :: Networking & Security
mpalladi
n00b
Joined: 16 Apr 2003
Posts: 47

Posted: Sun May 25, 2003 3:06 pm    Post subject: DNS and firewall - I give up!

I have been in the process of moving over from Mandrake... this one has me stumped.

I am running a shorewall two-interface firewall. The deal is that I cannot get the Windows clients resolving beyond the firewall. They can DNS-resolve to the Linux gateway.

I have tried both bind and dnsmasq, without success.

I've hunted the forums and can find no clues, which makes me think it normally works, just not for me.

(The Mandrake setup uses bind, and works fine.)

Any suggestions greatly appreciated.
xedx
Tux's lil' helper
Joined: 23 May 2003
Posts: 93

Posted: Mon May 26, 2003 3:17 am    Post subject: rules

Can you post your firewall rules?
_________________
--+//+
gcostanz
n00b
Joined: 24 Feb 2003
Posts: 69
Location: Hilton, New York

Posted: Tue May 27, 2003 10:39 pm

This is just a note of support. I'm in the process of doing the same thing. I've been running my gateway, webserver and mail system on Mandrake 8.1, and before that 7, and before that Red Hat 6.0. It has worked great.

But now all of my desktop boxes are running Gentoo, and I want my server on the same platform, mainly to stay current.

So, I'm in the process of setting up Gentoo on my AMD K6-III. I was just about to sit down and start working on the dnsmasq configuration when I decided to check the forums first. Your note is not encouraging, but I intend to plod through it. It will be a few days before I have an answer, but I'll be watching this thread.
fatcat.00
Tux's lil' helper
Joined: 12 Aug 2002
Posts: 145

Posted: Wed May 28, 2003 1:42 am

Not to worry, I am quite sure we can get it working.

There are two obvious things that could be wrong.
1) Your DNS server isn't handing out root servers when he should.
or
2) Your firewall is blocking DNS queries to the Internet.

First, run this command from a UN*X host *behind* your firewall:
Code:
dig @e.root-servers.net . ns | awk '$1 !~ /^;/ { print $0 } '

If you get back a "command not found" error, you need to emerge "bind-tools". The correct output should look like this:
Code:
.         518400   IN   NS   K.ROOT-SERVERS.NET.
.         518400   IN   NS   L.ROOT-SERVERS.NET.
.         518400   IN   NS   M.ROOT-SERVERS.NET.
.         518400   IN   NS   I.ROOT-SERVERS.NET.
.         518400   IN   NS   E.ROOT-SERVERS.NET.
.         518400   IN   NS   D.ROOT-SERVERS.NET.
.         518400   IN   NS   A.ROOT-SERVERS.NET.
.         518400   IN   NS   H.ROOT-SERVERS.NET.
.         518400   IN   NS   C.ROOT-SERVERS.NET.
.         518400   IN   NS   G.ROOT-SERVERS.NET.
.         518400   IN   NS   F.ROOT-SERVERS.NET.
.         518400   IN   NS   B.ROOT-SERVERS.NET.
.         518400   IN   NS   J.ROOT-SERVERS.NET.

K.ROOT-SERVERS.NET.   3600000   IN   A   193.0.14.129
L.ROOT-SERVERS.NET.   3600000   IN   A   198.32.64.12
M.ROOT-SERVERS.NET.   3600000   IN   A   202.12.27.33
I.ROOT-SERVERS.NET.   3600000   IN   A   192.36.148.17
E.ROOT-SERVERS.NET.   3600000   IN   A   192.203.230.10
D.ROOT-SERVERS.NET.   3600000   IN   A   128.8.10.90
A.ROOT-SERVERS.NET.   3600000   IN   A   198.41.0.4
H.ROOT-SERVERS.NET.   3600000   IN   A   128.63.2.53
C.ROOT-SERVERS.NET.   3600000   IN   A   192.33.4.12
G.ROOT-SERVERS.NET.   3600000   IN   A   192.112.36.4
F.ROOT-SERVERS.NET.   3600000   IN   A   192.5.5.241
B.ROOT-SERVERS.NET.   3600000   IN   A   128.9.0.107
J.ROOT-SERVERS.NET.   3600000   IN   A   192.58.128.30

If you get back this output, then your firewall is NOT the problem. Run the same command, except instead of pointing to one of the root servers, point to your own DNS server:
Code:
dig @YOUR.DNS.SERVER . ns | awk '$1 !~ /^;/ { print $0 } '

That should produce very similar output as when you queried the root server. If it doesn't, then your BIND config might have problems.

Anyway, let us know what you find out.
_________________
-- Fatcat
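As an added example, not code from fatcat or anyone in this thread, here is a small Python script that performs the same root-NS check without dig: it builds the `. NS` query that `dig @server . ns` sends, parses the reply (including DNS name compression, which real root-server answers use), and returns the NS names so you can compare a root server's answer with your gateway's. `query_root_ns`, `build_root_ns_query`, `parse_root_ns_answer` and the sample reply bytes are assumptions of this example; the sample reply is constructed, not a capture.

```python
import socket
import struct
def build_root_ns_query(txid=0x1234):
    """DNS query for '.' type NS, recursion desired: what `dig @server . ns` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)  # root QNAME, QTYPE=NS, QCLASS=IN
def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = end if jumped else off + 2
            jumped, off = True, struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
def parse_root_ns_answer(pkt):
    """Names of the NS records in the answer section; [] if the server returned an error."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:                             # RCODE != NOERROR
        return []
    off = 12
    for _ in range(qd):
        off = _read_name(pkt, off)[1] + 4          # skip QNAME, QTYPE, QCLASS
    names = []
    for _ in range(an):
        off = _read_name(pkt, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 2:                             # NS record: RDATA is a name
            names.append(_read_name(pkt, off)[0])
        off += rdlen
    return names
def query_root_ns(server, timeout=3.0):  # live check against a root server or your own gateway
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(), (server, 53))
        return parse_root_ns_answer(s.recvfrom(4096)[0])
# Constructed reply (not a real capture): two NS records, the second using name compression.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00" + b"\x00\x00\x02\x00\x01"  # header + question ". NS IN"
    + b"\x00\x00\x02\x00\x01\x00\x07\xe9\x00\x00\x14" + b"\x01A\x0cROOT-SERVERS\x03NET\x00"  # . NS A.ROOT-SERVERS.NET.
    + b"\x00\x00\x02\x00\x01\x00\x07\xe9\x00\x00\x04" + b"\x01B\xc0\x1e"  # . NS B + pointer to offset 30
)
```

Running `query_root_ns("e.root-servers.net")` and `query_root_ns("YOUR.DNS.SERVER")` from a host behind the firewall reproduces fatcat's two dig checks; an empty list from the second call while the first succeeds points at the resolver config rather than the firewall.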
mpalladi
n00b
Joined: 16 Apr 2003
Posts: 47

Posted: Wed May 28, 2003 1:09 pm

fatcat,

Your help was invaluable!

I tried your suggestions, and what I found was very interesting.

The nameservers that I am automatically assigned from my ISP are

nameserver 203.194.27.57 #kppp temp entry
nameserver 203.194.56.150 #kppp temp entry

My firewall is able to dig these servers as you suggest. However these servers have been configured in such a way as they cannot be pinged, I guess to prevent from a denial of service attack. Try it yourself from your machine.

The consequence of this is that, for a reason I do not know, the client Windows machines behind the firewall cannot use them as a DNS server, either directly or through the firewall.

So whatever they have done is very restrictive and clever, and far beyond my simple knowledge.

I added a few more, less restrictive name servers in my /etc/resolv.conf file, and everything worked.

Mark
fatcat.00
Tux's lil' helper
Joined: 12 Aug 2002
Posts: 145

Posted: Thu May 29, 2003 12:35 am

Alright well there's something else you can do too. Add this to your named.conf file in the "options" section:

Code:
options {
   directory "/var/named";

   forwarders {
      203.194.27.57;
      203.194.56.150;
   };
.
.
.
};

This tells your DNS server to forward any requests that he can't answer himself to the IP addresses defined. That should fix this issue. Now your interior hosts can hit your Gentoo DNS and resolve internet addresses (or should be able to).

I can't ping those servers either, because my ISP blocks all ICMP "echo request" messages, amongst other things. However, lack of ping shouldn't prevent your interior hosts from using those DNS servers directly... no matter, the forwarders thing I mention above makes your DNS ask on the clients' behalf (kinda like a DNS proxy), so as long as your DNS box can resolve queries, your other interior hosts should be able to.

If you run into more trouble, post again to this thread.
_________________
-- Fatcat
All times are GMT