mpalladi (n00b)
Joined: 16 Apr 2003, Posts: 47
Posted: Sun May 25, 2003 3:06 pm    Post subject: DNS and firewall - I give up !
I have been in the process of moving over from Mandrake.. this one has me stumped.
I am running a Shorewall two-interface firewall. The deal is that I cannot get the Windows clients resolving beyond the firewall. They can DNS resolve to the Linux box (gateway).
I have tried both BIND and dnsmasq, without success.
I've hunted the forums, and can find no clues, which makes me think it normally works, just not for me.
(The Mandrake setup uses BIND, and works fine.)
Any suggestions greatly appreciated.
xedx (Tux's lil' helper)
Joined: 23 May 2003, Posts: 93
Posted: Mon May 26, 2003 3:17 am    Post subject: rules
Can you post your firewall rules?
--+//+
gcostanz (n00b)
Joined: 24 Feb 2003, Posts: 69, Location: Hilton, New York
Posted: Tue May 27, 2003 10:39 pm
This is just a note of support. I'm in the process of doing the same thing. I've been running my gateway, webserver and mail system on Mandrake 8.1. And before that, 7, and before that Red Hat 6.0. It has worked great.
But now all of my desktop boxes are running Gentoo, and I want my server on the same platform, mainly to stay current.
So, I'm in the process of setting up Gentoo on my AMD K6-III. I was just about to sit down and start working on the dnsmasq configuration, when I decided to check the forums first. Your note is not encouraging, but I intend to plod through it. It will be a few days before I have an answer, but I'll be watching this thread.
fatcat.00 (Tux's lil' helper)
Joined: 12 Aug 2002, Posts: 145
Posted: Wed May 28, 2003 1:42 am
Not to worry, I am quite sure we can get it working.
There are two obvious things that could be wrong.
1) Your DNS server isn't handing out root servers when he should.
or
2) Your firewall is blocking DNS queries to the Internet.
First, run this command from a UN*X host *behind* your firewall:
Code:
dig @e.root-servers.net . ns | awk '$1 !~ /^;/ { print $0 } '
If you get back a "command not found" error, you need to emerge "bind-tools". The correct output should look like this:
Code:
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
B.ROOT-SERVERS.NET. 3600000 IN A 128.9.0.107
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
If you get back this output, then your firewall is NOT the problem. Run the same command, except instead of pointing to one of the root servers, point to your own DNS server:
Code:
dig @YOUR.DNS.SERVER . ns | awk '$1 !~ /^;/ { print $0 } '
That should produce very similar output as when you queried the root server. If it doesn't, then your BIND config might have problems.
Anyway, let us know what you find out.
-- Fatcat
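As an added example, not from the thread or from any of its posters: a small POSIX shell script that automates the two-step check above, comparing the root NS set a root server returns with the set your own resolver returns, so you can tell a firewall problem from a resolver-config problem. The sample dig outputs are constructed and abbreviated, and the check_resolver helper and its exit codes are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig (bind-tools) is installed.

# Keep only NS records for the root zone from dig output (dig prints its
# own status lines with a leading ';', and glue A records alongside the NS
# answers); print the server names upper-cased and sorted so that order,
# letter case and cached TTLs do not cause false mismatches.
root_ns_names() {
    awk '$1 == "." && $4 == "NS" { print toupper($5) }' | sort -u
}

# Succeed only when both answers list the same, non-empty set of root servers.
same_ns_set() {
    a=$(printf '%s\n' "$1" | root_ns_names)
    b=$(printf '%s\n' "$2" | root_ns_names)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check (assumed helper): query a root server directly, then the
# resolver given as $1, and report which side of the problem you are on.
check_resolver() {
    from_root=$(dig @e.root-servers.net . ns 2>/dev/null) \
        || { echo "no answer from the root server: firewall blocking DNS?"; return 2; }
    from_local=$(dig @"$1" . ns 2>/dev/null) \
        || { echo "no answer from $1: is the resolver running?"; return 3; }
    if same_ns_set "$from_root" "$from_local"; then
        echo "OK: $1 returns the same root NS set as the root server"
    else
        echo "MISMATCH: check the BIND/dnsmasq configuration on $1"
        return 1
    fi
}

# Constructed sample answers (abbreviated to three root servers).
SAMPLE_ROOT='; <<>> DiG 9.2.2 <<>> @e.root-servers.net . ns
;; ANSWER SECTION:
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  IN  A  198.41.0.4'
SAMPLE_LOCAL=';; ANSWER SECTION:
.   517212  IN  NS  a.root-servers.net.
.   517212  IN  NS  b.root-servers.net.
.   517212  IN  NS  c.root-servers.net.'
SAMPLE_BROKEN=';; ANSWER SECTION:
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.'
```

Run it interactively as `check_resolver 192.168.1.1` (your gateway's address) from a host behind the firewall; exit code 2 points at the firewall, 1 at the resolver configuration.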
mpalladi (n00b)
Joined: 16 Apr 2003, Posts: 47
Posted: Wed May 28, 2003 1:09 pm
fatcat,
Your help was invaluable!
I tried your suggestions; what I found was very interesting.
The nameservers that I am automatically assigned from my ISP are
nameserver 203.194.27.57 #kppp temp entry
nameserver 203.194.56.150 #kppp temp entry
My firewall is able to dig these servers as you suggest. However, these servers have been configured in such a way that they cannot be pinged, I guess to prevent a denial of service attack. Try it yourself from your machine.
The consequence of this is that, for a reason I do not know, the client Windows machines behind the firewall cannot use them as a DNS server, either directly or through the firewall.
So whatever they have done is very restrictive and clever, and far beyond my simple knowledge.
I added a few more less restrictive name servers in my /etc/resolv.conf file, and everything worked.
Mark
fatcat.00 (Tux's lil' helper)
Joined: 12 Aug 2002, Posts: 145
Posted: Thu May 29, 2003 12:35 am
Alright, well there's something else you can do too. Add this to your named.conf file in the "options" section:
Code:
options {
    directory "/var/named";
    forwarders {
        203.194.27.57;
        203.194.56.150;
    };
    ...
};
This tells your DNS server to forward any requests that he can't answer himself to the IP addresses defined. That should fix this issue. Now your interior hosts can hit your Gentoo DNS and resolve Internet addresses (or should be able to).
I can't ping those servers either, because my ISP blocks all ICMP "echo request" messages, amongst other things. However, lack of ping shouldn't prevent your interior hosts from using those DNS servers directly... no matter, the forwarders thing I mention above makes your DNS ask on the clients' behalf (kinda like a DNS proxy), so as long as your DNS box can resolve queries, your other interior hosts should be able to.
If you run into more trouble, post again to this thread.
-- Fatcat