DNS and firewall help please

mpalladi · 05-25-2003, 08:48 PM

I have been in the process of moving over from mandrake..this one has me stumped.

Am running a shorewall two-interface firewall. The deal is that I cannot get the windows clients resolving beyond the firewall. They can dns resolve to the linux (gateway). They can ping ip addresses beyond the firewall, just not resolve the name.

They can resolve the name, however, on the internal network, so it appears DNS is working, at least partially.

I have checked that port 53 is open between the local zone and the firewall, and between the firewall and the internet

I have tried both bind and dnsmasq, without success.

Ie hunted the forums, and can find no clues, which makes me think it normally works, just not for me.

(The mandrake setup uses bind, and works fine )

Any suggestions greatly appreciated

robot_army · 05-25-2003, 10:10 PM

Try manually configuring DNS on clients to see if they can resolve then. If they can, triple-check your zone files to make sure everything is as it should be.

mpalladi · 05-26-2003, 09:35 AM

I can't figure this out.

My client machines can ping external adresses, for example
206.16.0.147 for www.cnet.com.

But, they cannot ping the ip for my name server in /etc/resolv.conf
search localdomain
nameserver 192.168.1.1
nameserver 203.194.27.57 #kppp temp entry
nameserver 203.194.56.150 #kppp temp entry

ie ping 203.194.27.57 just times out.

What even more strange is that my linux router/firewall cannot ping the nameservers either, but that cannot be, because how else would it be resolving internet names ?

The water get's murky now.

If I host 203.194.27.57
I get
57.27.194.203.in-addr.arpa domain name pointer ns3.comindico.com.au

and dig 203.194.2; <<>> DiG 9.2.2 <<>> 203.194.27.57
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31926
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;203.194.27.57. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2003052600 1800 900 604800 86400

;; Query time: 450 msec
;; SERVER: 203.194.27.57#53(203.194.27.57)
;; WHEN: Mon May 26 22:38:07 2003
;; MSG SIZE rcvd: 106
7.57

I not sure exactly what these tools do, but they have been mentioned as tools to use to resolve dns/lookup issues on the forums.

That would point, I guess, to icmp being blocked by the firewall, even though I have specified it in the shorewall rules file as follows

# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8

Help !