LinuxQuestions.org
Old 03-03-2005, 09:06 PM   #1
KurtAKARebuild
LQ Newbie
 
Registered: Feb 2005
Location: Australia
Distribution: Debian, Reformed Slackwareist
Posts: 20

Rep: Reputation: 0
DNS Config error preventing access to secure sites?


Hi All. For me this is a strange one. I've recently set up an internal DNS server at work to support using short names for our intranet websites & other internal devices. I did this so I wouldn't have to alter people's hosts file every time I added, removed or (for whatever reason) changed the IP of a service.

Since setting up this name server and altering the DHCP server to give it out instead of the DNSs supplied by our ISP, nobody can access any secure sites (banking, airline bookings etc). When I changed it back to our ISP supplied DNSs everything worked normally again.

I can only assume I've made an error setting up the DNS.

I'm using Bind 9.2.4 on Debian 3.1 (testing)

The DNS box runs at 192.168.0.253.
The router to the internet is at 192.168.0.254

Configuration files follow:

named.conf
Code:
include "/etc/bind/named.conf.options";
zone "." {
	type hint;
	file "/etc/bind/db.root";
};
zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
named.conf.options
Code:
options {
	directory "/etc/bind";
	listen-on port 53 { 127.0.0.1; 192.168.0.253; };
	listen-on-v6 { none; };
	allow-query { 127.0.0.1; 192.168.0.0/24; };
	notify no;
	forwarders {
		203.12.160.35;
		203.12.160.36;
	};
	auth-nxdomain no;
};
named.conf.local
Code:
zone "our-domain.sanitised" {
	type master;
	file "our-domain.sanitised";
};

zone "0.168.192.in-addr.arpa" {
	type master;
	file "192.168.0";
};
our-domain.sanitised
Code:
$TTL 1M
@		IN	SOA	ns1.our-domain.sanitised.	me.our-domain.sanitised. (
					200502241	; serial
					8H
					2H
					1W
					1D )

			NS	ns1

		IN	A	[our public ip - matches delegated NS entry]
www			A	[our externally hosted www server]
router			A	192.168.0.254
ns1			A	192.168.0.253
photocopier		A	192.168.0.252
intranet		CNAME	ns1.our-domain.sanitised.
finance			CNAME	ns1.our-domain.sanitised.
mailscanner		CNAME	ns1.our-domain.sanitised.
192.168.0
Code:
$TTL 1M
@		IN	SOA	ns1.our-domain.sanitised.	me.our-domain.sanitised. (
				200502241	; serial
				8H		; refresh
				2H		; retry
				1W		; expire
				1D )		; MIN TTL

		NS	ns1.our-domain.sanitised.
254		PTR	router.our-domain.sanitised.
253		PTR	ns1.our-domain.sanitised.
252		PTR	photocopier.our-domain.sanitised.
 
Old 03-04-2005, 06:44 AM   #2
Brian Knoblauch
Member
 
Registered: Jan 2005
Distribution: OpenSuse Tumbleweed
Posts: 288

Rep: Reputation: 39
Can you ping any of those external secure sites?
 
Old 03-04-2005, 09:58 AM   #3
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Re: DNS Config error preventing access to secure sites?

Quote:
Originally posted by KurtAKARebuild ...
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
...
Are those typos from scrubbing the actual values, or is that what's in your named.conf? Forgive me if BIND actually needs those, but I've never set those up and I can't find anything else obvious that would break anything. If it's something you need, what's in the db.0 and db.255 zonefiles? Do they check out ok, for that matter do all the others check out with no errors?
Code:
named-checkzone 255.in-addr.arpa /etc/bind/db.255
named-checkzone 0.in-addr.arpa /etc/bind/db.0

named-checkzone localhost /etc/bind/db.local
named-checkzone 127.in-addr.arpa /etc/bind/db.127
named-checkzone your-real-domainname.com /path_to/domain.zonefile
named-checkzone 0.168.192.in-addr.arpa /path_to/192.168.0
 
Old 03-04-2005, 10:05 AM   #4
Brian Knoblauch
Member
 
Registered: Jan 2005
Distribution: OpenSuse Tumbleweed
Posts: 288

Rep: Reputation: 39
Those have nothing to do with "BIND" needing them. They're reverse DNS entries which should be used on internal networks. They look a little malformed, and may be what's causing the problem (if the browser is unable to verify the proper reverse address, it could reject it I suppose). However, lots of people vhost on single IPs and the reverse wouldn't match up for more than one client anyway...
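Added example, not code from the thread: a small Python check that parses the forward and reverse zone files posted in #1 and cross-checks them in the way #3 (named-checkzone) and #4 (reverse entries matching the forward ones) are getting at. The two redacted public addresses from the forward zone are replaced with RFC 5737 documentation addresses (203.0.113.10 and .20), which is an assumption; everything else is copied from the post. The parser handles the master-file features those files use (comments, the parenthesised SOA, inherited owners, optional TTL/class fields, $ORIGIN).

```python
"""Forward/reverse consistency check for the zone files in post #1 (added example)."""
import ipaddress
import re

FORWARD_ORIGIN = "our-domain.sanitised."
REVERSE_ORIGIN = "0.168.192.in-addr.arpa."
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
CLASSES = {"IN", "CH", "HS"}

# Constructed copy of the forward zone from post #1; the two redacted public
# IPs are replaced with RFC 5737 documentation addresses (an assumption).
FORWARD_ZONE = """\
$TTL 1M
@\t\tIN\tSOA\tns1.our-domain.sanitised.\tme.our-domain.sanitised. (
\t\t\t\t\t200502241\t; serial
\t\t\t\t\t8H
\t\t\t\t\t2H
\t\t\t\t\t1W
\t\t\t\t\t1D )

\t\t\tNS\tns1

\t\tIN\tA\t203.0.113.10
www\t\t\tA\t203.0.113.20
router\t\t\tA\t192.168.0.254
ns1\t\t\tA\t192.168.0.253
photocopier\t\tA\t192.168.0.252
intranet\t\tCNAME\tns1.our-domain.sanitised.
finance\t\t\tCNAME\tns1.our-domain.sanitised.
mailscanner\t\tCNAME\tns1.our-domain.sanitised.
"""

# Constructed copy of the reverse zone from post #1.
REVERSE_ZONE = """\
$TTL 1M
@\t\tIN\tSOA\tns1.our-domain.sanitised.\tme.our-domain.sanitised. (
\t\t\t\t200502241\t; serial
\t\t\t\t8H\t\t; refresh
\t\t\t\t2H\t\t; retry
\t\t\t\t1W\t\t; expire
\t\t\t\t1D )\t\t; MIN TTL

\t\tNS\tns1.our-domain.sanitised.
254\t\tPTR\trouter.our-domain.sanitised.
253\t\tPTR\tns1.our-domain.sanitised.
252\t\tPTR\tphotocopier.our-domain.sanitised.
"""


def qualify(name, origin):
    """Turn a zone-file owner or target into an absolute name with a trailing dot."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata-tokens) triples from master-format zone text."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")  # join ( ... ) continuations
        if depth == 0:
            logical.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    records, last_owner = [], origin
    for line in logical:
        tokens = line.split()
        if tokens[0].startswith("$"):             # $TTL, $ORIGIN, ... directives
            if tokens[0] == "$ORIGIN":
                origin = tokens[1]
            continue
        if line[0] in " \t":                       # blank owner inherits the previous one
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        if tokens and re.fullmatch(r"\d+[smhdwSMHDW]?", tokens[0]):
            tokens.pop(0)                          # optional TTL
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)                          # optional class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_zones(forward_text, reverse_text, fwd_origin=FORWARD_ORIGIN,
                rev_origin=REVERSE_ORIGIN, network=INTERNAL_NET):
    """Return sorted findings; an empty list means A and PTR data agree inside `network`."""
    fwd = parse_zone(forward_text, fwd_origin)
    rev = parse_zone(reverse_text, rev_origin)
    names, a_by_ip, ptr_by_ip = set(), {}, {}
    for owner, rtype, rdata in fwd:
        names.add(owner)
        if rtype == "A":
            a_by_ip.setdefault(ipaddress.ip_address(rdata[0]), set()).add(owner)
    for owner, rtype, rdata in rev:
        if rtype == "PTR" and owner.endswith(".in-addr.arpa."):
            octets = owner[:-len(".in-addr.arpa.")].split(".")   # 254.0.168.192 -> 192.168.0.254
            ptr_by_ip[ipaddress.ip_address(".".join(reversed(octets)))] = qualify(rdata[0], rev_origin)
    findings = []
    for ip, owners in a_by_ip.items():
        if ip not in network:                      # external hosts have no local reverse zone
            continue
        if ip not in ptr_by_ip:
            findings.append(f"missing PTR for {ip} ({', '.join(sorted(owners))})")
        elif ptr_by_ip[ip] not in owners:
            findings.append(f"PTR for {ip} points to {ptr_by_ip[ip]}, A records say {', '.join(sorted(owners))}")
    for ip, target in ptr_by_ip.items():
        if ip not in a_by_ip:
            findings.append(f"PTR {ip} -> {target} has no matching A record")
    for owner, rtype, rdata in fwd:
        if rtype == "CNAME" and qualify(rdata[0], fwd_origin) not in names:
            findings.append(f"CNAME {owner} -> {rdata[0]} has no target in the zone")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_zones(FORWARD_ZONE, REVERSE_ZONE) or ["zones are consistent"]:
        print(line)
```

Run against the posted files the check reports nothing: every 192.168.0.x A record has a PTR that names it, and every CNAME targets ns1, which exists. Adding a host to one zone and not the other produces a finding, which is the kind of drift that builds up when records are edited by hand. Note that this is about keeping internal records tidy rather than the HTTPS symptom in the thread: a browser validates a server certificate against the name the user typed, not against a reverse lookup, so a missing or mismatched PTR on the client's resolver does not break a TLS handshake, which is consistent with the followup in #6.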
 
Old 03-06-2005, 06:37 PM   #5
KurtAKARebuild
LQ Newbie
 
Registered: Feb 2005
Location: Australia
Distribution: Debian, Reformed Slackwareist
Posts: 20

Original Poster
Rep: Reputation: 0
Thanks Guys,

All files check out ok with named-checkzone.

The two zones/zone files in question are included with the default configuration provided by the BIND9 debian package - I have not modified them.

I'm not able to ping the secure sites, though banks (etc) being paranoid as they are could be expected to block/drop pings. The secure sites do resolve correctly but do not reverse resolve (some not correctly, some not at all) but this is the case whether using my DNS or the ISP provided DNS.

I'm thinking that the issue arises during the SSL negotiation (issues with forward and reverse resolution and the 'authoritativeness' of the responses) but I'm having trouble finding out exactly how this works. Any suggestions on reference material that gives a thorough treatment of SSL?

til next time
Kurt
 
Old 03-29-2005, 10:12 PM   #6
KurtAKARebuild
LQ Newbie
 
Registered: Feb 2005
Location: Australia
Distribution: Debian, Reformed Slackwareist
Posts: 20

Original Poster
Rep: Reputation: 0
FOLLOWUP: This problem as it turns out WAS NOT related to my bind configuration. It was a problem with our router. It was, it seems, pure coincidence that changing the DNS entries on the router caused/fixed the problem - new router, no problem.

Thanks for your help/suggestions guys.
 