LinuxQuestions.org
Old 05-21-2008, 07:37 AM   #1
Tux-Slack
DNS doesn't resolve hosts that are on internal DNS


Hello,

let me first explain what kind of a situation we have here.

We have a firewall for our whole network; on this network there is a "server subnet" and a "client subnet", as we call them.
The firewall acts as a DNS for clients AND servers; the "firewall DNS" does not serve any hosts, but only resolves DNS requests.
On the server subnet we have a cPanel server and a DNS-ONLY cPanel server, which are connected; these two serve domains.

So the cPanel and DNS-ONLY cPanel servers serve a domain, say mydomain.com.
So I go to an external machine, not on this network, and try to resolve mydomain.com, which resolves just fine, as it should.
The problem is when I try to resolve mydomain.com from our network or the firewall: then it just doesn't want to resolve. Everything else, every domain that is not hosted on our DNS servers, resolves just fine; only our domains are the problem. What could be the cause of that? All servers are Linux machines with Red Hat or Red Hat-based distributions.

Regards,
Tux-Slack
 
Old 05-22-2008, 10:21 PM   #2
JimBass
You need to set up views within BIND. I think cPanel is a toy, so I can't advise you on its use. Google for bind views and you'll find your answer. The first link is exactly what you need.

You set up 3 views for your situation. One for the public net (smallest, with no recursion), then 2 internal (or 1, depending on your topology). If the servers and the clients have separate subnets, you'll need one for each. If all the internals have the same subnet, you can get away with one internal view.

Peace,
JimBass
 
Old 05-26-2008, 01:23 AM   #3
Tux-Slack
I think the problem is somewhere in the firewall. All zones are in views. I can resolve the host if I do it like so:
dig somehost.com @192.168.15.3
If I input the local IP of the DNS server.
But... if I do this:
dig somehost.com @xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx is the external IP) then it does not resolve the host.
If I just let the firewall recursively resolve the host, then this is what I get from the firewall logs:
Code:
May 26 08:05:36 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=40847 DF PROTO=UDP SPT=32812 DPT=53 LEN=41
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=42
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=42
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=53
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=53
For some reason these packets just don't then get NATed over to the DNS server. The DNS server does not know anything about these packets, because they never reach it.
 
Old 05-27-2008, 08:58 PM   #4
JimBass
That could be any number of things, but trying to resolve to the WAN address of the DNS from inside the LAN will often be doomed to failure. That isn't a DNS issue, it is a network issue. You often can't loopback to the WAN address from inside.

The proper way to test would be to connect to any machine outside your network at work, and check from there.

Peace,
JimBass
 
Old 05-27-2008, 09:11 PM   #5
grizly
Is bind listening on all three interfaces? (public, private, and loopback)

Can you post your named.conf file? Specifically the listen-on and allow-query sections.

Some helpful advice for BIND: http://www.novell.com/communities/no...et-name-domain
 
Old 06-02-2008, 01:49 AM   #6
Tux-Slack
JimBass: I'm not doing this for testing; I have an outside view on the servers and can test them.

grizly: The problem isn't the DNS; it's listening on every address, don't worry. But the machine that's running the DNS never hears about those packets, because the firewall doesn't forward them.

Here's how I fixed the problem.
On the cache-only DNS server on the firewall I added forwarders with the internal DNS servers; now it resolves as it should.
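What that fix looks like in BIND's named.conf on the firewall's caching-only resolver, as an added example and not the poster's actual configuration: 192.168.15.3 is the internal DNS address from the earlier dig command; the second forwarder address, the subnet ranges, the LAN-side listen addresses and the reverse zone are assumptions. The point of the forward zones is that queries for the hosted domains are sent straight to the internal authoritative servers instead of following the public NS records to the firewall's own WAN address, which is the path the kernel log above shows looping on lo and never being NATed.

```conf
// Firewall caching-only resolver: added example, not the poster's config.
// Assumed: servers on 192.168.15.0/24, clients on 192.168.20.0/24.
acl "internal" { 127.0.0.1; 192.168.15.0/24; 192.168.20.0/24; };

options {
    directory "/var/named";
    // Listen only on loopback and the LAN-side addresses (assumed), so the
    // cache is never reachable, and never recursive, from the WAN side.
    listen-on { 127.0.0.1; 192.168.15.1; 192.168.20.1; };
    allow-query     { internal; };
    allow-recursion { internal; };
    recursion yes;
};

// Anything not matched by a forward zone below is resolved via the root hints.
zone "." {
    type hint;
    file "named.ca";
};

// Hosted domain: send these queries to the internal authoritative servers.
// "forward only" means a failure here is returned as a failure instead of
// falling back to normal recursion, which would go to the WAN address again.
zone "mydomain.com" {
    type forward;
    forward only;
    forwarders { 192.168.15.3; 192.168.15.4; };   // 192.168.15.4 assumed: DNS-ONLY cPanel box
};

// Reverse zone for the server subnet, same idea (assumed zone).
zone "15.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.15.3; };
};
```

After editing, `named-checkconf` validates the syntax and `dig @127.0.0.1 mydomain.com` from the firewall should now return the answer the internal servers give. Two things to keep in mind: the cache will hand internal clients whatever the internal servers say for those zones, so keep `allow-query` and `allow-recursion` restricted to the LAN (an open resolver on the WAN address is a separate problem); and if the authoritative servers use views, the answer the firewall caches is the one for the view its source address (192.168.15.1 here) falls into.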
 
Old 06-03-2008, 04:01 AM   #7
grizly
Forwarders... it's always the forwarders... they are just far too forward for my liking!

 
Old 06-03-2008, 04:44 AM   #8
Tux-Slack
Well I don't like it either, but I can't seem to get it working otherwise.
 
Old 06-03-2008, 06:42 AM   #9
ARC1450
Quote:
Originally Posted by JimBass
You need to set up views within BIND. I think cPanel is a toy, so I can't advise you on its use. Google for bind views and you'll find your answer. The first link is exactly what you need.

You set up 3 views for your situation. One for the public net (smallest, with no recursion), then 2 internal (or 1, depending on your topology). If the servers and the clients have separate subnets, you'll need one for each. If all the internals have the same subnet, you can get away with one internal view.

Peace,
JimBass
Just FYI, one view can cover multiple subnets easily. Unless you mean something completely different, which is possible. All you have to do is include all subnets you want to be answered, like 192.168.0.0/29; 192.168.1.0/30; 192.168.2.0/24.
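Putting JimBass's view layout (post #2) and ARC1450's point about one view covering several subnets together, here is an added example named.conf for the authoritative cPanel server. It is not the poster's or cPanel's configuration; the subnet ranges, the secondary server's address and the zone file names are assumptions. It also answers grizly's listen-on and allow-query question in the same file.

```conf
// Authoritative server (the cPanel box) with split-horizon views.
// Added example; all addresses and file names are assumptions.
acl "servers"   { 192.168.15.0/24; };
acl "clients"   { 192.168.20.0/24; };
acl "secondary" { 192.168.15.4; };      // assumed: the DNS-ONLY cPanel server

options {
    directory "/var/named";
    listen-on { any; };                 // public, private and loopback addresses
    allow-query { any; };
    allow-transfer { none; };           // opened per zone below, never globally
    recursion no;                       // default for every view unless overridden
};

// Once any view exists, every zone must live inside a view. Views are tried
// in order and the first match-clients that matches the query's source
// address wins, so the internal view has to come before the catch-all.
// One match-clients list can name as many subnets as needed.
view "internal" {
    match-clients { localhost; servers; clients; };
    recursion yes;                      // LAN hosts may use this server as a resolver
    allow-recursion { localhost; servers; clients; };
    zone "." { type hint; file "named.ca"; };
    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.db";   // internal addresses for the hosts
        allow-transfer { secondary; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // never recurse for the Internet
    allow-recursion { none; };
    zone "mydomain.com" {
        type master;
        file "external/mydomain.com.db";   // public addresses only
        allow-transfer { secondary; };
    };
};
```

One caveat worth knowing before relying on this: zone transfers are matched to a view by the secondary's source address like any other query, so with the secondary sitting inside the "servers" range it would only ever pull the internal copy of the zone. The usual answer is to select the view by a TSIG key instead of by address (`match-clients { key name; ... }`), with the secondary using a different key for each copy it replicates.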
 
  

