LinuxQuestions.org


Tux-Slack 05-21-2008 07:37 AM

DNS doesn't resolve hosts that are on internal DNS
 
Hello,

Let me first explain what kind of a situation we have here.

We have a firewall for our whole network; on this network there is a "server subnet" and a "client subnet", as we call them.
The firewall acts as a DNS server for clients AND servers; the "firewall DNS" does not serve any hosts, it only resolves DNS requests.
On the server subnet we have a cPanel server and a DNS-ONLY cPanel server, which are connected; these two serve domains.

So the cPanel and DNS-ONLY cPanel servers serve a domain, e.g. mydomain.com.
So I go to an external machine not on this network and try to resolve mydomain.com, which resolves just fine, as it should.
The problem is when I try to resolve mydomain.com from our network or from the firewall: then it just doesn't want to resolve. Everything else, every domain that is not hosted on our DNS servers, resolves just fine; only our own domains are the problem. What could be the cause of that? All servers are Linux machines running Red Hat or Red Hat-based distributions.

Regards,
Tux-Slack

JimBass 05-22-2008 10:21 PM

You need to set up views within BIND. I think cPanel is a toy, so I can't advise you on its use. Google for "bind views" and you'll find your answer. The first link is exactly what you need.

You set up 3 views for your situation. One for the public net (smallest, with no recursion), then 2 internal (or 1, depending on your topology). If the servers and the clients have separate subnets, you'll need one for each. If all the internals have the same subnet, you can get away with one internal view.

Peace,
JimBass

Tux-Slack 05-26-2008 01:23 AM

I think the problem is somewhere in the firewall. All zones are in views. I can resolve the host if I do it like so:
dig somehost.com @192.168.15.3
If I input the local IP of the DNS server.
But... if I do this:
dig somehost.com @xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx is the external IP) then it does not resolve the host.
If I just let the firewall recursively resolve the host, then this is what I get in the firewall logs:
Code:

May 26 08:05:36 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=40847 DF PROTO=UDP SPT=32812 DPT=53 LEN=41
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=42
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=42
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=53
May 26 08:05:37 gator kernel: [FW-0]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=53

For some reason these packets just don't then get NATed over to the DNS server. The DNS server does not know anything about these packets, because they never reach it.

JimBass 05-27-2008 08:58 PM

That could be any number of things, but trying to resolve to the WAN address of the DNS from inside the LAN will often be doomed to failure. That isn't a DNS issue, it is a network issue. You often can't loopback to the WAN address from inside.

The proper way to test would be to connect to any machine outside your network at work, and check from there.

Peace,
JimBass

grizly 05-27-2008 09:11 PM

Is bind listening on all three interfaces? (public, private, and loopback)

Can you post your named.conf file? Specifically the listen-on and allow-query sections.

Some helpful advice for BIND: http://www.novell.com/communities/no...et-name-domain

Tux-Slack 06-02-2008 01:49 AM

JimBass: I'm not doing this for testing, I have an outside view on the servers and can test them.

grizly: The problem isn't the DNS, it's listening on every address, don't worry, but the machine that's running the DNS never hears about those packages, because the firewall doesn't forward them.


Here's how I fixed the problem.
On the caching-only DNS server on the firewall I added forwarders for the internal DNS servers, and now it resolves as it should.
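For readers hitting the same wall, here is a named.conf for the firewall's caching-only BIND that does what Tux-Slack describes, but scoped to the hosted domain only. This is an added example, not the thread's own config: 192.168.15.3 is the internal DNS address quoted above, while 192.168.15.4, the client subnet 192.168.20.0/24, the firewall's LAN addresses and the name mydomain.com are assumed.

```conf
// Caching-only resolver on the firewall (hypothetical example for this thread).
// 192.168.15.3 is quoted in the post; 192.168.15.4 and the other addresses are assumed.
options {
    directory "/var/named";
    recursion yes;
    // Only the LAN subnets may use this resolver; nothing is offered on the WAN side.
    allow-query     { 127.0.0.1; 192.168.15.0/24; 192.168.20.0/24; };
    allow-recursion { 127.0.0.1; 192.168.15.0/24; 192.168.20.0/24; };
    listen-on       { 127.0.0.1; 192.168.15.1; 192.168.20.1; };
};

// Conditional forwarding: only the domains hosted on the cPanel servers are
// handed to the internal authoritative servers by their LAN addresses, so the
// firewall never has to hairpin a query to its own WAN address (the SRC=DST
// WAN-address packets in the log above). Everything else still resolves
// recursively from the root servers.
zone "mydomain.com" IN {
    type forward;
    forward only;
    forwarders { 192.168.15.3; 192.168.15.4; };
};

// The reverse zone for the server subnet gets the same treatment.
zone "15.168.192.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 192.168.15.3; };
};
```

Run `named-checkconf` before reloading, then `dig @127.0.0.1 mydomain.com` on the firewall; the forwarded query shows up in the firewall log as a UDP packet to 192.168.15.3 port 53 rather than to the WAN address.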

grizly 06-03-2008 04:01 AM

Forwarders... it's always the forwarders... they are just far too forward for my liking!

;)

Tux-Slack 06-03-2008 04:44 AM

Well I don't like it either, but I can't seem to get it working otherwise.

ARC1450 06-03-2008 06:42 AM

Quote:

Originally Posted by JimBass (Post 3161987)
You need to setup views within BIND. I think cpanel is a toy, so I can't advise you on its use. Google for bind views and you'll find your answer. The first link is exactly what you need.

You setup 3 views for your situation. One for the public net (smallest, with no recursion), then 2 internal (or 1, depending on your topology). If the servers and the clients have separate subnets, you'll need one for each. If all the internals have the same subnet, you can get away with one internal view.

Peace,
JimBass

Just FYI, one view can cover multiple subnets easily. Unless you mean something completely different, which is possible. All you have to do is include all subnets you want to be answered, like 192.168.0.0/29; 192.168.1.0/30; 192.168.2.0/24.
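To make JimBass's view layout and ARC1450's point concrete, here is a named.conf for the authoritative cPanel DNS server with one internal view covering both LAN subnets and a non-recursive public view. This is an added example, not the thread's or cPanel's own config; the subnets, zone file names and mydomain.com are assumed.

```conf
// Authoritative server: split-horizon views (hypothetical example for this thread).
// Subnets and file paths are assumed, not taken from the post.
acl "servers" { 192.168.15.0/24; };
acl "clients" { 192.168.20.0/24; 192.168.21.0/24; };   // one ACL/view may list several subnets

options {
    directory "/var/named";
    listen-on { any; };       // public, private and loopback interfaces
};

// Views are tried top to bottom and the first match-clients that fits wins,
// so the internal view must precede the catch-all public one. Once any view
// exists, every zone statement has to live inside a view.
view "internal" {
    match-clients { localhost; servers; clients; };
    recursion yes;                        // LAN hosts may recurse here
    allow-recursion { localhost; servers; clients; };
    zone "mydomain.com" IN {
        type master;
        file "internal/mydomain.com.zone";    // answers with 192.168.15.x addresses
    };
};

view "public" {
    match-clients { any; };
    recursion no;                         // authoritative only: not an open resolver
    allow-recursion { none; };
    zone "mydomain.com" IN {
        type master;
        file "public/mydomain.com.zone";      // answers with the WAN addresses
    };
};
```

Which view answers depends on the source address the query arrives from, so a firewall resolver forwarding from 192.168.15.1 lands in "internal" while the same name asked from outside gets the public file.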

