LinuxQuestions.org
Old 04-03-2002, 05:09 PM   #1
vertices
DNS problems through firewall


OK, here's the deal:

I have 4 PCs right now in the current configuration.

Computer A is configured as a router/firewall with 3 NICs, as such: DHCP, 192.168.1.1, 10.0.0.1. This computer is running Smoothwall (www.smoothwall.org, a stripped-down, nice and easy, secure Linux router/firewall) and has the DMZ on the 10.0.0.1 network; the internal network is on 192.168.1.1.

Computer B is a Win2K Adv. Server acting as a primary domain controller with DHCP (only DHCP to the 192.168.1.0 addresses, the DMZ is all hardcoded) and serving web and ftp to external visitors.

Computers C and D are WinXP pro workstations on the 192.168.1.0 network.


I have set up dhcrelay on Computer A so it routes any DHCP requests from the 192 network to the server at 10.0.0.2. This works fine and the 192 network can receive their addresses. However, they cannot log in to the domain because they can't get DNS requests to the DNS server. They can't surf the web either because of the DNS.

All ports are blocked from the DMZ to the internal network by the firewall. I can pinhole from the DMZ to the internal network and the pinholes do function, as I have tested this extensively. I have a basic TCP/IP connection because I can log on to it via IP. I can print to a printer that it is sharing.

I pinholed port 53 TCP and UDP to my internal network, as well as any other port that showed up as being blocked in my logs during troubleshooting. I still can't receive DNS requests.

I know the server is functioning properly because I reconfigured it with a 192.168.1.201 IP, adjusted the DHCP scope to reflect this and moved it to the switch for the 192 network, thus eliminating Computer A, and of course everything works perfectly. As soon as I put everything back, move it back to the 10 switch and reconfigure it, I can't contact DNS. So I know for a fact the problem lies with getting the requests through the firewall.

I have swapped NICs across the board and swapped switches as well. I can't seem to make this work. I know this is long, but I wanted to let you know exactly what was happening and what I've already tried.

Thanx for your time.
 
Old 04-03-2002, 05:42 PM   #2
DavidPhillips
I got confused between 10.0.0.1 and 10.0.0.2.

I am counting 5 computers.

Assuming A is 10.0.0.2, or there is a second interface on C or D.

Anyway, are you using iptables, and what are your rules for port 53, and how are they arranged in the file?

Also, have you tried setting up A as a DNS for the internal LAN, so you don't have a hole into the 192 network?

I guess /etc/resolv.conf is correct.




Last edited by DavidPhillips; 04-03-2002 at 05:47 PM.
 
Old 04-03-2002, 05:56 PM   #3
vertices
4 computers

Computer A has 3 NICs: 1 on DHCP to the cable modem, 2 on 10.0.0.1 and 3 on 192.168.1.1. NIC 1 goes to the modem, NIC 2 to a switch and NIC 3 to a switch.

NIC 2 with 10.0.0.1 is the DMZ network and it connects to the switch which has Computer B (10.0.0.2) on it.

NIC 3 with 192.168.1.1 goes to a switch with the 2 workstations (Computers C and D) on it.

I think it may be ipchains. I have not checked. Smoothwall has a nifty web interface that handles everything. It has a section for DMZ pinholing and it does work. I tested it with FTP.

DNS must go to the Win2K server to update the DNS records for Active Directory. I can't just use the DNS proxy on Smoothwall.

Thanx for the help
 
Old 04-03-2002, 07:40 PM   #4
vertices
Actually I think I solved my own problem.

The way I see it is that a client on the 192.168.1.1 network is sending a request to the DNS server's port 53. This part gets through. The server then sends back to any random port above 1024, which is getting blocked by the firewall.

The only answer would be to open up all ports above 1024 from the server in the DMZ to the internal network which sort of defeats the purpose of the DMZ.

Sound correct? Anybody?
 
Old 04-03-2002, 08:53 PM   #5
DavidPhillips
Yep, the "unprivileged" ports 1024:65535 are used.

You should be able to fix this by setting up a DNS server, setting it to port 53 and query-source port *,

then use this:

# limit the local ephemeral port range to 56000-65096 so the reply ports are known
echo "56000 65096" >/proc/sys/net/ipv4/ip_local_port_range

# accept DNS replies: source port 53 (domain) to any port in that range, UDP and TCP
ipchains -A input -p udp -s 0/0 domain -d 0/0 56000:65096 -j ACCEPT

ipchains -A input -p tcp -s 0/0 domain -d 0/0 56000:65096 -j ACCEPT



Last edited by DavidPhillips; 04-03-2002 at 09:00 PM.
 
Old 04-04-2002, 12:28 PM   #6
vertices
Thanx for the help David! I will try that when I get home from work.

Although, doesn't this put a big hole between the DMZ and my internal network?

My other idea was to put another pc running a full distro in the DMZ and use that for web/mail/ftp since my internal network has no problem accessing those services from the DMZ. I could then have everything I need without punching a huge gaping hole in the firewall, only a few small ones.

What do you think?
 
Old 04-04-2002, 01:13 PM   #7
DavidPhillips
Right,

I would put the DNS server in the DMZ.
Also, you could allow the ports to be connected to only by the servers of your choice.
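A small model of the stateless filtering discussed in posts #4, #5 and #7, added here as an example; it is not code from the thread or from Smoothwall. It evaluates the DMZ-to-internal chain the way ipchains does (first match wins, otherwise the chain policy) against the DNS reply, under the original port-53-only pinhole, the source-port-53-to-56000:65096 rule from post #5, and the same rule restricted to the DNS server's address as post #7 suggests. The workstation address 192.168.1.50, the stray DMZ host and the packets are constructed.

```python
# Added example, not from the thread: a small model of ipchains-style stateless
# filtering on the firewall's DMZ->internal path, showing why the DNS reply is
# dropped with only port 53 pinholed, what the "sport 53 -> 56000:65096" rule
# changes, and why restricting it to the DNS server's address matters.
from dataclasses import dataclass

DNS_SERVER = "10.0.0.2"    # Win2K DC/DNS in the DMZ (from the thread)
CLIENT = "192.168.1.50"    # constructed: a workstation on the 192 network
ANY_PORT = range(0, 65536)
EPHEMERAL = range(56000, 65097)   # the thread's ip_local_port_range, inclusive

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str
    sport: range          # matched against the packet's source port
    dport: range          # matched against the packet's destination port
    target: str           # "ACCEPT" or "DENY"
    src: str = "0/0"      # "0/0" matches any source address

def evaluate(chain, pkt, policy="DENY"):
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for r in chain:
        if (r.proto == pkt.proto and r.src in ("0/0", pkt.src)
                and pkt.sport in r.sport and pkt.dport in r.dport):
            return r.target
    return policy

RULESETS = {   # three DMZ->internal rule sets discussed in the thread
    "port53_only": [Rule("udp", ANY_PORT, range(53, 54), "ACCEPT")],
    "reply_range": [Rule("udp", range(53, 54), EPHEMERAL, "ACCEPT")],
    "reply_range_from_dns": [Rule("udp", range(53, 54), EPHEMERAL, "ACCEPT", src=DNS_SERVER)],
}

def reply_verdicts(client_port):
    """Verdict on the DNS reply under each rule set for a given client port."""
    reply = Packet("udp", DNS_SERVER, 53, CLIENT, client_port)  # mirrors the query
    return {name: evaluate(chain, reply) for name, chain in RULESETS.items()}

def stray_verdicts(dmz_host):
    """Verdict on any other DMZ host sending from port 53 into the open range."""
    stray = Packet("udp", dmz_host, 53, CLIENT, 60000)
    return {name: evaluate(chain, stray) for name, chain in RULESETS.items()}
```

A reply to a client port outside 56000:65096 is still dropped by every rule set, which is why the ephemeral range has to be pinned on the resolver as well as opened on the firewall.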
 
Old 04-04-2002, 02:07 PM   #8
vertices
Thanx again David!
 
  

