Internal host names resolving through external DNS?!?

dschuett · 02-06-2011, 01:42 AM

I just set up my first ever bind9 DNS server running on ubuntu server 10.04. This server is also my gateway/dhcp server.

Here is what is weird:
If I do a dig @8.8.8.8 dschuett-lmtl.scs.local from any of my clients it resolves?!?! Dig shows that it got the answer from MY Bind9 DNS server (and NOT Google's of course), but why is it still resolving when I'm telling it to use and external DNS server?

The other weird thing is that the SAME EXACT dig command above does NOT resolve internal host names if I do it from the Bind9 DNS server. - Which is what i would expect SHOULD be happening if done from the client machines...

Here are the dig results:

From any internal client:

Code:

dig @8.8.8.8 dschuett-lmtl.scs.local

; <<>> DiG 9.7.0-P1 <<>> @8.8.8.8 dschuett-lmtl.scs.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49041
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dschuett-lmtl.scs.local.       IN      A

;; ANSWER SECTION:
dschuett-lmtl.scs.local. 259200 IN      A       192.168.0.202

;; AUTHORITY SECTION:
scs.local.              259200  IN      NS      gateway.scs.local.

;; ADDITIONAL SECTION:
gateway.scs.local.      259200  IN      A       192.168.0.1

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb  6 01:18:09 2011
;; MSG SIZE  rcvd: 95

From Bind9 DNS server:

Code:

dig @8.8.8.8 dschuett-lmtl.scs.local

; <<>> DiG 9.7.0-P1 <<>> @8.8.8.8 dschuett-lmtl.scs.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9279
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dschuett-lmtl.scs.local.       IN      A

;; AUTHORITY SECTION:
.                       1800    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011020501 1800 900 604800 86400

;; Query time: 77 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb  6 01:28:57 2011
;; MSG SIZE  rcvd: 116

Any ideas why this is happening?

acid_kewpie · 02-06-2011, 09:26 AM

Odd. I'd look at iptables. Are you somehow redirecting all outbound DNS traffic going *through* the server in its gateway function to your internal DNS server? something in the PREROUTING NAT table? That's all that makes sense to me. As the DNS is the GW, you'll probably find out a lot by using tcpdump if there's any confusion. run "tcpdump -vn -i eth0 port 53" to dump all DNS traffic on what I'd guess is your internal interface, and then do the same on the external side, and see what traffic is going where.

dschuett · 02-06-2011, 03:14 PM

Quote:

Originally Posted by acid_kewpie

Odd. I'd look at iptables. Are you somehow redirecting all outbound DNS traffic going *through* the server in its gateway function to your internal DNS server? something in the PREROUTING NAT table? That's all that makes sense to me. As the DNS is the GW, you'll probably find out a lot by using tcpdump if there's any confusion. run "tcpdump -vn -i eth0 port 53" to dump all DNS traffic on what I'd guess is your internal interface, and then do the same on the external side, and see what traffic is going where.

That's funny that you say that because that is exactly what I was trying to accomplish when I discovered that this was happening. I set these two rules in my iptables script:

Code:

#Redirect DNS so it will ALWAYS use YOUR server
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j REDIRECT --to-port 53
$IPT -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-port 53

But when I comment them out and flush dns with:

Code:

invoke-rc.d nscd restart
nscd -i hosts

It still resolves the hosts names through google's DNS with the Dig commands in the previous posts.

I uninstalled bind and disabled those rules in my iptables script. Reinstalled bind, and it stopped doing it. But once I enabled those rules in iptables it resolves them again (as i would expect), however if i disable the rules and flush dns and restart bind...it still resolves, so SOMETHING is getting cached somewhere once those rules are applied ONE time.