LinuxQuestions.org
Linux - Networking
Old 11-12-2010, 01:20 PM   #1
effekt01

Unable to resolve very important domain->ip DNS issue?

Hi, this is sort of an emergency, so any help is greatly appreciated. I will try to explain our setup as best as I can:

-Debian Environment / OpenBSD (PF) firewall / Bind9 DNS

-SITE1: We have a DMZ / INTERNAL zone that is behind a firewall (DNS in DMZ)

-SITE2: Servers running IPTABLES and a different DNS resides there

My problem:

We cannot resolve a host from our dmz/internal zone at SITE1, but we can from SITE2, our home computers, and web host lookups. (This started to fail after many days of successful resolves.)

This includes running host domain.com from the SITE1 firewall. BUT, if we tell SITE1's firewall to also use SITE2's DNS, we can resolve the host on the firewall. Now if I do the same thing in the resolv.conf for SITE1's dmz/internal servers and add some rules to pass it through the fw, we cannot resolve it from within the dmz/internal.

We can run dig against it, but not host at that point.

I've monitored the firewall blocks, nothing.

Monitored tcpdump | grep domain.com and we see the question going out, but no response.

So, I figured it might be on their end, but every other site location including home PCs can resolve this. I don't know a ton about DNS, so I might just be missing something here. (Can we just hardcode this domain that isn't ours into Bind9 with domain->ip?)

If you need any more info, let me know. Thanks a lot for the help.

-C
 
Old 11-12-2010, 03:35 PM   #2
bathory
Hi,

I cannot understand your setup to help on the dns/firewall part, but if you want to hardcode a domain you can use /etc/hosts. Make sure you have a line "hosts: files dns" in /etc/nsswitch.conf and then add in /etc/hosts:
Code:
x.x.x.x domain.com
Regards
 
Old 11-12-2010, 04:46 PM   #3
effekt01
We've tried putting the entry in the host file for the servers that need to resolve it. Did not work.

Running ping domain.com detects the IP in the hosts file, but running host domain.com still either attempts to contact our DNS server, or fails somewhere outside of the firewall.

Basically Bind9 is acting up or we have been blocked on their end(?).

Very frustrating.
 
Old 11-12-2010, 04:54 PM   #4
bathory
The commands dig, host, nslookup use DNS to resolve a hostname.
Everything else uses /etc/hosts first and, if there is no entry there, DNS.
So I don't think there is a problem, as the very important domain is accessible from applications like a web browser, a mail server, ssh, etc.
 
Old 11-12-2010, 05:15 PM   #5
effekt01
Thanks bathory,

Well, host domain.com is using our SITE1 DNS then, and it is not able to resolve a host/IP, so something somewhere is wrong, as we are able to resolve it from our SITE2 DNS using host domain.com.


SITE1 host domain.com:

;; connection timed out; no servers could be reached


and SITE1 firewall tcpdump | grep domain.com shows only the one-way transaction:

SITE1DNS.com.58052 > xxx.xxx.xxx.xxx..domain: 60436 [1au] A? xxx.domain.com (48)


Thanks for the comments.

-C
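The capture in the post above shows a query leaving and nothing coming back. The following is an added example, not code from the thread: a small Python parser over tcpdump output that pairs each outgoing query with its answer by transaction ID, client socket and resolver, and reports which names were never answered per resolver. That separates "this resolver is silent for one name" (upstream filtering or a broken delegation) from "nothing returns from this resolver at all" (a path or firewall problem). The sample lines are constructed in the same shape as the one quoted, and the regexes assume tcpdump was run without -n so that port 53 prints as "domain", as in the thread.

```python
import re
from collections import defaultdict

# Constructed sample tcpdump output (not from the thread), shaped like the
# one-way line in the post: query 60436 for xxx.domain.com leaves and nothing
# returns, while a query for another name to the same resolver is answered.
SAMPLE_TCPDUMP = """\
17:10:01.120 IP SITE1DNS.com.58052 > 198.51.100.7.domain: 60436 [1au] A? xxx.domain.com. (48)
17:10:01.121 IP SITE1DNS.com.58053 > 198.51.100.7.domain: 60437 [1au] A? www.example.net. (44)
17:10:01.140 IP 198.51.100.7.domain > SITE1DNS.com.58053: 60437 1/0/1 A 203.0.113.9 (60)
17:10:01.300 IP SITE1DNS.com.58054 > 198.51.100.7.domain: 60438 [1au] AAAA? xxx.domain.com. (48)
"""

# Outgoing query: "<client>.<port> > <resolver>.domain: <id>[flags] [edns] <TYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+?)\.domain: (?P<id>\d+)[+%$|]*"
    r" (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)
# Returning answer: "<resolver>.domain > <client>.<port>: <id> ..."
RESP_RE = re.compile(r"^\S+ IP (?P<src>\S+?)\.domain > (?P<dst>\S+): (?P<id>\d+)")

def find_unanswered(capture):
    """Pair queries with answers; returns (unanswered, answered) of (id, qname, qtype, resolver)."""
    pending = {}
    answered = []
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["id"], q["src"], q["dst"])] = (q["id"], q["qname"], q["qtype"], q["dst"])
            continue
        r = RESP_RE.match(line)
        if r:
            # The answer's destination is the query's source socket, so swap src/dst.
            hit = pending.pop((r["id"], r["dst"], r["src"]), None)
            if hit:
                answered.append(hit)
    return list(pending.values()), answered

def summarize_by_resolver(capture):
    """Per resolver: how many queries were answered, how many not, and which names stayed silent."""
    unanswered, answered = find_unanswered(capture)
    stats = defaultdict(lambda: {"answered": 0, "unanswered": 0, "silent_names": []})
    for _, _, _, resolver in answered:
        stats[resolver]["answered"] += 1
    for _, qname, _, resolver in unanswered:
        stats[resolver]["unanswered"] += 1
        if qname not in stats[resolver]["silent_names"]:
            stats[resolver]["silent_names"].append(qname)
    return dict(stats)
```

Feed it the output of tcpdump on the DNS server or firewall filtered to port 53; a resolver with answered queries but a silent name points away from the firewall and at the upstream side for that name.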
 
Old 11-12-2010, 05:31 PM   #6
bathory
How about /etc/resolv.conf? Does it have the correct entries?
Why don't you use SITE2 dns as the 1st nameserver in /etc/resolv.conf?
Or check SITE1 dns to see if it allows queries/recursion from the host in question.
 
Old 11-12-2010, 05:59 PM   #7
effekt01
We have SITE2's DNS first in SITE1's resolv.confs; this only enables us to dig the site, but not nslookup/host, and our code is getting an error because of this.

I momentarily switched the DNS to just our ISP's DNS (removed SITE1's/SITE2's DNS), and it was able to resolve instantly with host domain.com.

So this leads me to believe that it's either our SITE1 DNS, or the requests from our IP range are blocked from this domain?

I don't know much about Bind9 really, but if you have some spare time:

------------------------------------------------------------------------
named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

------------------------------------------------------------------------

named.conf.local

view "dmz" {
    match-clients {
        127.0.0.1;
        10.0.100.0/24;
    };

    recursion yes;

    // prime the server with knowledge of the root servers
    zone "." { type hint; file "/etc/bind/db.root"; };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" { type master; file "/etc/bind/db.local"; };
    zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
    zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
    zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
    zone "100.0.10.in-addr.arpa" { type master; file "/etc/bind/db.100.0.10"; };
    zone "200.0.10.in-addr.arpa" { type master; file "/etc/bind/db.200.0.10"; };

    zone "xxxxxxxxxxx" { type master; file "/etc/bind/data/dmz/xxxxxxxxx.com"; allow-update { none; }; };
    zone "xxxxxxxxxxx" { type master; file "/etc/bind/data/dmz/xxxxxxxxx.com"; allow-update { none; }; };
};

//
// Internal view for XXXXXXXXXXXXXX:
// these are the zones as defined for servers behind the firewall
//

view "internal" {
    match-clients {
        10.0.200.0/24;
    };

    recursion yes;

    // prime the server with knowledge of the root servers
    zone "." { type hint; file "/etc/bind/db.root"; };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" { type master; file "/etc/bind/db.local"; };
    zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
    zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
    zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
    zone "100.0.10.in-addr.arpa" { type master; file "/etc/bind/db.100.0.10"; };
    zone "200.0.10.in-addr.arpa" { type master; file "/etc/bind/db.200.0.10"; };

    zone "XXXXXXXXXXXX" { type master; file "/etc/bind/data/internal/XXXXXXXXXXXXXXXX"; allow-update { none; }; };
    zone "XXXXXXXXXXXX" { type master; file "/etc/bind/data/internal/XXXXXXXXXXXXXXXX"; allow-update { none; }; };
};


------------------------------------------------------------------------

named.conf.options


options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 {
        //127.0.0.1;
        //10.0.100.2;
        //10.0.100.3;
        none;
    };

    listen-on {
        127.0.0.1;
        10.0.100.2;
        10.0.100.3;
    };

    allow-recursion {
        127.0.0.1;
        10.0.100.0/24;
        10.0.200.0/24;
        xxx.xxx.xxx.xxx/25;
    };

    allow-transfer {
        127.0.0.1;
        10.0.100.2;
        10.0.100.3;
    };
};

------------------------------------------------------------------------

Thanks again.
 
Old 11-13-2010, 08:20 AM   #8
bathory
Hi,

The 2 config files you posted look ok. You should explain the difference between the zones xxxx.. and XXXX.. in the 2 views and how they relate to the domain in question.

I suspect the problem is somewhere in the router(s) between the 2 networks (10.0.100.0/24, 10.0.200.0/24).
What does not make sense is why dig works and nslookup/host don't!
Try:
Code:
host -T domain.com
host -v domain.com
to see if you get some more info on why host fails.