LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 07-28-2006, 12:44 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
No DNS on firewall


Here is my network:

cable modem
|
|
voip phone analog adapter
|
|
firewall - eth0 - dhcp - SUSE 10.1
eth2 - 192.168.2.0
|
|
eth0 - 192.168.3.0 - SUSE 10.1
proxy/DansGuardian filter ----------WAP 192.168.4.0
eth4 - 192.168.4.0

I can resolve hostnames from my proxy (192.168.3.0) or from any machine on the 192.168.4.0 network (I run dig, I can ping a domain name and get a reply), but for some reason I cannot ping a domain name like suse.de from my firewall, so I cannot run any updates via YaST. I had to put static entries in my resolv.conf on my proxy and on all of my client machines to get it to work. Nothing is pulling any DNS server IPs via DHCP! My WAP is acting like a switch so I do not have it on DHCP, but that is not the issue. My firewall's first NIC, which is attached to the VOIP adapter, is set to DHCP and it grabs an IP but nothing for a DNS server. I have also tried disabling the stuff in /etc/sysconfig/network/dhcp and config about automatically pulling DNS from the ISP. It is not working on any machine. What is going on?

Last edited by metallica1973; 07-28-2006 at 12:51 PM.
 
Old 07-29-2006, 09:42 AM   #2
tgo
Member
 
Registered: Dec 2004
Posts: 125

Rep: Reputation: 15
If you have a spare machine (a laptop would be easiest), plug it directly into the cable modem and see if it gets a DNS server from DHCP.

If it does, then check on your firewall that /etc/resolv.conf has proper perms to let dhcpcd overwrite it with the new DNS servers. Maybe clear your /etc/resolv.conf, then reboot and see what gets written there. Also check your /var/log/messages and /var/log/syslog to see if there are any errors near dhcpcd on bootup.

If /etc/resolv.conf seems to have valid DNS servers, then check your iptables rules (I assume that's what you are using) and make sure you are actually allowing the DNS queries out and the replies in. A good way to check this is to put
Code:
iptables -A INPUT -j LOG --log-level 7 --log-prefix "end of input"
which for me goes to /var/log/debug; I believe 7 is the debug level, so yours might be the same, check syslog.conf. This will log everything that hits the end of your chain, and if you have a DROP policy, which you should, this will show packets that got dropped because of hitting the end of the rules.

I am also curious what DNS servers 192.168.3.0 and 4.0 are pointing to if they can resolve names, because from your diagram they would have to pass through the firewall. Them being able to resolve names and not the firewall made me think that it must have some iptables rules blocking it.

---

On a side note, once you get this sorted and your firewall can resolve names, you would be very wise to run BIND internally on the firewall. For me it makes the resolving much, much quicker than before, when I pointed everything at my ISP's DNS servers.

Last edited by tgo; 07-29-2006 at 09:43 AM.
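Added example, not from tgo's post or anything else in the thread: a small sh/awk filter that reads the lines the end-of-chain LOG rule above writes and picks out every packet with port 53 on either end, so "queries out, replies in" can be checked from the log instead of by eye. The sample log lines are constructed; the prefix and log level are the ones tgo gives.

```shell
#!/bin/sh
# Added example, not from the thread: pull DNS traffic out of the netfilter
# LOG lines that tgo's end-of-chain rule produces, e.g.
#   iptables -A INPUT -j LOG --log-level 7 --log-prefix "end of input"
# Constructed sample lines in the kernel LOG format (note the prefix runs
# straight into IN= because the rule above has no trailing space).
# Real lines land in /var/log/debug, /var/log/messages or syslog,
# depending on where syslog.conf sends level 7.
SAMPLE='Jul 29 09:40:01 fw kernel: end of inputIN=eth0 OUT= SRC=203.0.113.53 DST=198.51.100.7 LEN=88 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=32771 LEN=68
Jul 29 09:40:01 fw kernel: end of inputIN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TTL=240 ID=0 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 29 09:40:02 fw kernel: end of inputIN=eth0 OUT= SRC=203.0.113.53 DST=198.51.100.7 LEN=1500 TTL=57 ID=5 DF PROTO=TCP SPT=53 DPT=32772 WINDOW=5840 RES=0x00 ACK URGP=0'

# Print "PROTO SPT DPT SRC" for each logged packet with port 53 on either end.
# Every line here reached the end of INPUT, so with a DROP policy it was
# discarded: SPT=53 entries are resolver replies the rules did not let in.
dns_drops() {
    printf '%s\n' "$1" | awk '
        /PROTO=/ {
            proto = ""; spt = ""; dpt = ""; src = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
            }
            if (spt == "53" || dpt == "53") print proto, spt, dpt, src
        }'
}

# Number of dropped DNS packets; non-zero means "replies in" is broken.
dns_drop_count() {
    dns_drops "$1" | wc -l | tr -d ' '
}

dns_drops "$SAMPLE"
```

The SSH probe on line two is deliberately left in the sample to show the filter ignores non-DNS drops.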
 
Old 07-29-2006, 10:59 AM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
With my 192.168.3.0 and 4.0 networks I have static entries in /etc/resolv; they too cannot automatically pull DNS servers, I had to install them manually. The odd thing is that when I do that with my firewall, it does not work. I reinstalled the whole thing from scratch, and during the installation SUSE asks you if you want to update your files to the latest revision, and it worked at that point from a new install; then after it was done and I restarted the machine, bam, back to the original state of not being able to pull DNS entries automatically! What gives! I will try your suggestions. Thanks.
 
Old 07-29-2006, 12:27 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
update

I took your advice, grabbed my laptop and just connected it to the cable modem and cleared the /etc/resolv.conf. It did grab a DNS entry and added the IP address to the resolv.conf. It worked fine. I am using FC5 on my laptop and if I remember correctly it had said that dhclient had added the entry, but when I run a chkconfig --list|grep n|more I do not see anything that remotely looks like it. On my firewall I am using SUSE 10.1 and I believe you configure stuff under /etc/sysconfig/network/dhcp and config for DNS stuff and then it adds entries to /etc/resolv.conf. Well, I ran chkconfig --list|grep n|more on that machine and nothing that looks like it has anything to do with DNS was running. Obviously it is the firewall that is not grabbing a DNS entry nor is it passing anything along. What gives?
 
Old 07-29-2006, 02:22 PM   #5
tgo
Member
 
Registered: Dec 2004
Posts: 125

Rep: Reputation: 15
OK, so that makes it a little bit clearer.

First thing that would be strange but an easy fix -- does root, or whoever dhclient runs as, have write perms on resolv.conf on that machine?

I don't know the DHCP protocol well, but looking at
http://www.tarunz.org/~vassilii/TAU/...dhcp/frame.htm
it says the DNS server comes as an option and I assume it doesn't get fragmented. This kind of makes me think that iptables isn't letting the IP come in and then blocking the DNS servers, but I would do iptables -Z (clear the counters), then DHCP to your ISP and see what rules have hits afterwards. If you see any rules that are DROP, paste them and we can look at whether it's blocking them. Also, if no rules are hit and you have a DROP policy, then maybe the reply is getting dropped.

I would also turn on logging and see if it has the DHCP reply. If you have screen, you can DHCP and in screen have tcpdump running and see if you can watch the reply.

Have you grepped /var/log/messages and /var/log/syslog for DHCP related stuff? Also, exactly what DHCP client are you using, because some have flags that say not to overwrite /etc/resolv.conf, which could be the cause of your problem. Check your client's man page for this option and check the flags the system uses when it boots and runs the client.
 
Old 07-30-2006, 10:42 AM   #6
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I did look at the permissions of /etc/resolv. root has all the write permissions to that file, and when I log in to my firewall, I log in as a standard user and then su to perform any commands. What should the write permissions of /etc/resolv be and under what account? Should my standard user account have read/write permission to /etc/resolv? Can you please clarify the boot process; I was under the impression that /etc/resolv is using the root account during the boot process of the firewall machine.
 
Old 07-30-2006, 11:36 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
dhclient runs from the network startup scripts.
It won't show in chkconfig..

Get at least one part of the system working properly, then the next & next etc..
The laptop proved that dhcp works directly to the cable modem.
Get the firewall directly on the cable modem and try again.
You could also try the laptop connected to the voip box to prove it can be done there, but you need to end up with the firewall working before trying anything else.

Last edited by peter_robb; 07-30-2006 at 11:38 AM.
 
Old 07-30-2006, 12:01 PM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Quote:
You could also try the laptop connected to the voip box to prove it can be done there, but you need to end up with the firewall working before trying anything else.
I meant to say in my previous post that I did connect the laptop to the VOIP phone adapter and it did work fine. It did pull DNS addresses and append them to /etc/resolv.conf. So we can eliminate the cable and the VOIP phone ATA. Here is some more info. I am not using BIND, just the dhcpcd client for DHCP information for eth0, which is the first NIC on my firewall. I will check my firewall rules and logs to see if things are being dropped like tgo was saying. When setting up BIND, under /etc/named, if I am going to use my ISP for DNS resolving, would I specify that in that file? It is a dumb question but I am new to BIND.
 
Old 07-30-2006, 12:21 PM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
If you can get an ip address via dhcp, nothing in iptables is blocking anything..

In the firewall, do ps ax and see if any dhcp client is running. Kill it if it is with kill -TERM PID and do ifconfig eth0 down.

Depending on which dhcp client you have, you can either dhcpcd -d eth0 or dhclient -d eth0
You will get extra info printed about what it has asked for and received.

As for BIND, unless you are going to set up URLs for your local LAN, or internet DNS for your domains, use a DNS proxy like tinydns, djbdns or dnsmasq that listens on localhost and eth1 only.
 
Old 07-30-2006, 01:25 PM   #10
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
There is one difference between the laptop and the firewall itself. I am not running a firewall on the laptop, and on the firewall I am running a rather large script. Should I do this first: bring down iptables on my firewall and then see if I can pull anything automatically via DHCP like my laptop?
 
Old 07-30-2006, 02:07 PM   #11
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I think I figured it out. It was my firewall, which I thought I had configured correctly. I set up BIND and modified my /etc/named.conf to forward DNS requests to my ISP, and then I set /etc/resolv.conf to 127.0.0.1, the localhost, and bam, it worked. I have one more question. What kind of iptables rule should I put in my script to properly allow requests through and in, and should I log UDP and TCP port 53? I am not sure if it is UDP or TCP. Thanks
 
Old 07-30-2006, 03:18 PM   #12
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Time to read some iptables scripts..

Have a look at The BIG iptables tutorial
 
Old 07-30-2006, 08:26 PM   #13
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Here is my solution:

1 - I plugged the laptop into the VOIP ATA and set my NIC to DHCP, and it was successful.

2 - After reading some literature, I set up BIND (DNS server) with forwarders pointing to my ISP for name resolution (named.conf), and then on the same machine (localhost) I pointed the dhclient to the same machine (localhost) (system resolver). I ran dig on the local domain and then on my ISP and it worked fine.

3 - Last but not least, the root of the whole problem: my firewall. I scanned up and down my rules and did not see anything out of the ordinary, and then I realized that it was very restrictive. I realized that I was not allowing any requests out from the firewall itself for DNS, so I added the rule:

$IPTABLES -A INPUT -p tcp -i $EXTIF --dport 53 -j ACCEPT

and a couple of other ones and that took care of it.

I hope this helps out future readers.
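Added example, not from metallica1973's post or his script: the rule set a defender would use for the question raised in post #11 (let the firewall's own DNS queries out, let the replies in, and decide what to log on port 53). It assumes default DROP policies on INPUT and OUTPUT as tgo recommended, an EXTIF variable naming the ISP-facing NIC as in the posted rule, and an IPT variable added here as a dry-run switch.

```shell
#!/bin/sh
# Added example, not from the thread: rules for the firewall's *own* name
# resolution (OUTPUT/INPUT chains; the FORWARD chain is a separate matter).
# Assumes default DROP policies on INPUT and OUTPUT, as tgo recommended,
# and that EXTIF is the ISP-facing NIC (eth0 in the thread).
# Dry run by default: set IPT to the real binary to apply, e.g.
#   IPT=/usr/sbin/iptables EXTIF=eth0 sh dns_rules.sh
IPT="${IPT:-echo iptables}"
EXTIF="${EXTIF:-eth0}"

firewall_dns_rules() {
    # Queries leave on UDP/53; answers over 512 bytes (and zone transfers)
    # fall back to TCP/53, so both protocols are needed outbound.
    for proto in udp tcp; do
        $IPT -A OUTPUT -o "$EXTIF" -p "$proto" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # Only replies to queries this host sent come back in. Matching on
    # ESTABLISHED (never NEW) is what separates this from the posted
    # "-A INPUT -p tcp -i $EXTIF --dport 53 -j ACCEPT", which admits fresh
    # connections from the internet to any resolver listening on the box.
    for proto in udp tcp; do
        $IPT -A INPUT -i "$EXTIF" -p "$proto" --sport 53 \
            -m state --state ESTABLISHED -j ACCEPT
    done
    # Unsolicited traffic to port 53 from outside: log under its own prefix
    # (the trailing space keeps the line readable), then drop explicitly so
    # probes for an open resolver are visible rather than silently policied.
    for proto in udp tcp; do
        $IPT -A INPUT -i "$EXTIF" -p "$proto" --dport 53 \
            -j LOG --log-level 7 --log-prefix "dns-inbound-drop: "
        $IPT -A INPUT -i "$EXTIF" -p "$proto" --dport 53 -j DROP
    done
}

firewall_dns_rules
```

With BIND now running on the firewall, the posted rule would make that resolver reachable from the internet on TCP/53; the rules above only admit replies to queries the firewall itself sent.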
 
  

