LQ Newbie
Registered: Jul 2005
Posts: 2
Rep:
|
SuSE 9.2 XDM turn "off" authoritative DNS queries
Q: Is there a way to turn "OFF" forced authoritative reverse DNS lookups in XDM on SuSE 9.2? RedHat works fine and accpets non-authoritative reverse DNS lookup replies. Apparently SuSE is much more security conscious, to our chagrin. It seems to ALWAYS want to contact the "authoritative" server for a domain to get reverse lookups satisfied. Internal lab hosts on private networks suffer as a result since they are not in DNS when queried from hosts external to the lab.. Details below.
We have external corporate network hosts on subnet A ( example: 123.143.92.x) which are unknown in DNS to lab networks, (ex: 10.100.4.x) on subnet B. Each have their own domain for which they are authoritative and company policy will not allow any lab interaction of any sort with lab networks. Proxies and switch VLANs allow the handling of traffic between the 2 networks. A proxy using NAT and a caching nameserver handles outbound DNS queries as if they were being answered by the proxy, hence lab get the proper DNS query responses, even though they are on an unknown network.
When RedHat ES4 hosts running XDM are queried by an external corporate host on 123.143.92.x, they reference the appropriate internal nameserver which forwards to the proxy, yielding an non-authoritative response for reverse record lookups. RedHat is quite happy the name given by the reverse lookup and hence allows XDM displays to open up.
SuSe EL9.2 however is not so forgiving. Traced code show that the queries coming back from the non-authoritative name server are followed by a request from SuSE XDM for an "authoritative" answer for that name. It gets the right name, but wants MORE. The internal lab DNS servers responds with the name of the authoritative server, and SuSE XDM tries to go directly to that host to obtain the authoritative reverse lookup. This circumvents the /etc/resolv.conf file and the DNS proxy host and forces the queried XDM host to send for a response to the corporate DNS server. The corporate DNS server of course doesn't recognized the lab host query IP since it is unknown to it. So, the "computed display" from XDM debug info comes back as 0.0.0.0 due to the inability to get an authoritative answer.
Is there a way to circumvent this default setting either within the X11 settings, startup config, or by using some other architecture changes to make the SuSe 9.2 reverse lookups succeed so that our users can get X displays to lab hosts from the corporate network desktops? (corp Windows XP client using Cygwin "x -query host.IP", ala "x -query 10.100.1.41") (Similar to Xwin32 and Xdeep)
Example:
Basic problem XDM debug on lab host:
ProcessRequestSocket^M
header: 1 10 23^M
Manage 23^M
FindProtoDisplay^M
Manage Session ID 331888001, pdpy 0x8071ae0^M
Computed display name: 0.0.0.0:0^M
ConvertAddr returning 0 for family 10^M
Starting display 0.0.0.0:0,MIT-unspecified^M
StartDisplay 0.0.0.0:0^
Basic details of query failure:
open("/etc/resolv.conf", O_RDONLY) = 6^M
fstat64(6, {st_mode=S_IFREG|0644, st_size=104, ...}) = 0^M
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4032b000^M
read(6, "nameserver 10.100.4.50\nnameserve"..., 4096) = 104^M
read(6, "", 4096) = 0^M
close(6) = 0^M
munmap(0x4032b000, 4096) = 0^M
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6^M
connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.100.4.50")}, 28) = 0^M
send(6, "\326\300\1\0\0\1\0\0\0\0\0\0\0010\0010\0010\0010\7in-a"..., 38, 0) = 38^M
gettimeofday({1121901491, 530464}, NULL) = 0^M
poll([{fd=6, events=POLLIN, revents=POLLIN}], 1, 5000) = 1^M
ioctl(6, FIONREAD, [118]) = 0^M
recvfrom(6, "\326\300\205\203\0\1\0\0\0\1\0\0\0010\0010\0010\0010\7"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.100.4.50")}, [16]) = 118^M
close(6) = 0^M
write(1, "Computed display name: 0.0.0.0:0"..., 33) = 33^M
Using proxy host 123.143.92.29 yields the same
recvfrom(6, "v\315\201\203\0\1\0\0\0\1\0\0\0010\0010\0010\0010\7in-"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("123.143.92.29")}, [16]) = 104^M
close(6) = 0^M
write(1, "Computed display name: 0.0.0.0:0"..., 33) = 33
Details of failure:
stat64("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=104, ...}) = 0^M
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6^M
connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.100.4.50")}, 28) = 0^M
send(6, "u8\1\0\0\1\0\0\0\0\0\0\0010\0010\0010\0010\7in-addr\4arpa\0\0\f\0\1", 38, 0) = 38^M (reverse lookup)
gettimeofday({1121995111, 595750}, NULL) = 0^M
poll([{fd=6, events=POLLIN, revents=POLLIN}], 1, 5000) = 1^M
ioctl(6, FIONREAD, [118]) = 0^M
recvfrom(6, "u8\205\203\0\1\0\0\0\1\0\0\0010\0010\0010\0010\7in-addr\4arpa\0\0\f\0\1\0010\7in-addr\4arpa\0\0\6\0\1\0\0\16\20\0006\7dnsrvr1\3flt\3lab\3com\0\nhostmaster\300H\0\0\0\1\0\0\3\204\0\0 \2X\0\1Q\200\0\0\16\20", 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.100.1.50")}, [16]) = 118^M
close(6) = 0^M
(request for authoritative answer, which gives only the local lab domain as authoritative, not for corporate net)
Actual DNS logs on servers (request for authoritative host for looked up host name, d1100757.corp.com)
lab dnsrvr1: PACKET UDP Rcv 10.100.1.51 09f8 Q [0001 D NOERROR] (3)146(2)92(3)143(3)123(7)in-addr(4)arpa(0)
lab dnsrvr1: PACKET UDP Snd 10.100.1.51 09f8 R Q [8081 DR NOERROR] (3)146(2)92(3)143(3)123(7)in-addr(4)arpa(0),
DATA (9)d11007157(4)corp(3)com(0)
lab dnsrvr1: PACKET UDP Rcv 10.100.1.51 09f9 Q [0001 D NOERROR] (9)d11007157(4)corp(3)com(0),
Name "[C016](4)corp(3)com(0)
DATA
PrimaryServer: (11)corpdnsrv[C016](3)corp(3)com(0)
Administrator: (6)bobby(3)sox)
SerialNo = 1184023
Refresh = 900
Retry = 600
Expire = 604800
MinimumTTL = 900
|