Configuring a Domain Name Server


wingcom

Hey all,

 

I've configured DHCPD, DNS, SHOREWALL and Internet Connection Sharing using the Mandriva Wizards, but I'm having trouble with queries on the DNS through the LAN.

 

My configuration is this:

 

1. Interface eth0 has a static IP 192.168.1.2 and connects to my ADSL router on IP 192.168.1.1. So this is the NET zone in shorewall. My wireless clients are also in this zone and receive an IP in that range from the router.

eth0	  Link encap:Ethernet  HWaddr 00:E0:7D:A3:3D:02
	  inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
	  inet6 addr: fe80::2e0:7dff:fea3:3d02/64 Scope:Link
	  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	  RX packets:16472 errors:0 dropped:0 overruns:0 frame:0
	  TX packets:11445 errors:0 dropped:0 overruns:0 carrier:0
	  collisions:0 txqueuelen:1000
	  RX bytes:17676496 (16.8 MiB)  TX bytes:1270234 (1.2 MiB)
	  Interrupt:18 Base address:0xef00

 

2. Interface eth1 also has a static IP, 10.0.1.1, and connects to the LAN (XBOX and 2 other PCs). This is the LOC zone in shorewall. The default gateway for this is set to 192.168.1.1; I think this is done by the "Internet Connection Wizard".

eth1	  Link encap:Ethernet  HWaddr 00:E0:7D:A3:3D:0F
	  inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
	  inet6 addr: fe80::2e0:7dff:fea3:3d0f/64 Scope:Link
	  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	  RX packets:278 errors:0 dropped:0 overruns:0 frame:0
	  TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
	  collisions:0 txqueuelen:1000
	  RX bytes:24693 (24.1 KiB)  TX bytes:13332 (13.0 KiB)
	  Interrupt:19 Base address:0xe00

 

In shorewall I have masquerading set like this:

 

#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
eth0	eth1

 

My routing table looks like this:

Kernel IP routing table
Destination	 Gateway		 Genmask		 Flags Metric Ref	Use Iface
10.0.1.0		*			   255.255.255.0   U	 10	 0		0 eth1
192.168.1.0	 *			   255.255.255.0   U	 10	 0		0 eth0
169.254.0.0	 *			   255.255.0.0	 U	 10	 0		0 eth0
169.254.0.0	 *			   255.255.0.0	 U	 10	 0		0 eth1
127.0.0.0	   *			   255.0.0.0	   U	 0	  0		0 lo
default		 192.168.1.1	 0.0.0.0		 UG	10	 0		0 eth0

 

I do NOT see any shorewall messages in my messages log and policy is set to this:

loc	net	ACCEPT
loc	fw	ACCEPT
fw	loc	ACCEPT
fw	net	ACCEPT
loc	loc	ACCEPT
net	all	DROP	info
all	all	REJECT	info

 

service named restart gives me:

Jun 10 13:03:22 ENTERPRISE named[12044]: starting BIND 9.3.2 -u named -t /var/lib/named
Jun 10 13:03:22 ENTERPRISE named[12044]: loading configuration from '/etc/named.conf'
Jun 10 13:03:22 ENTERPRISE named[12044]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 10 13:03:22 ENTERPRISE named[12044]: listening on IPv4 interface eth0, 192.168.1.2#53
Jun 10 13:03:22 ENTERPRISE named[12044]: listening on IPv4 interface eth1, 10.0.1.1#53
Jun 10 13:03:22 ENTERPRISE named[12044]: command channel listening on 127.0.0.1#953

 

I can do queries on the domain name server EXCEPT on interface 10.0.1.1, but I do not think it's the nameserver itself but a network setup/firewall or routing problem.

 

dig @localhost google.com

dig @192.168.1.2 google.com

dig @127.0.0.1 google.com

and dig @ENTERPRISE gives me:

 

; <<>> DiG 9.3.2 <<>> @localhost google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18177
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.					IN	  A

;; ANSWER SECTION:
google.com.			 300	 IN	  A	   64.233.167.99
google.com.			 300	 IN	  A	   64.233.187.99
google.com.			 300	 IN	  A	   72.14.207.99

;; AUTHORITY SECTION:
google.com.			 345600  IN	  NS	  ns1.google.com.
google.com.			 345600  IN	  NS	  ns2.google.com.
google.com.			 345600  IN	  NS	  ns3.google.com.
google.com.			 345600  IN	  NS	  ns4.google.com.

;; Query time: 464 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 10 13:05:22 2007
;; MSG SIZE  rcvd: 148

 

but dig @10.0.1.1 gives me:

[root@ENTERPRISE wingcom]# dig @10.0.1.1 google.com

; <<>> DiG 9.3.2 <<>> @10.0.1.1 google.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

 

All these commands are performed on the server...

 

The reason why I think it has nothing to do with the DNS itself is that I also can't ping IP addresses from my connected clients on that interface (nor can I ping/connect to hostnames, of course).

 

CORRECTION: I can now ping my ISP DNS server IP from my connected client, so I'm gonna post my named.conf because it DOES seem like a DNS problem after all:

key mykey {
algorithm hmac-md5;
secret "";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { mykey; };
};

options {
directory "/var/lib/named/var/named";
pid-file "/var/lib/named/var/named/named.pid";
version "Wizard drake";
allow-query { any; };
allow-transfer { any; };
forwarders { 192.168.1.1; };
};

zone "localhost" {
type master;
file "zone/db.localhost";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "zone/db.127.0.0.1";
};

zone "." {
type hint;
file "zone/root.hints";
};

zone "1.168.192.in-addr.arpa" {
type master;
file "zone/db.1.168.192.hosts";
forwarders { };
};

zone "STARFLEET.COM" {
type master;
file "zone/db.STARFLEET.COM.hosts";
forwarders { };
};

 

I've had this setup before, but I installed a new motherboard and upgraded from 2005 to 2007, keeping only my home dir and reinstalling all the rest. So I must be overlooking something :s

 

Can someone point me in the right direction please? I must be overlooking something but don't seem to find it :s

 

 

thanx

wingcom

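An added audit script, not from this thread or from Mandriva, that reads the key and options blocks of the named.conf posted above and flags the settings a defender would tighten before this server also listens on the NET-zone interface: the empty rndc secret, allow-transfer { any; }, and recursion open to every querier. The config string is a constructed copy of the posted file; allow-recursion, which the check looks for, is a real BIND option that the posted file does not set.

```python
import re

# Constructed copy of the key and options blocks from the named.conf posted above.
NAMED_CONF = """\
key mykey {
algorithm hmac-md5;
secret "";
};

options {
allow-query { any; };
allow-transfer { any; };
forwarders { 192.168.1.1; };
};
"""

# Split named.conf into top-level statements: (kind, name, body) for `kind [name] { body };`.
def top_level_blocks(text):
    blocks, depth, start, prev_end = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:  # closed a top-level block; the words before '{' are its header
                head = text[prev_end:start].split()
                name = head[1].strip('"') if len(head) > 1 else None
                blocks.append((head[0], name, text[start + 1:i]))
                prev_end = text.find(";", i) + 1
    return blocks

# Value text of a `key value;` line inside a block body, or None when absent.
def setting(body, key):
    m = re.search(r"(?m)^\s*" + re.escape(key) + r"\s+(.*?);\s*$", body)
    return m.group(1).strip() if m else None

# Flag the settings in this thread's config that widen exposure of the server.
def audit(conf):
    findings = []
    for kind, name, body in top_level_blocks(conf):
        if kind == "key" and setting(body, "secret") in (None, '""'):
            findings.append(f"key {name}: empty secret, so the rndc control channel is not really authenticated")
        if kind == "options":
            if "any" in (setting(body, "allow-transfer") or ""):
                findings.append("options: allow-transfer { any; } lets any reachable host pull whole zones (AXFR)")
            if "any" in (setting(body, "allow-query") or "") and not setting(body, "allow-recursion"):
                findings.append("options: recursion is open to every querier on every listening interface")
    return findings
```

With the posted file the audit returns three findings; the same function returns none once the secret is filled in, allow-transfer is set to none and allow-recursion is limited to 10.0.1.0/24 and 127.0.0.1.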

If you've got another Linux machine, run nmap and scan 10.0.1.1 to see what ports are open. If it doesn't list port 53, then your firewall is blocking it. Seems your machine is listening on 53 though from what you posted before.


The top line of the /etc/named.conf file is missing .... I've been fighting this nonsense myself.

 

Add the line:

include "/etc/rndc.key";

 

Then run: service named start (or restart)

 

If that fails, reboot and then run service named status and you should be up and running.



No Joy...

Still fighting with this. I've configured my DHCP to hand out my ISP DNS directly; however, I still want to know what this is :s

All works except queries from the local network. They don't seem to find their way to the internet or upper name servers. So a routing problem might be correct, but I don't know how I should configure it then :s


Please post exactly what you see on the screen when you attempt to do a query.

 

Also, I doubt very much you will find your entries in your DNS server propagating out on to the internet. It won't work like that as such. Normally I configure the DNS server for internal use, and I then set a forwarder to use an external DNS server on the internet. Usually if you want your entries on the internet, you'd have to talk to someone who is providing your web services. And if you're not using public IP addresses, then there is no way your DNS entries will end up on the internet.
