BIND DNS Setup


red
Hiya folks,

 

I am having one heck of a time getting this to work. I have a Mandriva 2006 Free system (firewall) set up as a firewall, and it is working just fine (2 NICs, one internal, one external).

 

Behind this firewall I have a Windows Active Directory domain which has the DC set up as a DHCP server and DNS server.

 

Right now, I have the DNS on the DC answering queries for the local domain and forwarding queries it cannot answer (internet) to my ISP's DNS and everything is working perfectly. My only problem is that all users lose the ability to reach sites (internal and internet) when I take the DC offline for maintenance because the DC is the only DNS.

 

I want to set the firewall up as a secondary DNS to answer queries (internal) just as the Windows DC does, and forward queries it cannot answer (internet) to my ISP's DNS.

 

I have tried 7 ways to Sunday to get this working and I just cannot seem to get BIND to answer anything. I have found a number of how-tos but none seem to have the right answer, or I just don't get the config right.

 

For the sake of clarity, let's use the following variables so that any information you can give regarding configuration is understood:

 

Windows DC Server = WDC

WDC Name = SERVER1

Windows Domain Name = domain.local

Mandriva 2006 Box - firewall

ISP domain = ISPdomain

 

I would also need to know which ports to open in the firewall, as I have it pretty locked down and suspect that I will need to open things up a bit for DNS and resulting traffic to occur between firewall and domain.local.

 

Thanks,

 

RED


DNS runs on port 53, but you shouldn't need to open a port for it unless you're blocking various internal ports from getting outside.

 

Most firewalls run as a DNS proxy, so whilst they listen on port 53, they immediately forward the request to the internet for the DNS servers configured within the firewall. These should not be internal DNS servers, but ones supplied by your ISP.

 

What is your firewall? Is it a Linux computer, or something else? Once we know that, we can figure out how to get it all configured and up and running.
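The original question asked which ports to open, and the reply above points at port 53. The one detail that trips people up when the firewall itself becomes a secondary for domain.local is that zone transfers (AXFR) and oversized answers run over TCP, while ordinary lookups use UDP. The script below is an added example, not code from this thread: it audits a constructed iptables-save dump for the DNS rules the setup needs and prints the narrow rules to add. Interface names (eth0, eth1) and the addresses 192.0.2.10 (the WDC) and 198.51.100.1 (the ISP resolver) are placeholders.

```shell
# Added example, not code from the thread: audit an iptables-save dump for the
# DNS rules a secondary on the firewall needs. Interface names and addresses
# are placeholders. Ordinary lookups use 53/udp, but zone transfers (AXFR) and
# answers too large for UDP use 53/tcp, so a firewall that only opens 53/udp
# resolves names yet never manages to pull the zone from the DC.

# Constructed sample dump: a locked-down box that forgot TCP on the LAN side.
SAMPLE_RULES='
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
'

# rule_present <dump> <chain> <proto>: true if <chain> accepts port 53/<proto>.
rule_present() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*-p $3 .*--dport 53 .*-j ACCEPT"
}

# chain_policy_accept <dump> <chain>: true if the chain's default policy is ACCEPT.
chain_policy_accept() {
    printf '%s\n' "$1" | grep -q -- "^:$2 ACCEPT"
}

# dns_firewall_report <dump>: one line per check; returns the number missing.
dns_firewall_report() {
    rules="$1"; missing=0
    for check in \
        "INPUT udp queries from LAN clients and NOTIFY from the DC" \
        "INPUT tcp truncated answers retried over TCP by LAN clients" \
        "OUTPUT tcp zone transfer (AXFR) from the DC and large answers from the ISP"
    do
        set -- $check            # word-split into chain, protocol, explanation
        chain="$1"; proto="$2"; shift 2; why="$*"
        if rule_present "$rules" "$chain" "$proto" || chain_policy_accept "$rules" "$chain"; then
            echo "ok      $chain 53/$proto ($why)"
        else
            echo "MISSING $chain 53/$proto ($why)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# dns_rules_for_dc <lan_if> <wan_if> <dc_ip> <isp_dns>: the narrow rules to add
# rather than opening 53 on every interface (arguments default to placeholders).
dns_rules_for_dc() {
    lan="${1:-eth1}"; wan="${2:-eth0}"; dc="${3:-192.0.2.10}"; isp="${4:-198.51.100.1}"
    cat <<EOF
-A INPUT -i $lan -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o $lan -d $dc -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o $lan -d $dc -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o $wan -d $isp -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o $wan -d $isp -p tcp -m tcp --dport 53 -j ACCEPT
EOF
}
```

Run it against the real box with `dns_firewall_report "$(iptables-save)"`. The sample passes the OUTPUT check only because that chain's policy is ACCEPT; on a box where OUTPUT is also DROP, the explicit OUTPUT rules from `dns_rules_for_dc` are what let the firewall fetch the zone from the WDC and forward to the ISP. Nothing here opens 53 on the external interface for inbound traffic, which is the part that should stay closed.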


The firewall is a Mandriva 2006 as stated in the original post. I managed to get some response yesterday after messing with it some more, but I am unsure if it was a fluke or something I actually figured out. The config files don't seem to be in the right places, so the more information you can give will be appreciated.

 

Thanks.

Edited by red

Hmmm, can't really give you much more information as I'm not sure what you're trying to achieve as such other than the secondary DNS server existing on the firewall. How is your network set up? Here is mine:

 

 

PC's/Servers --> Firewall --> Router --> Internet

 

So let me know where your Windows DC is and where you want the secondary DNS. As for the firewall, in Mandriva it could be iptables, or shorewall, or something else. I'm not sure how you installed it, to find out which package it is you're using. You can let me know by posting the output of:

 

chkconfig --list | grep :on

 

from a console window as root on the firewall so I can see what services are enabled.


Well, I did end up with SOME success. I found out that the config files and data files were not in the places the named script expected them to be; I moved them and named finally actually ran.

 

I was able to get the firewall to forward queries it could not answer to the internet; I just could not get it configured to answer for my local domain (domain.local). So now it's a matter of configuring this zone properly.

 

My set up is like this:

 

Domain.local and domain controller (Windows primary DNS) --> firewall/router (Mandriva 2006 box with 2 NICs) --> Internet

 

I want to make the firewall/router a DNS as well to answer internal queries and forward internet queries.

 

Thanks for the help.


Success!!! It was not my config files at all, they were fine. It turned out to be their location and permissions.

 

I installed BIND from the RPMs "bind-9.3.1-4.320060mdk" and "bind-utils9.3.1-4.320060mdk" as provided on the CD or through RPMdrake. This installation was putting the named.conf and resulting <zone> file in /var/lib/named/etc. To add to the problem, Webmin, which I was using to configure the named.conf and zone files, was editing the files in /var/lib/named/etc.

 

After looking at the messages log and seeing that named was not finding the named.conf file when starting, just for the hell of it I copied the named.conf from /var/lib/named/etc to /etc/ and the error message changed from file not found to permission denied. Some additional searching on this message indicated that permissions for the folder containing named.conf had to be modified so that the named group had full access. This was necessary because even trying to launch named as root failed because of permissions, which was supported by a post found on another site that indicated that named trumps root's ability to override some file permissions and the named group must be specifically granted permission. This is where I think that while this is working, it is incorrect. I had to change permissions on the /etc/ folder. I changed the group from root to group and gave it read and write access; when I did this, named fired right up and off we went. The <zone> file even updated from my Windows DNS server!!!

 

This is one of my pet peeves with using Linux: while some things are very consistent, others are not, and this sort of issue should not have happened. The named script should be looking in the correct locations for the config files and I certainly should not have had to change permissions on the /etc/ folder.

 

Any idea where to change what so that I can use the files in /var/lib/named/etc as installed instead of /etc/ and restore permissions?

 

Thanks


How did you copy the file? If you don't use the correct flag when you copy it, permissions won't follow with the file.

 

cp -p filename

 

will keep the privileges assigned when you copy it. In Mandriva, named runs in a chrooted environment if I remember correctly, which is why everything is in /var/lib/named/etc.
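The two loose ends in this thread are the zone configuration the original poster never got working and the chroot layout the last reply mentions. The script below is an added example, not code from the thread or from the Mandriva package: it writes a secondary (slave) zone for domain.local into a chroot laid out like /var/lib/named and then checks that layout, so that named can read its config and store the transferred zone without anything in /etc being made group-writable. The chroot path, the WDC address 192.0.2.10, the ISP resolver 198.51.100.1, the LAN prefix 192.0.2.0/24, the internal NIC address 192.0.2.1 and the group name passed in are all placeholders; substitute your own values.

```shell
# Added example, not code from the thread: build the secondary (slave) BIND 9.3
# configuration for domain.local inside a chroot laid out like Mandriva's
# /var/lib/named, then verify the layout instead of widening permissions on /etc.
# Addresses, the LAN prefix and the group name are placeholders.

# write_secondary_conf <chroot> <wdc_ip> <isp_dns> <lan_cidr> <listen_ip> <group>
# Writes <chroot>/etc/named.conf. Paths inside it are relative to the chroot
# because named started with -t <chroot> changes root before reading them.
write_secondary_conf() {
    root="$1"; wdc="$2"; isp="$3"; lan="$4"; listen="$5"; grp="$6"
    mkdir -p "$root/etc" "$root/var/named"
    cat > "$root/etc/named.conf" <<EOF
options {
    directory "/var/named";            // where the transferred zone is stored
    listen-on { 127.0.0.1; $listen; }; // internal NIC only, never the WAN side
    allow-query { 127.0.0.1; $lan; };  // only the LAN may use this resolver
    allow-transfer { none; };          // nobody may pull the zone from the firewall
    forwarders { $isp; };              // everything we are not authoritative for
    forward only;
    recursion yes;
};

// Secondary copy of the AD zone; SERVER1 (the WDC) stays the master.
zone "domain.local" IN {
    type slave;
    file "domain.local.zone";
    masters { $wdc; };
    allow-notify { $wdc; };
};
EOF
    # Least privilege: the named group reads the config and writes the zone
    # directory; nothing under /etc needs to become group-writable for this.
    chgrp -R "$grp" "$root/etc" "$root/var/named"
    chmod 750 "$root/etc"
    chmod 640 "$root/etc/named.conf"
    chmod 770 "$root/var/named"
}

# check_layout <chroot> <group>: prints each problem and returns how many there
# are, so 0 means named can start without touching permissions elsewhere.
check_layout() {
    root="$1"; grp="$2"; problems=0
    conf="$root/etc/named.conf"
    if [ -z "$(find "$conf" -group "$grp" -perm -040 2>/dev/null)" ]; then
        echo "PROBLEM $conf is not readable by group $grp (named reports permission denied)"
        problems=$((problems + 1))
    fi
    if [ -z "$(find "$root/var/named" -prune -group "$grp" -perm -020 2>/dev/null)" ]; then
        echo "PROBLEM $root/var/named is not writable by group $grp (zone transfer cannot be saved)"
        problems=$((problems + 1))
    fi
    if [ -n "$(find "$root/etc" -prune -perm -020 2>/dev/null)" ]; then
        echo "PROBLEM $root/etc is group-writable; only the config file needs to be readable"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Before relying on it, check how the init script actually starts named, in particular whether it passes `-t /var/lib/named`, so that only one copy of named.conf is live and the stray copy in /etc can go. `named-checkconf -t /var/lib/named /etc/named.conf` parses the file the same way a chrooted named would. The Windows side also needs a change that no amount of BIND configuration replaces: on SERVER1 the domain.local zone must allow zone transfers to the firewall's internal address (zone properties, Zone Transfers tab), otherwise the slave zone never loads and the firewall can only forward.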

