Chris Evans wrote:
> Wednesday, January 12, 2005, 5:30:00 PM, Daniel Miller wrote:
>
> DLM> If I were to guess - it's a DNS misconfiguration problem, not an
> DLM> iptables problem.
> DLM> Easy stuff first - what's in your /etc/resolv.conf?
> DLM> Are you running any DNS servers on your firewall machine? If so, what?
> DLM> You need to share a bit more information.
>
> Thanks Daniel. I did try that earlier and got no responses. Hugely
> appreciate your input. I have the same problem with and without bind9
> running on the machine. So with /etc/resolv.conf as:
>
> cat resolv.conf
> search psyctc.org
> nameserver 127.0.0.1
> nameserver 213.120.62.97
> nameserver 213.120.62.98
> nameserver 213.120.62.99
> nameserver 213.120.62.100
> nameserver 213.120.62.101
> nameserver 213.120.62.102
> nameserver 213.120.62.103
> nameserver 213.120.62.104
Wowser! How many %$#@&ing DNS servers do you need?!

I dunno how up you are on DNS theory - let me lay some background, and if I screw up I'm certain someone else will pounce on me (gently please, I bruise easily).
Each computer that requires domain name resolution requires a list of one or more servers (that's your resolv.conf). Now, contrary to some people's belief, the resolver does NOT go through a list of servers looking for a valid response. Instead, it starts at entry #1 and tries for resolution. As long as that server responds - that counts as a successful resolution. "No such host" is a valid result - which means that's the end of your workstation trying to resolve www.abc123dontask.com.
The idea for multiple entries is to provide redundancy and backups - not multiple choices. And normally two is sufficient - unless you have multiple physical internet connections served from different providers and want to backup accordingly.
Each entry in resolv.conf should be functionally identical - because that's how your computer's resolver considers them.
With this in mind - let's consider running your own DNS service for your local LAN - and providing access to the Internet.
Let's say you have your own DNS server that is authoritative for your LAN - located at 192.168.0.1. This server has a list of all your local hosts - and that's ALL it knows about!
Now, in your workstation's resolv.conf, you list 192.168.0.1, along with your service provider's primary/secondary servers. And then you act surprised when you can find your local workstations - but not the Internet. Or you reverse the order of entries in the resolv.conf - and now you can find any Internet host, but not your LAN hosts!
The missing piece here is a caching DNS server. Here is where you start specifying multiple servers. In the setup for the caching DNS server - you list each domain, along with the associated authoritative DNS servers. In the simple case of a single internal LAN, and the Internet, you would list your internal domain along with its associated servers, and then specify your service provider's servers for the default/global/everything else (whatever your server uses).
Now you have a single source of DNS for your LAN - that when queried, can return an answer for both your LAN and the Internet. If you need/want a backup - then you need a backup cache, that again points to both a source of internal DNS and to a service provider's DNS.
So now, every workstation, and server - including the firewall, should have the following extensive resolv.conf:
domain mylocal.domain
nameserver 192.168.0.1

and that's it!

I use djbdns for my dns servers - but if you need further help setting up Bind9 ask anyway.
-- Daniel
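The resolver behaviour described above (nameservers tried in order, with only an unreachable server advancing the search, and "no such host" being a final answer), together with the LAN-first / ISP-first / caching-server layouts from the rest of the message, as an added Python simulation. This is not code from the thread or from any DNS software: the "servers" are plain functions, and the host names, zones and the 192.168.0.x / 203.0.113.53 addresses are constructed for the demonstration.

```python
"""Model of how a stub resolver walks /etc/resolv.conf (constructed simulation,
not real DNS traffic). Each "server" is a plain function standing in for a
DNS server: it returns (ANSWER, ip), (NXDOMAIN, None) or raises Timeout."""

ANSWER, NXDOMAIN = "answer", "nxdomain"


class Timeout(Exception):
    """The server never replied; the only case in which the stub moves on."""


# Constructed zone data (assumed names; RFC 1918 and documentation addresses).
LAN_ZONE = {
    "fileserver.mylocal.domain": "192.168.0.10",
    "printer.mylocal.domain": "192.168.0.20",
}
INTERNET_ZONE = {
    "www.example.com": "192.0.2.1",
    "mail.example.net": "198.51.100.25",
}


def authoritative_lan(name):
    """Knows the LAN zone and nothing else: anything else is NXDOMAIN."""
    return (ANSWER, LAN_ZONE[name]) if name in LAN_ZONE else (NXDOMAIN, None)


def isp_recursive(name):
    """The provider's resolver: knows the Internet, has never heard of the LAN."""
    return (ANSWER, INTERNET_ZONE[name]) if name in INTERNET_ZONE else (NXDOMAIN, None)


def dead_server(name):
    """A listed nameserver that is down."""
    raise Timeout(name)


def make_cache(forwards, default):
    """Caching/forwarding server: route each query by zone suffix, everything
    else to the default (provider) server. forwards is {zone: server}."""
    def cache(name):
        for zone, server in forwards.items():
            if name == zone or name.endswith("." + zone):
                return server(name)
        return default(name)
    return cache


def parse_resolv_conf(text):
    """Return (search_domains, nameserver_addresses) from resolv.conf text."""
    search, addresses = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            addresses.append(args[0])
        elif key in ("search", "domain"):
            search = args  # the last search/domain line wins, as in glibc
    return search, addresses


def stub_resolve(resolv_conf_text, servers_by_ip, name):
    """Nameservers are tried in listed order; only a timeout advances to the
    next one, and a definitive NXDOMAIN ends the query for that candidate.
    Returns an IP string, None for 'no such host', or raises Timeout."""
    search, addresses = parse_resolv_conf(resolv_conf_text)
    # Like glibc with ndots:1: a bare name gets each search domain appended
    # first, then is tried as given.
    candidates = ([f"{name}.{d}" for d in search] + [name]) if "." not in name else [name]
    for fqdn in candidates:
        for addr in addresses:
            try:
                status, ip = servers_by_ip[addr](fqdn)
            except Timeout:
                continue      # unreachable: fall through to the next nameserver
            if status == ANSWER:
                return ip
            break             # NXDOMAIN: final for this candidate, no more servers
        else:
            raise Timeout(f"no nameserver answered for {fqdn}")
    return None


# Constructed server inventory keyed by the address written in resolv.conf.
SERVERS = {
    "192.168.0.1": authoritative_lan,
    "203.0.113.53": isp_recursive,   # stand-in for the provider's resolver
    "192.168.0.2": make_cache({"mylocal.domain": authoritative_lan}, isp_recursive),
    "192.168.0.99": dead_server,
}

RESOLV_CONFS = {
    "lan-first": "nameserver 192.168.0.1\nnameserver 203.0.113.53\n",
    "isp-first": "nameserver 203.0.113.53\nnameserver 192.168.0.1\n",
    "cache-only": "domain mylocal.domain\nnameserver 192.168.0.2\n",
    "dead-then-cache": "nameserver 192.168.0.99\nnameserver 192.168.0.2\n",
}

TEST_NAMES = ("fileserver.mylocal.domain", "www.example.com")


def demo():
    """Resolve the two test names under each resolv.conf layout."""
    return {label: {n: stub_resolve(conf, SERVERS, n) for n in TEST_NAMES}
            for label, conf in RESOLV_CONFS.items()}


if __name__ == "__main__":
    for label, results in demo().items():
        print(f"{label:16s} {results}")
```

Running it shows the two failure modes side by side: with the LAN server listed first, www.example.com comes back as "no such host" because the authoritative server answered (NXDOMAIN) and the stub never consults the provider; with the provider first, the LAN host disappears the same way. Only the single caching/forwarding entry answers both, and the dead-then-cache layout shows that a second entry is reached only when the first one does not answer at all.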