Date:      Mon, 22 May 2000 15:19:23 -0500 (EST)
From:      Blake Matheny <matheny@bussert.com>
To:        Ron Smith <ronnetron@hotmail.com>
Cc:        freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Non-existent domain
Message-ID:  <Pine.BSF.4.10.10005221512530.9101-100000@arf.bussert.com>
In-Reply-To: <20000522191733.61404.qmail@hotmail.com>

I had this problem before, I had to add an A record in dns on the firewall
for the web server. For instance, let's say bussert.com was hosted at
111.111.111.111, I had to add that in the dns records. Add the following
records to be able to browse:
@	IN	A	ipaddressofwebserver
www	IN	A	ipaddressofwebserver
The first line will allow for resolution of crcfx.com, the second line
will allow for resolution of www.crcfx.com. I /think/ that answered your
question, but I was a little unclear, let me know if that helps.
-Blake

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com
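As an added illustration of Blake's advice (example code, not from either poster), here is a small Python checker that parses a BIND-style zone file like the db.crcfx.com excerpt quoted below, handling ';' comments, '@', owner-name inheritance on blank-owner lines and the multi-line SOA, and reports whether the apex and www names carry A records. The sample zone is constructed and its 63.0.0.218 address is a placeholder, not the poster's real address.

```python
import re
# Constructed sample modelled on the db.crcfx.com zone quoted in the thread;
# the 63.0.0.218 address is a placeholder, not the poster's real address.
SAMPLE_ZONE = """\
; Definition of zone crcfx.com
crcfx.com.      IN      SOA     stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial
                86400   ; refresh (1 day)
                7200    ; retry (2 hours)
                8640000 ; expire (100 days)
                86400 ) ; minimum (1 day)
                IN      NS      stargate.crcfx.com.
                IN      NS      ns1.pbi.net.
stargate        IN      A       63.0.0.218
"""

def logical_lines(text):
    """Yield (owner_omitted, tokens); strips ';' comments, joins ( ... ) lines."""
    buf, omitted = "", False
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        if not buf:
            if not line.strip():
                continue                      # blank or comment-only line
            omitted = line[0].isspace()       # leading blank => reuse last owner
        buf += " " + line
        if buf.count("(") <= buf.count(")"):  # record complete (parens balanced)
            yield omitted, buf.replace("(", " ").replace(")", " ").split()
            buf = ""

def parse_zone(text, origin):
    """Return [(fqdn, TYPE, rdata)]: '@'/relative names resolved, TTL/class skipped."""
    origin = origin.rstrip(".") + "."
    records, owner = [], origin
    for omitted, toks in logical_lines(text):
        if not omitted:
            name = toks.pop(0)
            owner = origin if name == "@" else (
                name if name.endswith(".") else f"{name}.{origin}")
        while toks and (toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS")):
            toks.pop(0)                       # drop optional numeric TTL and class
        records.append((owner, toks[0].upper(), toks[1:]))
    return records

def missing_web_records(records, origin):
    """The two names Blake's records cover: the apex and www. Returns what lacks an A."""
    origin = origin.rstrip(".") + "."
    have_a = {o for o, t, _ in records if t == "A"}
    return [n for n in (origin, "www." + origin) if n not in have_a]
```

Run against the sample it reports both crcfx.com. and www.crcfx.com. as missing; appending the two records Blake lists clears the report.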

On Mon, 22 May 2000, Ron Smith wrote:

> Hi all,
> 
> O.K. gang I need your help on this one. I have a particular problem that I 
> can't seem to solve on my own. Here's what's happening:
> 
> I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything 
> works fine for those on the LAN when browsing HTTP. DNS is also running on 
> this machine as primary and I have a name server at the ISP as secondary. 
> However, the problem is that when looking for the domain name "crcfx.com" 
> out on the web, It's not seen. An error message comes up saying: "A network 
> error occurred: Unable to connect to server. The server may be down or 
> unreachable." Also, I don't get a proper response, from outside our LAN, 
> when doing an 'nslookup stargate.crcfx.com', which has the primary DNS 
> running locally. This is preventing us from putting other services on-line, 
> such as 'HTTP' and 'SMTP'. I've talked to several sources (including my 
> ISP), to no avail. There's lots of confusion all around. I have a suspicion 
> my problem may stem from the way my zones are set up, or the firewall rules, 
> but I'm not sure. Anyway, here are the details:
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ping 127.0.0.1 (loopback)
> ping 192.x.x.1 (inside interface)
> ping 63.x.x.218 (outside interface)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> All show 0% packet loss.
> 
> ~~~~~~~~~~~~~~~
> 'rc.conf' says:
> ~~~~~~~~~~~~~~~
> 
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
> 
> # -- sysinstall generated deltas -- #
> ifconfig_fxp0="inet 192.x.x.1  netmask 255.255.255.0"
> ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
> hostname="stargate.crcfx.com"
> linux_enable="YES"
> moused_enable="YES"
> gateway_enable="YES"
> defaultrouter="63.x.x.217"
> # -- The following deltas were generated by Ron Smith on Apr. 17, 2000
> firewall_enable="YES"
> firewall_type="simple"
> firewall_script="/etc/rc.firewall"
> inetd_enable="NO"
> sendmail_enable="NO"
> dumpdev=/dev/wd0s1b
> natd_enable="YES"
> natd_interface="pn0"
> named_enable="YES"
> 
> ~~~~~~~~~~~~~~~~~~~
> 'rc.firewall' says:
> ~~~~~~~~~~~~~~~~~~~
> 
> # set these to your outside interface network and netmask and ip
> oif="pn0"
> onet="63.x.x.216"
> omask="255.255.255.248"
> oip="63.x.x.218"
> 
> # set these to your inside interface network and netmask and ip
> iif="fxp0"
> inet="192.x.x.0"
> imask="255.255.255.0"
> iip="192.x.x.1"
> 
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> 
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
> #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
> # Allow ICMP inside only
> #$fwcmd add deny icmp from any to any via ${oif}
> #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}
> 
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
> 
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
> 
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
> 
> # Allow access to our WWW
> #$fwcmd add pass tcp from any to ${oip} 80 setup
> 
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
> 
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
> 
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
> $fwcmd add pass udp from ${inet}:${imask} to any 53
> 
> # Allow stuff to 192 net in from the outside, since we're
> # checking after NAT does the conversion
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}
> 
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
> 
> # Everything else is denied as default.
> 
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
> $fwcmd ${firewall_type}
> fi
> 
> ~~~~~~~~~~~~~~~~~~~~~~~
> 'whois crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~
> 
> Whois Server Version 1.1
> 
> Domain names in the .com, .net, and .org domains can now be registered
> with many different competing registrars. Go to http://www.internic.net for 
> detailed information.
> 
> Domain Name: CRCFX.COM
> Registrar: REGISTER.COM, INC.
> Whois Server: whois.register.com
> Referral URL: www.register.com
> Name Server: NS1.PBI.NET
> Name Server: STARGATE.CRCFX.COM
> Updated Date: 28-apr-200
> 
> >>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<
> 
> The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and 
> Registrars.
> 
> Access to register.com's WHOIS information is for informational purposes 
> only.  Register.com makes this information available
> "as is," and does not guarantee its accuracy.  The compilation, repackaging, 
> dissemination or other use of register.com's WHOIS information in its 
> entirety, or a substantial portion thereof, is expressly prohibited without 
> the prior written consent of register.com.  By accessing and using our WHOIS 
> information, you agree to these terms.
> 
> Organization:
> Cinema Research Corp
> 6860 Lexington Ave
> Hollywood, CA 90038
> US
> 
> Registrar..: Register.com (http://www.register.com)
> Domain Name: CRCFX.COM
> Created on..............: Fri, Mar 24, 2000
> Expires on..............: Sat, Mar 24, 2001
> Record last updated on..: Fri, Apr 28, 2000
> 
> Administrative Contact:
> Smith, Ron  ronnetron@hotmail.com
> 323-460-4111
> 
> Technical Contact, Zone Contact:
> Internic, Registrar  internic-free@register.com
> 212-594-988
> 
> Domain servers in listed order:
> 
> STARGATE.CRCFX.COM                               63.x.x.218
> NS1.PBI.NET                                      206.13.28.11
> 
> Register your domain name at http://www.register.com
> 
> ~~~~~~~~~~~~~~~~~
> ifconfig -a says:
> ~~~~~~~~~~~~~~~~~
> 
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255
> 
> pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223
> 
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 127.0.0.1 netmask 0xff000000
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 'netstat -na crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address         Foreign Address      (state)
> icmp       0      0 *.*                   *.*
> tcp        0      0 *.111                 *.*                  LISTEN
> tcp        0      0 127.0.0.1.53          *.*                  LISTEN
> tcp        0      0 63.x.x.218.53         *.*                  LISTEN
> tcp        0      0 192.x.x.1.53          *.*                  LISTEN
> udp        0      0 *.111                 *.*
> udp        0      0 *.1024                *.*
> udp        0      0 127.0.0.1.53          *.*
> udp        0      0 63.x.x.218.53         *.*
> udp        0      0 192.x.x.1.53          *.*
> udp        0      0 *.514                 *.*
> 
> ~~~~~~~~~~~~~~~~~~~~~
> 'db.crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~
> 
> ; Definition of zone crcfx.com
> crcfx.com.      IN      SOA     stargate.crcfx.com. root.crcfx.com. (
>                 2000042901 ; Serial (date, two digits version of day)
>                 86400   ; refresh (1 day)
>                 7200    ; retry (2 hours)
>                 8640000 ; expire (100 days)
>                 86400 ) ; minimum (1 day)
> 
> ; name servers
>                 IN      NS      stargate.crcfx.com.
>                 IN      NS      ns1.pbi.net.
>                 IN      NS      ns2.pbi.net.
> stargate        IN      A       63.x.x.218
> ns1.pbi.net.    IN      A       206.13.28.11
> ns2.pbi.net.    IN      A       206.13.29.11
> 
> ~~~~~~~~~~~~~~~~~~~~~
> 'crcfx-reverse' says:
> ~~~~~~~~~~~~~~~~~~~~~
> 
> @     IN     SOA   stargate.crcfx.com.      root.crcfx.com. (
>                    2000042901 ; Serial (date, 2 digits version of day)
>                    86400   ; refresh (1 day)
>                    7200    ; retry (2 hours)
>                    8640000 ; expire (100 days)
>                    86400 ) ; minimum (1 day)
> 
>       IN     NS    stargate.crcfx.com.
>       IN     NS    ns1.pbi.net.
>       IN     NS    ns2.pbi.net.
> 
> 218.x.x.63.in-addr.arpa         IN      PTR     stargate.crcfx.com.
> 11.28.13.206.in-addr.arpa       IN      PTR     ns1.pbi.net.
> 11.29.13.206.in-addr.arpa       IN      PTR     ns2.pbi.net.
> 
> ~~~~~~~~~~~~~~~~~~~~~
> 'localhost.rev' says:
> ~~~~~~~~~~~~~~~~~~~~~
> 
> ;	From: @(#)localhost.rev	5.1 (Berkeley) 6/30/90
> ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
> ;
> ; This file is automatically edited by the `make-localhost' script in
> ; the /etc/namedb directory.
> ;
> 
> @     IN     SOA     stargate.crcfx.com. root.stargate.crcfx.com. (
>                      2000042901 ; Serial
>                      86400      ; Refresh (1 day)
>                      7200       ; Retry (2 hours)
>                      8640000    ; Expire (100 days)
>                      86400 )    ; Minimum
>       IN     NS      stargate.crcfx.com.
> 1     IN     PTR     localhost.crcfx.com.
> 
> ~~~~~~~~~~~~~~~~~~~
> 'resolv.conf' says:
> ~~~~~~~~~~~~~~~~~~~
> 
> domain	crcfx.com
> nameserver 127.0.0.1
> nameserver 192.x.x.1
> nameserver 63.x.x.218
> nameserver 206.13.28.11
> nameserver 206.13.29.11
> 
> ~~~~~~~~~~~~~~~~~~
> 'named.conf' says:
> ~~~~~~~~~~~~~~~~~~
> 
> options {
>       directory "/etc/namedb";
> 
>         forwarders {
>               206.13.28.11;
>         };
> };
> 
> zone "." {
>       type hint;
>       file "named.root";
> };
> 
> zone "0.0.127.IN-ADDR.ARPA" {
>       type master;
>       file "localhost.rev";
> };
> 
> zone "crcfx.com" {
>       type master;
>       file "db.crcfx.com";
> };
> 
> zone "0.x.192.IN-ADDR.ARPA" {
>       type master;
>       file "crcfx-reverse";
> };
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Sorry,
> 
> This is a lot to swallow, but they are all the pertinent files, in regards 
> to the problem. I would appreciate any feedback on how to get our local name 
> server to do proper zone transfers to our upstream ISP, and to get a proper 
> 'nslookup stargate.crcfx.com' from outside our LAN ...same thing.
> 
> TIA
> Ron
> 
> 