Date:      Sun, 16 Dec 2001 01:13:14 -0600
From:      "Dustin Puryear" <dpuryear@usa.net>
To:        <freebsd-isp@freebsd.org>
Subject:   Public DNS server and FreeBSD firewall
Message-ID:  <PGECILGGNJGDPJKLFEMIKELFCJAA.dpuryear@usa.net>
In-Reply-To: <107624744755.20011211191506@buz.ch>

I am setting up a public DNS server and having a bit of a problem figuring
out why it cannot query outside of our network. I am using FreeBSD
4.4-RELEASE on both the DNS server and firewall. Basically, when I try to
resolve a host outside of my network the local named times out:

Server:  XXXXX.com
Address:  10.0.0.5

        *** XXXXXX.com can't find www.cdrom.com: Non-existent host/domain
> www.google.com
Server:  XXXXX.com
Address:  10.0.0.5

*** XXXX.com can't find www.google.com: Non-existent host/domain
>

I can't figure out why, and darn if I am not getting any denied packet log
entries in /var/log/security on the firewall. I am using static NAT, with my
DNS server having the internal address 10.0.0.5, but an external address of
aa.bb.cc.dd. The ipfw entries that appear relevant are:

# internal DNS..
03000 allow udp from ww.xx.yy.zz to any 53 keep-state
03100 allow tcp from ww.xx.yy.zz to any 53 keep-state
# this is the public DNS server..
03200 allow udp from aa.bb.cc.dd to any 53 keep-state
03300 allow tcp from aa.bb.cc.dd to any 53 keep-state

This should allow my name servers to access any outside name servers right?
I even get dynamic rules that indicate some type of connection is being
attempted:

03200 0 0 (T 29, # 91) ty 0 udp, aa.bb.cc.dd 1196 <-> 66.135.0.10 53

Despite this entry the local named still times out. The weird thing is that
the named running on the firewall, ww.xx.yy.zz (internal 10.0.0.1), works.
But the named running on aa.bb.cc.dd (10.0.0.5) doesn't.

Note, the entire ruleset follows if you need more information:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from any to any via nge0
00500 deny ip from 10.0.0.0/24 to any in recv rl0
00600 deny ip from public-network-XXX/26 to any in recv nge0
00700 deny ip from any to 10.0.0.0/8 via rl0
00800 deny ip from any to 172.16.0.0/12 via rl0
00900 deny ip from any to 192.168.0.0/16 via rl0
01000 deny ip from any to 0.0.0.0/8 via rl0
01100 deny ip from any to 169.254.0.0/16 via rl0
01200 deny ip from any to 192.0.2.0/24 via rl0
01300 deny ip from any to 224.0.0.0/4 via rl0
01400 deny ip from any to 240.0.0.0/4 via rl0
01500 divert 8668 ip from any to any via rl0
01600 deny ip from 10.0.0.0/8 to any via rl0
01700 deny ip from 172.16.0.0/12 to any via rl0
01800 deny ip from 192.168.0.0/16 to any via rl0
01900 deny ip from 0.0.0.0/8 to any via rl0
02000 deny ip from 169.254.0.0/16 to any via rl0
02100 deny ip from 192.0.2.0/24 to any via rl0
02200 deny ip from 224.0.0.0/4 to any via rl0
02300 deny ip from 240.0.0.0/4 to any via rl0
02400 allow tcp from any to any established
02500 allow ip from any to any frag
02800 allow tcp from any to any 22 keep-state
02900 allow icmp from any to any keep-state
03000 deny log logamount 10 tcp from any to any in recv rl0 setup
03100 allow tcp from any to any setup
03200 allow udp from ww.xx.yy.zz to any 53 keep-state
03300 allow tcp from ww.xx.yy.zz to any 53 keep-state
03400 allow udp from aa.bb.cc.dd to any 53 keep-state
03500 allow tcp from aa.bb.cc.dd to any 53 keep-state
65535 deny ip from any to any

Regards, Dustin

---
Dustin Puryear <dpuryear@usa.net>
Information Systems Consultant
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams


> -----Original Message-----
> From: Gabriel Ambuehl [mailto:gabriel_ambuehl@buz.ch]
> Sent: Tuesday, December 11, 2001 12:15 PM
> To: Dustin Puryear
> Cc: isp@freebsd.org
> Subject: Re[10]: Using DNAT and DNS round-robin
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hello Dustin,
>
> Tuesday, December 11, 2001, 6:29:35 PM, you wrote:
> > Yes, that is what I eventually found out. Apparently, unless you
> > have some type of special gear, you cannot do IP-based virtual
> > hosting in a
> > load-sharing or -balancing environment. Now, doing HA might not be
> > too much work depending on what your requirements for switch over
> > time are.
>
> <10s is doable with standard gear. <1s is quite a bit harder but
> perhaps still doable.
>
> >> That's nice. I wished I were in the same situation...
> > Yes, it is nice. I have yet to do work for a company providing web
> > hosting to consumers, but I can see how it would have some real
> > challenges. But it
>
> It certainly has.
>
> > synchronization issue. NAS being one. A second is using a few
> > "shell" servers that automatically get replicated to your web
> > servers seems to be another.
>
> I've been thinking about that approach too, but it doesn't buy you
> much since there are still those morons that use the FS as DB...
>
> >> Squid should do the job too, more flexibly, but probably slower.
> > I played with Squid and it works nicely. Indeed, I liked the fact
> > that with Squid I can make my web cluster disappear from outsiders
> > and use Squid as a reverse proxy. However, since we dropped the
> > requirement for IP-based virtual hosting the point is moot. We will
> > be using just a standard configuration where we will DNS
> > round-robin between web servers.
>
> That's the easiest approach, of course. OTOH, I haven't got a very
> high opinion of DNS round robin since it essentially still lets the
> remote client fuck it up...
>
>
>
>
> Best regards,
>  Gabriel
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5i
>
> iQEVAwUBPBY/HcZa2WpymlDxAQFoUQgAuCZrFy8u5EILeyiLBgjtLuRVcLhX8ItT
> 3LfKOnw2ve513rx4F6gT9nVNrapH4jWYtidrBla4Z8xtH3N6Yem9r53To6xCqYpd
> GMxv8RZdxuZtXCV92CnDxeKGIZ89nPBPFAsC6sQkDPX3jThf9+t6jI59J9rroqq+
> rwP63//vR8Pq63//Q7Lc7/TgAE6jJHs0nAXadiq1mUSwFZVF+nUgPYU3BnN9iyud
> 7CLLxYnArXguGZRx2wfdskPiZ7ZCSl5mC78kUimTDHLXrV2VofyzjIJWBcWyMzNA
> d9fo9b9OtDKRj3Hnvj5MpDjJySaxDBsyY15NaecYlAVazQIWuRMUyQ==
> =5dpk
> -----END PGP SIGNATURE-----
>
>


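As an added illustration (not part of the thread, and not the poster's or FreeBSD's own code), the Python model below walks one DNS query and its reply through a reduced copy of the posted ruleset, then through a reordered one where the natd divert is split around a check-state rule. It assumes ipfw's documented behaviour: a diverted packet re-enters the ruleset at the rule after the divert carrying whatever natd rewrote (the post's own dynamic rule, created with the public address aa.bb.cc.dd, shows exactly that for the outbound half), and the dynamic table is consulted at the first check-state or keep-state rule reached. The addresses are the ones in the post; the source port, the packets, the static NAT map and the rule numbers of the reordered set (1510, the skipto rules 3200/3400, 8000, 9000, 9010) are constructed for the example.

```python
# Added example, not from the thread: a toy model of how ipfw walks a ruleset
# that mixes a natd divert with keep-state rules. Assumes a diverted packet
# re-enters at the rule after the divert with natd's rewrite applied, and that
# the dynamic table is consulted at the first check-state/keep-state rule.
EXT_DNS = "aa.bb.cc.dd"       # public address of the DNS server (from the post)
INT_DNS = "10.0.0.5"          # its internal address (from the post)
FW_EXT = "ww.xx.yy.zz"        # the firewall's own external address (from the post)
REMOTE = "66.135.0.10"        # remote name server seen in the post's dynamic rule
EXT_IF, INT_IF = "rl0", "nge0"
NAT_MAP = {INT_DNS: EXT_DNS}  # static natd mapping (constructed for the example)

class Pkt:
    def __init__(self, proto, src, sport, dst, dport, iface, direction):
        self.proto, self.src, self.sport, self.dst = proto, src, sport, dst
        self.dport, self.iface, self.direction = dport, iface, direction

def natd(p):
    """Static NAT as natd applies it to a packet diverted on the outside interface."""
    if p.direction == "out":
        p.src = NAT_MAP.get(p.src, p.src)
    else:
        p.dst = {ext: lan for lan, ext in NAT_MAP.items()}.get(p.dst, p.dst)

def rule(num, action, proto="ip", src="any", dport=None, via=None,
         direction=None, keep=False, target=None):
    """One ipfw rule as (number, action, keep-state?, skipto target, matcher)."""
    def match(p):
        return ((proto == "ip" or p.proto == proto)
                and (src == "any" or p.src == src)
                and (dport is None or p.dport == dport)
                and (via is None or p.iface == via)
                and (direction is None or p.direction == direction))
    return (num, action, keep, target, match)

def dyn_key(p):  # a dynamic rule matches both directions of one 5-tuple
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def jump(rules, target):
    return next(i for i, r in enumerate(rules) if r[0] >= target)

def walk(rules, p, dyn):
    """One pass of a packet through the ruleset; returns 'allow' or 'deny'."""
    consulted, i = False, 0
    while i < len(rules):
        _num, action, keep, target, match = rules[i]
        i += 1
        if (keep or action == "check-state") and not consulted:
            consulted = True                      # dynamic table is checked once, here
            parent = dyn.get(dyn_key(p))
            if parent and parent[0] == "skipto":  # act as the creating rule did
                i = jump(rules, parent[1])
                continue
            if parent:
                return parent[0]
        if action == "check-state" or not match(p):
            continue
        if action == "divert":
            natd(p)                               # reinjected at the next rule, rewritten
            continue
        if keep:
            dyn[dyn_key(p)] = (action, target)
        if action == "skipto":
            i = jump(rules, target)
            continue
        return action
    return "deny"

# The post's ruleset, reduced to the rules a DNS query and its reply touch.
POSTED = [
    rule(400, "allow", via=INT_IF),
    rule(1500, "divert", via=EXT_IF),                       # NAT both ways, before any state
    rule(2800, "allow", proto="tcp", dport=22, keep=True),  # first stateful rule: lookup here
    rule(3200, "allow", proto="udp", src=FW_EXT, dport=53, keep=True),
    rule(3400, "allow", proto="udp", src=EXT_DNS, dport=53, keep=True),
    rule(65535, "deny"),
]

# Same policy with the divert split so that state is keyed on the addresses the
# LAN host really uses: de-NAT inbound before check-state, NAT outbound after it.
FIXED = [
    rule(400, "allow", via=INT_IF),
    rule(1500, "divert", via=EXT_IF, direction="in"),
    rule(1510, "check-state"),
    rule(3200, "skipto", proto="udp", src=FW_EXT, dport=53, direction="out", keep=True, target=9000),
    rule(3400, "skipto", proto="udp", src=INT_DNS, dport=53, direction="out", keep=True, target=9000),
    rule(8000, "deny"),                                     # nothing falls through to the NAT block
    rule(9000, "divert", via=EXT_IF, direction="out"),
    rule(9010, "allow"),
]

def simulate(rules, client_ip, port=1196):
    """Walk one DNS query from client_ip out and its reply back; return both verdicts."""
    dyn, hops = {}, [Pkt("udp", client_ip, port, REMOTE, 53, EXT_IF, "out")]
    if client_ip in NAT_MAP:  # a LAN host's packet is first seen inbound on the inside interface
        hops.insert(0, Pkt("udp", client_ip, port, REMOTE, 53, INT_IF, "in"))
    for query in hops:
        if walk(rules, query, dyn) != "allow":
            return ("deny", "deny")
    reply = Pkt("udp", REMOTE, 53, query.src, query.sport, EXT_IF, "in")  # to the address that left rl0
    return ("allow", walk(rules, reply, dyn))
```

Under the posted order, simulate(POSTED, INT_DNS) returns ("allow", "deny"): the query leaves and creates state on aa.bb.cc.dd, but the reply is de-NATed to 10.0.0.5 by the divert before any stateful rule sees it, so the dynamic rule never matches and the packet falls through to rule 65535. That default rule carries no log keyword, so a reply dropped there would not appear in /var/log/security. The firewall's own named is unaffected in either ordering because natd never rewrites a packet whose source already is ww.xx.yy.zz. With the divert split (FIXED), both the public server and the firewall get ("allow", "allow"); on a real box, compare the counters of `ipfw -d show` before and after the change rather than trusting the model.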