Getting DNS through PF - BSD
-
Getting DNS through PF
I was just building a firewall with OpenBSD.
I got the machines to ping each other and the FW pinged to internet and
DNS worked on that one.
The internal machine pinged Google with the raw IP but not with the
www.google.com host name. So no DNS on the internal machine.
The setup is pretty much the same as the one on installation documents.
So what's wrong? Should there be a dns proxy or something?
The external address comes from the ISP's DHCP and the internal network uses static
IPs.
Oh, and name resolution didn't work even though I gave the real DNS
address (ISP's) to the internal (windows) machine instead of the FW
address.
-
Re: Getting DNS through PF
Markku L writes:
> I got the machines to ping each other and the FW pinged to internet and
> DNS worked on that one.
so your firewall has dns access but not the machines on your lan.
> The internal machine pinged Google with the raw IP but not with the
> www.google.com host name. So no DNS on the internal machine.
Two approaches are possible - let all dns queries go through a specific
name server which caches for the network, or let dns requests on both
udp and tcp pass through your firewall from your local net with state.
The first possibly involves reconfiguring your name server and might
even prompt you to write some redirection rules. The other is a
one-liner, which assuming $lan is $int_if:network (ie your local net)
would be something like
pass inet proto { tcp, udp } from $lan to any port domain keep state
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
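As an added example (not code from the thread), here is a minimal pf.conf that puts Peter's one-liner in context, written in the nat-rule syntax OpenBSD used in 2005 (OpenBSD 4.7 and later express NAT with match ... nat-to instead). The interface names and the LAN prefix are assumptions; the OP's LAN is static, so a fixed prefix is used, but $int_if:network works equally well.

```pf
# Added example, not from the original posts. Assumed names:
#   fxp0 = ISP-facing NIC (address from the ISP's DHCP)
#   fxp1 = LAN-facing NIC (static address)
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"   # assumed LAN prefix; $int_if:network also works

set skip on lo              # never filter loopback

# ($ext_if) in parentheses makes PF look the address up at evaluation
# time, so NAT keeps working after the ISP hands out a new lease.
nat on $ext_if from $lan to any -> ($ext_if)

block all                   # default deny; everything allowed is listed below

# DNS from the LAN: both udp and tcp (TCP carries answers too large for a
# UDP packet and zone transfers); "domain" is port 53 from /etc/services;
# keep state lets the replies back in without a separate inbound rule.
pass in  on $int_if inet proto { tcp, udp } from $lan to any port domain keep state
pass out on $ext_if inet proto { tcp, udp } from any to any port domain keep state

# the LAN must also reach the firewall itself if a caching resolver is
# later run there (the second approach mentioned in the thread)
pass in on $int_if inet proto { tcp, udp } from $lan to $int_if port domain keep state
```

pfctl -nf /etc/pf.conf parses the file without loading it; once a client resolves a name, pfctl -ss lists the udp and tcp port 53 states, which is the quickest way to see whether queries are reaching the firewall at all.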
-
Re: Getting DNS through PF
Begin <86irukohbb.fsf@amidala.datadok.no>
On 2005-11-22, Peter N M Hansteen wrote:
> Markku L writes:
>
>> I got the machines to ping each other and the FW pinged to internet and
>> DNS worked on that one.
>
> so your firewall has dns access but not the machines on your lan.
I haven't seen a statement from the OP that DNS worked for the clients
without any firewalling rules in action, so it could be a configuration
issue as well. My preference would probably be to add at least a
caching/forwarding dns, and have all the clients on the lan use it.
The upside of this is that if OP uses RFC1918 addresses he can provide
his own authoritative .local zone with matching reverse. This is
preferable over leaking those queries to the internet, NAT or no. See
also http://as112.net.
--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.
-
Re: Getting DNS through PF
On Tue, 22 Nov 2005 16:34:58 +0000, jpd wrote:
>
> I haven't seen a statement from the OP that DNS worked for the clients
> without any firewalling rules in action, so it could be a configuration
> issue as well. My preference would probably be to add at least a
> caching/forwarding dns, and have all the clients on the lan use it.
Do you have a link to a simple howto document on building a DNS proxy? I
tried to Google one but couldn't find anything easy.
-
Re: Getting DNS through PF
Markku L writes:
> Do you have a link to a simple howto document on building a DNS proxy? I
> tried to Google one but couldn't find anything easy.
googling on "caching only named" turns up quite a few hits. As you are
probably aware, recent versions of OpenBSD use bind 9, so weed out the ones
which refer to bind 4.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
-
Re: Getting DNS through PF
Begin <863blnlo4g.fsf@amidala.datadok.no>
On 2005-11-23, Peter N M Hansteen wrote:
> Markku L writes:
>
>> Do you have a link to a simple howto document on building a DNS proxy? I
>> tried to Google one but couldn't find anything easy.
>
> googling on "caching only named" turns up quite a few hits. As you are
> probably aware, recent versions of OpenBSD use bind 9, so weed out the ones
> which refer to bind 4.
Way back when I found the linux DNS HOWTO to be useful.
It helps that just about everyone and his dog uses bind.
For more help (after reading at least that HOWTO) don't hesitate to ask,
but do provide some detail on the networking setup, including whether or
not RFC1918 addresses are used.
--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.