Getting DNS through PF - BSD


Thread: Getting DNS through PF

  1. Getting DNS through PF

    I was just building a firewall with OpenBSD.

    I got the machines to ping each other and the FW pinged to internet and
    DNS worked on that one.

    The internal machine pinged Google with the raw IP but not with the
    www.google.com host name. So no DNS on the internal machine.

    The setup is pretty much the same as the one on installation documents.

    So what's wrong? Should there be a dns proxy or something?

    The external address is from the ISP's DHCP and the internal network is static
    IPs.

    Oh, and name resolution didn't work even though I gave the real DNS
    address (ISP's) to the internal (windows) machine instead of the FW
    address.

  2. Re: Getting DNS through PF

    Markku L writes:

    > I got the machines to ping each other and the FW pinged to internet and
    > DNS worked on that one.
    so your firewall has dns access but not the machines on your lan.

    > The internal machine pinged Google with the raw IP but not with the
    > www.google.com host name. So no DNS on the internal machine.
    Two approaches are possible - let all dns queries go through a specific
    name server which caches for the network, or let dns requests on both
    udp and tcp pass through your firewall from your local net with state.

    The first possibly involves reconfiguring your name server and might
    even prompt you to write some redirection rules. The other is a
    one-liner, which assuming $lan is $int_if:network (ie your local net)
    would be something like

    pass inet proto { tcp, udp } from $lan to any port domain keep state

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
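    As an added illustration (not from the thread or its posters), here is a pf.conf fragment showing both approaches Peter describes, in the pre-OpenBSD 4.7 syntax current in 2005 (macros, then translation rules, then filter rules). Interface names and addresses are placeholders; the firewall's LAN address and network are assumed to be RFC1918.

    ```pf
    # Added example, not from the thread. Pre-OpenBSD 4.7 pf syntax: macros,
    # then nat/rdr translation rules, then filter rules. Placeholders throughout.
    ext_if   = "xl0"             # external NIC, address from the ISP's DHCP
    int_if   = "xl1"             # internal NIC
    int_addr = "192.168.1.1"     # firewall's static LAN address (RFC1918)
    lan      = "192.168.1.0/24"  # the thread's $int_if:network would do as well

    # Translation: NAT the LAN behind the dynamic external address.
    # ($ext_if) in parentheses tracks the address when DHCP changes it.
    nat on $ext_if inet from $lan to any -> ($ext_if)

    # Option B: caching/forwarding resolver on the firewall (e.g. a bind 9
    # caching-only named). Redirect every client DNS query to it, whatever
    # server the client was given, so private/.local names never leak out.
    # Comment this line out if you use Option A instead.
    rdr on $int_if inet proto { tcp, udp } from $lan to any port domain -> $int_addr port domain

    block all

    # Option A: the one-liner, with state. UDP replies only get back in
    # because of the state entry; TCP is included for large/truncated answers.
    pass in  on $int_if inet proto { tcp, udp } from $lan to any port domain keep state
    pass out on $ext_if inet proto { tcp, udp } from any to any port domain keep state

    # Option B continued: accept the redirected queries on the LAN side and
    # let the resolver's own upstream queries out via the external interface.
    pass in  on $int_if inet proto { tcp, udp } from $lan to $int_addr port domain keep state
    pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port domain keep state
    ```

    Check the file with `pfctl -nf /etc/pf.conf` before loading it; with Option B the clients should also point at $int_addr in their resolver settings, although the rdr rule catches those that do not.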

  3. Re: Getting DNS through PF

    Begin <86irukohbb.fsf@amidala.datadok.no>
    On 2005-11-22, Peter N M Hansteen wrote:
    > Markku L writes:
    >
    >> I got the machines to ping each other and the FW pinged to internet and
    >> DNS worked on that one.
    >
    > so your firewall has dns access but not the machines on your lan.

    I haven't seen a statement from the OP that DNS worked for the clients
    without any firewalling rules in action, so it could be a configuration
    issue as well. My preference would probably be to add at least a
    caching/forwarding dns, and have all the clients on the lan use it.

    The upside of this is that if OP uses RFC1918 addresses he can provide
    his own authoritative .local zone with matching reverse. This is
    preferable over leaking those queries to the internet, NAT or no. See
    also http://as112.net.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.

  4. Re: Getting DNS through PF

    On Tue, 22 Nov 2005 16:34:58 +0000, jpd wrote:

    > I haven't seen a statement from the OP that DNS worked for the clients
    > without any firewalling rules in action, so it could be a configuration
    > issue as well. My preference would probably be to add at least a
    > caching/forwarding dns, and have all the clients on the lan use it.

    Do you have a link to a simple howto document on building a DNS proxy? I
    tried to Google one but couldn't find anything easy.


  5. Re: Getting DNS through PF

    Markku L writes:

    > Do you have a link to a simple howto document on building a DNS proxy? I
    > tried to Google one but couldn't find anything easy.

    googling on "caching only named" turns up quite a few hits. As you are
    probably aware, recent versions of OpenBSD use bind 9, so weed out the ones
    which refer to bind 4.

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

  6. Re: Getting DNS through PF

    Begin <863blnlo4g.fsf@amidala.datadok.no>
    On 2005-11-23, Peter N M Hansteen wrote:
    > Markku L writes:
    >
    >> Do you have a link to a simple howto document on building a DNS proxy? I
    >> tried to Google one but couldn't find anything easy.
    >
    > googling on "caching only named" turns up quite a few hits. As you are
    > probably aware, recent versions of OpenBSD use bind 9, so weed out the ones
    > which refer to bind 4.

    Way back when I found the linux DNS HOWTO to be useful.
    It helps that just about everyone and his dog uses bind.

    For more help (after reading at least that HOWTO) don't hesitate to ask,
    but do provide some detail on the networking setup, including whether or
    not RFC1918 addresses are used.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.
