resolv.conf with local DNS problem
Hi All,
I think this is a resolv.conf issue, but
I could be wrong now.
I have a CentOS 5.2 server with two network cards:
eth0: 192.168.255.10 connects to internal private network
eth1: firewalled to the internet (iptables)
The server acts as the gateway and firewall to
the Internet. The server has its own DNS (bind/named).
All of the client computers (12 Windows XP) use
the server's DNS without issue. (Running "ipconfig"
and "nslookup" on the XP machines confirms this.)
Problem: the server can not see its own DNS. I
had to put my ISP's DNS1 IP into resolv.conf
to use Firefox or the "host" command from the
server.
My /etc/resolv.conf:
; generated by /sbin/dhclient-script
; search 192.168.255.10
search foo.local
; nameserver 192.168.255.10
nameserver 207.xxx.yyy.zzz
If I switch the comments on the "nameserver",
to the 192... the server can not see its own
DNS.
My /etc/sysconfig/network:
NETWORKING=yes
NETWORKING_IPV6=no
FORWARD_IPV4=true
HOSTNAME=server.foo.local
GATEWAY=216.xxx.yyy.zzz
What am I doing wrong?
Many thanks,
-T
Re: resolv.conf with local DNS problem
On Sat, 01 Nov 2008 22:25:35 GMT, ToddAndMargo wrote:
> Hi All,
>
> I think this is a resolv.conf issue, but
> I could be wrong now.
>
> I have a CentOS 5.2 server with two network cards:
> eth0: 192.168.255.10 connects to internal private network
> eth1: firewalled to the internet (iptables)
>
> The server acts as the gateway and firewall to
> the Internet. The server has its own DNS (bind/named).
No forwarders in /named.conf or named not running or zone setting invalid.
You might run named-checkconf.
On my Mandriva linux the commands would be
$ hostname
wm81.home.test
$ hostname --ip-address
192.168.1.131
named-checkconf -t /var/lib/named /etc/named.conf
named-checkzone -t /var/lib/named/var/named/master home.test home.zone
named-checkzone -t /var/lib/named/var/named/reverse 1.168.192.in-addr.arpa home.reversed
My named.conf changes
diff /var/lib/named/etc/named.conf_orig /var/lib/named/etc/named.conf
44c44
< // forwarders { first_public_nameserver_ip; second_public_nameserver_ip; };
---
> forwarders { 208.67.222.222; 208.67.220.220; };
139a140,152
>
> zone "home.test" IN {
> type master;
> file "master/home.zone";
> allow-update { none; };
> };
>
> zone "1.168.192.in-addr.arpa" IN {
> type master;
> file "reverse/home.reversed";
> allow-update { none; };
> };
Re: resolv.conf with local DNS problem
Hello,
ToddAndMargo wrote:
>
> I have a CentOS 5.2 server with two network cards:
> eth0: 192.168.255.10 connects to internal private network
> eth1: firewalled to the internet (iptables)
>
> The server acts as the gateway and firewall to
> the Internet. The server has its own DNS (bind/named).
>
> All of the client computers (12 Windows XP) use
> the server's DNS without issue. (Running "ipconfig"
> and "nslookup" on the XP machines confirms this.)
>
> Problem: the server can not see its own DNS. I
> had to put my ISP's DNS1 IP into resolv.conf
> to use Firefox or the "host" command from the
> server.
>
> My /etc/resolv.conf:
>
> ; generated by /sbin/dhclient-script
> ; search 192.168.255.10
This is wrong: the "search" option expects a domain, not an IP address.
> search foo.local
> ; nameserver 192.168.255.10
> nameserver 207.xxx.yyy.zzz
>
> If I switch the comments on the "nameserver",
> to the 192... the server can not see its own
> DNS.
Can you describe what happens exactly when using the "host" command,
including delays and messages?
Does the firewall allow DNS traffic over the loopback interface?
Re: resolv.conf with local DNS problem
On Sat, 01 Nov 2008 22:25:35 +0000, ToddAndMargo wrote:
> Problem: the server can not see its own DNS. I had to put my ISP's DNS1
> IP into resolv.conf to use Firefox or the "host" command from the
> server.
Are you using "bind" as a nameserver? And if so, do you have something
like the lines below in your /etc/named.conf?
options {
directory "/var/named";
// Only allow recursive queries from the internal network
allow-recursion { 192.168.255/24; };
};
This will deny all processes running on your server to look up external
addresses. Lookups originating on your server will use 127.0.0.1 as the
source address of the queries.
Change the "allow-recursion" line to read:
allow-recursion { 192.168.255/24; 127.0.0.1; };
Regards,
Kees.
--
Kees Theunissen.
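An added check (written for this page, not code from any poster in the thread) for the two points raised in the replies above: a "search" value that is an IP literal instead of a domain, and an allow-recursion ACL that leaves out 127.0.0.1. The resolv.conf and named.conf snippets are constructed to mirror the thread, with placeholder public addresses.

```python
import ipaddress
import re

# Constructed sample files mirroring the thread (placeholder addresses, not the poster's real config).
RESOLV_CONF = """; generated by /sbin/dhclient-script
search 192.168.255.10
; nameserver 192.168.255.10
nameserver 207.0.2.1
"""
NAMED_CONF = """options {
    allow-recursion { 192.168.255/24; };
};
"""

def lint_resolv_conf(text, local_ns):
    """Flag a 'search'/'domain' value that is an IP literal and a local named that is not an active nameserver."""
    findings, nameservers = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":        # dhclient-style comment lines
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key in ("search", "domain"):
            bad = [a for a in args if re.fullmatch(r"\d+(\.\d+){3}", a)]
            if bad:
                findings.append(f"{key} expects domain names, got {' '.join(bad)}")
        elif key == "nameserver" and args:
            nameservers.append(args[0])
    if local_ns not in nameservers:
        findings.append(f"local nameserver {local_ns} not active (active: {', '.join(nameservers) or 'none'})")
    return findings

def recursion_allows_loopback(named_conf):
    """True if the allow-recursion ACL admits 127.0.0.1 (handles any/localhost, plain addresses, BIND prefixes like 192.168.255/24)."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", named_conf)
    if not m:
        return True                             # statement absent: this ACL imposes no restriction
    loopback = ipaddress.ip_address("127.0.0.1")
    for entry in (e.strip() for e in m.group(1).split(";") if e.strip()):
        if entry in ("any", "localhost"):
            return True
        if entry.startswith("!") or not entry[0].isdigit():
            continue                            # negated or keyword entries are treated as no match
        addr, _, plen = entry.partition("/")
        addr = ".".join((addr.split(".") + ["0"] * 4)[:4])   # pad 192.168.255 -> 192.168.255.0
        if loopback in ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False):
            return True
    return False
```

Run lint_resolv_conf(RESOLV_CONF, "192.168.255.10") and recursion_allows_loopback(NAMED_CONF) against the sample to see both findings; the same functions accept the real files' contents.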
Re: resolv.conf with local DNS problem
Kees Theunissen wrote:
>
> Are you using "bind" as a nameserver? And if so, do you have something
> like the lines below in your /etc/named.conf?
>
> options {
> directory "/var/named";
>
> // Only allow recursive queries from the internal network
> allow-recursion { 192.168.255/24; };
> };
>
> This will deny all processes running on your server to look up external
> addresses. Lookups originating on your server will use 127.0.0.1 as the
> source address of the queries.
Not necessarily. When the destination address is local (belongs to the
host itself), the Linux kernel IPv4 routing code chooses the same
address as the default source address. So if the nameserver address in
/etc/resolv.conf is 192.168.255.10, then the default source address for
DNS queries will be 192.168.255.10. However this may not be true for
local IPv6 communications, the Linux kernel IPv6 routing code may choose
the loopback address ::1 as the default source address regardless of the
destination address.
Re: resolv.conf with local DNS problem
Hi Bit, Pacsal, and Kees,
Figured it out. After poring over my named.conf for a mistake, I fired up
Bit's check utilities. Found nothing. Very frustrating. Then I realized
that my "serial numbers" were out of sync on my hosts and hosts.rev
files. So, I updated them to the same higher number. Reset named and
happy camping has returned.
Thank you all for the tips and suggestions. (Love those configuration
checking utilities!)
-T