[ale] DNS woes with Devil Linux

Joe Knapka jknapka at kneuro.net
Sat May 15 18:11:45 EDT 2004


Some time back, I wrote the message quoted below regarding the fact
that no matter what I did to the BIND or iptables config on my
Devil-Linux router, I couldn't get DNS requests from my DMZ network to
work.

Of course, the problem - which I just solved today - turned out to be
on the client side.  I only have one machine - a RH8 laptop - on the
DMZ net (which is actually my internal wireless network, NATted to the
world - not a real DMZ). And RH8's iptables config rejects DNS replies
except for those from the DNS server configured at install time, which
in this case was a different machine. Even though I'd changed
resolv.conf, the RH8 iptables rules were still blocking replies from
the new DNS server. A minor edit to /etc/sysconfig/iptables solved it.

There's probably a conventional way to fix this kind of thing from
the GUI, but I didn't bother figuring out what it is.

Cheers,

-- Joe Knapka

> Hi everyone,
> 
> As I reported recently, I've started using Devil Linux to route
> between my home LAN, wireless net, and cable connection.  All is going
> well, but I've discovered a strange issue that may or may not be
> Devil-Linux-specific; maybe someone here has a clue.
> 
> Devil runs a cache-only DNS server (BIND 9) that is, by default,
> visible only to machines on the internal network. I want that DNS
> server to service the wireless network as well (which I've configured
> as the "DMZ" net, making appropriate changes to the firewall rules to
> have the "DMZ" actually be treated as a distinct internal network).
> 
> I have changed the firewall rules to allow connections on the wireless
> interface at port 53 (both TCP and UDP), and I've also changed BIND's
> configuration to make it listen on both the internal and the wireless
> interfaces.  "lsof" reveals that named is in fact listening on both
> interfaces. From the internal net, "nslookup" et al can successfully
> resolve names using the router's named. Furthermore, from a machine on
> the wireless net I can telnet to port 53 on the router and get
> connected. (I know DNS uses UDP, but this fact seems to validate
> that the firewall rules are opening the correct ports.)
> 
> Still, DNS lookups from the wireless network to the router fail with
> "timeout, no servers could be reached". Iptables doesn't log
> any rejects during a lookup attempt, but named just won't
> answer the phone.
> 
> Can anyone suggest other things I might need to check/reconfigure?
> 
> Thanks,
> 
> -- Joe Knapka
> 


-- 
Resist the feed.
--
pub  1024D/BA496D2B 2004-05-14 Joseph A Knapka
     Key fingerprint = 3BA2 FE72 3CBA D4C2 21E4  C9B4 3230 94D7 BA49 6D2B
If you really want to get my attention, send mail to
jknapka .at. kneuro .dot. net.
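The failure mode described above (a client-side reply filter pinned to the nameserver chosen at install time, silently dropping answers from whatever resolv.conf now points at) is easy to check for mechanically. The following POSIX shell script is an added example and is not code from the post, from Devil Linux or from Red Hat: it lists the nameservers in a resolv.conf and compares them with the source addresses that a RH8-style /etc/sysconfig/iptables accepts UDP replies from source port 53, reporting any nameserver whose answers would be rejected. The two sample files are constructed for the example, and the chain name RH-Lokkit-0-50-INPUT is an assumption modelled on what RH8's lokkit tool generated; the post does not show its actual rules.

```shell
#!/bin/sh
# Added example, not from the original post. Finds nameservers in resolv.conf
# whose UDP replies a RH8-style /etc/sysconfig/iptables would not accept.
# Both sample files are constructed; the chain name is an assumption.

SAMPLE_RESOLV='nameserver 192.168.1.1
search example.lan'

# Constructed lokkit-style ruleset: replies are only accepted from the
# nameserver chosen at install time (192.168.0.2), everything else to a
# privileged UDP port is rejected.
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 192.168.0.2 --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# list_nameservers: print the nameserver addresses from resolv.conf text on stdin
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# allowed_dns_sources: print the -s address of every ACCEPT rule that matches
# UDP traffic from source port 53 (i.e. DNS replies) in iptables-save text on stdin
allowed_dns_sources() {
    awk '/-j ACCEPT/ && /--sport 53( |$)/ {
        for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
    }'
}

# unreachable_nameservers RESOLV_TEXT RULES_TEXT
# Prints the nameservers that no reply-accepting rule covers (space separated).
# Exit status 0 when every nameserver is covered, 1 otherwise.
unreachable_nameservers() {
    resolv="$1"
    rules="$2"
    allowed=$(printf '%s\n' "$rules" | allowed_dns_sources)
    missing=""
    for ns in $(printf '%s\n' "$resolv" | list_nameservers); do
        found=0
        for a in $allowed; do
            [ "$a" = "$ns" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $ns"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# fixed_rule NAMESERVER: print the ACCEPT line that would admit replies from
# the given nameserver in the same (assumed) lokkit chain
fixed_rule() {
    printf '%s -p udp -m udp -s %s --sport 53 -j ACCEPT\n' \
        "-A RH-Lokkit-0-50-INPUT" "$1"
}

# Usage against the constructed samples; replace with
#   unreachable_nameservers "$(cat /etc/resolv.conf)" "$(cat /etc/sysconfig/iptables)"
# on a real host.
if unreachable_nameservers "$SAMPLE_RESOLV" "$SAMPLE_IPTABLES" >/tmp/missing.$$; then
    echo "all nameservers are covered by a reply-accepting rule"
else
    for ns in $(cat /tmp/missing.$$); do
        echo "nameserver $ns has no reply-accepting rule; a rule like:"
        fixed_rule "$ns"
    done
fi
rm -f /tmp/missing.$$
```

The check only reasons about the reply direction, which is what the post identifies as the problem: outbound queries were never blocked, so `telnet` to port 53 and the absence of reject log lines on the router both looked fine while the client discarded the answers. After editing the rules, a `host` or `dig` against the new server from the client is the confirmation step.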