Ok... I've searched the mailing list archives, and the website... Tried all kinds of stuff, and yet I still have problems getting my DNS server to update... It's secondary for some domains, primary for others... Does a great job of filling the logfiles with errors :( Here's a sample:

Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1 DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50738 DPT=53 LEN=35
Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1 DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50738 DPT=53 LEN=35

That is just as DNS restarts.. The DNS server is in the DMZ, and is set up using views.. Here's the pertinent parts of rules:

DNAT    net                dmz:192.168.2.1    udp    domain    -    64.216.105.3
DNAT    net                dmz:192.168.2.1    tcp    domain    -    64.216.105.3
DNAT    net                dmz:192.168.2.1    udp    953
DNAT    net                dmz:192.168.2.1    tcp    953

ACCEPT  dmz:192.168.2.1    net                udp    domain
ACCEPT  dmz:192.168.2.1    net                tcp    domain
ACCEPT  dmz:192.168.2.1    net                udp    953
ACCEPT  dmz:192.168.2.1    net                tcp    953
ACCEPT  dmz:192.168.2.1    net                udp    -         domain
ACCEPT  dmz:192.168.2.1    net                tcp    -         domain
ACCEPT  dmz:192.168.2.1    net                udp    -         953
ACCEPT  dmz:192.168.2.1    net                tcp    -         953

ACCEPT  loc                dmz:192.168.2.1    udp    domain
ACCEPT  kids               dmz:192.168.2.1    udp    domain
ACCEPT  fw                 dmz:192.168.2.1    udp    domain
ACCEPT  loc                dmz:192.168.2.1    tcp    domain
ACCEPT  kids               dmz:192.168.2.1    tcp    domain
ACCEPT  fw                 dmz:192.168.2.1    tcp    domain

I'm sure there's some extra stuff, and know there's an error (why else would the logs say that), but I've tried several things... DNS lookups work fine local and remote, it's just the updates to primaries/secondaries that seem to be the issue..
This is a Bering 1.0 firewall, not 100% sure of the Shorewall version, don't remember if I've applied the update to it yet or not...

---
Homer Parker                  /"\  ASCII Ribbon Campaign
                              \ /  No HTML/RTF in email
http://www.homershut.net       x   No Word docs in email
telnet://bbs.homershut.net    / \  Respect for open standards

This e-mail message is 100% Microsoft free!
WARNING: THIS ACCOUNT BELONGS TO A RABID ANTI-SPAMMER NET-NAZI DOT-COMMUNIST!!
--On Saturday, December 28, 2002 01:04:00 AM -0600 Homer Parker <hparker@homershut.net> wrote:

> Ok... I've searched the mailing list archives, and the website... Tried
> all kinds of stuff, and yet I still have problems getting my DNS server to
> update... It's secondary for some domains, primary for others... Does a
> great job of filling the logfiles with errors :( Here's a sample:
>
> Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=50738 DPT=53 LEN=35
> Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=50738 DPT=53 LEN=35

Those appear to be outbound queries -- looks to me like you have a misconfigured 'named' that is trying to talk to itself (it is trying to query 65.216.105.3 which is its own external address).

> That is just as DNS restarts.. The DNS server is in the DMZ, and is set up
> using views..

Does 127.0.0.0/8 map to the 'internal' view? How about 192.168.2.1?

> Here's the pertinent parts of rules:
>
> DNAT    net                dmz:192.168.2.1    udp    domain    -    64.216.105.3
> DNAT    net                dmz:192.168.2.1    tcp    domain    -    64.216.105.3
> DNAT    net                dmz:192.168.2.1    udp    953
> DNAT    net                dmz:192.168.2.1    tcp    953
>
> ACCEPT  dmz:192.168.2.1    net                udp    domain
> ACCEPT  dmz:192.168.2.1    net                tcp    domain
> ACCEPT  dmz:192.168.2.1    net                udp    953
> ACCEPT  dmz:192.168.2.1    net                tcp    953
> ACCEPT  dmz:192.168.2.1    net                udp    -         domain
> ACCEPT  dmz:192.168.2.1    net                tcp    -         domain

The two above are superfluous.

> ACCEPT  dmz:192.168.2.1    net                udp    -         953
> ACCEPT  dmz:192.168.2.1    net                tcp    -         953
>
> ACCEPT  loc                dmz:192.168.2.1    udp    domain
> ACCEPT  kids               dmz:192.168.2.1    udp    domain
> ACCEPT  fw                 dmz:192.168.2.1    udp    domain
> ACCEPT  loc                dmz:192.168.2.1    tcp    domain
> ACCEPT  kids               dmz:192.168.2.1    tcp    domain
> ACCEPT  fw                 dmz:192.168.2.1    tcp    domain
>
> I'm sure there's some extra stuff, and know there's an error (why else
> would the logs say that), but I've tried several things... DNS lookups
> work fine local and remote, it's just the updates to primaries/secondaries
> that seem to be the issue.. This is a Bering 1.0 firewall, not 100% sure
> of the Shorewall version, don't remember if I've applied the update to it
> yet or not...

I don't see anything wrong with your ruleset other than what I've noted above.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep
> Sent: Saturday, December 28, 2002 9:01 AM
> Subject: Re: [Shorewall-users] Perplexing DNS issue
>
> --On Saturday, December 28, 2002 01:04:00 AM -0600 Homer Parker
> <hparker@homershut.net> wrote:
>
> > Ok... I've searched the mailing list archives, and the
> > website... Tried all kinds of stuff, and yet I still have
> > problems getting my DNS server to update... It's secondary
> > for some domains, primary for others... Does a great job of
> > filling the logfiles with errors :( Here's a sample:
> >
> > Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> > MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> > DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> > SPT=50738 DPT=53 LEN=35
> > Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> > MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> > DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> > SPT=50738 DPT=53 LEN=35
>
> Those appear to be outbound queries -- looks to me like you have a
> misconfigured 'named' that is trying to talk to itself (it is
> trying to query 65.216.105.3 which is its own external address).

Since your DNS server is located in your DMZ (masq'd), these are probably outbound "notifies", but in this case, to the firewall interface (SOA). I see the same thing here when I restart named at my end. But these messages stop in a few minutes.

FWIW: Cricket Liu (one of the authors of DNS/BIND) explained why named must notify itself at startup in a post I read on the dns newsgroups. Since your system is masq'd, there is not much you can do about this short of changing the SOA to point to a masq'd IP address in your external view. :-( I have learned to just ignore these messages. The notifies to my secondary DNS server still work fine.

> > That is just as DNS restarts.. The DNS server is in the
> > DMZ, and is set up using views..
>
> Does 127.0.0.0/8 map to the 'internal' view? How about 192.168.2.1?
>
> > Here's the pertinent parts of rules:
> >
> > DNAT    net    dmz:192.168.2.1    udp    domain    -    64.216.105.3
> > DNAT    net    dmz:192.168.2.1    tcp    domain    -    64.216.105.3
> > DNAT    net    dmz:192.168.2.1    udp    953
> > DNAT    net    dmz:192.168.2.1    tcp    953

Is there a reason you are allowing the named control channel (953) from the internet??? I hope your named.conf file has an ACL defined to only allow systems from your masq'd LAN to control named (rndc). Like 192.168.2.0/24 127.0.0.1

Steve Cowles
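The two things raised in the thread, notifies from the DMZ named to the firewall's own external address at startup, and the rndc control channel (port 953) being DNAT'd in from the net zone, can both be checked mechanically. The following is an added example written for this page; it is not code from the thread, from Shorewall or from BIND. The log lines and the rules excerpt are constructed samples (the first log line is modelled on the one quoted above; the 953 lines, the 198.51.100.7 address and the `net2dmz`/`loc2dmz` chain names are invented), and the addresses and trusted networks are the ones named in the thread.

```python
"""Classify Shorewall/netfilter log lines and audit a Shorewall rules excerpt
for the two points discussed in the thread.  Added example, not part of the
original mailing-list thread."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines.  Line 1 mirrors the REJECT quoted in the thread;
# lines 2 and 3 are invented to exercise the control-channel check.
SAMPLE_LOG = """\
Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1 DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50738 DPT=53 LEN=35
Dec 28 00:53:40 firewall kernel: Shorewall:net2dmz:ACCEPT:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3321 DF PROTO=TCP SPT=40000 DPT=953 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 28 00:54:02 firewall kernel: Shorewall:loc2dmz:ACCEPT:IN=eth1 OUT=eth2 SRC=192.168.2.50 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=TCP SPT=41000 DPT=953 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed excerpt in the rules-file column order used in the thread:
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
SAMPLE_RULES = """\
DNAT    net    dmz:192.168.2.1    udp    domain    -    64.216.105.3
DNAT    net    dmz:192.168.2.1    udp    953
DNAT    net    dmz:192.168.2.1    tcp    953
ACCEPT  loc    dmz:192.168.2.1    udp    domain
"""

DNS_SERVER = ip_address("192.168.2.1")    # the DMZ named host from the thread
PUBLIC_IP = ip_address("64.216.105.3")    # the firewall's external address
# Networks that should be allowed to reach rndc, as suggested in the thread.
TRUSTED_NETS = [ip_network("192.168.2.0/24"), ip_network("127.0.0.0/8")]

_HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")
_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the netfilter key=value fields of a Shorewall log line as a dict,
    or None for lines that are not Shorewall entries.  LEN appears twice
    (IP header length, then transport length); the second copy is stored as
    L4_LEN so neither value is silently overwritten."""
    m = _HEADER.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in _FIELD.findall(m.group("rest")):
        if key == "LEN" and "LEN" in entry:
            key = "L4_LEN"
        entry[key] = value
    return entry


def classify(entry):
    """Label one parsed entry against the two patterns from the thread."""
    if "SRC" not in entry or "DST" not in entry:
        return "other"
    src = ip_address(entry["SRC"])
    dst = ip_address(entry["DST"])
    dpt = entry.get("DPT")
    # named in the DMZ sending to the firewall's own public address on 53:
    # the startup notify-to-self that the thread concludes is harmless noise.
    if src == DNS_SERVER and dst == PUBLIC_IP and dpt == "53":
        return "named-self-notify"
    # Anything reaching the rndc control port from outside the trusted networks
    # is worth an alert, whatever the firewall's disposition was.
    if dpt == "953" and not any(src in net for net in TRUSTED_NETS):
        return "rndc-from-untrusted"
    return "other"


def classify_log(text):
    """Classify every Shorewall entry in a block of log text, in order."""
    return [classify(e) for e in map(parse_log_line, text.splitlines()) if e]


def audit_rules(text):
    """Return the rules that DNAT the named control channel in from the net zone."""
    findings = []
    for raw in text.splitlines():
        cols = raw.split()
        if len(cols) < 5 or cols[0].startswith("#"):
            continue
        action, source, _dest, _proto, dest_port = cols[:5]
        if action.upper() == "DNAT" and source == "net" and dest_port == "953":
            findings.append(raw.strip())
    return findings


if __name__ == "__main__":
    for label, line in zip(classify_log(SAMPLE_LOG), SAMPLE_LOG.splitlines()):
        print(f"{label:22s} {line[:70]}...")
    for rule in audit_rules(SAMPLE_RULES):
        print("exposes rndc to the net zone:", rule)
```

The firewall-side audit is only half of the check; the BIND-side counterpart is the `controls` statement in named.conf, whose `allow` list should name the same trusted networks used in `TRUSTED_NETS` above.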
On Sat, 28 Dec 2002 07:01:15 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> > Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> > MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> > DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> > SPT=50738 DPT=53 LEN=35
> > Dec 28 00:52:12 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> > MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> > DST=64.216.105.3 LEN=55 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> > SPT=50738 DPT=53 LEN=35
>
> Those appear to be outbound queries -- looks to me like you have a
> misconfigured 'named' that is trying to talk to itself (it is trying to
> query 65.216.105.3 which is its own external address).

Ok, I'll accept that... The way I see it, it's going to think it needs to talk to 64.216.105.3, because it is 192.168.2.1... I have added "notify no" to all of the zones except the couple I'm authoritative for... I have got all of the rDNS functioning properly for all the IP blocks, and yet it still does that... I'll have to root through the Bind docs and try to figure out a fix for this..

> > That is just as DNS restarts.. The DNS server is in the DMZ, and
> > is set up using views..
>
> Does 127.0.0.0/8 map to the 'internal' view? How about 192.168.2.1?

Yes.. All three blocks and local...

> > ACCEPT  dmz:192.168.2.1    net    udp    -    domain
> > ACCEPT  dmz:192.168.2.1    net    tcp    -    domain
>
> The two above are superfluous.

Will remove...

> I don't see anything wrong with your ruleset other than what I've noted
> above.

Thanks!

---
Homer Parker
On Sat, 28 Dec 2002 09:31:40 -0600 "Cowles, Steve" <Steve@SteveCowles.com> wrote....

> Since your DNS server is located in your DMZ (masq'd), these are
> probably outbound "notifies", but in this case, to the firewall
> interface (SOA). I see the same thing here when I restart named at my
> end. But these messages stop in a few minutes.
>
> FWIW: Cricket Liu (one of the authors of DNS/BIND) explained why named
> must notify itself at startup in a post I read on the dns newsgroups.
> Since your system is masq'd, there is not much you can do about this
> short of changing the SOA to point to a masq'd IP address in your
> external view. :-( I have learned to just ignore these messages. The
> notifies to my secondary DNS server still work fine.

That clears it all up, thanks! I will forget they exist ;)

> Is there a reason you are allowing the named control channel (953) from
> the internet??? I hope your named.conf file has an ACL defined to only
> allow systems from your masq'd LAN to control named (rndc). Like
> 192.168.2.0/24 127.0.0.1

Have removed the lines... It was part of my (futile) attempt to figure out what was going on...

---
Homer Parker