Hi,

I'm not an expert on this but I've been successfully running a couple of DNS
name servers for a couple of years now.

You've run all the checks on your config files, right? I mean
named-checkzone and named-checkconf. I'm assuming you have your hints file in
place.

I have a local network with an iptables firewall. In iptables I allow the
name server to receive queries at port 53 from anywhere (if you don't accept
queries from everywhere you would want to restrict this). I also allow
messages originating from port 53 on the other name servers that serve my
domain. I have the loopback interface open to accept all messages that come
from the localhost via the loopback interface, which allows me to run rndc
among other things.

If your firewall filters outgoing traffic you may want to use an option in
your named.conf file, under "options". What you might use is "query-source
53", but it shouldn't ordinarily be necessary. Usually you don't need this
because the name server will choose a random unprivileged port to talk to
other name servers, and once established it shouldn't be a problem. Older
name servers always used port 53 for nameserver-to-nameserver queries and it
is still a standard for many.

What I wonder is: is named starting up OK? Have you started it with
debugging enabled (try option -d3 to named) and checked the debug output in
named.run? That will tell you if your name server is communicating with the
outside world.

You may also try ethereal if you haven't already, to see if your nameservers
communicate OK with the outside world.
If named is running fine but you're not getting answers from outside name
servers, you definitely have a firewall configuration problem.

The other thing that might be an issue is who the officially registered name
server is. This information would be listed with the registrar of the
domain. Those name servers have to be able to locate your name server. If
your name server is the officially registered one (for example if you are
running your own domain), it is possible that your name server is not found
by other name servers, because your name server has to have a resolvable IP
address. It has to be listed with an official name server from your domain,
if its address isn't already known. When this happened to me, I had my
ISP's NS temporarily registered as official for my domain. Once my name
servers could be looked up, I changed the official registration for my own
domain to my own name servers. If you don't know the domain's registrar you
should be able to say "whois [yourdomain.com]". That should tell you what
you need to know.

Also, I am assuming you are not using DNSSEC, with which you would have keys
to encrypt and authenticate your NS communications. That's a separate
problem.

It sounds like your NS works locally for your network. I assume you have
also used "host" and "dig" to verify that the name server works fine.

I hope this helps. With a firewall and a DNS server it's easy to have them
interfere with each other. If you want to I'd be glad to help further with
this.

Bryan Zimmer (baz at baz-tech.com).
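The firewall arrangement Bryan describes (port 53 open to everyone, replies from the other name servers that serve the domain accepted by their source port 53, loopback wide open for rndc), written out as an iptables rule script. This is an added example, not something from the original thread; the interface name, the secondary name server addresses, and the assumption that the INPUT chain's default policy is DROP are all constructed for the example. The final conntrack rule goes one step beyond what Bryan lists: it admits the answers to the server's own outgoing queries, which leave from a random unprivileged port as he notes, so that "query-source 53" is not needed. The script runs in dry-run mode by default and only prints the rules; set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# iptables rules for an authoritative/caching name server behind a host firewall.
# Example code; not from the original mailing-list thread.
# Assumptions (constructed for this example): the INPUT chain defaults to DROP,
# the server faces the network on NS_IFACE, and SECONDARY_NS lists the other
# name servers that serve the domain (documentation-range addresses).

NS_IFACE="${NS_IFACE:-eth0}"
SECONDARY_NS="${SECONDARY_NS:-198.51.100.53 198.51.100.54}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = run iptables for real

# Wrapper so the same function serves as a preview and as the installer.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dns_firewall_rules() {
    # Loopback open to everything: rndc, local resolver queries, named-checkconf
    # style tooling that talks to the server on 127.0.0.1.
    ipt -A INPUT -i lo -j ACCEPT

    # Incoming queries from anywhere to port 53, UDP and TCP. TCP matters for
    # truncated responses and zone transfers; restrict the source if you do not
    # serve the whole Internet.
    ipt -A INPUT -i "$NS_IFACE" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$NS_IFACE" -p tcp --dport 53 -j ACCEPT

    # Traffic sourced from port 53 on the other name servers for the domain
    # (NOTIFY, transfers, and the replies of older servers that still query
    # server-to-server from port 53).
    for ns in $SECONDARY_NS; do
        ipt -A INPUT -i "$NS_IFACE" -s "$ns" -p udp --sport 53 -j ACCEPT
        ipt -A INPUT -i "$NS_IFACE" -s "$ns" -p tcp --sport 53 -j ACCEPT
    done

    # Replies to the server's own recursive queries, which leave from a random
    # unprivileged port; connection tracking matches them without opening a
    # fixed port (added here, beyond the rules described in the thread).
    ipt -A INPUT -i "$NS_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules the generator emits, handy for a quick sanity check.
count_rules() {
    dns_firewall_rules | wc -l | tr -d ' '
}

dns_firewall_rules
```

Run it once in dry-run mode and compare the printed rules against `iptables -L INPUT -n -v` on the firewall; if the rule counters for `--dport 53` stay at zero while `dig @your-server yourdomain.com` from an outside host times out, the queries are being dropped before they reach the INPUT chain (typically by a NAT or upstream filter), not by named.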

----- Original Message -----
From: "Mark Courtney" <MarkCourtney at markcourtney.com>
To: <tclug-list at mn-linux.org>
Sent: Monday, October 14, 2002 9:01 AM
Subject: [TCLUG] DNS Server Behind A Firewall


> I have been trying to set up a DNS server behind a firewall and I have had
> less than desirable results.
> I can successfully operate a Web server behind the firewall, by opening
> TCP port 80, but the DNS server does not work even when opening port 53
> UDP and TCP.
> I have restarted named and reloaded the configuration after placing the
> DNS server behind the firewall.
> My domains do not resolve from other networks (ISP's) when I put the DNS
> server behind the firewall.
> I also use this DNS server as the primary for my local network.
>
> Is there a change that needs to be made to the named config files?
> Another port that needs to be opened?
>
> Thanks In Advance
>
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>