Forgot to include the LEAF list in my earlier reply below to Charles...

~Doug

-----Original Message-----
From: Doug Sampson 
Sent: Thursday, June 19, 2003 3:56 PM
To: 'Charles Steinkuehler'
Subject: RE: [leaf-user] DCD 102 & MaraDNS


Charles,

Thanks for your reply. Replies inline below.

> > Now, when I ping www.dawnsign.com I see that my request 
> resolves to an IP
> > address of 207.158.59.34 but then it drops dead announcing 
> it is unable to
> > reach the host. The same thing occurs if I try to ping 
> www.dawnsignpress.com
> > which is under our control as well. We use easyDNS to 
> manage our external
> > domain names and hosts records. When I attempt to ping 
> internal hosts from
> > the DCD router, it does not resolve; instead it announces 
> the internal host
> > as an unknown host. However, when I ping internal hosts 
> from a client
> > inside the internal network, it resolves correctly.
> > 
> > I had hoped that the router would use its own zone file but 
> I might not be
> > thinking correctly. At least MaraDNS appears to behave 
> differently from
> tinyDNS, which had its internal and external zone files.
> > 
> > If anyone could enlighten me on this subject, I would be grateful.
> > Especially if there is a method where the router could 
> resolve its own
> > queries for internal hosts. I also apologize for this lengthy post.
> 
> I'm not familiar with MaraDNS, but I can think of at least 
> two possible 
> problems you could be having.  The first is the DNS configuration of 
> your router.  You need to make sure the router is set up to 
> use itself as 
> a DNS server if you're running a name server on the router.  It's 
> possible your internal systems are properly querying the 
> router for DNS 
> info, while your router is still querying your ISP, which may (but 
> probably does not) have correct DNS info for your local domain.

I've set up the DNS server address as 127.0.0.1. Is that correct? 

> 
> The other potential problem is hinted at by your indication that 
> www.dawnsign.com resolves to 207.158.59.34 (a public IP).  If you're 
> port-forwarding from your router's external IP (purely 
> speculation on my 
> part), or otherwise doing some form of NAT, masquerading, or other 
> manipulation of the IP address portion of traffic between the system 
> running your website and the internet in general, you 
> typically have to 
> present different IPs to querying hosts, depending on where they are 
> located.  For instance, your internal systems and the firewall should 
> probably access the internal (and likely private IP) address 
> of your web 
> server.  Systems on the internet in general (i.e. connecting via your 
> upstream link) should be given the public IP of your firewall.  The 
> interaction with firewall rules you may (or may not) have in 
> place gives 
> three major "zones": the external internet, your internal network(s), 
> and the firewall itself.  A problem with the IP address presented by 
> DNS, particulars of your port-forwarding/NAT/MASQ/etc setup, and IP 
> Chains rules currently in place all affect whether everything works 
> properly from each of the three major "zones".
> 
> Since you didn't provide anything but the MaraDNS setup 
> (which I'm not 
> familiar with, so pretty much skipped over), I can't help with more 
> specifics.  If the above isn't enough to help you figure out what's 
> causing the problem (assuming it's not fundamentally a 
> MaraDNS problem), 
> please post the complete output of "net ipfilter list", along 
> with the 
> exact ping results from both your firewall and an internal system.  A 
> general overview, discussing how you're trying to set up 
> access to your 
> public webserver would help as well.
> 

Correction:

I'm using a DMZ in this network schematic as follows:

Internet <---> DCD router <---> internal network
                    ^
                    |
                    v
                   DMZ

I am using NAT and modules to masquerade various services.


Here's the output of the "net ipfilter list" command:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             5 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             13 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             14 ->   *
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0              0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
172.16.0.0/12        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
216.70.236.236       0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            127.0.0.0/8           n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            192.168.1.0/24        n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
   65  5070 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
   21   960 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0
66.37.0.0/16         0.0.0.0/0             * ->   22
   13  4392 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   80
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   8080
 3669 1972K ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   25
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   8000
    4   180 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   443
    1    60 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   113
 256K  254M ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
    0     0 REJECT     udp  ----l- 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   161:162
    0     0 DENY       udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   67
 2780  572K ACCEPT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
 1708  102K ACCEPT     icmp ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   *
    0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             n/a
   72  5201 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 REJECT     udp  ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             * ->   161:162
    0     0 REJECT     udp  ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             161:162 ->   *
 222K   19M ACCEPT     all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             5 ->   *
 2673  173K MASQ       tcp  ------ 0xFF 0x00  *
192.168.1.4          0.0.0.0/0             25 ->   *
    0     0 MASQ       tcp  ------ 0xFF 0x00  *
192.168.1.15         0.0.0.0/0             80 ->   *
    0     0 MASQ       tcp  ------ 0xFF 0x00  *
192.168.1.4          0.0.0.0/0             80 ->   *
   10   844 MASQ       tcp  ------ 0xFF 0x00  *
192.168.1.2          0.0.0.0/0             80 ->   *
    3   124 MASQ       tcp  ------ 0xFF 0x00  *
192.168.1.2          0.0.0.0/0             443 ->   *
    0     0 MASQ       all  ------ 0xFF 0x00  eth2
192.168.1.0/24       192.168.2.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  eth0
192.168.2.0/24       0.0.0.0/0             n/a
 202K   18M MASQ       all  ------ 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth2
0.0.0.0/0            192.168.2.0/24        n/a
    0     0 DENY       all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
 483K  280M fairq      all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0              0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
172.16.0.0/12        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
   60  4680 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
 483K  280M ACCEPT     all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   520
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             520 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   179
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             179 ->   *
  433 17752 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   53
  324 13392 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             53 ->   *
 2787  181K RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   53
 2787  298K RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             53 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             23 ->   *
 1441 78232 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             * ->   22
 3922  917K RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             22 ->   *
AutoFW:
Type Prot Low  High Vis  Hid  Where    Last     CPto CPrt Timer Flags
MarkFW:
fwmark   rediraddr               rport  pcnt  pref
PortFW:
prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  216.70.236.236       192.168.1.2               443      443     9    10
TCP  216.70.236.236       192.168.1.2                80       80     8    10
TCP  216.70.236.236       192.168.1.4              8000       80    10    10
TCP  216.70.236.236       192.168.1.15             8080       80    10    10
TCP  216.70.236.236       192.168.1.4                25       25     9    10


Output of ip addr list is as follows:

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop 
    link/ether fe:fd:0f:00:a0:70 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:4d:1a:a0 brd ff:ff:ff:ff:ff:ff
    inet 216.70.236.236/29 brd 216.70.236.239 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:78:61:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:2a:ee:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2


Output of name resolution on myrouter.dawnsign.com running maradns:

myrouter: -root-
# ping altair.dawnsign.com
<------------- internal host
PING altair.dawnsign.com (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=128 time=2.1 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=0.9 ms

--- altair.dawnsign.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.9/1.5/2.1 ms

myrouter: -root-
# ping www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.88): 56 data bytes
64 bytes from 66.218.71.88: icmp_seq=0 ttl=54 time=23.8 ms
64 bytes from 66.218.71.88: icmp_seq=1 ttl=54 time=23.9 ms
64 bytes from 66.218.71.88: icmp_seq=2 ttl=54 time=23.7 ms
64 bytes from 66.218.71.88: icmp_seq=3 ttl=54 time=23.3 ms
64 bytes from 66.218.71.88: icmp_seq=4 ttl=54 time=22.6 ms
64 bytes from 66.218.71.88: icmp_seq=5 ttl=54 time=24.7 ms

--- www.yahoo.akadns.net ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 22.6/23.6/24.7 ms

myrouter: -root-
# ping www.dawnsign.com
PING dawnsign.com (207.158.59.34): 56 data bytes

<do ctrl+c>
<here I wait and wait and wait...>
<still waiting after 10 minutes....>

--- dawnsign.com ping statistics ---
367 packets transmitted, 0 packets received, 100% packet loss


Output of pinging on an internal Win2K system behind DCD router:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

H:\>ping www.dawnsign.com

Pinging dawnsign.com [207.158.59.34] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.158.59.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

H:\>ping www.yahoo.com

Pinging www.yahoo.akadns.net [66.218.71.88] with 32 bytes of data:

Reply from 66.218.71.88: bytes=32 time=31ms TTL=53
Reply from 66.218.71.88: bytes=32 time=16ms TTL=53
Reply from 66.218.71.88: bytes=32 time=16ms TTL=53
Reply from 66.218.71.88: bytes=32 time=16ms TTL=53

Ping statistics for 66.218.71.88:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum =  31ms, Average =  19ms

H:\>ping www.3com.com

Pinging www.3com.com [192.136.32.249] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.136.32.249:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

Why isn't www.3com.com responding? Is it because its server is configured
*not* to respond to pings? I am wondering if www.dawnsign.com is also
configured to *not* respond to pings. I'm going to ask the webmaster
about this. Apparently our network monitoring system checks our public web
server (www.dawnsign.com) by checking its HTTP port (port 80) via winsock
and not by pinging it. And it has shown the web server to be up and running
just fine. In each of the ping cases above, the name resolves to an IP
address correctly.

I want to be sure I understand this name resolution process while running
dnscache and tinydns. When loaded, dnscache looks for any name resolution
queries and, when caught, resolves these by checking the content of the
tinydns private or public zone files depending on the origin of the name
resolution query. Is that correct?

How does MaraDNS function under Dachstein? dnscache isn't running under the
maradns configuration.

HTH.

~Doug


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
