Check your bind config. It's likely not configured to respond to non-local network IP addresses.
On 11/15/08, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Hey guys,
>
> Need some help with DNS queries behind a router. I set up a DNS server
> in my network and it responds when I'm within my network. I tried
> nslookup from localhost on the dns server and also from the LAN and it
> works just fine, but when I use the public IP of the router for the
> network, which should forward the port to the DNS server, it says
> "unexpected reply from 192.168.1.101, expected from the (public IP,
> which I won't display in this email)." Does that mean the port
> forwarding is working? I performed the query from the router itself
> and it seems like it's working because 192.168.1.101 (the DNS server)
> did respond. But with those weird responses, you never get a clear-cut
> answer; it just keeps saying the same thing: "unexpected reply from
> 192.168.1.101, expected from the..."
>
> Here's the router's pf.conf:
>
> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> # macros
> ext_if = "re0" # External Interface (169.229.158.0/24)
> int_if = "xl0" # Internal Interface (192.168.1.0/24)
> localnet = $int_if:network
> webserver = "192.168.1.50" # Redundant Sun Servers
> nameserver = "192.168.1.101" # Dell L400 Celeron
> webports = "{ http , https }"
> domainport = "{ domain }"
> tcp_services = "{ ssh }"
> icmp_types = "echoreq"
> carpdevs = "{ carp0 , carp1 }"
> syncdev = "{ re1 }"
> carp_mcast = "224.0.0.18"
>
> # extra tweaks
> set skip on lo
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> # nat
> nat on $ext_if from $localnet to any -> ($ext_if)
> no nat on $int_if proto tcp from $int_if to $localnet
> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>
> # rdr for http
> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>
> # rdr for domain (tcp)
> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>
> # rdr for domain (udp)
> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>
> # pass rules
> block in # Default Deny
> pass out keep state
> antispoof quick for { lo }
> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>     flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>     flags S/SA synproxy state
>
> # Basic CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state
> pass quick on $ext_if proto carp \
>     from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
>
> # Internet-Facing CARP rules
> pass in on $ext_if inet proto tcp from any to (carp0) \
>     port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to (carp0) \
>     port $webports flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to (carp0) \
>     port $domainport
> pass in on $ext_if inet proto tcp from any to (carp0) \
>     port $domainport flags S/SA synproxy state
>
> # LAN-Facing CARP rules
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>     port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>     port $webports flags S/SA synproxy state
> pass in on $int_if inet proto udp from $localnet to (carp1) \
>     port $domainport
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>     port $domainport flags S/SA synproxy state
>
>
> Thanks in advance,
> Vivek
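An added example, not part of either post and not OpenBSD's own configuration: the "reflection" pattern that the quoted pf.conf already applies to the web server (rdr on the internal interface plus a nat rule that rewrites the client's source to the router's internal address), extended to DNS over both UDP and TCP to the name server. The point it illustrates is a general one for pre-4.7 nat/rdr syntax, which is what the quoted file uses: when a LAN client queries the router's external address, the rdr rule sends the packet to 192.168.1.101, but without a matching nat rule the name server answers the client directly from 192.168.1.101, and a resolver that sent its query to the public address discards that answer as an "unexpected reply". Macro names and addresses are taken from the quoted file; everything else here is an assumption.

```pf
# Added example (not the posted pf.conf): DNS reflection for LAN clients.
# Macros as in the quoted file.
ext_if     = "re0"                 # external interface
int_if     = "xl0"                 # internal interface (192.168.1.0/24)
localnet   = $int_if:network
nameserver = "192.168.1.101"
domainport = "{ domain }"

# LAN clients that query the router's external or internal address are
# redirected to the name server (the quoted file already has the
# single-protocol forms of these rules).
rdr on $int_if proto { tcp, udp } from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto { tcp, udp } from $localnet to $int_if port $domainport -> $nameserver

# Without this nat rule the redirected query keeps the client's own
# source address, so 192.168.1.101 replies to the client directly and
# the client's resolver sees an answer from an address it never asked.
# Rewriting the source to the router's internal address makes the name
# server reply to the router, which translates the reply back to the
# client with the external address the client expects.
no nat on $int_if proto { tcp, udp } from $int_if to $localnet
nat on $int_if proto { tcp, udp } from $localnet to $nameserver port $domainport -> $int_if

# Filter rule for the reflected traffic on the internal interface (the
# quoted file's "pass in quick on $int_if" already covers it; shown so
# the example is complete on its own).
pass in on $int_if proto { tcp, udp } from $localnet to $nameserver port $domainport keep state
```

Two things to keep in mind when using this. First, reflected queries all reach the name server with the router's internal address as their source, so per-client information is lost in the name server's query logs and in any BIND access lists keyed on client address; splitting DNS so LAN clients query 192.168.1.101 directly avoids both the reflection rules and the loss of client addresses. Second, the quoted rules pass DNS from any external address to the name server, so BIND itself should restrict recursion to the LAN (for example with allow-recursion) so that the host does not serve as an open resolver for the Internet.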