FedoraForum.org > Servers & Networking

#1
28th May 2008, 09:33 PM
overturfa
DNS Setup Woes - Please save me from wanting to shoot myself in the FACE!!!

I'm ready to beat my head against the wall with this one. My goal was to set up a simple caching-dns/dhcp and proxy server using an old box for my home network. I'm using an older Fedora distro (FC-5) and I'm almost where I want to be but I just can't get my windows clients to successfully communicate with my name server.

Conceptually my network goes like this:

[ISP] >--public IP-->[cable modem]>--192.168.0.x-->[DNS/Proxy/DHCP]>--10.0.0.x-->[Switch]-->[Clients]

1) Public IP assigned to cable modem by ISP
2) Cable modem assigns Linux box a 192.168.0.x on eth0
3) Linux box eth1 has a static IP of 10.0.0.1 and runs DHCP server to assign 10.0.0.x addresses to clients.
4) My server's FQDN is mybox.no-ip.org

So far I have tested DNS caching and verified it works server-side only. DHCP works client side and IPV4 forwarding is enabled as well (I tested this by doing a 'dig' on google server side and entering the real IP address into a browser on a client PC).

My nitty-gritty configuration thus far:
iptables is configured to forward IPv4 traffic between eth1 and eth0 using the following command:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Port 53 is opened to 10.0.0.0 network for DNS requests as follows:
Code:
iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 53 -j ACCEPT

UPDATE: Since originally posting, I've re-built the system and cleaned up some of my original code. Files reflected below are the latest iteration as of 30-May-08. All replies posted prior to May 30th are referencing the old code.

DNS is installed and configured per the following files: Updated 30-May-08 (no changes)
/etc/resolv.conf
Code:
search no-ip.org
nameserver 127.0.0.1
/etc/named.conf - Updated 30-May-08
Code:
//
// named.conf for Red Hat caching-nameserver 
//

acl no-ip.org { 10.0.0.0/24; 127.0/8; };
options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
        query-source address * port 53;
	allow-query { no-ip.org; };
	forward first;
	forwarders { 68.105.28.12; 68.105.29.12; 68.105.28.11; };
};

// 
// a caching only nameserver config
// 
controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// Add local zone definitions here.
zone "no-ip.org" IN {
        type master;
        file "no-ip.org.zone";
	allow-update { 127.0.0.1; 10.0.0.1; };
};

zone "0.0.10.in-addr.arpa" IN {
        type master;
        file "0.0.10.in-addr.arpa.zone";
	allow-update {127.0.0.1; 10.0.0.1; };
};


zone "." IN {
	type hint;
	file "named.ca";
};

zone "localdomain" IN {
	type master;
	file "localdomain.zone";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "localhost.zone";
	allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "named.local";
	allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.ip6.local";
	allow-update { none; };
};

zone "255.in-addr.arpa" IN {
	type master;
	file "named.broadcast";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "named.zero";
	allow-update { none; };
};

include "/etc/rndc.key";


These are my local zone configurations - Updated 30-May-08
/var/named/chroot/var/named/no-ip.org
Code:
$ORIGIN .
$TTL 86400	; 1 day
no-ip.org		IN SOA	mybox.no-ip.org. foo.bar.tld. (
				2008052903 ; serial
				28800      ; refresh (8 hours)
				7200       ; retry (2 hours)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	mybox.no-ip.org.
			MX	10 mail.no-ip.org.
$ORIGIN no-ip.org.
mybox			A	10.0.0.1
$TTL 10800	; 3 hours
vsagateway		A	10.0.0.253
			TXT	"3105ceba36a35756c5a108790f90eed83b"
$TTL 86400	; 1 day
www			CNAME	mybox

/var/named/chroot/var/named/0.0.10.in-addr.arpa.zone - Updated 30-May-08
Code:
$ORIGIN .
$TTL 86400	; 1 day
0.0.10.in-addr.arpa	IN SOA	mybox.no-ip.org. foo.bar.tld. (
				2008052903 ; serial
				28800      ; refresh (8 hours)
				7200       ; retry (2 hours)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	mybox.no-ip.org.
$ORIGIN 0.0.10.in-addr.arpa.
1			PTR	mybox.no-ip.org.
$TTL 10800	; 3 hours
253			PTR	vsagateway.no-ip.org.

DHCP is configured as follows - Updated 30-May-08
/etc/dhcpd.conf
Code:
authoritative;
include "/etc/rndc.key";

#Server configuration;

server-identifier	mybox;
ddns-domainname		"no-ip.org.";
ddns-rev-domainname	"in-addr.arpa.";
ddns-update-style 	interim;
ddns-updates		on;
ignore 			client-updates;

# This is the communication zone

zone no-ip.com. {
	primary 10.0.0.1;
	key rndckey;
}

# Client configuration:
 
subnet 10.0.0.0 netmask 255.255.255.0 {

# --- default gateway
	option routers			10.0.0.1;
	option subnet-mask		255.255.255.0;
	option broadcast-address	10.0.0.255;
	option nis-domain		"no-ip.org";
	option domain-name		"no-ip.org";
	option domain-name-servers	mybox.no-ip.org;

#	option time-offset		-18000;	# Eastern Standard Time
#	option ntp-servers		192.168.1.1;
#	option netbios-name-servers	192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#	option netbios-node-type 2;

	zone	0.0.0.10.in-addr.arpa. {
		primary 10.0.0.1;
		key rndckey;
	}

	zone	localdomain.	{
		primary 10.0.0.1;
		key rndckey;
	}

	range dynamic-bootp 10.0.0.128 10.0.0.254;
	default-lease-time 21600;
	max-lease-time 43200;
}

My Networking is configured as follows:
/etc/sysconfig/network
Code:
NETWORKING=yes
HOSTNAME=mybox.no-ip.org
FORWARD_IPV4=true
GATEWAYDEV=eth0
NOZEROCONF=yes

My Ethernet cards are configured as follows: (No Changes)
/etc/sysconfig/network-scripts/ifcfg-eth0
Code:
# Linksys Gigabit Network Adapter
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=dhcp
HWADDR=00:18:F8:08:F5:36
ONBOOT=yes
USERCTL=no
PEERDNS=no
DHCP_HOSTNAME=mybox.no-ip.org
IPV6INIT=no

/etc/sysconfig/network-scripts/ifcfg-eth1 (No Changes)
Code:
# Intel Corporation 82801BA/BAM/CA/CAM Ethernet Controller
DEVICE=eth1
TYPE=Ethernet
USERCTL=no
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:07:E9:BC:45:78
IPADDR=10.0.0.1
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
IPV6INIT=no

This is what a dig to google.com returns when I run the command server-side:
Code:
; <<>> DiG 9.3.2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32634
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 6

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         25      IN      CNAME   www.l.google.com.
www.l.google.com.       19      IN      A       209.85.171.147
www.l.google.com.       19      IN      A       209.85.171.99
-----content truncated-----
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 28 13:13:17 2008
;; MSG SIZE  rcvd: 324

Meaning that local DNS caching is working but again, it only works server side. When I run an nslookup to www.google.com from a Windows client pulling everything by DHCP, it returns the following error.
Code:
DNS request timed out.
     timeout was 2 seconds.
     ***Can't find server name for address 10.0.0.1: Timed out
     ***Default servers are not available
     Server:   Unknown
     Address:  10.0.0.1

DNS request timed out.
     timeout was 2 seconds.
     ***Request to Unknown timed-out

So that's where I'm at right now. Stumped!!! I just can't seem to get my client side boxes to communicate with my DNS server... Any ideas on what I'm missing here??

Thanks!

Last edited by overturfa; 30th May 2008 at 05:34 PM. Reason: Major Update
#2
28th May 2008, 09:59 PM
TheMadIndian
I didn't notice,

but you need

Code:
allow-query { any; };

in your named.conf for clients to query it.
#3
28th May 2008, 10:43 PM
overturfa
It's in there under the options section (line 19)
#4
28th May 2008, 11:45 PM
TheMadIndian
Quote:
Originally Posted by overturfa
It's in there under the options section (line 19)
Sorry, missed that. I also have TCP enabled for 53, not just UDP.
#5
29th May 2008, 01:50 AM
algej
Quote:
Originally Posted by overturfa
This is what a dig to google.com returns when I run the command server-side:
Code:
; <<>> DiG 9.3.2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32634
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 6

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         25      IN      CNAME   www.l.google.com.
www.l.google.com.       19      IN      A       209.85.171.147
www.l.google.com.       19      IN      A       209.85.171.99
-----content truncated-----
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) <-----See #2 below
;; WHEN: Wed May 28 13:13:17 2008
;; MSG SIZE  rcvd: 324
Hm.

Just a couple thoughts come to mind:

1. Check /var/log/messages and see if named is complaining about anything.

2. "***Can't find server name for address 10.0.0.1: Timed out" could also mean that the reverse lookup for 10.0.0.1 didn't work. When you ran dig on the server you were using localhost (and thus, the localhost zone files, which obviously *do* work) for your lookup. Remotely, you're using your no-ip.org zone files. On the server, what happens when you issue "dig -x 10.0.0.1"?
#6
29th May 2008, 04:19 PM
overturfa
Quote:
Originally Posted by algej
Hm.

Just a couple thoughts come to mind:

1. Check /var/log/messages and see if named is complaining about anything.

2. "***Can't find server name for address 10.0.0.1: Timed out" could also mean that the reverse lookup for 10.0.0.1 didn't work. When you ran dig on the server you were using localhost (and thus, the localhost zone files, which obviously *do* work) for your lookup. Remotely, you're using your no-ip.org zone files. On the server, what happens when you issue "dig -x 10.0.0.1"?
1. Here is the output from my /var/log/messages when I restart dhcpd, named, and network, followed by an ipconfig /release and ipconfig /renew on a Windows client box.

Code:
May 29 08:23:14 mybox named[9552]: running
May 29 08:23:22 mybox dhcpd: Wrote 0 deleted host decls to leases file.
May 29 08:23:22 mybox dhcpd: Wrote 0 new dynamic host decls to leases file.
May 29 08:23:22 mybox dhcpd: Wrote 2 leases to leases file.
May 29 08:23:22 mybox dhcpd: DHCPRELEASE of 10.0.0.253 from 00:e0:b8:53:63:9d (vsagateway) via eth1 (found)
May 29 08:23:30 mybox dhcpd: DHCPDISCOVER from 00:e0:b8:53:63:9d via eth1
May 29 08:23:31 mybox dhcpd: DHCPOFFER on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 08:23:31 mybox dhcpd: Unable to add forward map from vsagateway.no-ip.org to 10.0.0.253: timed out
May 29 08:23:31 mybox dhcpd: DHCPREQUEST for 10.0.0.253 (10.0.0.1) from 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 08:23:31 mybox dhcpd: DHCPACK on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 08:29:26 mybox named[9552]: shutting down: flushing changes
May 29 08:29:26 mybox named[9552]: stopping command channel on 127.0.0.1#953
May 29 08:29:26 mybox named[9552]: no longer listening on 127.0.0.1#53
May 29 08:29:26 mybox named[9552]: no longer listening on 192.168.0.3#53
May 29 08:29:26 mybox named[9552]: no longer listening on 10.0.0.1#53
May 29 08:29:26 mybox named[9552]: exiting
May 29 08:29:28 mybox named[9620]: starting BIND 9.3.2 -u named -t /var/named/chroot
May 29 08:29:28 mybox named[9620]: found 1 CPU, using 1 worker thread
May 29 08:29:28 mybox named[9620]: loading configuration from '/etc/named.conf'
May 29 08:29:28 mybox named[9620]: listening on IPv4 interface lo, 127.0.0.1#53
May 29 08:29:28 mybox named[9620]: listening on IPv4 interface eth0, 192.168.0.3#53
May 29 08:29:28 mybox named[9620]: listening on IPv4 interface eth1, 10.0.0.1#53
May 29 08:29:28 mybox named[9620]: command channel listening on 127.0.0.1#953
May 29 08:29:28 mybox kernel: audit(1212074968.136:176): avc:  denied  { getattr } for  pid=9621 comm="named" name="random" dev=dm-0 ino=9012125 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
May 29 08:29:28 mybox named[9620]: could not open entropy source /dev/random: permission denied
May 29 08:29:28 mybox named[9620]: using pre-chroot entropy source /dev/random
May 29 08:29:28 mybox named[9620]: zone 0.in-addr.arpa/IN: loaded serial 42
May 29 08:29:28 mybox named[9620]: zone 0.0.10.in-addr.arpa/IN: loaded serial 20080529
May 29 08:29:28 mybox named[9620]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
May 29 08:29:28 mybox named[9620]: zone 255.in-addr.arpa/IN: loaded serial 42
May 29 08:29:28 mybox named[9620]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
May 29 08:29:28 mybox named[9620]: zone localdomain/IN: loaded serial 42
May 29 08:29:28 mybox named[9620]: zone localhost/IN: loaded serial 42
May 29 08:29:28 mybox named[9620]: zone no-ip.org/IN: loaded serial 20080529
May 29 08:29:28 mybox named[9620]: running
May 29 08:29:42 mybox avahi-daemon[2384]: Withdrawing address record for 192.168.0.3 on eth0.
May 29 08:29:42 mybox avahi-daemon[2384]: Leaving mDNS multicast group on interface eth0.IPv4 with address 192.168.0.3.
May 29 08:29:42 mybox avahi-daemon[2384]: IP_DROP_MEMBERSHIP failed: No such device
May 29 08:29:42 mybox avahi-daemon[2384]: iface.c: interface_mdns_mcast_join() called but no local address available.
May 29 08:29:42 mybox avahi-daemon[2384]: Interface eth0.IPv4 no longer relevant for mDNS.
May 29 08:29:42 mybox avahi-daemon[2384]: Withdrawing address record for 10.0.0.1 on eth1.
May 29 08:29:42 mybox avahi-daemon[2384]: Leaving mDNS multicast group on interface eth1.IPv4 with address 10.0.0.1.
May 29 08:29:42 mybox avahi-daemon[2384]: IP_DROP_MEMBERSHIP failed: No such device
May 29 08:29:42 mybox avahi-daemon[2384]: iface.c: interface_mdns_mcast_join() called but no local address available.
May 29 08:29:42 mybox avahi-daemon[2384]: Interface eth1.IPv4 no longer relevant for mDNS.
May 29 08:29:42 mybox dhcpd: receive_packet failed on eth1: Network is down
May 29 08:29:42 mybox kernel: r8169: eth0: link up
May 29 08:29:42 mybox dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
May 29 08:29:42 mybox dhclient: DHCPACK from 192.168.0.1
May 29 08:29:42 mybox avahi-daemon[2384]: New relevant interface eth0.IPv4 for mDNS.
May 29 08:29:42 mybox avahi-daemon[2384]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.0.3.
May 29 08:29:42 mybox avahi-daemon[2384]: Registering new address record for 192.168.0.3 on eth0.
May 29 08:29:42 mybox dhclient: bound to 192.168.0.3 -- renewal in 123903 seconds.
May 29 08:29:43 mybox kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
May 29 08:29:43 mybox kernel: e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex
May 29 08:29:43 mybox kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
May 29 08:29:47 mybox avahi-daemon[2384]: New relevant interface eth1.IPv4 for mDNS.
May 29 08:29:47 mybox avahi-daemon[2384]: Joining mDNS multicast group on interface eth1.IPv4 with address 10.0.0.1.
May 29 08:29:47 mybox avahi-daemon[2384]: Registering new address record for 10.0.0.1 on eth1.
May 29 08:31:08 mybox dhcpd: /etc/dhcpd.conf line 16: . (46): expecting IP address or hostname
May 29 08:31:08 mybox dhcpd: 	primary.
May 29 08:31:08 mybox dhcpd:                 ^
May 29 08:31:08 mybox dhcpd: /etc/dhcpd.conf line 16: expecting IP addr or hostname.
May 29 08:31:08 mybox dhcpd: 	primary.127.0.0.1;
May 29 08:31:08 mybox dhcpd:                           ^
May 29 08:31:08 mybox dhcpd: Configuration file errors encountered -- exiting
May 29 08:31:08 mybox dhcpd: 
May 29 08:31:08 mybox dhcpd: If you did not get this software from ftp.isc.org, please
May 29 08:31:08 mybox dhcpd: get the latest from ftp.isc.org and install that before
May 29 08:31:08 mybox dhcpd: requesting help.
May 29 08:31:08 mybox dhcpd: 
May 29 08:31:08 mybox dhcpd: If you did get this software from ftp.isc.org and have not
May 29 08:31:08 mybox dhcpd: yet read the README, please read it before requesting help.
May 29 08:31:08 mybox dhcpd: If you intend to request help from the dhcp-server@isc.org
May 29 08:31:08 mybox dhcpd: mailing list, please read the section on the README about
May 29 08:31:08 mybox dhcpd: submitting bug reports and requests for help.
May 29 08:31:08 mybox dhcpd: 
May 29 08:31:08 mybox dhcpd: Please do not under any circumstances send requests for
May 29 08:31:08 mybox dhcpd: help directly to the authors of this software - please
May 29 08:31:09 mybox dhcpd: send them to the appropriate mailing list as described in
May 29 08:31:09 mybox dhcpd: the README file.
May 29 08:31:09 mybox dhcpd: 
May 29 08:31:09 mybox dhcpd: exiting.
May 29 08:31:17 mybox dhcpd: DHCPRELEASE of 10.0.0.253 from 00:e0:b8:53:63:9d (vsagateway) via eth1 (found)
May 29 08:31:23 mybox dhcpd: DHCPDISCOVER from 00:e0:b8:53:63:9d via eth1
May 29 08:31:24 mybox dhcpd: DHCPOFFER on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 08:31:24 mybox dhcpd: Unable to add forward map from vsagateway.no-ip.org to 10.0.0.253: timed out
May 29 08:31:24 mybox dhcpd: DHCPREQUEST for 10.0.0.253 (10.0.0.1) from 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 08:31:24 mybox dhcpd: DHCPACK on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1

2. Running dig -x 10.0.0.1 from the shell running server side I get this:

Code:
; <<>> DiG 9.3.2 <<>> -x 10.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

;; ANSWER SECTION:
1.0.0.10.in-addr.arpa.  86400   IN      PTR     mybox.no-ip.org.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.    86400   IN      NS     mybox.no-ip.org.

;; ADDITIONAL SECTION:
mybox.no-ip.org.     86400   IN      A       10.0.0.1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 29 06:46:38 2008
;; MSG SIZE  rcvd: 101
I don't have a linux box running client side. However I doubt it matters much since Windows boxes are failing nslookups anyway.

I get the feeling that the problem lies somehow with getting my DNS server to communicate on eth1.

Thoughts?

Last edited by overturfa; 29th May 2008 at 04:42 PM.
#7
29th May 2008, 05:50 PM
overturfa
Ok, so I found one mistake in my dhcpd.conf file under the communication zone. I had a '.' where there should have been a space. After getting that sorted out, this is the output from /var/log/messages after repeating the process I mentioned in my last post.

Code:
May 29 09:11:16 mybox dhcpd: dhcpd shutdown succeeded
May 29 09:11:16 mybox dhcpd: Internet Systems Consortium DHCP Server V3.0.3-RedHat
May 29 09:11:16 mybox dhcpd: Copyright 2004-2005 Internet Systems Consortium.
May 29 09:11:16 mybox dhcpd: All rights reserved.
May 29 09:11:16 mybox dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
May 29 09:11:16 mybox dhcpd: Wrote 2 leases to leases file.
May 29 09:11:16 mybox dhcpd: Listening on LPF/eth1/00:07:e9:bc:45:78/10.0.0/24
May 29 09:11:16 mybox dhcpd: Sending on   LPF/eth1/00:07:e9:bc:45:78/10.0.0/24
May 29 09:11:16 mybox dhcpd:
May 29 09:11:16 mybox dhcpd: No subnet declaration for eth0 (192.168.0.3).
May 29 09:11:16 mybox dhcpd: ** Ignoring requests on eth0.  If this is not what
May 29 09:11:16 mybox dhcpd:    you want, please write a subnet declaration
May 29 09:11:16 mybox dhcpd:    in your dhcpd.conf file for the network segment
May 29 09:11:16 mybox dhcpd:    to which interface eth0 is attached. **
May 29 09:11:16 mybox dhcpd:
May 29 09:11:16 mybox dhcpd: Sending on   Socket/fallback/fallback-net
May 29 09:11:16 mybox dhcpd: dhcpd startup succeeded
May 29 09:11:45 mybox dhcpd: DHCPDISCOVER from 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 09:11:46 mybox dhcpd: DHCPOFFER on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 09:11:46 mybox named[10414]: client 10.0.0.1#32878: update 'no-ip.org/IN' denied  <--- This looks suspicious...  
May 29 09:11:46 mybox dhcpd: Unable to add forward map from vsagateway.no-ip.org. to 10.0.0.253: timed out
May 29 09:11:46 mybox dhcpd: DHCPREQUEST for 10.0.0.253 (127.0.0.1) from 00:e0:b8:53:63:9d (vsagateway) via eth1
May 29 09:11:46 mybox dhcpd: DHCPACK on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
#8
29th May 2008, 08:14 PM
algej
From an earlier post:
Quote:
May 29 08:29:28 mybox kernel: audit(1212074968.136:176): avc: denied { getattr } for pid=9621 comm="named" name="random" dev=dm-0 ino=9012125 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
May 29 08:29:28 mybox named[9620]: could not open entropy source /dev/random: permission denied
May 29 08:29:28 mybox named[9620]: using pre-chroot entropy source /dev/random
SELinux isn't quite happy with the chroot'd /dev/random and might be messing up authentication as a result, assuming you're in Enforcing mode. Check for other AVC errors in /var/log/messages. You might try either adding some local type enforcement rules (repeat adding new rules for each error as it occurs) or setting SELinux to permissive mode (to make SELinux a non-issue and so you can see/fix all the errors at once and turn it back on later). Here is a fairly easy-to-follow tutorial on setting up local type enforcement rules.

Quote:
May 29 09:11:46 mybox named[10414]: client 10.0.0.1#32878: update 'no-ip.org/IN' denied
That just means that the Windows client isn't allowed to update its A record on the server. I'm guessing either authentication is failing (perhaps because SELinux borked your entropy source?) or you have misconfigured dhcp clients on the Windows side.

Last edited by algej; 29th May 2008 at 09:04 PM.
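What the AVC line quoted above is actually saying, and how the local type-enforcement rule suggested in this post would be produced: the denial is named_t (named) asking for getattr on a chr_file called random whose label is named_conf_t, i.e. the /dev/random copy inside the chroot carries the config-file label instead of a device label, which is why named fell back to the pre-chroot entropy source. The Python below is an added example, not code from the thread and not the audit2allow tool, though it does by hand what audit2allow -M does for a single record: it parses the poster's log line, emits the allow rule and the module skeleton, and flags the mislabelled device node, because relabelling it is the narrower fix. The module name local_named is my choice. One grounded aside on the second quoted line: the client it names is 10.0.0.1, which is dhcpd on the server itself sending the DDNS update (dhcpd.conf has ignore client-updates), not the Windows host.

```python
"""Derive a local SELinux policy rule from the AVC denial quoted in this thread.

Added example; not from the thread and not audit2allow, though it mimics
what 'audit2allow -M' produces for one record. The input line is copied
from the poster's /var/log/messages; the module name is my choice.
"""
import re

AVC_LINE = (
    'May 29 08:29:28 mybox kernel: audit(1212074968.136:176): avc:  denied  '
    '{ getattr } for  pid=9621 comm="named" name="random" dev=dm-0 ino=9012125 '
    'scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 '
    'tclass=chr_file'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': [...], 'comm': ..., 'scontext': ..., ...} or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def te_rule(rec):
    """The single allow rule that would permit exactly this access."""
    perms = rec["perms"]
    perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (context_type(rec["scontext"]),
                                   context_type(rec["tcontext"]),
                                   rec["tclass"], perm)


def te_module(name, records):
    """A loadable .te module: require block plus one allow rule per record."""
    types, classes = set(), {}
    for r in records:
        types.update((context_type(r["scontext"]), context_type(r["tcontext"])))
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    req = ["\ttype %s;" % t for t in sorted(types)]
    req += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    body = "\n".join(te_rule(r) for r in records)
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (name, "\n".join(req), body)


def label_warning(rec):
    """A device node carrying a non-device label wants a relabel, not a new rule."""
    ttype = context_type(rec["tcontext"])
    if rec.get("tclass") in ("chr_file", "blk_file") and not ttype.endswith("device_t"):
        return ("%s is a %s labelled %s; a device node should carry a *_device_t "
                "type, so fix the label (restorecon/chcon) before widening policy"
                % (rec.get("name", "?"), rec["tclass"], ttype))
    return None


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print(te_module("local_named", [rec]))
    print(label_warning(rec) or "label looks sane")
```

The module text it prints is what you would feed to checkmodule -M -m -o local_named.mod local_named.te, semodule_package -o local_named.pp -m local_named.mod and semodule -i local_named.pp (the sequence audit2allow -M wraps). When label_warning fires, as it does for this record, prefer restorecon -v /var/named/chroot/dev/random (or chcon -t random_device_t on it) over loading the rule: the rule would let named read every named_conf_t character device, which is not a thing that should exist.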
#9
30th May 2008, 06:00 PM
overturfa
Update: I have the 80% solution

NOTE: Please review my updated code in the original post when trying to spot errors. It is all that is relevant from this post forward.

Ok, Just some updates:

I decided to go back and do a clean install of everything, fearing that SELinux could be the culprit, so I re-installed with no firewall and no SELinux. I also cleaned up my DNS files per a good Red Hat Magazine tutorial I stumbled onto.

I have finally gotten to the point where named does not report any errors in /var/log/messages, and when a client does an IP renewal the message log shows the forward and reverse mappings being added in my no-ip.org and my 0.0.10.in-addr zone files, so that part is working now.

Excerpt from message log showing dhcp startup and a new client getting assigned an address without errors:
Code:
May 30 08:18:33 mybox dhcpd: dhcpd startup succeeded
May 30 08:19:05 mybox named[3474]: starting BIND 9.3.2 -u named -t /var/named/chroot
May 30 08:19:05 mybox named[3474]: found 1 CPU, using 1 worker thread
May 30 08:19:05 mybox named[3474]: loading configuration from '/etc/named.conf'
May 30 08:19:05 mybox named[3474]: listening on IPv4 interface lo, 127.0.0.1#53
May 30 08:19:05 mybox named[3474]: listening on IPv4 interface eth0, 192.168.0.3#53
May 30 08:19:05 mybox named[3474]: listening on IPv4 interface eth1, 10.0.0.1#53
May 30 08:19:05 mybox named[3474]: zone 'no-ip.org' allows updates by IP address, which is insecure
May 30 08:19:05 mybox named[3474]: zone '0.0.10.in-addr.arpa' allows updates by IP address, which is insecure
May 30 08:19:05 mybox named[3474]: command channel listening on 127.0.0.1#953
May 30 08:19:05 mybox named[3474]: zone 0.in-addr.arpa/IN: loaded serial 42
May 30 08:19:05 mybox named[3474]: zone 0.0.10.in-addr.arpa/IN: loaded serial 2008052902
May 30 08:19:05 mybox named[3474]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
May 30 08:19:05 mybox named[3474]: zone 255.in-addr.arpa/IN: loaded serial 42
May 30 08:19:05 mybox named[3474]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
May 30 08:19:05 mybox named[3474]: zone localdomain/IN: loaded serial 42
May 30 08:19:05 mybox named[3474]: zone localhost/IN: loaded serial 42
May 30 08:19:05 mybox named[3474]: zone no-ip.org/IN: loaded serial 2008052902
May 30 08:19:05 mybox named[3474]: running
May 30 08:21:26 mybox dhcpd: DHCPDISCOVER from 00:e0:b8:53:63:9d via eth1
May 30 08:21:27 mybox dhcpd: DHCPOFFER on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
May 30 08:21:27 mybox named[3474]: client 10.0.0.1#32790: updating zone 'no-ip.org/IN': adding an RR at 'vsagateway.no-ip.org' A
May 30 08:21:27 mybox named[3474]: client 10.0.0.1#32790: updating zone 'no-ip.org/IN': adding an RR at 'vsagateway.no-ip.org' TXT
May 30 08:21:27 mybox named[3474]: journal file no-ip.org.zone.jnl does not exist, creating it
May 30 08:21:27 mybox dhcpd: Added new forward map from vsagateway.no-ip.org. to 10.0.0.253
May 30 08:21:27 mybox named[3474]: client 10.0.0.1#32790: updating zone '0.0.10.in-addr.arpa/IN': deleting rrset at '253.0.0.10.in-addr.arpa' PTR
May 30 08:21:27 mybox named[3474]: client 10.0.0.1#32790: updating zone '0.0.10.in-addr.arpa/IN': adding an RR at '253.0.0.10.in-addr.arpa' PTR
May 30 08:21:27 mybox named[3474]: journal file 0.0.10.in-addr.arpa.zone.jnl does not exist, creating it
May 30 08:21:27 mybox dhcpd: added reverse map from 253.0.0.10.in-addr.arpa. to vsagateway.no-ip.org.
May 30 08:21:27 mybox dhcpd: DHCPREQUEST for 10.0.0.253 (127.0.0.1) from 00:e0:b8:53:63:9d (vsagateway) via eth1
May 30 08:21:27 mybox dhcpd: DHCPACK on 10.0.0.253 to 00:e0:b8:53:63:9d (vsagateway) via eth1
Like before, client machines can browse web pages only by entering the actual ip address of the page (e.g. enter 209.85.171.147 if you want to go to www.google.com) via IP Masquerading but no DNS resolution from my caching-nameserver. OTOH, if i set the clients to use one of my upstream DNS servers, they browse the internet just fine (obviously).

The interesting part is that with Windows set to Obtain DNS server address automatically, it gets assigned a DNS server address of 127.0.0.1, when before it would pull 10.0.0.1 (which is correct). No matter; even if I force Windows to use DNS server address 10.0.0.1, name resolution still fails. Curious!

So that's where I'm at... Cleaned up some code and took care of all the /var/log/messages errors related to named. Caching-DNS service works fantastically on the server side (local) only, with no joy for the client side.

Last edited by overturfa; 30th May 2008 at 09:53 PM.
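The two "allows updates by IP address, which is insecure" lines in the log above are named objecting to allow-update { 127.0.0.1; 10.0.0.1; }: the only thing authenticating a dynamic update is its source address, which any host on the LAN segment can forge. The thread's dhcpd.conf also reuses rndckey, the rndc control-channel key from /etc/rndc.key, for DDNS, so anyone who can read dhcpd.conf can also drive rndc. The script below is an added example, not the poster's code: it generates a dedicated TSIG secret the way dnssec-keygen (tsig-keygen on current BIND) would, and renders the matching key and zone stanzas for both daemons so that named accepts only signed updates and dhcpd signs with the same secret. Assumed: the key name dhcp-update, the zone names from this thread, and hmac-sha256 as the default algorithm; the versions in this thread (BIND 9.3.2, dhcpd 3.0.3) predate SHA-family TSIG support in those tools, so pass algorithm="hmac-md5" for that pairing.

```python
"""Replace allow-update-by-address with a shared TSIG key.

Added example, not the poster's code. Generates a secret like dnssec-keygen /
tsig-keygen and renders both sides of the config. Key name, zone names and
the default algorithm are assumptions stated in the text above.
"""
import base64
import os
import stat


def make_secret(nbytes=32):
    """Base64 secret from the OS CSPRNG; 32 bytes suits hmac-sha256."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def secret_bytes(secret):
    """Decode and sanity-check a secret (TSIG secrets are base64 of raw bytes)."""
    raw = base64.b64decode(secret, validate=True)
    if len(raw) < 16:
        raise ValueError("TSIG secret shorter than 128 bits")
    return raw


def render_named(key_name, secret, zones, algorithm="hmac-sha256"):
    """named.conf: key stanza plus zones that accept only key-signed updates."""
    secret_bytes(secret)
    out = ['key "%s" {' % key_name,
           "\talgorithm %s;" % algorithm,
           '\tsecret "%s";' % secret,
           "};", ""]
    for z in zones:
        z = z.rstrip(".")
        out += ['zone "%s" IN {' % z,
                "\ttype master;",
                '\tfile "%s.zone";' % z,
                '\tallow-update { key "%s"; };' % key_name,   # no addresses
                "};", ""]
    return "\n".join(out)


def render_dhcpd(key_name, secret, zones, primary, algorithm="hmac-sha256"):
    """dhcpd.conf: the same key and one zone{} per zone, pointing at named."""
    secret_bytes(secret)
    out = ["key %s {" % key_name,
           "\talgorithm %s;" % algorithm,
           '\tsecret "%s";' % secret,
           "}", ""]
    for z in zones:
        z = z.rstrip(".") + "."          # dhcpd wants the trailing dot
        out += ["zone %s {" % z,
                "\tprimary %s;" % primary,
                "\tkey %s;" % key_name,
                "}", ""]
    return "\n".join(out)


def write_private(path, text):
    """Write a fragment holding the secret with mode 0600 from the first byte."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # in case the file pre-existed


if __name__ == "__main__":
    secret = make_secret()
    zones = ["no-ip.org", "0.0.10.in-addr.arpa"]
    print("# named.conf side\n" + render_named("dhcp-update", secret, zones))
    print("# dhcpd.conf side\n" + render_dhcpd("dhcp-update", secret, zones, "10.0.0.1"))
```

Put the key stanza in its own file (write_private) and include it from both configs rather than pasting the secret into dhcpd.conf, which on this box is world-readable; the zone names in the two outputs must be byte-for-byte the same zones named serves, otherwise dhcpd never matches its zone{} and sends the update unsigned, which is exactly what a key-only allow-update will then reject.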
#10
30th May 2008, 09:16 PM
algej
In your dhcpd.conf you have:

Code:
option domain-name-servers	mybox.no-ip.org;
Try changing this to

Code:
option domain-name-servers	10.0.0.1;
Since in order to resolve mybox.no-ip.org, the client would need to already know its IP address, *without* DNS.

Also, in your DNS zone files' SOA records, foo.bar.tld. should probably be root.mybox.no-ip.org., although that's just me nit-picking and shouldn't cause the clients to not work.

Other stuff to try:

1. Increase the debug level on named (named -d 1 or perhaps named -d 3) and tail -f the messages files during an nslookup to see if that tells you what's wrong.
2. Use wireshark (formerly known as ethereal) or tcpdump to check network activity on 10.0.0.1.
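A reviewer's cross-check of the three fragments posted in #1 against the point made in this post, as an added example that is not code from the thread. The inputs are hand-copied excerpts of the poster's named.conf, dhcpd.conf and iptables rules (constructed here and trimmed to the lines the checks read); the checks are mine. Beyond the domain-name-servers hostname, which dhcpd resolves on the server when it reads the config (the May 30 DHCPREQUEST lines in #9 show the server identifier mybox resolving to 127.0.0.1, which is what the clients were then handed as their DNS server), it catches two mismatches the thread never names: the dhcpd zone stanzas say no-ip.com. and 0.0.0.10.in-addr.arpa., neither of which is a zone named serves, so dhcpd never matches them, locates the primary via the SOA record instead and sends the update unsigned; it only works because allow-update trusts 10.0.0.1 by address. It also flags the fixed query-source port and the missing tcp/53 rule from #4.

```python
"""Cross-check the named.conf, dhcpd.conf and iptables fragments from this thread.

Added example, not code from the thread: the inputs are hand-copied excerpts
of what the poster published; the checks are a reviewer's.
"""
import re

NAMED_CONF = """
options {
    query-source address * port 53;
    allow-query { 10.0.0.0/24; 127.0.0.1; };
};
zone "no-ip.org" IN {
    type master;
    file "no-ip.org.zone";
    allow-update { 127.0.0.1; 10.0.0.1; };
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "0.0.10.in-addr.arpa.zone";
    allow-update { 127.0.0.1; 10.0.0.1; };
};
"""

DHCPD_CONF = """
zone no-ip.com. {
    primary 10.0.0.1;
    key rndckey;
}
subnet 10.0.0.0 netmask 255.255.255.0 {
    option domain-name-servers mybox.no-ip.org;
    zone 0.0.0.10.in-addr.arpa. {
        primary 10.0.0.1;
        key rndckey;
    }
}
"""

IPTABLES_RULES = [
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
    "iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 53 -j ACCEPT",
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def named_zones(text):
    """Map zone name -> allow-update tokens (None when the zone has none)."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', text, re.S):
        upd = re.search(r"allow-update\s*\{([^}]*)\}", m.group(2))
        zones[m.group(1).rstrip(".").lower()] = (
            upd.group(1).replace(";", " ").split() if upd else None)
    return zones


def dhcpd_zones(text):
    """Zone names dhcpd has been told to send key-signed DDNS updates for."""
    return re.findall(r"\bzone\s+(\S+)\s*\{", text)


def dhcpd_option(text, name):
    m = re.search(r"option\s+%s\s+([^;]+);" % re.escape(name), text)
    return m.group(1).strip().strip('"') if m else None


def check_all(named=NAMED_CONF, dhcpd=DHCPD_CONF, rules=IPTABLES_RULES):
    findings = []
    zones = named_zones(named)
    # 1. A dhcpd zone{} naming a zone named does not serve is never matched:
    #    dhcpd then locates the primary via SOA and sends the update unsigned.
    for z in dhcpd_zones(dhcpd):
        if z.rstrip(".").lower() not in zones:
            findings.append("dhcpd zone %r matches no zone in named.conf "
                            "(named serves %s); its key is never used"
                            % (z, sorted(zones)))
    # 2. The client has no resolver yet, so this option must be an address.
    dns = dhcpd_option(dhcpd, "domain-name-servers")
    if dns and not all(IPV4.match(p.strip()) for p in dns.split(",")):
        findings.append("option domain-name-servers is %r, not an address; "
                        "dhcpd resolves it on the server at startup" % dns)
    # 3. A source address is spoofable on a LAN; updates should need a key.
    for name, upd in zones.items():
        ips = [t for t in (upd or []) if IPV4.match(t) or "/" in t]
        if ips:
            findings.append("zone %r allows dynamic updates by IP address %s; "
                            "use 'allow-update { key <name>; };'" % (name, ips))
    # 4. Pinning the outbound port discards source-port randomisation.
    if re.search(r"query-source[^;]*\bport\s+\d+", named):
        findings.append("query-source pins the outbound port; drop 'port 53' "
                        "so named can randomise it against cache poisoning")
    # 5. Answers that do not fit in UDP are truncated and retried over TCP.
    accepted = {m.group(1) for m in
                (re.search(r"-p\s+(udp|tcp)\b.*--dport\s+53\b.*-j\s+ACCEPT", r)
                 for r in rules) if m}
    if "udp" in accepted and "tcp" not in accepted:
        findings.append("iptables accepts udp/53 but not tcp/53; truncated "
                        "answers will hang on the TCP retry")
    return findings


if __name__ == "__main__":
    print("\n".join("- " + f for f in check_all()))
```

Run with no arguments to print the seven findings for the posted configs; pass your own strings to check_all() to lint another pair of files. Once the dhcpd zone names match named's, dhcpd signs its updates with the key it was given, and allow-update can be tightened to that key alone.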
#11
30th May 2008, 09:37 PM
overturfa
Quote:
Originally Posted by algej
In your dhcpd.conf you have:

Code:
option domain-name-servers	mybox.no-ip.org;
Try changing this to

Code:
option domain-name-servers	10.0.0.1;
Since in order to resolve mybox.no-ip.org, the client would need to already know its IP address, *without* DNS.
HOLY Crap! That makes perfect sense!! Of course it can't resolve the domain name server by its domain name if it doesn't know it.

Strangely enough though, things have "magically" started working in the last hour without my changing any code. This includes me re-booting the DNS (not the client though). Stranger than fiction... I feel like Alice in Wonderland right about now..

If things go back to hell again I'll implement the change because that does in fact make sense.
Thanks!

Last edited by overturfa; 30th May 2008 at 09:55 PM.