topic Re: NATed DNS server Problem in Operating System - HP-UX

NATed DNS server Problem

Tommy Brown — Thu, 07 Aug 2003 18:05:40 GMT

Hello, I searched, but found nothing Similar..
My external DNS server now resides behind a firewall with a NATed address. If I query the server, I get:
[horton] (root)nslookup -q=ns .
Name Server: dns1.augustaga.gov
Address: 167.196.20.59

Trying DNS
*** Request to dns1.augustaga.gov timed-out
looking up FILES
*** No address information is available for "."

I am logged in locally, and on a private address. I cannot access any of my public addresses within the firewall. I have only one NIC and need help to resolve this. How can I access this External DNS server using a local address and not post the private address externally?
Thanks,
Tommy

Re: NATed DNS server Problem

Ron Kinner — Thu, 07 Aug 2003 23:32:06 GMT

Your default gateway should be set to the IP of the firewall. Is it? ipconfig /all or winipcfg will tell you what it is on a Windwo box. netstat -rn will tell you just about any box. Just look for 0.0.0.0

It is the firewall's job to NAT your local IP and pass your traffic to the external DNS server and then receive and unNat any replies.

Try a traceroute (tracert -d on a window box) to the DNS server. See where it stops. Then complain to the firewall admin.

Ron

Re: NATed DNS server Problem

Steven E. Protter — Thu, 07 Aug 2003 23:44:14 GMT

wondering if you can contact the nameservers in

/etc/resolv.conf

If not, this could be the problem.

SEP

Re: NATed DNS server Problem

Tommy Brown — Fri, 08 Aug 2003 12:02:05 GMT

Thanks, Ron and Steven, The DNS was working until we NATed the DNS server.. In talking to HP support, IT appears we may need to put the server outside the Firewall. It has a single NIC and the FW performs the NAT. Since the DNS server looks to its public address to perform queries it fails, since we do not allow public addresses on the internal side of trhe firewall.
Thanks, for your input.

Re: NATed DNS server Problem

Jordan Bean — Fri, 08 Aug 2003 17:05:48 GMT

You just moved the name server behind a firewall and your trying to resolve from that same box? Did you change the IP address in /etc/resolve.conf to the new private IP? Better yet, set it 0.0.0.0 so you don't have to worry about it again. Local resolution should work fine now.

The name server really doesn't need to know what the public IP is. If this is only used by the public, then you don't have to worry about publishing the private IP.

However, if this is also used by the internal network, then you really should consider using a split-dns configuration. If you are using BIND 9, then two views can be created: one for public and one for private. Each view may have the same zones, but with different data: one public and one private. The name server will choose the appropriate view based on client IP. See the attached example named.conf.

Re: NATed DNS server Problem

Andy Beal — Fri, 08 Aug 2003 18:10:01 GMT

You could be asking several different questions here, you may need to embellish some more.

If you moved your dns server behind a NAT, it should work fine, as long as hosts inside the nat access it with it's private IP. Even that box itself will need to access itself with it's private address. If it's serving external DNS, hosts on the internet should be using it's public address. Now the real complication comes in when your internal hosts also use this dns for lookups, it will work only as a local cache, any domains that are hosted on it will not work properly when inside the firewall, the server serves out public addresses, and in 99.9% of the cases those won't work for internal hosts. You may need a second DNS server, one for internal stuff and one that just serves the outside world so the information can be different.

Re: NATed DNS server Problem

Tommy Brown — Tue, 20 Jul 2004 09:47:26 GMT

This server has been put outside the firewall with "real" ip addresses. as soon as that was done, the nslookup problem was resolved.
Thanks to all.
Tommy