Operating System - HP-UX

entry in /etc/hosts to resolve inside DMZ

 
SOLVED
pat hayes
Advisor

entry in /etc/hosts to resolve inside DMZ

We have a website on the Internet, www.ehager.com. To the outside world it has one IP address, inside our network it has a 192.x.x.x address. Recently, the network guys installed a DMZ, a Techguard G1000R relay server running Linux. Prior to that, we only had a cisco pix firewall, which we still have. Since the DMZ install, my internal users cannot resolve www.ehager.com from Internet Explorer. They can reach the site with the internal IP address. The network guys say it's a problem with my DNS setup on HP-UX. I have an entry in /etc/hosts for the internal 192 address with host entries: ehager ehager.com www.ehager.com
My nsswitch.conf file has:
hosts: files [NOTFOUND=continue] dns
My internal users can enter "ehager" in their Internet Explorer browsers and they reach the site, but neither ehager.com nor www.ehager.com works. They receive the MSN "we can't find "www.ehager.com"" page. If I do an nslookup from HP-UX on www.ehager.com it returns the 192 address from FILES as name ehager and shows the other two entries as aliases.

Any suggestions for changing the DNS set up, or any additional information that I can take back to the network guys to show it's not DNS, would be greatly appreciated. You've probably gathered by now, I'm not very knowledgeable about DNS or networking and have mostly inherited this job because I'm somewhat familiar with HP-UX.

Thanks
14 REPLIES
Donny Jekels
Respected Contributor

Re: entry in /etc/hosts to resolve inside DMZ

pat,

what does your /etc/resolv.conf file look like?

paste it here.
"Vision, is the art of seeing the invisible"
Donny Jekels
Respected Contributor

Re: entry in /etc/hosts to resolve inside DMZ

in it you must make sure your server domain and your search domain can resolve each other.

domain yoursite.com
search yoursite.com
nameserver 192.1.1.20
nameserver 10.1.1.20

you can also add more search domains for other domains.
"Vision, is the art of seeing the invisible"
pat hayes
Advisor

Re: entry in /etc/hosts to resolve inside DMZ

/etc/resolv.conf is:

domain hagerhinge.com
nameserver 10.10.10.4

I also meant to include in my original post, that if I try to get to the site by the external IP address directly (as opposed to by name) from the inside, I still cannot reach the site, that's why I suspect it may not be a DNS issue.

Thanks!!
John Dvorchak
Honored Contributor

Re: entry in /etc/hosts to resolve inside DMZ

The /etc/hosts and the /etc/nsswitch.conf file are only used by persons logged onto the HPUX box. You didn't mention if that HPUX box is also the company DNS server. If so you will have to change the address, to the new internal address, in the entries in the DNS conf files.

Examining the /etc/named.boot file should tell you where the DNS conf files are stored. Then you will edit both the forward and reverse lookup files changing the appropriate entries, and restarting bind (DNS) with /sbin/init.d/named start
If it has wheels or a skirt, you can't afford it.
pat hayes
Advisor

Re: entry in /etc/hosts to resolve inside DMZ

John

Yes, the HPUX box is the company DNS server. I've always used hosts_to_named to create my DNS configuration files, but it didn't like the www.ehager.com entry. I do know where these files reside on the system. Can I add a CNAME entry for www.ehager.com?
Uday_S_Ankolekar
Honored Contributor

Re: entry in /etc/hosts to resolve inside DMZ

add ehager.com in named.boot file.

This file will be in the /etc/named.data directory.

-USA..
Good Luck..
John Dvorchak
Honored Contributor

Re: entry in /etc/hosts to resolve inside DMZ

Yes but I would just change the address in the existing files/records. If you need to add or change an existing CNAME go for it, but the files are read top to bottom so be careful of duplicate records. Also don't forget to stop and start named to get the files re-read. Confirm what you have by removing or commenting out the /etc/hosts entry and also go to a Windoz box and confirm the correct address, both by name and address with nslookup. If you are still having problems and nslookup works you will have to tell the users to dump the cache on I.E 6 to resolve the new address.
If it has wheels or a skirt, you can't afford it.
pat hayes
Advisor

Re: entry in /etc/hosts to resolve inside DMZ

First of all, thanks to everyone for all your helpful ideas. I've been attempting to try each suggestion and so far am still unsuccessful reaching www.ehager.com from inside.

In /etc/named.data I have a db.hagerhinge file, it has a record related to ehager as such:

ehager IN A 192.168.10.10

in the db.192 file I have this record related to ehager:

10.10.168 IN PTR ehager.hagerhinge.com

In the named.boot files (I have one in /etc and one in /etc/named.data, I've always been confused about which is "active", so I've kept both files the same) I have an entry related to ehager as:

primary ehager db.hagerhinge

I have signalled named to restart with sig_named restart.

Could it be the "hagerhinge.com" portion of the entry in db.192?

What do you make of the fact that I can't get to the site with the outside IP address? Could there be some other issue that will prevent this from working no matter what changes I make to DNS?

thanks!!
Phil Clifford
New Member

Re: entry in /etc/hosts to resolve inside DMZ

We have a similarly confusing situation with a pix with a DMZ where there is NAT.

For the DNS issues our kludge is to have separate internal, DMZ, and external DNS's so hosts resolve addresses dependent on where they are coming from / their "view" of the network. (could be done "better" with a "single" bind v9 but we're still on 8)

My advice is to look out for routing and ACL issues around the firewall/DMZ device and to try to separately investigate IP/routing/ACL issues from name resolution issues. For example check the routes ( using -n options to avoid DNS issues) using IP . Then check connectivity (again using IP number destinations). Then finally look at name resolution from each "point of view".

Do the internal PC users use a proxy (then you need to look at the name resolution and routing configuration from the proxy point of view as well) or just use a DNS directly themselves (in which case which DNS) ?

The "MSN page" you mention sounds like the generic internal MSIE error page (it's coming from a dll not some MSN site). This sometimes is a bit of a red herring as it reads like there's a DNS problem but usually it's not. For example, some of our users get it when there is not a route back to their network from the squid proxy they must use.

Todd Whitcher
Esteemed Contributor
Solution

Re: entry in /etc/hosts to resolve inside DMZ

Hi,

Some DNS info:

/etc/named.boot is for 4.X BIND
/etc/named.conf is for =>8.X BIND

To tell what you have do:

# what /usr/sbin/named

What happens when you look up the address w/ nslookup pointed to the DNS server ?


# nslookup
> server dns_server_name
> set q=A
> www.ehager.com.


If you have two addresses for www.ehager.com
you want something like this in your db.domain file.


www.ehager.com. IN A 192.2.3.4
www.ehager.com. IN A 192.5.6.7

Also very important to have the reverse lookup
PTR record in the db.192.XXX.XXX.XXX file the
the in-addr.arpa db.

4.3.2.192 IN PTR www.ehager.com.
7.6.5.192 IN PTR www.ehager.com.

Hope that helps !

Todd
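The forward A records and the in-addr.arpa PTR records Todd shows above have to agree with each other, and one detail that bites in hand-edited db.192 files is the trailing dot: in a BIND zone file any name that does not end in "." gets the zone origin appended to it. The checker below is an added example (not code from the thread or from HP-UX) that parses small zone-file fragments and reports A/PTR pairs that do not line up; the zone text it carries is constructed to resemble the records quoted in the discussion, with one deliberate missing dot.

```python
"""Cross-check the A records of a forward zone against the PTR records of its
in-addr.arpa zone. Added example, not code from the thread; the zone text
below is constructed to mirror the records the posters quoted."""
import ipaddress


def absolute(name, origin):
    """BIND appends the zone origin to any owner or target lacking a trailing dot."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples for the A and PTR records in zone text.
    Supports 'owner [ttl] [IN] TYPE rdata', blank-owner continuation lines,
    ';' comments and $ORIGIN; other directives and record types are skipped."""
    if not origin.endswith("."):
        origin += "."
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        if fields[0].startswith("$"):
            continue
        if line[0].isspace():
            owner = last_owner                 # blank owner repeats the previous one
        else:
            owner = absolute(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():
            fields.pop(0)                      # optional TTL
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                      # optional class
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype == "A":
            records.append((owner, "A", rdata))
        elif rtype == "PTR":
            records.append((owner, "PTR", absolute(rdata, origin)))
    return records


def reverse_owner(addr):
    """'192.168.10.10' -> '10.10.168.192.in-addr.arpa.'"""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def check_consistency(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return a sorted list of human-readable problems; an empty list means the
    forward and reverse data agree."""
    a_recs = [r for r in parse_zone(forward_text, forward_origin) if r[1] == "A"]
    ptr_recs = [r for r in parse_zone(reverse_text, reverse_origin) if r[1] == "PTR"]
    ptr_targets = {}
    for owner, _, target in ptr_recs:
        ptr_targets.setdefault(owner, set()).add(target)
    forward = {(name, addr) for name, _, addr in a_recs}
    problems = set()
    for name, _, addr in a_recs:
        targets = ptr_targets.get(reverse_owner(addr), set())
        if not targets:
            problems.add(f"no PTR record for {addr} ({name})")
        elif name not in targets:
            problems.add(f"PTR for {addr} names {sorted(targets)}, not {name}")
    for owner, _, target in ptr_recs:
        if target.endswith(".in-addr.arpa."):
            # A hostname written without its trailing dot has the reverse
            # zone's origin glued onto it; the classic db.192 editing mistake.
            problems.add(f"PTR target {target} looks like a missing trailing dot")
        addr = ".".join(reversed(owner.removesuffix(".in-addr.arpa.").split(".")))
        if (target, addr) not in forward:
            problems.add(f"PTR {owner} -> {target} has no matching A record")
    return sorted(problems)


# Constructed sample data (not the poster's real files).
FORWARD_ZONE = """\
; constructed db.ehager fragment
$ORIGIN ehager.com.
@     IN A 192.168.10.10
www   IN A 192.168.10.10
"""
REVERSE_BROKEN = """\
; constructed db.192 fragment: the PTR target lacks its trailing dot
10    IN PTR www.ehager.com
"""
REVERSE_FIXED = """\
10    IN PTR www.ehager.com.
10    IN PTR ehager.com.
"""
REVERSE_ORIGIN = "10.168.192.in-addr.arpa."

if __name__ == "__main__":
    for label, rev in (("broken", REVERSE_BROKEN), ("fixed", REVERSE_FIXED)):
        print(label, check_consistency(FORWARD_ZONE, "ehager.com.", rev, REVERSE_ORIGIN))
```

Run against the broken fragment it reports that the PTR for 192.168.10.10 points at `www.ehager.com.10.168.192.in-addr.arpa.` rather than at the two forward names, and flags the in-addr.arpa suffix on a hostname as a probable missing dot; the fixed fragment produces no findings.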
Michael Steele_2
Honored Contributor

Re: entry in /etc/hosts to resolve inside DMZ

Investigate these possibilities.

1) /etc/hosts
2) db.domain.name
3) /etc/resolv.conf
4) CNAME record in 'hosts_to_named'

1) Aliases can be included in /etc/hosts.

192.6.1.1 ehager ehager.com www.ehager.com

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90135/B2355-90135_top.html&con=/hpux/onlinedocs/B2355-90135/00/00/24-con.html&toc=/hpux/onlinedocs/B2355-90135/00/00/24-toc.html&searchterms=alias%7c/etc/hosts&queryid=20030430-060742

2) db.domain.name

Provides sub domains with the NS record. For example:

IN NS www.ehager.com

NOTE: My concern here is that 'www' is a reserved word and won't be a valid sub.domain to 'ehager.com'.

3) /etc/resolv.conf

There is a 'search' option for adding up to six additional domains. For example:

domain ehager.com
nameserver 192.XXX.XXX.XXX
search www.ehager.com

NOTE: This option will actually go out on the network looking for 'www.ehager.com' and create a lot of network traffic.

NOTE2: Can go in any order.

search www.ehager.com
domain ehager.com
nameserver 192.XXX.XXX.XXX


http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90147/B2355-90147_top.html&con=/hpux/onlinedocs/B2355-90147/00/00/28-con.html&toc=/hpux/onlinedocs/B2355-90147/00/00/28-toc.html&searchterms=search%7c/etc/resolv.conf&queryid=20030430-062150

4) 'CNAME' - Canonical Name Record. Creates an alias of a canonical name. The alias gains all properties of the original, including IP addresses and mail routes. For example:

alpha2 IN A 1.2.3.4
www IN CNAME alpha2

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B9106-90008/B9106-90008_top.html&con=/hpux/onlinedocs/B9106-90008/00/01/153-con.html&toc=/hpux/onlinedocs/B9106-90008/00/01/153-toc.html&searchterms=CNAME%7chosts_to_named&queryid=20030430-063833

In closing I would add aliases first to the /etc/hosts file before attempting these other 'not often used' solutions.
Support Fatherhood - Stop Family Law
Todd Whitcher
Esteemed Contributor

Re: entry in /etc/hosts to resolve inside DMZ

One Note on /etc/resolv.conf

Check man for resolv.conf on HPUX for syntax.

The domain and search keywords are mutually exclusive. If more than one instance of these keywords is present, the last instance overrides.

So if domain and search exist in /etc/resolv.conf the resolver only pays attention to the last thing it reads. If you use search put your local domain first.

example:
/etc/resolv.conf
search hp.com cup.hp.com atl.hp.com ( up to 6 )
nameserver
nameserver
nameserver

Here hp.com will be used for my domain.

search Search list for host-name lookup. If the search
option is not used the search list will contain
only the local domain name. The search list
can be changed by listing the desired domain
search path following the search keyword with
spaces or tabs separating the names. Most
resolver queries will be attempted using each
component of the search path in turn until a match
is found. Note that this process may be slow and
generates a lot of network traffic if the servers
for the listed domains are not local, and that
queries time out if no server is available for one
of the domains.

The search list is currently limited to six
domains with a total of 256 characters.

The first domain in the search list must be the
local domain for short names to work properly in
various files (such as .rhosts and inetd.sec)

Also


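The resolv.conf rules Todd quotes above (domain and search mutually exclusive, last instance wins, at most six search domains and 256 characters, local domain first) are easy to get wrong in a file that was edited by several people. The following is an added example, not code from the thread or from the HP-UX resolver, that models those rules over a resolv.conf text and shows which names the resolver would actually try for a short lookup. The two sample files are constructed from the configurations quoted earlier in the thread; the address 192.0.2.53 is a placeholder, and the ndots=1 expansion order in `expand` is an assumption about the classic BIND resolver, not something the thread states.

```python
"""Model the HP-UX resolv.conf semantics quoted in this thread. Added example,
not code from the thread; sample files below are constructed."""

MAX_SEARCH_DOMAINS = 6
MAX_SEARCH_CHARS = 256


def parse_resolv(text, local_domain=None):
    """Return {'search': [...], 'nameservers': [...], 'warnings': [...]}.
    'domain' and 'search' both set the search list; the last one read wins."""
    search, nameservers, warnings, seen = [], [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key, args = fields[0].lower(), fields[1:]
        if key == "domain" and args:
            seen.append(key)
            search = [args[0]]           # 'domain' is a one-entry search list
        elif key == "search" and args:
            seen.append(key)
            search = list(args)
        elif key == "nameserver" and args:
            nameservers.append(args[0])
        # other keywords are ignored by this model
    if len(seen) > 1:
        warnings.append(f"domain/search are mutually exclusive; the last instance "
                        f"('{seen[-1]}') wins and earlier lines are ignored")
    if len(search) > MAX_SEARCH_DOMAINS:
        warnings.append(f"search list has {len(search)} domains; "
                        f"only the first {MAX_SEARCH_DOMAINS} are used")
        search = search[:MAX_SEARCH_DOMAINS]
    if len(" ".join(search)) > MAX_SEARCH_CHARS:
        warnings.append(f"search list exceeds {MAX_SEARCH_CHARS} characters")
    if local_domain and search and search[0].lower() != local_domain.lower():
        warnings.append(f"first search domain is {search[0]}, not the local "
                        f"domain {local_domain}; short names will resolve oddly")
    if not nameservers:
        warnings.append("no nameserver lines; the resolver falls back to the local host")
    return {"search": search, "nameservers": nameservers, "warnings": warnings}


def expand(name, conf):
    """Names the resolver tries, in order, for a lookup of `name`.
    Assumption (classic resolver, ndots=1): an absolute name is tried as-is
    only; a name containing a dot is tried as-is before the search list; a
    bare short name goes through the search list and is tried bare last."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{d}" for d in conf["search"]]
    return [name] + suffixed if "." in name else suffixed + [name]


# Constructed sample files modelled on the thread's examples.
SEARCH_STYLE = """\
search hp.com cup.hp.com atl.hp.com
nameserver 10.10.10.4
"""
DOMAIN_THEN_SEARCH = """\
domain ehager.com
nameserver 192.0.2.53
search www.ehager.com
"""

if __name__ == "__main__":
    for label, text in (("search style", SEARCH_STYLE), ("domain+search", DOMAIN_THEN_SEARCH)):
        conf = parse_resolv(text, local_domain="ehager.com" if "ehager" in text else "hp.com")
        print(label, conf["search"], conf["warnings"])
        print("  lookup of 'ehager' tries:", expand("ehager", conf))
```

For the domain-then-search file the model reports the mutual-exclusion warning and shows that a lookup of the short name `ehager` is attempted as `ehager.www.ehager.com` first, which is why appending a hostname as a search domain produces the extra traffic and odd results mentioned in the thread.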
pat hayes
Advisor

Re: entry in /etc/hosts to resolve inside DMZ

Thanks to all for the suggestions and ideas. I finally gave up trying to make my change to /etc/hosts and using hosts_to_named and just made my changes directly to db.domain and db.192 files. I could then successfully find www.ehager.com with nslookup from HP-UX and from Windows 2000 PCs but still was unsuccessful from Windows 98 PC. Have decided to use local hosts files on the few Windows 98 PCs we have.

Thanks!!