LAN DNS server behind dialup firewall

Post by The Nose Who Kno » Sun, 11 Mar 2001 13:57:06

Howdy all,

I'm having trouble configuring BIND to do exactly what I want, and
lately I'm despairing of it even being possible.

My LAN has a firewall (LRP) that controls the dial-up line and acts as
the gateway router for the other hosts.  A separate host provides DNS to
the LAN.

        [ The Net ]---/  /---[ Firewall/Gateway ]
                                       | 192.168.1.1
                                       |
            [ DNS Server ]-------------+-----[ Other hosts ]
             192.168.1.5                        192.168.1.*

What I want is for all the hosts on the LAN to use the local primary DNS
server 192.168.1.5 (I will be adding a secondary soon) for all DNS
queries.  This means the local DNS server must also give responses for
global DNS queries.

The point it falls apart, of course, is that the connection to the
internet is intermittent, and there is no simple way for the DNS server
to know the link status without trying a connection.  I've seen
solutions suggested for dialup lines, but they all assume BIND is
running on the same host that controls the PPP link, which is not the
case here, and I don't want it to be because that would complicate the
firewall (bad security).

When I use 192.168.1.5 as the sole nameserver, its BIND must be
restarted every time the link status changes to clear its cache;
otherwise it will continue to return "host unknown" if that result is
cached.  When I use other nameservers provided by my ISP, name
resolution takes interminably long when the link is down because the
hosts are waiting for DNS request timeouts to hosts that are not
contactable, and takes a long time even for local hosts because the
ISP's name servers know nothing about my local hosts.

I've tried messing with the forwarding options for BIND, but they still
seem dependent on the permanent availability of the uplink DNS servers.

My ideal solution would be to configure the 192.168.1.5 BIND so that it
can be used as the sole nameserver entry for my LAN hosts, and will
immediately respond with "host unknown" for hosts outside my LAN when
the link is down instead of waiting for several timeouts.

If ICMP can tell me the network is unreachable, why can't a DNS query
figure it out?  Is that because it's UDP?  Can I somehow get BIND to use
ICMP to check the availability of an upline DNS server before sending
its UDP packet?

Is what I'm trying to achieve even possible?  From reading the DNS-HOWTO
and O'Reilly "DNS and BIND", I can't tell; they have pathetically little
coverage of the specific issues faced on an intermittent link.

--
 \
  `\
_o__) BIGNOSE

Post by root » Mon, 12 Mar 2001 05:17:56

> I've seen
> solutions suggested for dialup lines, but they all assume BIND is
> running on the same host that controls the PPP link, which is not the
> case here, and I don't want it to be because that would complicate the
> firewall (bad security).

This is just a thought ... have you considered setting up a caching
only nameserver on the firewall (192.168.1.1) but keeping 192.168.1.5
the master nameserver for the zone 0.1.168.192.in-addr.arpa.  I do not
think that this compromises security any worse than opening the DNS
port on the firewall.

Post by Craig Orsinge » Mon, 12 Mar 2001 06:03:23

> Howdy all,

> I'm having trouble configuring BIND to do exactly what I want, and
> lately I'm despairing of it even being possible.

> My LAN has a firewall (LRP) that controls the dial-up line and acts as
> the gateway router for the other hosts.  A separate host provides DNS to
> the LAN.

>         [ The Net ]---/  /---[ Firewall/Gateway ]
>                                        | 192.168.1.1
>                                        |
>             [ DNS Server ]-------------+-----[ Other hosts ]
>              192.168.1.5                        192.168.1.*

> What I want is for all the hosts on the LAN to use the local primary DNS
> server 192.168.1.5 (I will be adding a secondary soon) for all DNS
> queries.  This means the local DNS server must also give responses for
> global DNS queries.

> The point it falls apart, of course, is that the connection to the
> internet is intermittent, and there is no simple way for the DNS server
> to know the link status without trying a connection.  I've seen
> solutions suggested for dialup lines, but they all assume BIND is
> running on the same host that controls the PPP link, which is not the
> case here, and I don't want it to be because that would complicate the
> firewall (bad security).

        If you're using a recent BIND, you might try playing with
the "max-ncache-ttl" option, but that's really not what it's for.

> When I use 192.168.1.5 as the sole nameserver, its BIND must be
> restarted every time the link status changes to clear its cache
> otherwise it will continue to return "host unknown" if that result is
> cached.  When I use other nameservers provided by my ISP, name
> resolution takes interminably long when the link is down because the
> hosts are waiting for DNS request timeouts to hosts that are not
> contactable, and takes a long time even for local hosts because the
> ISP's name servers know nothing about my local hosts.

        I use a similar setup, except my firewall does dialup. In a way,
this is much easier, since there's a fairly predictable time in which
there will (usually) be a connection.

> I've tried messing with the forwarding options for BIND, but they still
> seem dependent on the permanent availability of the uplink DNS servers.

        Sort of. The only solution I've found that works for dialup is to have
several forwarders in the list. Usually the first one or two entries fail
before I'm connected. I suppose if there were enough possible entries,
you could do this too, but maybe not.

> My ideal solution would be to configure the 192.168.1.5 BIND so that it
> can be used as the sole nameserver entry for my LAN hosts, and will
> immediately respond with "host unknown" for hosts outside my LAN when
> the link is down instead of waiting for several timeouts.

        Perhaps you can have two different name server configurations?
Run one when the Internet link is down, the other when it's up. You
can switch between them in the manner I describe below. The config
you use when you're isolated would only be a master for 192.168.1.0,
and would have no root cache or forwarding capability.

> If ICMP can tell me the network is unreachable, why can't a DNS query
> figure it out?  Is that because it's UDP?  Can I somehow get BIND to use
> ICMP to check the availability of an upline DNS server before sending
> its UDP packet?

        BIND seems to assume that if it doesn't receive an answer from one
nameserver within the timeout period, it should just try another or give
up. UDP is a protocol that doesn't define any send/response handshakes
like TCP does, but what happens after not receiving an answer to your
query is up to the programmer.

> Is what I'm trying to achieve even possible?  From reading the DNS-HOWTO
> and O'Reilly "DNS and BIND", I can't tell; they have pathetically little
> coverage of the specific issues faced on an intermittent link.

        Unfortunately, BIND isn't very good at this sort of thing. We had
to deal with this situation quite a bit in my last job, and never came up
with a good solution. It is also unfortunate that many programs are
written assuming that 'gethostbyname()' will succeed quickly, as
though everyone had a fast, permanent Internet connection like the
guys who wrote the program do.

        The only thing I can suggest is to write a program (a shell script
would probably work) that restarts named when you know that you
have a connection. This is messy, of course, but it will clear your
cache. The process ID of the named is in a file called "named.pid",
and depending what Unix/Linux you're running it's either in /etc,
/usr/local/etc, or /var/run (the latter more likely on new systems).
Two shell commands of the form:

        kill `cat /etc/named.pid`
        named

        should restart named. Those quotes are backquotes, of course.

        Another thing you should check, if you haven't already, is that
in your /etc/nsswitch.conf file, you have things set up so that you're
not trying to access DNS for network names, etc.

Post by root » Mon, 12 Mar 2001 06:39:34

> >  I've seen
> > solutions suggested for dialup lines, but they all assume BIND is
> > running on the same host that controls the PPP link, which is not the
> > case here, and I don't want it to be because that would complicate the
> > firewall (bad security).

> This is just a thought ... have you considered setting up a caching
> only nameserver on the firewall (192.168.1.1) but keeping 192.168.1.5
> the master nameserver for the zone 0.1.168.192.in-addr.arpa.  I do not
> think that this compromises security any worse than opening the DNS
> port on the firewall.

Ooops 1.168.192.in-addr.arpa.  And use 192.168.1.1 as the only root
server for 192.168.1.5 in root hints.

Post by The Nose Who Kno » Mon, 12 Mar 2001 10:08:43

> >         [ The Net ]---/  /---[ Firewall/Gateway ]
> >                                        | 192.168.1.1
> >                                        |
> >             [ DNS Server ]-------------+-----[ Other hosts ]
> >              192.168.1.5                        192.168.1.*

> > What I want is for all the hosts on the LAN to use the local primary DNS
> > server 192.168.1.5 (I will be adding a secondary soon) for all DNS
> > queries.  This means the local DNS server must also give responses for
> > global DNS queries.

> I use a similar setup, except my firewall does dialup. In a way, this
> is much easier, since there's a fairly predictable time in which there
> will (usually) be a connection.

My firewall does the dialup to the net (that's what the diagram is
trying to indicate).  I want the setup to work seamlessly whether the
Internet connection is up or down -- I can't afford to have it up the
whole time.

Here's a summary of what I want the local DNS server to do:
  - Local DNS queries: Respond immediately, don't forward the request.
  - Global DNS queries:
      - Link is up: Forward queries to ISP DNS servers.
      - Link is down: Return failure, don't cache.

Again, the DNS server isn't running on the firewall; the link can be up
or down arbitrarily; I'd much rather not add any more software to the
firewall (to keep it simple).

I find it hard to believe this is so uncommon, yet I have difficulty
explaining it to anyone.  Is it clearer now?  I'm in the frustrating
position that I know enough to feel that there's no reason it shouldn't
be possible, even simple; yet I know too little to explain it exactly.

> Sort of. The only solution I've found that works for dialup is to have
> several forwarders in the list. Usually the first one or two entries
> fail before I'm connected. I suppose if there were enough possible
> entries, you could do this too, but maybe not.

It's not a matter of limping along until the link comes up, because it
can't expect that the link *will* be up in the near future; I want
things to work indefinitely while the link is down, and when the link is
up I can automatically get to outside sites without restarting BIND.

> Perhaps you can have two different name server configurations?  Run
> one when the Internet link is down, the other when it's up. You can
> switch between them in the manner I describe below. The config you use
> when you're isolated would only be a master for 192.168.1.0, and would
> have no root cache or forwarding capability.

This seems to be the common solution.  However, the DNS server is not on
the firewall, and I have no way for the DNS server to be notified when
the link is up or down; the firewall intentionally makes no connections
into the LAN (in fact, these are firewalled out).

> Unfortunately, BIND isn't very good at this sort of thing. We had to
> deal with this situation quite a bit in my last job, and never came up
> with a good solution. It is also unfortunate that many programs are
> written assuming that 'gethostbyname()' will succeed quickly, as
> though everyone had a fast, permanent Internet connection like the
> guys who wrote the program do.

Yeah, tell me about it.  Netscape in particular will hang *all* of its
windows for ten minutes or more sometimes waiting for a timeout from a
hostname typo.

> Another thing you should check, if you haven't already, is that in
> your /etc/nsswitch.conf file, you have things set up so that you're
> not trying to access DNS for network names, etc.

I'm using DNS to serve my local host mappings; what are you suggesting
instead?  NIS?

For that matter, if BIND is no good at this, are there DNS servers
around that would handle this situation better?

Thanks for your suggestions, it's good just to be getting people's
opinions on this.

--
 \
  `\
_o__) BIGNOSE

Post by The Nose Who Kno » Mon, 12 Mar 2001 10:10:24

> > case here, and I don't want it to be because that would complicate the
> > firewall (bad security).

> This is just a thought ... have you considered setting up a caching
> only nameserver on the firewall (192.168.1.1) but keeping 192.168.1.5
> the master nameserver for the zone 0.1.168.192.in-addr.arpa.  I do not
> think that this compromises security any worse than opening the DNS
> port on the firewall.

It's not that I think the particular piece of software would be a
security hole, but that a more complex firewall is a less secure
firewall in general.  Also, the firewall is running from an LRP floppy,
which keeps me very honest in terms of adding software -- I can't
because there's no more room :-)

--
 \
  `\
_o__) BIGNOSE

Post by keit » Mon, 12 Mar 2001 11:11:18

> > > case here, and I don't want it to be because that would complicate the
> > > firewall (bad security).

> > This is just a thought ... have you considered setting up a caching
> > only nameserver on the firewall (192.168.1.1) but keeping 192.168.1.5
> > the master nameserver for the zone 0.1.168.192.in-addr.arpa.  I do not
> > think that this compromises security any worse than opening the DNS
> > port on the firewall.

> It's not that I think the particular piece of software would be a
> security hole, but that a more complex firewall is a less secure
> firewall in general.  Also, the firewall is running from an LRP floppy,
> which keeps me very honest in terms of adding software -- I can't
> because there's no more room :-)

> --
>  \
>   `\
> _o__) BIGNOSE

If you install "bind" and the "caching-nameserver" RPMs on the
firewall then it's all set up for you automatically.  Then just
make your master nameserver (192.168.1.5) (authoritative for
only your local domain) a non-recursive nameserver so that it
will refer all requests that are not on your local domain to the
caching nameserver (192.168.1.1).  Then you only reference your
master nameserver (192.168.1.5) as the only nameserver for all
your local hosts.  This way you only need to worry about the
firewall bind cache (as there will be no cache on 192.168.1.5).
All your local domain management will be limited to your master
nameserver (192.168.1.5) and no request for your local domain
will be sent to the caching nameserver (or beyond) because
the requests will be first sent to your master nameserver which
will give an authoritative response to any names on your local
domain (even if they are unknown).  This seems simple to me,
but maybe I'm missing something (I've never tried this setup
but I don't see why it wouldn't work).

I think with this setup you would definitely want to set up some
slaves on your local domain, because if the master is down
then no names would be resolved (even external names since the
local hosts would not query the caching nameserver automatically,
they need to be referred to the caching nameserver by your local
domain nameserver).

Post by Craig Orsinge » Tue, 13 Mar 2001 04:36:56

>> >         [ The Net ]---/  /---[ Firewall/Gateway ]
>> >                                        | 192.168.1.1
>> >                                        |
>> >             [ DNS Server ]-------------+-----[ Other hosts ]
>> >              192.168.1.5                        192.168.1.*

>> > What I want is for all the hosts on the LAN to use the local primary
>> > DNS server 192.168.1.5 (I will be adding a secondary soon) for all
>> > DNS queries.  This means the local DNS server must also give
>> > responses for global DNS queries.

>> I use a similar setup, except my firewall does dialup. In a way, this
>> is much easier, since there's a fairly predictable time in which there
>> will (usually) be a connection.

> My firewall does the dialup to the net (that's what the diagram is
> trying to indicate).  I want the setup to work seamlessly whether the
> Internet connection is up or down -- I can't afford to have it up the
> whole time.

        This is what my network setup at home does. I have the named
set up to try several nameservers before giving up on an outside
address. I've found no better way of dealing with this. When you wrote
that you have an intermittent connection, I assumed you meant it went
up or down in a way beyond your control.

> Here's a summary of what I want the local DNS server to do:
>   - Local DNS queries: Respond immediately, don't forward the request.
>   - Global DNS queries:
>       - Link is up: Forward queries to ISP DNS servers.
>       - Link is down: Return failure, don't cache.

> Again, the DNS server isn't running on the firewall; the link can be up
> or down arbitrarily; I'd much rather not add any more software to the
> firewall (to keep it simple).

        The solution I was proposing wouldn't add any software to the
firewall. You can use ping to test for an external connection (one of
your ISP's routers, say), and when it's up, change out the name
server configuration. Like I said, it's messy. Does your connection
come up at particular times? If so, you might be able to run a script
using cron at those times that would change the name server
configuration if the link was actually up.

> I find it hard to believe this is so uncommon, yet I have difficulty
> explaining it to anyone.  Is it clearer now?  I'm in the frustrating
> position that I know enough to feel that there's no reason it shouldn't
> be possible, even simple; yet I know too little to explain it exactly.

        It's clearer, yes, and it is a common situation. I don't know of
a really elegant solution.

> It's not a matter of limping along until the link comes up, because it
> can't expect that the link *will* be up in the near future; I want
> things to work indefinitely while the link is down, and when the link is
> up I can automatically get to outside sites without restarting BIND.

        [snip]

>> Another thing you should check, if you haven't already, is that in your
>> /etc/nsswitch.conf file, you have things set up so that you're not
>> trying to access DNS for network names, etc.

> I'm using DNS to serve my local host mappings; what are you suggesting
> instead?  NIS?

        No, I'm suggesting that for things like service and network names,
you restrict your lookups to files only. I don't use NIS, and, in fact, I
remove all references to it in /etc/nsswitch.conf.

Post by The Nose Who Kno » Tue, 13 Mar 2001 15:30:04

> I'm having trouble configuring BIND to do exactly what I want, and
> lately I'm despairing of it even being possible.

> My LAN has a firewall (LRP) that controls the dial-up line and acts as
> the gateway router for the other hosts.  A separate host provides DNS to
> the LAN.

> What I want is for all the hosts on the LAN to use the local primary DNS
> server 192.168.1.5 (I will be adding a secondary soon) for all DNS
> queries.  This means the local DNS server must also give responses for
> global DNS queries.

Okay, I've solved this.  Thanks to all who provided advice and
encouragement; I was finally forced to re-learn what I thought I knew
about how BIND works.

The solution lies in the fact that I was blinkered by the terms
"caching-only nameserver" and "forward-only nameserver" into thinking
that the *only* function such a server could provide would be to cache
or forward, respectively.

I was wrong.  I started from scratch, setting up a new BIND on another
machine to be both a caching-only server, and a forward-only server; and
then adding the master entries for the local LAN domain.

If anyone wants more info, I can only say that the DNS HOWTO and
O'Reilly's "DNS and BIND" have all the info, but you need to be aware of
some terminology.

"caching-only nameserver" does *not* mean that the server can't do
anything but cache.  It means it will cache resolutions but will not
perform lookups.  (If the server is authoritative for any domain, i.e.
it is master or slave for a domain, it is no longer "caching-only" but
instead is a "caching" nameserver.)

"forward-only nameserver" does *not* mean that the server can't do
anything but forward requests.  It means that it will forward requests
but will not perform recursive requests by itself.

Neither of the above functions prevents the server from being a master or
slave server of a domain, for example for the local LAN.

So, what I now have is a master and slave nameserver for my local
domain, which are both caching and forward-only style servers.  This
means that they will happily be authoritative for my local domain, but
will forward other responses to my ISP and give up immediately if that
fails; they will also cache positive responses for domains they are not
authoritative for.

This is exactly how I wanted it to work, and it's working.  It only took
the stubbornness to try again, and the humility to assume I was wrong
about everything and learn it again :-)

Thanks again to all who helped.

--
 \
  `\
_o__) BIGNOSE
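What the final post describes, written out as a named.conf for the 192.168.1.5 server. This is an added example, not the poster's own file: the local zone name "lan.example", the zone file names, and the ISP resolver addresses 192.0.2.53/192.0.2.54 (documentation addresses) are placeholders; the `max-ncache-ttl` line is the option mentioned earlier in the thread, used here to bound how long a negative answer survives a link change.

```conf
// Added example (not from the thread): BIND 8/9-style named.conf for the
// LAN server at 192.168.1.5, combining "forward-only" with master zones.
// Placeholders: zone "lan.example", the zone file names, and the ISP
// resolvers 192.0.2.53 / 192.0.2.54 (documentation addresses).

options {
    directory "/var/named";

    // Forward-only: never walk the root servers ourselves. Every name we
    // are not authoritative for goes to the ISP's resolvers. When the
    // dialup link is down those are unreachable and the query fails with
    // SERVFAIL after the forwarder timeout instead of wandering the
    // Internet; BIND of this era does not cache SERVFAIL, so the next
    // query after the link comes up is sent out fresh.
    forward only;
    forwarders {
        192.0.2.53;   // ISP resolver (placeholder)
        192.0.2.54;   // second ISP resolver (placeholder)
    };

    // Bound negative caching: a genuine NXDOMAIN learned from the ISP is
    // kept at most this many seconds, so a stale "host unknown" cannot
    // linger for hours after the link status changes (the default is
    // three hours).
    max-ncache-ttl 60;

    // Least privilege: only the LAN and the server itself may query or
    // recurse through this server, so it cannot be abused as an open
    // resolver if a firewall rule ever lets DNS in from outside.
    allow-query     { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

// Being forward-only does not stop the server from being master for the
// local zones: answers for these come straight from the zone files, with
// no forwarding, whether the link is up or down.
zone "lan.example" {
    type master;
    file "lan.example.zone";    // assumed file name
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "192.168.1.rev";       // assumed file name
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";       // assumed file name
};
```

The planned secondary uses the same options block and the same two LAN zones declared as `type slave; masters { 192.168.1.5; };`, so either server answers local names with no uplink at all.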

 
 
 
