Port Forwarding and Name Serving
- We have an internal network and the internet as an external network. All web and ftp serving requests are port forwarded by the firewall to the appropriate host(s) in the internal network. "Gateway", our firewall, is also our name server to the external world. That is, it provides the external IP addresses (24.113.94.87 and 24.113.98.164) for the hosted domains (novatek.co.nz and cmex.org) respectively.
- There is a wrinkle with port forwarding in the IP-masquerading firewall: if an internal host looks up the address of, say, www.cmex.org, it will get the external IP address of the firewall, 24.113.98.164. The internal host will send the server request to 24.113.98.164 via the internal gateway 192.168.0.254. The firewall (Gateway) uses its routing table to decide where to send packets. Seeing 24.113.98.164 as its own external interface, it keeps the packet in the system and never gives it a chance to reach the port forwarding function. If it is an ftp request, the firewall's (Gateway's) own ftp server is reached, and if it is a www request, it is lost, as there is no www server on the gateway.
- This wrinkle requires us to have internal name resolution that is different from the external name resolution. External name resolution is done on Gateway as the primary name server. On the internal network, internal name resolution is done on Henry. This is, in a way, a blessing in disguise, as it reduces the internal traffic and the workload at the firewall. The disadvantages are the complexity of running DNS and the desirability of a secondary name server for reliability. We live on the edge: no secondary internal DNS here yet.
- Note that Gateway provides the external internet name serving function; however, as Gateway is also part of the internal network, its resolv.conf looks to 192.168.0.3 (Henry) for its own name resolution.
- References
- Bind Online Documentation
- DNS-HOWTO
- Trinity OS Ch 24.
- DNS and Bind, Second Edition, from O'Reilly and Associates
Installing and Configuring the Name Server
- This section is not a tutorial on how to do DNS; it just specifies Gateway's external DNS configuration with limited explanation of why some things are done. The reader is referred to Trinity OS, the DNS-HOWTO, and DNS and Bind for very good descriptions of how DNS works, and how to work DNS.
- If Bind is not present on the system (rpm -qi bind), get it (say from rpmfind.net) and install it (rpm -Uhv bind*). Create the following configuration files:
- named.conf
- >>>>>>>>>>>>>>>>>/etc/named.conf
# /etc/named.conf
options {
        // Root directory for master (db) files.
        directory "/var/named";
        // If a lookup is not in our cache, query these nameservers
        // (our ISP's) first, before attempting to resolve it ourselves.
        forward first;
        forwarders {
                24.2.10.33;
                24.2.10.34;
        };
        // only accept DNS requests on port 53 and on valid IP addresses
        listen-on port 53 {
                127.0.0.1;      // localhost
                192.168.0.254;  // internal network interface
                24.113.94.87;   // external network interface
                24.113.98.164;  // aliased external network interface
        };
        // may be required if this name server is behind a firewall
        // query-source address * port 53;
};

// The next two zones are the minimum required for a caching nameserver.
zone "." {
        type hint;
        file "db.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        notify no;
        file "db.127.0.0";
};

// Master (primary) serving zones
zone "novatek.co.nz" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;         // ns1.granitecanyon.com
                140.200.128.13;         // ns1.waikato.ac.nz
                24.113.94.87;
                24.113.98.164;
                127.0.0.1;
                192.168.0/24;
        };
        file "primary/db.novatek.co.nz";
};

zone "cmex.org" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;         // ns1.granitecanyon.com
                24.113.94.87;
                24.113.98.164;
                127.0.0.1;
                192.168.0/24;
        };
        file "primary/db.cmex.org";
};

zone "87.94.113.24.in-addr.arpa" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;         // ns1.granitecanyon.com
                140.200.128.13;         // ns1.waikato.ac.nz
                24.113.94.87;
                24.113.98.164;
                127.0.0.1;
                192.168.0/24;
        };
        file "primary/db.24.113.94.87";
};

zone "164.98.113.24.in-addr.arpa" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;         // ns1.granitecanyon.com
                24.113.94.87;
                24.113.98.164;
                127.0.0.1;
                192.168.0/24;
        };
        file "primary/db.24.113.98.164";
};
<<<<<<<<<<<<<<<<<<<<<<<</etc/named.conf
- Getting the root hints file for the first time (without a properly configured DNS)
- Recall that Gateway's own default DNS is intended to be Henry, not itself. However, Henry is not set up yet. So how do we resolve a root name server's name in order to dig the hints file? The answer is that we cheat: we temporarily add the IP addresses of our ISP's nameservers to our /etc/resolv.conf file. The cheat resolv.conf now looks like:
- cheat resolv.conf (change back when finished)
- >>>>>>>>>>>>>/etc/resolv.conf
domain novatek.co.nz
nameserver 192.168.0.3
nameserver 24.2.10.33
nameserver 24.2.10.34
<<<<<<<<<<<<</etc/resolv.conf
- This should allow us to resolve names using our ISP's name servers so that we can dig. To go digging, enter the following command.
- dig @a.root-servers.net . ns > /var/named/db.root
- Check that the file /var/named/db.root looks something like the following, then remove the last two nameserver entries from /etc/resolv.conf.
- db.root
- >>>>>>>>>>>>>/var/named/db.root
; <<>> DiG 8.2 <<>> @a.root-servers.net . ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33

;; Total query time: 147 msec
;; FROM: gateway.novatek.co.nz to SERVER: a.root-servers.net  198.41.0.4
;; WHEN: Sat Jul  3 16:05:12 1999
;; MSG SIZE  sent: 17  rcvd: 436
<<<<<<<<<<<<</var/named/db.root
- db.127.0.0
- >>>>>>>>>>>>>/var/named/db.127.0.0
$TTL 1D
@       IN SOA  gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999070313      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN NS   gateway.novatek.co.nz.
1       IN PTR  localhost.
<<<<<<<<<<<<</var/named/db.127.0.0
- db.novatek.co.nz
- >>>>>>>>>>>>>/var/named/primary/db.novatek.co.nz
$TTL 1D
@       IN SOA  gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        2000022601      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN NS   ns1
        IN NS   ns1.granitecanyon.com.
        IN NS   ns1.waikato.ac.nz.
        IN RP   jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN TXT  "Jonathan Marks - Fax (707) 221-3689"
        IN MX   10 mail
gateway IN A    24.113.94.87
        IN MX   10 mail
; specific multihomed i/f's
mail    IN A    24.113.94.87
ns1     IN A    24.113.94.87
ftp     IN A    24.113.94.87
www     IN A    24.113.94.87
novatek.co.nz.  IN A    24.113.94.87
; Aliases
jon     IN CNAME www
vanessa IN CNAME www
steven  IN CNAME www
cara    IN CNAME www
<<<<<<<<<<<<<<<<<<<<<</var/named/primary/db.novatek.co.nz
- db.cmex.org
- >>>>>>>>>>>>>>>>>>>>>>/var/named/primary/db.cmex.org
$TTL 1D
@       IN SOA  gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        2000022701      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN NS   ns1.novatek.co.nz.
        IN NS   ns1.granitecanyon.com.
        IN RP   jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN TXT  "Jonathan Marks - Fax (707) 221-3689"
        IN MX   10 mail
; every cmex.org service lives on the aliased external interface
mail    IN A    24.113.98.164
ftp     IN A    24.113.98.164
www     IN A    24.113.98.164
cvs     IN A    24.113.98.164
cmex.org.       IN A    24.113.98.164
<<<<<<<<<<<<<<<<<<<<<<</var/named/primary/db.cmex.org
- db.24.113.94.87
- >>>>>>>>>>>>>>>>>>>>>>>/var/named/primary/db.24.113.94.87
$TTL 1D
@       IN SOA  gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999072302      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN NS   ns1.novatek.co.nz.
        IN NS   ns1.granitecanyon.com.
        IN NS   ns1.waikato.ac.nz.
        IN RP   jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN TXT  "Jonathan Marks - Fax (707) 221-3689"
87.94.113.24.in-addr.arpa.      IN PTR  gateway.novatek.co.nz.
<<<<<<<<<<<<<<<<<<<<<<<</var/named/primary/db.24.113.94.87
- db.24.113.98.164
- >>>>>>>>>>>>>>>>>>>>>>>>>/var/named/primary/db.24.113.98.164
$TTL 1D
@       IN SOA  gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999072302      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN NS   ns1.novatek.co.nz.
        IN NS   ns1.granitecanyon.com.
        IN RP   jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN TXT  "Jonathan Marks - Fax (707) 221-3689"
164.98.113.24.in-addr.arpa.     IN PTR  cmex.org.
<<<<<<<<<<<<<<<<<<<<<</var/named/primary/db.24.113.98.164
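The zone files above are easy to get subtly wrong by hand: a mistyped octet puts a host on an address nobody routes, and a dotted name without its trailing dot is silently read as relative to the zone origin. The port forwarding wrinkle adds a third rule for the internal zones on Henry: they must never hand out the firewall's external addresses, or internal clients will hairpin into the firewall. The following script is an added example, not part of the original page, that checks a BIND zone file against those rules. The external addresses are the two from this page; the sample zone files it writes are constructed for the demonstration, and the internal host address 192.168.0.10 in them is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check a BIND zone file for the split-DNS setup.
#   external mode - every A record must use one of the firewall's external
#                   addresses (the only ones reachable from the internet)
#   internal mode - no A record may use a firewall external address, because
#                   an internal client given one sends its request to the
#                   firewall itself and it never reaches the port forwarder
# In both modes the SOA serial must be YYYYMMDDnn (10 digits) and NS/RP
# targets that contain dots must end with a dot (otherwise they are relative).

EXTERNAL_ADDRS="24.113.94.87 24.113.98.164"    # Gateway's external interfaces

# zone_check MODE FILE : prints one line per problem, returns the problem count
zone_check() {
    awk -v mode="$1" -v ext="$EXTERNAL_ADDRS" '
    function problem(msg) { printf "line %d: %s\n", NR, msg; problems++ }
    function check_serial(s) {
        if (s !~ /^[0-9]+$/ || length(s) != 10)
            problem("SOA serial " s " is not in YYYYMMDDnn form")
    }
    function fqdn_check(name, type) {
        if (name != "@" && name ~ /\./ && name !~ /\.$/)
            problem(type " target " name " has dots but no trailing dot (read as relative to the origin)")
    }
    BEGIN { problems = 0; n = split(ext, a, " "); for (i = 1; i <= n; i++) isext[a[i]] = 1 }
    # track the owner name: a line starting with whitespace reuses the previous owner
    { lead = ($0 ~ /^[ \t]/); sub(/;.*/, ""); if (NF == 0) next; if (!lead) owner = $1 }
    # SOA: the serial is either right after "(" or the first field of the next line
    /[ \t]SOA[ \t]/ {
        for (i = 1; i <= NF; i++) if ($i == "(" && i < NF) { check_serial($(i + 1)); next }
        insoa = 1; next
    }
    insoa == 1 { check_serial($1); insoa = 0 }
    {
        for (i = 2; i < NF; i++) {
            if ($i == "A") {
                addr = $(i + 1)
                if (mode == "external" && !(addr in isext))
                    problem(owner " A " addr " is not a firewall external address")
                if (mode == "internal" && (addr in isext))
                    problem(owner " A " addr " is a firewall external address; internal clients would hairpin into the firewall")
            }
            if ($i == "NS") fqdn_check($(i + 1), "NS")
            if ($i == "RP") { fqdn_check($(i + 1), "RP"); if (i + 2 <= NF) fqdn_check($(i + 2), "RP") }
        }
    }
    END { exit problems }' "$2"
}

# Write three constructed sample zones into directory $1 (demonstration data):
#   external-bad : modelled on db.cmex.org, with a mistyped octet and an RP
#                  target missing its trailing dot
#   internal-bad : an internal zone that hands out the firewall's external address
#   internal-ok  : the same zone pointing at an assumed internal web host
write_samples() {
    cat > "$1/external-bad" <<'EOF'
$TTL 1D
@       IN SOA  gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        2000022701      ; serial
                        8H 2H 1W 1D )   ; refresh retry expire min TTL
        IN NS   ns1.novatek.co.nz.
        IN RP   jon.novatek.co.nz hostmaster.novatek.co.nz.
        IN MX   10 mail
mail    IN A    24.113.94.164   ; mistyped third octet
www     IN A    24.113.98.164
EOF
    cat > "$1/internal-bad" <<'EOF'
$TTL 1D
@       IN SOA  henry.novatek.co.nz. hostmaster.novatek.co.nz. (
                        2000022701 8H 2H 1W 1D )
        IN NS   henry.novatek.co.nz.
www     IN A    24.113.98.164   ; the firewall's external address: hairpins
EOF
    cat > "$1/internal-ok" <<'EOF'
$TTL 1D
@       IN SOA  henry.novatek.co.nz. hostmaster.novatek.co.nz. (
                        2000022701 8H 2H 1W 1D )
        IN NS   henry.novatek.co.nz.
www     IN A    192.168.0.10    ; assumed internal web host
EOF
}

# Run as "sh zone_check.sh demo" to see the checks applied to the samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for f in external-bad internal-bad internal-ok; do
        case $f in external*) mode=external ;; *) mode=internal ;; esac
        echo "== $f ($mode)"; zone_check "$mode" "$d/$f" || echo "   $? problem(s)"
    done
    rm -rf "$d"
fi
```

Run it as `zone_check external /var/named/primary/db.cmex.org` on Gateway, and in internal mode against Henry's copies of the same zones; a zero exit status means no problems were found.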
- That's all the files set up for Gateway. Issue a
- /etc/rc.d/init.d/named restart
- and watch /var/log/messages for a trace similar to the following. In a separate xterm / console issue a:
- tail -f /var/log/messages
----------------------------
Feb 27 23:19:11 gateway named: named shutdown succeeded
Feb 27 23:19:13 gateway named[22367]: starting.  named 8.2.2-P5 Fri Feb 4 15:25:10 EST 2000 ^Iroot@porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P5/src/bin/named
Feb 27 23:19:13 gateway named[22367]: hint zone "" (IN) loaded (serial 0)
Feb 27 23:19:14 gateway named[22367]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1999070314)
Feb 27 23:19:14 gateway named[22367]: master zone "novatek.co.nz" (IN) loaded (serial 2000022601)
Feb 27 23:19:14 gateway named[22367]: master zone "cmex.org" (IN) loaded (serial 2000022701)
Feb 27 23:19:14 gateway named[22367]: master zone "87.94.113.24.in-addr.arpa" (IN) loaded (serial 1999072302)
Feb 27 23:19:14 gateway named[22367]: master zone "164.98.113.24.in-addr.arpa" (IN) loaded (serial 1999072302)
Feb 27 23:19:14 gateway named[22367]: listening on [127.0.0.1].53 (lo)
Feb 27 23:19:14 gateway named[22367]: listening on [24.113.94.87].53 (eth0)
Feb 27 23:19:14 gateway named[22367]: listening on [24.113.98.164].53 (eth0:0)
Feb 27 23:19:14 gateway named[22367]: listening on [192.168.0.254].53 (eth1)
Feb 27 23:19:14 gateway named[22367]: Forwarding source address is [0.0.0.0].1054
Feb 27 23:19:14 gateway named: named startup succeeded
Feb 27 23:19:14 gateway named[22368]: group = 102
Feb 27 23:19:15 gateway named[22368]: user = named
Feb 27 23:19:15 gateway named[22368]: Ready to answer queries.
Feb 27 23:19:22 gateway named[22368]: suppressing duplicate notify ("87.94.113.24.in-addr.arpa" IN SOA)
Feb 27 23:19:38 gateway named[22368]: Sent NOTIFY for "164.98.113.24.in-addr.arpa IN SOA" (164.98.113.24.in-addr.arpa); 1 NS, 1 A
Feb 27 23:19:42 gateway named[22368]: Sent NOTIFY for "novatek.co.nz IN SOA" (novatek.co.nz); 2 NS, 2 A
Feb 27 23:19:43 gateway named[22368]: Received NOTIFY answer from 140.200.128.13 for "novatek.co.nz IN SOA"
Feb 27 23:19:43 gateway named[22368]: Sent NOTIFY for "cmex.org IN SOA" (cmex.org); 1 NS, 1 A
Feb 27 23:19:43 gateway named[22368]: Sent NOTIFY for "87.94.113.24.in-addr.arpa IN SOA" (87.94.113.24.in-addr.arpa); 2 NS, 2 A
-----------------------------------------
Ensuring things are working
- I carried out the following sequence to check that things work.
- nslookup - localhost
----------------------
Default Server:  localhost
Address:  127.0.0.1

> ora.com
Server:  localhost
Address:  127.0.0.1

Name:    ora.com
Address:  204.148.40.9

> ora.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    ora.com
Address:  204.148.40.9

> 127.0.0.1
Server:  localhost
Address:  127.0.0.1

Name:    localhost
Address:  127.0.0.1

> ^d
-------------------------
Name Server Maintenance
- Once DNS is running, we need to periodically (say, once a month) update the hints database. The following script is plagiarised from the DNS HOWTO and TrinityOS.
- >>>>>>>>>>>>>>>>>>>>>>>>/var/named/update-db.root
#!/bin/sh
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# No trailing ":" on PATH: an empty final element would put the current
# directory (/var/named) on root's search path.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
cd /var/named || exit 1
dig @a.root-servers.net . ns > root.hints 2> result
DIG_OUTCOME=FAIL
# Accept the new hints only if dig did not fail and really returned root servers.
if [ `grep -c SERVFAIL root.hints` = 0 ] && [ `grep -c ROOT-SERVERS root.hints` -gt 0 ]
then
        DIG_OUTCOME=SUCCESS
        mv -f db.root db.root.old
        cp -f root.hints db.root
        chown root:root db.root
        chmod 444 db.root
        echo -n "Restarting named: " >> result
        /etc/rc.d/init.d/named restart >> result
fi
# Mail the outcome, the hints and any messages to the hostmaster.
(
        echo "To: hostmaster <root>"
        echo "From: system <root>"
        echo "Subject: DNS monthly hints.db update status: $DIG_OUTCOME."
        echo
        cat root.hints result
        echo
) | /usr/sbin/sendmail -t
rm -f result root.hints
exit 0
<<<<<<<<<<<<<<<<<<<<<</var/named/update-db.root
- Now make the file rwx only by root.
chmod 700 /var/named/update-db.root
And put it in the monthly cron job.
ln -s /var/named/update-db.root /etc/cron.monthly/update-db.root
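The acceptance test in update-db.root is coarse: as long as dig did not say SERVFAIL and at least one line mentions ROOT-SERVERS, the old db.root is overwritten and named is restarted. A truncated answer, or one whose NS records arrive without their glue addresses, would pass. The function below is an added example, not from the page or the HOWTOs it borrows from, of a stricter check to run on root.hints before it replaces db.root. It reads dig output in the format shown earlier; the sample files it writes are constructed for the demonstration, using three of the root server addresses from the page's 1999 output.

```shell
#!/bin/sh
# Added example: stricter acceptance test for a freshly dug root hints file.
# Checks that
#   - the answer status is NOERROR,
#   - at least MIN_NS root name servers are listed,
#   - every NS name in the ANSWER section has an A record in ADDITIONAL
#     (a hints file without glue cannot bootstrap resolution), and
#   - every NS name is under ROOT-SERVERS.NET.
MIN_NS=3    # the page's output lists 13; 3 is used here to keep the samples short

# hints_check FILE : prints one line per problem, returns the problem count
hints_check() {
    awk -v min_ns="$MIN_NS" '
    function problem(msg) { print msg; problems++ }
    BEGIN { problems = 0; nns = 0 }
    /status:/ {
        status = $0; sub(/.*status: */, "", status); sub(/,.*/, "", status)
        if (status != "NOERROR") problem("query status is " status ", not NOERROR")
    }
    # answer lines:   .  6D  IN  NS  A.ROOT-SERVERS.NET.
    $1 == "." && $4 == "NS" { ns[toupper($5)] = 1; nns++ }
    # glue lines:     A.ROOT-SERVERS.NET.  5w6d16h  IN  A  198.41.0.4
    $4 == "A" && $1 ~ /\.$/ { glue[toupper($1)] = $5 }
    END {
        cnt = nns + 0
        if (cnt < min_ns) problem("only " cnt " NS records, expected at least " min_ns)
        for (name in ns) {
            if (!(name in glue)) problem("no A (glue) record for " name)
            if (name !~ /\.ROOT-SERVERS\.NET\.$/) problem(name " is not a ROOT-SERVERS.NET name")
        }
        exit problems
    }' "$1"
}

# Write constructed sample dig outputs into directory $1:
#   good     - three root servers, all with glue
#   noglue   - the same, but C.ROOT-SERVERS.NET. has no A record
#   servfail - a failed query with no answer section
write_hints_samples() {
    cat > "$1/good" <<'EOF'
; <<>> DiG 8.2 <<>> @a.root-servers.net . ns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
EOF
    grep -v '^C.ROOT-SERVERS.NET' "$1/good" > "$1/noglue"
    cat > "$1/servfail" <<'EOF'
; <<>> DiG 8.2 <<>> @a.root-servers.net . ns
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      ., type = NS, class = IN
EOF
}

# Run as "sh hints_check.sh demo" to see the check applied to the samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_hints_samples "$d"
    for f in good noglue servfail; do
        echo "== $f"; hints_check "$d/$f" || echo "   $? problem(s)"
    done
    rm -rf "$d"
fi
```

In update-db.root the call would replace the two grep tests: `if hints_check root.hints >> result`, with MIN_NS set to the number of root servers you expect, so that a short or glueless answer is mailed to the hostmaster instead of installed.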
- Now that we have got this far, I would suggest installing Henry to the point where its name serving is working, and then continuing with the rest of Gateway's configuration. This will give us the ability to use names instead of IP addresses.
Last modified: Tue Feb 8 22:00:00 PST 2000
Copyright © Jonathan Marks, 1999, 2000. All rights
reserved.
http:/www.novatek.co.nz/linux/config/gateway-ns.html.