SuSEfirewall2 BIND NAT

Hi everyone,

I have a network with some openSUSE 11.1 servers.

I am having trouble doing NAT for my BIND servers that are behind the firewall server (SuSEfirewall2).

The problem is that from outside my DNS servers are OK, but inside my internal network, when I run the command below against a domain that is configured on my DNS servers, I get an error message.

internal-server-01:/# dig +trace aisle.com.br
...
aisle.com.br. 86400 IN NS ns2.aisle.com.br.
aisle.com.br. 86400 IN NS ns1.aisle.com.br.
;; Received 98 bytes from 200.219.159.10#53 (F.DNS.br) in 186 ms

;; connection timed out; no servers could be reached


If I give the same command to an external domain, it works perfectly:

internal-server-01:/# dig +trace opensuse.org
...
opensuse.org. 86400 IN NS ns.novell.co.uk.
opensuse.org. 86400 IN NS ns.novell.com.
opensuse.org. 86400 IN NS ns2.novell.com.
;; Received 104 bytes from 199.19.56.1#53 (A0.ORG.AFILIAS-NST.INFO) in 30 ms

opensuse.org. 600 IN A 130.57.5.70
opensuse.org. 600 IN NS ns.novell.com.
opensuse.org. 600 IN NS ns2.novell.com.
opensuse.org. 600 IN NS ns.novell.co.uk.
;; Received 168 bytes from 137.65.1.2#53 (ns2.novell.com) in 35 ms

If I give the same command on an external server, it works perfectly:

external-01-server:/# dig +trace aisle.com.br
...
aisle.com.br. 86400 IN NS ns2.aisle.com.br.
aisle.com.br. 86400 IN NS ns1.aisle.com.br.
;; Received 98 bytes from 200.192.232.10#53 (C.DNS.br) in 52 ms

aisle.com.br. 300 IN A 174.132.205.188
aisle.com.br. 300 IN NS ns2.aisle.com.br.
aisle.com.br. 300 IN NS ns1.aisle.com.br.
;; Received 114 bytes from 174.132.205.187#53 (ns1.aisle.com.br) in 166 ms

I set up a NAT pointing to UDP port 53 on my firewall for the master and slave BIND servers.

The options section of my named.conf is this:

options {
    directory "/var/lib/named";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    allow-query { any; };
    notify explicit;
    also-notify { 10.0.2.4; };
    version "[secured]";
    transfer-format many-answers;
};

My resolv.conf in all internal machines:

search dop.com.br
nameserver 10.0.1.4
nameserver 10.0.2.4

A dig +trace requires access to outside DNS servers from the inside through the firewall (can be with NAT), because the query is resolved starting from the global root. Does the machine on which you are running have such access?

How can I verify this?

You can try a dig @outside.dns.server domain.name to see if this returns a result.

I suspect what you are doing is trying to get a reply from the public address of your DNS server from the inside. Without a special DNAT rule in your firewall this will fail. That is what will happen if you follow the chain from DNS root as required by +trace. But it is not a realistic test because if you have split horizon DNS, then resolving the names on the inside will not be done from DNS root.

From opendns.com:

internal-server-01:/# dig @208.67.222.222 aisle.com.br

; <<>> DiG 9.5.0-P2 <<>> @208.67.222.222 aisle.com.br
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aisle.com.br.                  IN      A

;; ANSWER SECTION:
aisle.com.br.           300     IN      A       174.132.205.188

;; Query time: 419 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Jun 22 22:54:19 2009
;; MSG SIZE  rcvd: 46

From my master server's external IP:

internal-server-01:/# dig @174.132.205.187 aisle.com.br

; <<>> DiG 9.5.0-P2 <<>> @174.132.205.187 aisle.com.br
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
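The reply above separates two things a dig run from the inside can tell you: whether the firewall passes UDP/53 outbound at all (the query to OpenDNS answers, so it does), and whether a packet sent from inside to the public address of your own DNS server is forwarded back in (it times out, so there is no DNAT rule covering that case). The following Python script is an added example, not code from the thread or from SuSEfirewall2. It parses dig output of the shape shown above and applies that reasoning to the two captured runs. The two outputs embedded in it are constructed copies of the runs above, and parse_dig, a_records and diagnose are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples: copies of the two dig runs from the inside shown in the thread.
DIG_VIA_OPENDNS = """\
; <<>> DiG 9.5.0-P2 <<>> @208.67.222.222 aisle.com.br
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aisle.com.br.                  IN      A

;; ANSWER SECTION:
aisle.com.br.           300     IN      A       174.132.205.188

;; Query time: 419 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""

DIG_VIA_OWN_PUBLIC_IP = """\
; <<>> DiG 9.5.0-P2 <<>> @174.132.205.187 aisle.com.br
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")   # name ttl IN type rdata
SERVER_RE = re.compile(r"<<>> DiG \S+ <<>> @(\S+)")               # resolver given with @
STATUS_RE = re.compile(r"status: (\w+)")                          # rcode in the HEADER line


@dataclass
class DigResult:
    server: Optional[str] = None       # resolver the query was sent to
    status: Optional[str] = None       # rcode, e.g. NOERROR, or None if no answer came back
    timed_out: bool = False            # dig reported "connection timed out"
    records: List[Tuple[str, int, str, str]] = field(default_factory=list)


def parse_dig(output: str) -> DigResult:
    """Extract resolver, rcode, timeout flag and resource records from dig's text output."""
    result = DigResult()
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            # Comment/header lines carry the metadata; the QUESTION section is also ';'-prefixed.
            m = SERVER_RE.search(line)
            if m:
                result.server = m.group(1)
            m = STATUS_RE.search(line)
            if m:
                result.status = m.group(1)
            if "connection timed out" in line.lower():
                result.timed_out = True
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            result.records.append((name, int(ttl), rtype, rdata.strip()))
    return result


def a_records(result: DigResult) -> List[str]:
    """Return the rdata of every A record in the answer."""
    return [rdata for _, _, rtype, rdata in result.records if rtype == "A"]


def diagnose(via_external_resolver: str, via_own_public_ip: str) -> str:
    """Classify the two inside-to-outside runs described in the reply above.

    - external resolver fails          -> UDP/53 is not allowed out of the firewall at all
    - external resolver answers, but the public IP of the own DNS server times out
                                       -> traffic from inside to the public IP is not DNATed back in
    - both answer the same A record    -> NAT rule (or split-horizon zone) is in place
    """
    ext = parse_dig(via_external_resolver)
    own = parse_dig(via_own_public_ip)
    if ext.status != "NOERROR" or not a_records(ext):
        return "outbound-dns-blocked"
    if own.timed_out:
        return "hairpin-nat-missing"
    if own.status == "NOERROR" and a_records(own) == a_records(ext):
        return "ok"
    return "inconsistent-answers"


if __name__ == "__main__":
    for label, text in (("OpenDNS", DIG_VIA_OPENDNS), ("own public IP", DIG_VIA_OWN_PUBLIC_IP)):
        r = parse_dig(text)
        print(f"{label}: server={r.server} status={r.status} timed_out={r.timed_out} A={a_records(r)}")
    print("diagnosis:", diagnose(DIG_VIA_OPENDNS, DIG_VIA_OWN_PUBLIC_IP))
```

Run against the two captured outputs it reports hairpin-nat-missing, which is the situation the reply describes: the only traffic path that fails is inside client to the firewall's public address on UDP/53, so either a DNAT/forward rule for that path or an internal zone that answers with 10.0.1.4 and 10.0.2.4 directly resolves it. To reuse it on a live system, capture `dig @resolver name` output with subprocess and pass the text to diagnose.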

Hi all,

Read this post to resolve the problem:

SuSEfirewall2 NAT Forward - openSUSE Forums

Thanks.