Date: Mon, 22 May 2000 12:17:33 PDT
From: "Ron Smith" <ronnetron@hotmail.com>
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Non-existent domain
Message-ID: <20000522191733.61404.qmail@hotmail.com>
Hi all,
O.K. gang I need your help on this one. I have a particular problem that I
can't seem to solve on my own. Here's what's happening:
I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything
works fine for those on the LAN when browsing HTTP. DNS is also running on
this machine as primary and I have a name server at the ISP as secondary.
However, the problem is that when looking for the domain name "crcfx.com"
out on the web, It's not seen. An error message comes up saying: "A network
error occurred: Unable to connect to server. The server may be down or
unreachable." Also, I don't get a proper response, from outside our LAN,
when doing an 'nslookup stargate.crcfx.com', which has the primary DNS
running locally. This is preventing us from putting other services on-line,
such as 'HTTP' and 'SMTP'. I've talked to several sources (including my
ISP), to no avail. There's lots of confusion all around. I have a suspicion
my problem may stem from the way my zones are set up, or the firewall rules,
but I'm not sure. Anyway, here are the details:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ping 127.0.0.1 (loopback)
ping 192.x.x.1 (inside interface)
ping 63.x.x.218 (outside interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All show 0% packet loss.
~~~~~~~~~~~~~~~
'rc.conf' says:
~~~~~~~~~~~~~~~
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
# -- sysinstall generated deltas -- #
ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0"
ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
hostname="stargate.crcfx.com"
linux_enable="YES"
moused_enable="YES"
gateway_enable="YES"
defaultrouter="63.x.x.217"
# -- The following deltas were generated by Ron Smith on Apr. 17, 2000
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev=/dev/wd0s1b
natd_enable="YES"
natd_interface="pn0"
named_enable="YES"
~~~~~~~~~~~~~~~~~~~
'rc.firewall' says:
~~~~~~~~~~~~~~~~~~~
# set these to your outside interface network and netmask and ip
oif="pn0"
onet="63.x.x.216"
omask="255.255.255.248"
oip="63.x.x.218"
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.x.x.0"
imask="255.255.255.0"
iip="192.x.x.1"
# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
#$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
# Allow ICMP inside only
#$fwcmd add deny icmp from any to any via ${oif}
#$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
#$fwcmd add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from ${inet}:${imask} to any 53
# Allow stuff to 192 net in from the outside, since we're
# checking after NAT does the conversion
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123
# Everything else is denied as default.
elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi
~~~~~~~~~~~~~~~~~~~~~~~
'whois crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~
Whois Server Version 1.1
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net for
detailed information.
Domain Name: CRCFX.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: www.register.com
Name Server: NS1.PBI.NET
Name Server: STARGATE.CRCFX.COM
Updated Date: 28-apr-200
>>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Access to register.com's WHOIS information is for informational purposes
only. Register.com makes this information available
"as is," and does not guarantee its accuracy. The compilation, repackaging,
dissemination or other use of register.com's WHOIS information in its
entirety, or a substantial portion thereof, is expressly prohibited without
the prior written consent of register.com. By accessing and using our WHOIS
information, you agree to these terms.
Organization:
Cinema Research Corp
6860 Lexington Ave
Hollywood, CA 90038
US
Registrar..: Register.com (http://www.register.com)
Domain Name: CRCFX.COM
Created on..............: Fri, Mar 24, 2000
Expires on..............: Sat, Mar 24, 2001
Record last updated on..: Fri, Apr 28, 2000
Administrative Contact:
Smith, Ron ronnetron@hotmail.com
323-460-4111
Technical Contact, Zone Contact:
Internic, Registrar internic-free@register.com
212-594-988
Domain servers in listed order:
STARGATE.CRCFX.COM 63.x.x.218
NS1.PBI.NET 206.13.28.11
Register your domain name at http://www.register.com
~~~~~~~~~~~~~~~~~
ifconfig -a says:
~~~~~~~~~~~~~~~~~
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255
pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'netstat -na crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
icmp 0 0 *.* *.*
tcp 0 0 *.111 *.* LISTEN
tcp 0 0 127.0.0.1.53 *.* LISTEN
tcp 0 0 63.x.x.218.53 *.* LISTEN
tcp 0 0 192.x.x.1.53 *.* LISTEN
udp 0 0 *.111 *.*
udp 0 0 *.1024 *.*
udp 0 0 127.0.0.1.53 *.*
udp 0 0 63.x.x.218.53 *.*
udp 0 0 192.x.x.1.53 *.*
udp 0 0 *.514 *.*
~~~~~~~~~~~~~~~~~~~~~
'db.crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~
; Definition of zone crcfx.com
crcfx.com.      IN SOA  stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial (date, two digits version of day)
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                8640000    ; expire (100 days)
                86400 )    ; minimum (1 day)
; name servers
                IN NS   stargate.crcfx.com.
                IN NS   ns1.pbi.net.
                IN NS   ns2.pbi.net.
stargate        IN A    63.x.x.218
ns1.pbi.net.    IN A    206.13.28.11
ns2.pbi.net.    IN A    206.13.29.11
~~~~~~~~~~~~~~~~~~~~~
'crcfx-reverse' says:
~~~~~~~~~~~~~~~~~~~~~
@               IN SOA  stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial (date, 2 digits version of day)
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                8640000    ; expire (100 days)
                86400 )    ; minimum (1 day)
                IN NS   stargate.crcfx.com.
                IN NS   ns1.pbi.net.
                IN NS   ns2.pbi.net.
218.x.x.63.in-addr.arpa    IN PTR  stargate.crcfx.com.
11.28.13.206.in-addr.arpa  IN PTR  ns1.pbi.net.
11.29.13.206.in-addr.arpa  IN PTR  ns2.pbi.net.
~~~~~~~~~~~~~~~~~~~~~
'localhost.rev' says:
~~~~~~~~~~~~~~~~~~~~~
; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;
@               IN SOA  stargate.crcfx.com. root.stargate.crcfx.com. (
                2000042901 ; Serial
                86400      ; Refresh (1 day)
                7200       ; Retry (2 hours)
                8640000    ; Expire (100 days)
                86400 )    ; Minimum
                IN NS   stargate.crcfx.com.
1               IN PTR  localhost.crcfx.com.
~~~~~~~~~~~~~~~~~~~
'resolv.conf' says:
~~~~~~~~~~~~~~~~~~~
domain crcfx.com
nameserver 127.0.0.1
nameserver 192.x.x.1
nameserver 63.x.x.218
nameserver 206.13.28.11
nameserver 206.13.29.11
~~~~~~~~~~~~~~~~~~
'named.conf' says:
~~~~~~~~~~~~~~~~~~
options {
        directory "/etc/namedb";
        forwarders {
                206.13.28.11;
        };
};
zone "." {
        type hint;
        file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};
zone "crcfx.com" {
        type master;
        file "db.crcfx.com";
};
zone "0.x.192.IN-ADDR.ARPA" {
        type master;
        file "crcfx-reverse";
};
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sorry,
This is a lot to swallow, but they are all the pertinent files, in regards
to the problem. I would appreciate any feedback on how to get our local name
server to do proper zone transfers to our upstream ISP, and to get a proper
'nslookup stargate.crcfx.com' from outside our LAN ...same thing.
TIA
Ron
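Editor's note with an added example (not Ron's code, and not part of the FreeBSD rc.firewall script): the quickest way to see why outside resolvers get nothing back is to walk the posted "simple" ruleset the way ipfw does, first match wins, default deny. The evaluator below encodes the active rules in their posted order and feeds them a UDP query arriving at port 53 of the outside address, the server's UDP answer leaving from port 53, a TCP query, and a reply from the upstream forwarder. The masked addresses are stand-ins I constructed (63.x.x.218 becomes 203.0.113.218, the 192 net becomes 192.168.1.0/24, the remote resolver is 198.51.100.7); the two `SERVER_DNS_RULES` are my proposed addition, not something the post contains.

```python
"""First-match evaluator for the ipfw 'simple' rules quoted in the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the addresses the post masks.
OIF, IIF = "pn0", "fxp0"
OIP, ONET = "203.0.113.218", ipaddress.ip_network("203.0.113.216/29")
INET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
N = ipaddress.ip_network

def host(a):
    return N(a + "/32")

@dataclass
class Rule:
    action: str                      # "pass" or "deny"
    proto: str                       # "all", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    direction: Optional[str] = None  # "in", "out" or None (no direction keyword)
    iface: Optional[str] = None      # "via <iface>" or None
    flag: Optional[str] = None       # "setup", "established" or None

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                   # "in" or "out"
    iface: str
    syn_only: bool = False           # ipfw "setup": SYN set, ACK clear
    ack: bool = False                # ipfw "established": ACK (or RST) set

# The active (uncommented) rules of the posted rc.firewall, in the order ipfw walks them.
RULES = [
    Rule("deny", "all", INET, None, ANY, None, "in", OIF),                  # stop spoofing
    Rule("deny", "all", ONET, None, ANY, None, "in", IIF),
    Rule("deny", "all", N("192.168.0.0/16"), None, ANY, None, None, OIF),   # RFC1918 via oif
    Rule("deny", "all", N("172.16.0.0/12"), None, ANY, None, None, OIF),
    Rule("deny", "all", ANY, None, N("172.16.0.0/12"), None, None, OIF),
    Rule("deny", "all", N("10.0.0.0/8"), None, ANY, None, None, OIF),
    Rule("deny", "all", ANY, None, N("10.0.0.0/8"), None, None, OIF),
    Rule("pass", "tcp", ANY, None, ANY, None, flag="established"),
    Rule("pass", "tcp", ANY, None, host(OIP), 53, flag="setup"),            # "access to our DNS": TCP only
    Rule("deny", "tcp", ANY, None, ANY, None, "in", OIF, "setup"),
    Rule("pass", "tcp", ANY, None, ANY, None, flag="setup"),
    Rule("pass", "udp", ANY, 53, host(OIP), None),                          # "DNS queries out": answers to us
    Rule("pass", "udp", host(OIP), None, ANY, 53),                          # ...and our own queries
    Rule("pass", "udp", INET, None, ANY, 53),
    Rule("pass", "udp", ANY, 53, INET, None, iface=OIF),
    Rule("pass", "udp", ANY, 53, INET, None, iface=IIF),
    Rule("pass", "udp", ANY, 123, host(OIP), None),                         # NTP
    Rule("pass", "udp", host(OIP), None, ANY, 123),
]

# What the posted set lacks for a name *server* on ${oip}: queries arriving at port 53 from any
# source port, and its answers leaving from port 53. Proposed here; not in the post.
SERVER_DNS_RULES = [
    Rule("pass", "udp", ANY, None, host(OIP), 53),
    Rule("pass", "udp", host(OIP), 53, ANY, None),
]
FIXED = RULES + SERVER_DNS_RULES

def matches(r, p):
    if r.proto != "all" and r.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in r.src or ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.sport is not None and r.sport != p.sport:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.iface and r.iface != p.iface:
        return False
    if r.flag == "setup" and not p.syn_only:
        return False
    if r.flag == "established" and not p.ack:
        return False
    return True

def evaluate(p, rules=RULES):
    """Return (action, index of the matching rule); index None means the default rule, which denies."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return r.action, i
    return "deny", None

# Constructed traffic: a resolver on the Internet asking stargate for stargate.crcfx.com.
RESOLVER = "198.51.100.7"
QUERY_IN = Packet("udp", RESOLVER, 40123, OIP, 53, "in", OIF)
REPLY_OUT = Packet("udp", OIP, 53, RESOLVER, 40123, "out", OIF)
TCP_QUERY_IN = Packet("tcp", RESOLVER, 40124, OIP, 53, "in", OIF, syn_only=True)
UPSTREAM_REPLY = Packet("udp", "206.13.28.11", 53, OIP, 1024, "in", OIF)   # ns1.pbi.net answering us

if __name__ == "__main__":
    for name, pkt in [("UDP query in", QUERY_IN), ("UDP reply out", REPLY_OUT),
                      ("TCP query in", TCP_QUERY_IN), ("upstream reply in", UPSTREAM_REPLY)]:
        print(f"{name:18} posted: {evaluate(pkt)}   with server rules: {evaluate(pkt, FIXED)}")
```

Run as-is it shows that with the posted rules only the TCP query and the forwarder's reply get through: the UDP query from a random source port matches nothing and hits the default deny, and even if it arrived, the answer from port 53 to that random port would be denied on the way out. The "udp from any 53 to ${oip}" line covers a client's replies, not a server's queries, which is the behaviour nslookup from outside is reporting. Ordering matters little for the two added rules because nothing earlier denies UDP, but they must sit before any catch-all deny if one is added later.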
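A second added example, again editor's code rather than anything from the post: once packets reach named, the zone content decides what a browser asking for "crcfx.com" gets. This small zone-file parser and checker runs over a copy of the posted db.crcfx.com (with 203.0.113.218 standing in for the masked 63.x.x.218) and reports whether the apex and www names have A records, whether in-zone NS names have glue, and which records have owners outside the zone; the check names and thresholds are mine, and the parser handles only the record shapes the posted file uses.

```python
"""Sanity checks for a BIND master zone file, run over a copy of the posted db.crcfx.com (added example)."""

# Constructed copy of the posted zone; 203.0.113.218 stands in for the masked 63.x.x.218.
ZONE_TEXT = """
; Definition of zone crcfx.com
crcfx.com.      IN SOA  stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial
                86400      ; refresh
                7200       ; retry
                8640000    ; expire
                86400 )    ; minimum
; name servers
                IN NS   stargate.crcfx.com.
                IN NS   ns1.pbi.net.
                IN NS   ns2.pbi.net.
stargate        IN A    203.0.113.218
ns1.pbi.net.    IN A    206.13.28.11
ns2.pbi.net.    IN A    206.13.29.11
"""

TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}

def qualify(name, origin):
    """Turn a zone-file name into an absolute name the way named does: '@' is the origin,
    a trailing dot means absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples, handling blank owner columns and a multi-line SOA."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner, buf = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                               # inside an open parenthesis: keep accumulating
        line, buf = buf.replace("(", " ").replace(")", " "), ""
        toks = line.split()
        if line[0].isspace():
            owner = last_owner                     # blank owner column inherits the previous owner
        else:
            owner, toks = qualify(toks[0], origin), toks[1:]
            last_owner = owner
        while toks and toks[0] not in TYPES:       # skip optional TTL and the class
            toks = toks[1:]
        if toks:
            records.append((owner, toks[0], toks[1:]))
    return records

def check_zone(text, origin):
    """What a public web/DNS host needs from its zone: an apex A record, glue for in-zone NS
    names, and no records whose owner lies outside the zone (named does not serve those)."""
    origin = origin if origin.endswith(".") else origin + "."
    recs = parse_zone(text, origin)
    a_owners = {o for o, t, _ in recs if t == "A"}
    ns_targets = [qualify(rd[0], origin) for o, t, rd in recs if t == "NS" and o == origin]

    def in_zone(n):
        return n == origin or n.endswith("." + origin)

    return {
        "apex_a": origin in a_owners,              # needed for http://crcfx.com/ to resolve at all
        "www_a": "www." + origin in a_owners,
        "ns_missing_glue": [n for n in ns_targets if in_zone(n) and n not in a_owners],
        "out_of_zone": sorted({o for o, _, _ in recs if not in_zone(o)}),
    }

if __name__ == "__main__":
    for key, value in check_zone(ZONE_TEXT, "crcfx.com").items():
        print(f"{key:16} {value}")
```

For the posted zone this reports no A record for crcfx.com itself (so a browser asking for the bare domain gets NXDOMAIN-style failure even after the firewall is fixed), no www record, glue present for stargate, and the two ns*.pbi.net A records as out-of-zone data that named will not answer for; the ISP's servers publish their own addresses, so those lines can simply go.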
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000522191733.61404.qmail>
