Hello,

I have the following situation: I have a webserver sitting behind a m0n0wall. The m0n0wall has a DNS name assigned to its virtual address. Port 80 is forwarded to the webserver. I have a few sites running on the webserver, and for these my "public" DNS has a number of aliases defined. This looks like this:

    tine.vanbesien.net        CNAME  webserver.vanbesien.net
    broen.vanbesien.net       CNAME  webserver.vanbesien.net
    webserver.vanbesien.net   CNAME  bremgarten.vanbesien.net
    bremgarten.vanbesien.net  A      <current WAN IP address of my m0n0wall>

The problem is that with this setup I can't access my sites from behind my firewall, as the names resolve to the WAN address. To try to solve this I entered a static DNS entry in the m0n0wall DNS forwarder:

    webserver.vanbesien.net   A      192.168.2.91

This refers to the local webserver's address. When I now try to resolve the name it still doesn't work as expected:

    krist@aare:~$ dig broen.vanbesien.net

    ; <<>> DiG 9.3.2 <<>> broen.vanbesien.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13788
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;broen.vanbesien.net.            IN  A

    ;; ANSWER SECTION:
    broen.vanbesien.net.       6140  IN  CNAME  webserver.vanbesien.net.
    webserver.vanbesien.net.   6140  IN  CNAME  bremgarten.vanbesien.net.
    bremgarten.vanbesien.net.  300   IN  A      62.203.246.126

    ;; Query time: 186 msec
    ;; SERVER: 192.168.2.1#53(192.168.2.1)
    ;; WHEN: Mon Aug 7 21:29:37 2006
    ;; MSG SIZE rcvd: 102

but:

    krist@aare:~$ dig webserver.vanbesien.net

    ; <<>> DiG 9.3.2 <<>> webserver.vanbesien.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 668
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;webserver.vanbesien.net.        IN  A

    ;; ANSWER SECTION:
    webserver.vanbesien.net.   0     IN  A      192.168.2.91

    ;; Query time: 1 msec
    ;; SERVER: 192.168.2.1#53(192.168.2.1)
    ;; WHEN: Mon Aug 7 21:30:12 2006
    ;; MSG SIZE rcvd: 57

So you can see that when I ask for the IP of webserver.vanbesien.net I get the correct (from the point of view of my server) IP address. When I ask for a name aliased to webserver.vanbesien.net I get as the final answer my WAN IP address.

Why is this? In both cases the DNS requests go to the m0n0wall.

Krist

--
krist dot vanbesien at gmail dot com
Bremgarten b. Bern, Switzerland