i seem to be having a dns/fw issue that i can't figure out.

basically, wifi clients can't lookup dns successfully unless the entry 
is already cached on the openbsd 4.0 box first.

this has just started after introducing a new firewall config but i have 
_no_ idea what the difference between a fresh vs cached lookup should be 
from the client side! this is surely a misunderstanding on my part. can 
you see what i'm missing?

what's there:
openbsd 4.0 dns servers 10.0.0.11 & 12
openbsd 4.1 firewall
        sis2    internet, 121.73.27.x
        sis1/2  bridged 10.0.0.11 & 12 via crossover
        ath0    wifi 172.16.x.x dhcp for clients

dhcp side:
the clients (macos, windows, whatever) receive a dhcp address & can
access services such as email on the 10.x network, and anything on the
internet via IP address.

but when a name lookup is done from 172. to the 10. dns servers, the
request goes through to the 10. dns server just fine - which then
replies with a 'not found' type error. running the same lookup again on
the 10. dns server directly works. then re-running the same query from
the client side retrieves the new cached version correctly.

presumably the fw rules are ok as traffic is passing each time. but what 
am i missing?

i've not changed the dns servers since 3.9, but there is a new pfSense
firewall in between.

pf.conf & named.conf follow the dns trace.

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         tunnel inet  -->
         inet 172.16.0.10 netmask 0xffffff00 broadcast 172.16.0.255
         ether 00:19:e3:0f:1a:6b
         media: autoselect status: active
         supported media: autoselect
         vlan: 0 parent interface: <none>
         bond interfaces: <none>


non-cached from client:
May 17 07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32) (ttl 63, id 17885, len 60)

return to client:
May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)

non-cached from dns server:
May 17 07:20:08.675725 10.0.0.2.40578 > 203.96.152.4.53: [udp sum ok] 13112+ [1au] A? www.novell.com. (43) (ttl 64, id 6400, len 71)

reply from dns forwarder:
May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)

cached from client:
May 17 07:20:13.695183 172.16.0.10.49320 > 10.0.0.11.53: [udp sum ok] 50027+ A? www.novell.com. (32) (ttl 63, id 17961, len 60)

cached reply from dns server:
May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)


pf.conf
===================================================================
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

############################################################
# macro definitions
############################################################
# interfaces

ext_if  = "sis2"
wii_if  = "ath0"
dmz_if  = "{ sis0 sis1 bridge0 }"
int_if  = "{ sis0 sis1 bridge0 ath0 }"

# networks
ext_nw = "{ 121.73.27.0/24 }"
wii_nw = "{ 172.16.0.0/24 }"
dmz_nw = "{ 10.0.0.0/24 }"
int_nw = "{ 10.0.0.0/24 172.16.0.0/24 }"

# dmz hosts
dmz_web  = "10.0.0.20"
dmz_mail = "10.0.0.21"
dmz_ssh  = "10.0.0.31"

# port groups
mail_ports      = "{ imap, imaps, smtp }"
web_ports       = "{ http, https }"
############################################################
# tables
############################################################

table <spamd-white> persist
table <internal_net> persist {10.0.0.0/24, 172.16.0.0/24}

############################################################
# options
############################################################

set skip on lo
set require-order yes
set block-policy drop
set optimization normal
set loginterface none
set loginterface ath0

############################################################
# normalisation
############################################################

scrub in all
scrub out all

############################################################
# translation & redirection
############################################################

nat on $ext_if inet proto {icmp, tcp, udp} \
        from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if inet proto tcp \
        from any to $ext_nw port $web_ports -> $dmz_web
rdr pass on $ext_if inet proto tcp \
        from any to $ext_nw port $mail_ports -> $dmz_mail
rdr pass on $ext_if inet proto tcp \
        from any to $ext_nw port ssh -> $dmz_ssh

############################################################
# filtering
############################################################

block in all
block out log all

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# block anything from private networks on WAN interface
antispoof for $ext_if
block in log quick on $ext_if from 10.0.0.0/8 to any
block in log quick on $ext_if from 127.0.0.0/8 to any
block in log quick on $ext_if from 172.16.0.0/12 to any
block in log quick on $ext_if from 192.168.0.0/16 to any

# pass all ICMP connections
pass out inet proto icmp all icmp-type echoreq

# permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from 121.73.27.12 to any

# allow outgoing DNS
pass out quick proto { tcp, udp } from any to any port 53

# allow access to DHCP server on wii
pass in quick on $wii_if proto udp \
        from any port = 68 to 255.255.255.255 port = 67
pass in quick on $wii_if proto udp \
        from any port = 68 to 172.16.0.1 port = 67
pass out quick on $wii_if proto udp \
        from 172.16.0.1 port = 67 to any port = 68
block in log quick on $ext_if proto udp \
        from any port = 67 to 10.0.0.0/24 port = 68

# pass all connections originating from the firewall
pass out quick on $ext_if inet \
        from ($ext_if) to any
# pass all connections originating from dmz
pass in quick on $dmz_if \
        from <internal_net> to any

pass quick on $int_if no state
antispoof for $ext_if

#pass out on $int_if proto tcp to ($int_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

pass in quick on $wii_if from any to any
pass in quick on $dmz_if from any to any


named.conf
====================================================================
// $OpenBSD: named-simple.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.


// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
         localnets;
         ::1;
};

options {
         version "";     // remove this to allow version queries

         listen-on    { any; };
         listen-on-v6 { any; };

         allow-recursion { clients; };

         forwarders {
                 203.96.152.4;
                 203.96.152.12;
         };
};

logging {
         category lame-servers { null; };
};

// Standard zones
//
zone "." {
         type hint;
         file "standard/root.hint";
};

zone "localhost" {
         type master;
         file "standard/localhost";
         allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
         type master;
         file "standard/loopback";
         allow-transfer { localhost; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
         type master;
         file "standard/loopback6.arpa";
         allow-transfer { localhost; };
};

zone "com" {
         type delegation-only;
};

zone "net" {
         type delegation-only;
};

// muse.net.nz
zone "muse.net.nz" {
         type master;
         file "master/muse.net.nz";
};

// 10.0.0 reverse lookups
zone "0.0.10.in-addr.arpa" {
         type master;
         file "master/10.0.0";
         allow-transfer { localhost; };
};
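Added example (editor's code, not part of the original post or of the pf/BIND configuration above): a small parser for tcpdump's DNS summary lines, fed with the six trace lines from the post re-joined onto single lines. In tcpdump's notation a `+` after the transaction id on a query means RD (recursion desired) was set, a `-` after the id on a reply means the server left RA (recursion available) clear, and `0/13/13` is the answer/authority/additional record count. A reply of `0/13/13` with `-` therefore carries no answer and only a set of NS records: the classic shape of a resolver that declined to recurse for the client and handed back its root hints instead, while `1/3/2` with `-` is cached data served without recursing. The script pairs each query with its reply and lists clients that received such referrals. Since `allow-recursion { clients; }` in named.conf is built on `localnets`, which (as the file's own comment says) only covers networks the server has an interface on, a check like this makes an ACL gap of that kind visible directly in the trace; the verdict strings are my own labels.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the six tcpdump lines from the post, with the
# wrapped lines re-joined so that each DNS message sits on one line.
TRACE = """\
May 17 07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32) (ttl 63, id 17885, len 60)
May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)
May 17 07:20:08.675725 10.0.0.2.40578 > 203.96.152.4.53: [udp sum ok] 13112+ [1au] A? www.novell.com. (43) (ttl 64, id 6400, len 71)
May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)
May 17 07:20:13.695183 172.16.0.10.49320 > 10.0.0.11.53: [udp sum ok] 50027+ A? www.novell.com. (32) (ttl 63, id 17961, len 60)
May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)
"""

# tcpdump DNS summary: "<ts> <src> > <dst>: [udp sum ok] <id><flags> <rest>"
# Flag characters printed right after the id: '+' RD set (query),
# '-' RA clear (reply), '*' AA set, '|' truncated, '$' checking disabled.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:.]+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:\[udp sum ok\] )?(?P<txid>\d+)(?P<flags>[-+*|$]*) (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"^(?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
REPLY_RE = re.compile(r"^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


@dataclass
class DnsMessage:
    src: str
    dst: str
    txid: int
    is_query: bool
    rd: bool = False        # recursion desired ('+' on a query)
    ra: bool = False        # recursion available ('-' on a reply means clear)
    aa: bool = False        # authoritative answer ('*')
    qtype: Optional[str] = None
    qname: Optional[str] = None
    counts: Optional[Tuple[int, int, int]] = None  # answer/authority/additional


def parse_line(line: str) -> Optional[DnsMessage]:
    """Parse one tcpdump DNS summary line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, rest = m.group("flags"), m.group("rest")
    base = dict(src=m.group("src"), dst=m.group("dst"), txid=int(m.group("txid")))
    q = QUERY_RE.match(rest)
    if q:
        return DnsMessage(is_query=True, rd="+" in flags,
                          qtype=q.group("qtype"), qname=q.group("qname"), **base)
    r = REPLY_RE.match(rest)
    if r:
        return DnsMessage(is_query=False, ra="-" not in flags, aa="*" in flags,
                          counts=(int(r.group("an")), int(r.group("ns")), int(r.group("ar"))),
                          **base)
    return None


def classify_reply(reply: DnsMessage) -> str:
    """Label a reply by what the counts and the RA bit say about recursion."""
    an, ns, _ar = reply.counts
    if an == 0 and ns > 0 and not reply.ra:
        return "referral-no-recursion"   # NS records only, server would not recurse
    if an > 0 and not reply.ra:
        return "answered-no-recursion"   # data present (cache), RA still clear
    if an > 0:
        return "answered"
    return "empty"


def analyze(trace: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Pair queries with replies by (client, server, txid) and classify each reply."""
    pending: Dict[Tuple[str, str, int], DnsMessage] = {}
    results = []
    for line in trace.splitlines():
        msg = parse_line(line)
        if msg is None:
            continue
        if msg.is_query:
            pending[(msg.src, msg.dst, msg.txid)] = msg
            continue
        query = pending.pop((msg.dst, msg.src, msg.txid), None)
        if query is None:
            results.append((msg.dst, msg.src, None, "unmatched-reply"))
            continue
        results.append((query.src, query.dst, query.qname, classify_reply(msg)))
    return results


def clients_refused_recursion(results) -> Set[str]:
    """IP addresses (port stripped) that only ever got referrals back."""
    return {client.rsplit(".", 1)[0] for client, _s, _q, verdict in results
            if verdict == "referral-no-recursion"}


if __name__ == "__main__":
    verdicts = analyze(TRACE)
    for client, server, qname, verdict in verdicts:
        print(f"{client} -> {server} {qname}: {verdict}")
    print("clients refused recursion:", sorted(clients_refused_recursion(verdicts)))
```

Run against the post's trace it reports the 172.16.0.10 client as refused recursion on the first lookup and answered without recursion on the second, while the server's own query to the forwarder comes back with RA set and an answer. The same parser can be pointed at a longer `tcpdump -n port 53` capture to see which source networks a resolver is recursing for and which it is not.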
