As suggested by Johan, I too feel that it's a matter of proper access control for named.

You could have something like the following in your 'named.conf' file:
---

# -------------------------------- example named.conf entries for ACL ------------
# Establish site-specific Access Control Lists for the server/Zone
# ----------------------------------------------
#  The 127, 172, 192 and 10 Nets are RFC non-routed (local) like behind your firewall
#  This allows client-side access and use of your firewall'd name server without ACL violation
#  The xxx.yy.zz.0/24 is thrown in my example as an outside Network that might be allowed to use
#   your Name server
#

acl "clients" { 127.0.0.0/8; 172.16.0.0/16; 192.168.0.0/16; 10.0.0.0/8; xxx.yy.zz.0/24; };

#
# ---------------------------------------------------------
# Here (below) is a list of allowed name servers that might be allowed to use your name server
#  for queries.  You should avoid having your name server wide open for free use by other
#  name servers IMHO ..   The    nnn.xxx.zzz.yy;   entry would be a name server (outside) that
#   you would allow to query yours.      Otherwise, just allow your own...
# -------

acl "nameservers" { nnn.xxx.zzz.yy; 192.168.1.101; };

options {
        allow-query { "clients"; };
        allow-recursion { "clients"; };
        allow-transfer { "nameservers"; };
};

#        ----- end of simple ACL example for named.conf

Randy
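Editor's note: the script below is an added example, not Randy's code and not part of BIND. It models how named applies address-match lists like the ones in the fragment above (first matching element wins, a leading "!" denies, no match means denied), reports which of allow-query / allow-recursion / allow-transfer admit a given client, and lints elements whose host bits are set (named accepts those with an "address/prefix length mismatch" warning). The named.conf text inside it is constructed; the RFC 5737 documentation addresses 198.51.100.0/24 and 203.0.113.53 stand in for the xxx.yy.zz.0/24 and nnn.xxx.zzz.yy placeholders. Nested-ACL handling follows BIND's rule that a negative match inside a nested list counts as no match, but keywords such as localhost/localnets are not modelled.

```python
"""Evaluate BIND-style address-match lists from a named.conf fragment (added example)."""
import ipaddress
import re

# Constructed fragment modelled on the ACL example in the reply above.
# 198.51.100.0/24 and 203.0.113.53 are RFC 5737 documentation addresses used
# here as stand-ins for the xxx.yy.zz.0/24 and nnn.xxx.zzz.yy placeholders.
NAMED_CONF = """
# site ACLs
acl "clients" { 127.0.0.0/8; 172.16.0.0/16; 192.168.0.0/16; 10.0.0.0/8; 198.51.100.0/24; };
acl "nameservers" { 203.0.113.53; 192.168.1.101; };

options {
        allow-query { "clients"; };
        allow-recursion { "clients"; };
        allow-transfer { "nameservers"; };
};
"""

ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;')
OPTION_RE = re.compile(r'\b(allow-query|allow-recursion|allow-transfer)\s*\{([^}]*)\}\s*;')


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(#|//).*', '', text)


def split_elements(body):
    """Split an address-match-list body on ';' into its elements."""
    return [e.strip() for e in body.split(';') if e.strip()]


def parse_named_conf(text):
    """Return ({acl name: [elements]}, {option name: [elements]})."""
    text = strip_comments(text)
    acls = {name: split_elements(body) for name, body in ACL_RE.findall(text)}
    options = {name: split_elements(body) for name, body in OPTION_RE.findall(text)}
    return acls, options


def match_list(elements, addr, acls, depth=0):
    """Return True (allow), False (deny) or None (no element matched).

    The first element that matches decides; a leading '!' turns the match into
    a denial. A nested ACL only counts when it matches positively, which is how
    named avoids a surprise allow through double negation.
    """
    if depth > 8:
        raise ValueError("ACL nesting too deep")
    for element in elements:
        negate = element.startswith('!')
        token = element.lstrip('!').strip().strip('"')
        if token == 'any':
            hit = True
        elif token == 'none':
            hit = False
        elif token in acls:
            hit = match_list(acls[token], addr, acls, depth + 1) is True
        else:
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                raise ValueError(f"unsupported ACL element {token!r}") from None
            hit = addr in net
        if hit:
            return not negate
    return None


def decide(text, client_ip):
    """Map each allow-* option to whether client_ip is admitted (no match = denied)."""
    acls, options = parse_named_conf(text)
    addr = ipaddress.ip_address(client_ip)
    return {opt: match_list(elems, addr, acls) is True for opt, elems in options.items()}


def lint_prefixes(text):
    """Return prefix elements whose host bits are set, e.g. 127.0.0.1/24."""
    acls, options = parse_named_conf(text)
    problems = []
    for elems in list(acls.values()) + list(options.values()):
        for element in elems:
            token = element.lstrip('!').strip().strip('"')
            if '/' not in token:
                continue
            try:
                ipaddress.ip_network(token, strict=True)
            except ValueError:
                problems.append(token)
    return problems


if __name__ == "__main__":
    for client in ("192.168.1.20", "192.168.1.101", "203.0.113.53", "8.8.8.8"):
        print(client, decide(NAMED_CONF, client))
    print("prefix warnings:", lint_prefixes('acl "x" { 127.0.0.1/24; 10.0.0.0/8; };'))
```

Run it against your own named.conf text to see which addresses end up with recursion or zone transfers before you reload the server; the lint function catches the prefix/host-bit slips that named only warns about.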



Vivek Ayer wrote:
> Hey guys,
>
> Need some help with DNS queries behind a router. I set up a DNS server
> in my network and it responds when I'm within my network. I tried
> nslookup from localhost on the dns server and also from the LAN and it
> works just fine, but when I use the public IP of the router for the
> network, which should forward the port to the DNS server, it says
> "unexpected reply from 192.168.1.101, expected from the (public IP,
> which I won't display in this email)." Does that mean the port
> forwarding is working? I performed the query from the router itself
> and it seems like it's working because 192.168.1.101 (The DNS server)
> did respond. But with those weird responses, you never get a clear cut
> answer; it just keeps saying the same thing: "unexpected reply from
> 192.168.1.101, expected from the..."
>
> Here's the router's pf.conf:
>
> #     $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> # macros
> ext_if = "re0" # External Interface (169.229.158.0/24)
> int_if = "xl0" # Internal Interface (192.168.1.0/24)
> localnet = $int_if:network
> webserver = "192.168.1.50" # Redundant Sun Servers
> nameserver = "192.168.1.101" # Dell L400 Celeron
> webports = "{ http , https }"
> domainport = "{ domain }"
> tcp_services = "{ ssh }"
> icmp_types = "echoreq"
> carpdevs = "{ carp0 , carp1 }"
> syncdev = "{ re1 }"
> carp_mcast = "224.0.0.18"
>
> # extra tweaks
> set skip on lo
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> # nat
> nat on $ext_if from $localnet to any -> ($ext_if)
> no nat on $int_if proto tcp from $int_if to $localnet
> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>
> # rdr for http
> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>
> # rdr for domain (tcp)
> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>
> # rdr for domain (udp)
> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>
> # pass rules
> block in # Default Deny
> pass out keep state
> antispoof quick for { lo }
> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>    flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>    flags S/SA synproxy state
>
> # Basic CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state
> pass quick on $ext_if proto carp \
>    from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
>
> # Internet-Facing CARP rules
> pass in on $ext_if inet proto tcp from any to (carp0) \
>    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to (carp0) \
>    port $webports flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to (carp0) \
>    port $domainport
> pass in on $ext_if inet proto tcp from any to (carp0) \
>    port $domainport flags S/SA synproxy state
>
> # LAN-Facing CARP rules
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>    port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>    port $webports flags S/SA synproxy state
> pass in on $int_if inet proto udp from $localnet to (carp1) \
>    port $domainport
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>    port $domainport flags S/SA synproxy state
>
>
> Thanks in advance,
> Vivek
