DNS fails on internal network (works on server)

Posted: 2007/05/31 18:05:30
by ucffool
Hi everyone... two of us have been beating our heads against the wall and can't figure this out, so I hope someone can help.
I've attached 4 screenshots of the networking setup also for extra help.
I'm using webmin to configure all the settings.

The Server has two NICs, one connected to a cisco router and the other to the internal network. It is doing NAT translation.

What works:
Server can connect and browse the internet without any issues. DNS lookup works great.
DHCP is serving IP, subnet, gateway, and all 3 DNS server IPs properly to the client (WinXP box at this time).
Client can browse the web using the IP address (google, ipchicken, whatever), but dns fails.
Client can use the IP to get to google, and perform a search, which works fine. Clicking a link fails because of DNS failure.
Client can ping the DNS servers fine.
Client can see and interact with the internal network, and with apache on the server perfectly.

What fails:
Client cannot use any name to connect outbound, DNS lookup fails.
On WinXP client, nslookup command fails to find the name of the dns servers and times out after 2 seconds.

-----
The Server does not have BIND DNS installed because our ISP provides great DNS service, saw no need to add to the confusion.

We are baffled as to why DNS works at the server, nat traversal works at the client, but dns lookup is not passing along.

Help?

-Andy Lurig

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 18:11:58
by ucffool
Attachments didn't work, so I've put them up elsewhere. Here are the links:
http://home.comcast.net/~ucffool/dhcp-subnet-clientoptions.jpg
http://home.comcast.net/~ucffool/dhcp-subnetdetails.jpg
http://home.comcast.net/~ucffool/linuxfirewall-nat-postroutingsourcenat.jpg
http://home.comcast.net/~ucffool/networkconfig-routinggateways.jpg

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 18:24:15
by gerald_clark
/etc/resolv.conf
needs a line like

nameserver xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP of your nameserver.
You may have up to 3 of these lines.

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 18:28:34
by ucffool
3 lines already present with the correct IP addresses:
nameserver 209.244.0.3
nameserver 209.244.0.4
nameserver 198.6.100.194

DNS is working great on the server itself.
At the client (internal network NIC of the centos server), an ipconfig /all on the xp machine shows all those DNS addresses are being passed to it.

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 18:47:16
by gerald_clark
The nameserver entries need to be made on the client, not the server.

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 19:04:44
by ucffool
CISCO --- CentOS ----- WinXP machine
______ . . . . . . . . . . . ________
eth0 ---- ***** ----- eth1

Running ipconfig on the Windows XP machine (what I referred to as the client) shows the 3 DNS IP addresses correctly, and yet it still is not working, which is why I've been scratching my head. Even manually configuring the static DNS information in TCP/IP properties for Windows XP did not change the results. DNS requests just are not translating across the server.

DNS request from XP ----> Server ||stops||
DNS request from server ----> works

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 19:12:40
by gerald_clark
Did you setup the centos box as the router for the win boxen?
Do you have forwarding turned on on the centos box?
If you are using iptables, do you have it setup properly?

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 19:12:56
by foxb
You need to allow DNS requests to pass firewall.

test from your xp boxes with

nslookup

Maybe easier will be to set up a caching DNS server.

Re: DNS fails on internal network (works on server)

Posted: 2007/05/31 19:33:42
by ucffool
foxb for the win... DAMN I knew it was something silly.

Double-checked and there was no ACCEPT UDP 53 on the firewall, so it was filtering the packets coming through it. Added the new rule and magically it works.

Thank you to both of you.... staring at terminal for too long makes your head explode.
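The fix foxb pointed at, written out as an added example (not from the thread or from any poster): the iptables rules a two-NIC CentOS NAT box needs so that LAN clients' DNS queries are forwarded, restricted to the three ISP resolvers quoted above, plus the two commands that show whether FORWARD is what drops the queries. Assumed from the poster's diagram: eth0 faces the Cisco router, eth1 the LAN; the LAN subnet 192.168.1.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: eth0 = WAN side,
# eth1 = LAN side (per the poster's diagram), LAN subnet is a placeholder.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"               # assumption: internal subnet
RESOLVERS="209.244.0.3 209.244.0.4 198.6.100.194"  # the ISP resolvers from the thread

# Emit the commands instead of running them, so the rule set can be reviewed
# (or piped to sh) on the box. Only the listed resolvers are allowed through,
# so LAN hosts cannot reach arbitrary outside port-53 services via the NAT.
dns_forward_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ns in $RESOLVERS; do
        for proto in udp tcp; do   # TCP 53 carries answers too large for UDP
            echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $ns -p $proto --dport 53 -j ACCEPT"
        done
    done
}

# Number of FORWARD rules that accept DNS: 3 resolvers x 2 protocols = 6.
count_dns_accepts() {
    dns_forward_rules | grep -c -- '--dport 53 -j ACCEPT'
}

# Run these on the server while a client does a lookup: if the query shows up
# on the LAN interface but the FORWARD counters for a DROP/REJECT rule climb,
# the firewall, not the resolver config, is what is eating the packets.
dns_forward_diagnostics() {
    echo "tcpdump -ni $LAN_IF udp port 53"
    echo "iptables -L FORWARD -v -n --line-numbers"
}

if [ "${1:-}" = "--apply" ]; then
    dns_forward_rules | sh -e
fi
```

Run with `--apply` as root on the NAT box to install the rules; without it the script only prints them.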