Need help with DNS behind firewall

Joseph S D Yao jsdy at cospo.osis.gov
Thu Jan 20 18:30:18 UTC 2000


On Tue, Jan 11, 2000 at 03:11:04PM +0100, Casper Doppen wrote:
> I've set up a DNS on my LAN (domain ???.hme). The DNS has IP 192.168.1.3
> The Gateway/Firewall has IP 192.168.1.1, and is using a ppp-connection
> to the internet.
> Some workstations on the LAN are Windows95 systems. It all works when I
> have the DNS's set up in the network properties to look first for an
> external DNS (for example 1.2.3.4) and second for 192.168.1.3. But this
> way all requests for LAN-addresses are also sent to the external DNS,
> and that's what I do not want (.hme is not a registered domain, just
> local).
> I would like to have set up 192.168.1.3 as only DNS for all
> workstations. If the DNS doesn't know a requested name the DNS should
> contact the external DNS (1.2.3.4).
> 
> I tried this :
> 
> /etc/resolv.conf:
> nameserver 127.0.0.1
> nameserver 1.2.3.4
> search debian.hme slack.hme xterm.hme win.hme hme
> 
> /etc/named.conf starts with :
> options {
>              directory "/var/named";
>              forwarders { 1.2.3.4; };
>              query-source address * port 53;
> };
> 
> With this configuration I am able to surf on the internet with this
> machine (192.168.1.3) because of the second line in resolv.conf. But
> when I start nslookup and ask for external URLs I get the message
> "localhost can't find [URL]: Non-existing host/domain".
> 
> Does anybody know what I am doing wrong ?
> Please reply to ng and email.
> 
> Thanks,
> 
> Casper

You do not understand how resolv.conf works.  The second line has
nothing to do with anything.

If one nameserver is contacted, then NO OTHER nameservers will be
contacted!  It does not go through the whole list and try each one!
Think what would happen, if you tried to resolve a non-existent
address, and had to try each of a large number of name servers!

No, only the first one that works is tried.

You should have your hosts resolve only to the name server itself -
which is NOT 127.0.0.1, unless you are actually on the name server
itself.  You have said that it is 192.168.1.3.

The name server should forward to 192.168.1.1, if that IS a firewall
with a DNS proxy; or 1.2.3.4 [yeah, right!] if there is no firewall,
but only a gateway that lets IP through.  In either case, the "forward
only" option should be set.

This will allow DNS to work.

For nslookup to work - which is a SEPARATE QUESTION - you must also
have a reverse DNS domain.  If you have the 1.168.192.in-addr.arpa and
0.0.127.in-addr.arpa zones set up, you must figure out why one of them
isn't working [see the syslog output].  If not, then see the DNS & BIND
book for how to do it, or look in the archives of this forum for a
periodic posting of a brief primer.  A reverse DNS zone is a good idea,
whether or not you decide that 'nslookup' is vital to your happiness.
;-)

Incidentally ...

In case anyone misunderstands Mr. Doppen's request, NEVER send anything
to both the newsgroup and the mailing list.  They are gatewayed to each
other.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
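Below is an added worked example, not part of the original message or of Mr. Doppen's posting, that puts the reply's advice into a concrete BIND configuration. It assumes the addresses given in the thread (192.168.1.3 is the name server, 192.168.1.1 is the firewall with a DNS proxy, 1.2.3.4 is the external resolver) and uses constructed host names (ns, gw, pc1) and a constructed zone file layout under /var/named; the zone files themselves are illustrative, not taken from the page.

```conf
#### /etc/named.conf on the name server (192.168.1.3) ####
options {
    directory "/var/named";
    # "forward only": anything this server is not authoritative for is
    # sent ONLY to the forwarders; named never walks the root servers
    # itself, so nothing behind the firewall needs direct outbound DNS.
    forward only;
    # Forward to the firewall's DNS proxy as the reply suggests; use
    # { 1.2.3.4; } instead if the gateway merely passes IP through.
    forwarders { 192.168.1.1; };
};

# Authoritative data for the private domain.  Because this zone is
# served locally, queries for *.hme are answered here and are never
# forwarded, so internal names do not leak to the external resolver.
zone "hme" {
    type master;
    file "db.hme";
};

# The two reverse zones the reply says nslookup needs.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.1";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
};

#### /var/named/db.hme (constructed) ####
# $TTL 86400
# @       IN SOA  ns.hme. hostmaster.hme. ( 2000012001 3600 900 604800 86400 )
#         IN NS   ns.hme.
# ns      IN A    192.168.1.3
# gw      IN A    192.168.1.1
# pc1     IN A    192.168.1.10

#### /var/named/db.192.168.1 (constructed) ####
# $TTL 86400
# @       IN SOA  ns.hme. hostmaster.hme. ( 2000012001 3600 900 604800 86400 )
#         IN NS   ns.hme.
# 1       IN PTR  gw.hme.
# 3       IN PTR  ns.hme.
# 10      IN PTR  pc1.hme.

#### /var/named/db.127.0.0 (constructed) ####
# $TTL 86400
# @       IN SOA  ns.hme. hostmaster.hme. ( 2000012001 3600 900 604800 86400 )
#         IN NS   ns.hme.
# 1       IN PTR  localhost.

#### /etc/resolv.conf on the name server itself ####
# 127.0.0.1 is correct ONLY here, because named runs on this host.
# No second nameserver line: as the reply explains, it would only be
# consulted if 127.0.0.1 failed to answer at all, never for "name
# not found", so it adds nothing.
# nameserver 127.0.0.1
# search hme

#### /etc/resolv.conf (or Windows 95 TCP/IP properties) on every workstation ####
# Point at the name server, and only at it.
# nameserver 192.168.1.3
# search hme
```

Two checks worth running after loading this: `nslookup pc1.hme 192.168.1.3` should answer from the local zone, and `nslookup 192.168.1.10 192.168.1.3` should return pc1.hme from the reverse zone; if either fails, the syslog output from named will name the zone file it rejected. The original posting's `query-source address * port 53;` line is deliberately left out: pinning the source port to 53 was once a common firewall workaround, but a fixed source port makes a caching resolver far easier to poison, so if the firewall permits it, let named choose random source ports.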
