Sendmail and DNS behind NAT Firewall

Kevin Darcy kcd at daimlerchrysler.com
Wed Sep 13 23:54:23 UTC 2000


You say that names resolve from the outside. *Any* names, or just names in
your authoritative zones? Answering a query for a name in one of your
authoritative zones doesn't require your nameserver to talk to any other
nameserver, so it doesn't prove much of anything. Do you have recursion
enabled for internal clients? Do you have a proper Internet root hints
file? Does your firewall permit UDP packets *from* random unprivileged
ports on your nameserver *to* port 53 on other nameservers (you can
restrict the source port on your nameserver via the "query-source" option,
if you wish)?

If *all* queries work from the outside, and *no* queries work from the
inside, not even queries for names in authoritative zones, then I'd say
this is probably not a nameserver configuration issue. Is there any chance
that you have some *asymmetric* NAT'ing going on internally? A client will
generally ignore a response if it doesn't come from the same address to
which the query was sent, so if NAT is being performed in only one
direction, it could sabotage DNS.


- Kevin

Mark O'Brien wrote:

> I have installed an authoritative DNS setup on a Linux 2.2.13 kernel
> using BIND 8.2.1.  Being behind a separate NAT based firewall it has a
> private IP address of 172.31.x.x.  There is only one NIC in this
> machine and it is not bound to multiple addresses.  The DNS is
> authoritative for our public class C network.
>
> The issue that I am having is names will only resolve from the outside
> when pointing to the public NAT IP address (209.131.x.x).  Sendmail
> (8.9.3) requires names to resolve and this of course is failing.  The
> gateway is set correctly and I can ping public numeric IP addresses from
> the inside without any problems.
>
> Is there anything that can be done to make names resolve on the private
> IP address side of the network?
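
The checks Kevin lists (does the reply come back from the address the query went to, does the server offer recursion, does it SERVFAIL because it cannot reach the outside) can be seen in a simulated stub resolver. The following is an added example, not code from the thread or from BIND: it builds a DNS A query and a matching reply in wire format, then applies the acceptance checks a client makes before trusting a UDP reply, including the asymmetric-NAT case where the reply arrives from a different source address and is silently dropped. The addresses and the hostname are constructed for the simulation and are not the poster's real values.

```python
"""Simulate the checks a stub resolver applies to a UDP DNS reply.

Added example (not from the bind-users thread or from BIND). Shows why a reply
whose source address was rewritten by NAT is dropped, and how RA=0 / SERVFAIL
point at recursion or outbound-firewall problems.
"""
import struct

# Constructed addresses for the simulation (hypothetical, not the poster's).
INTERNAL_NS = ("172.31.1.10", 53)   # private address the internal client queries
NAT_PUBLIC = ("209.131.1.10", 53)   # public address a NAT might stamp on the reply

A, IN = 1, 1  # QTYPE A, QCLASS IN


def encode_name(name):
    """Encode a dotted name into DNS wire format (labels, no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qid, rd=True):
    """Build a standard A query; RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", A, IN)


def build_response(query, ip, ra=True, rcode=0):
    """Answer a query with one A record, echoing ID and question like a server."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | (rcode & 0xF)
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the owner name at offset 12 (the question)
        answer = struct.pack("!HHHIH", 0xC00C, A, IN, 300, 4) + rdata
    return header + query[12:] + answer


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def answer_ips(reply):
    """Extract IPv4 addresses from the answer section (handles pointer owner names)."""
    h = parse_header(reply)
    pos = 12
    for _ in range(h["qdcount"]):             # skip the question section
        while reply[pos] != 0:
            pos += reply[pos] + 1
        pos += 1 + 4                          # root label + QTYPE/QCLASS
    ips = []
    for _ in range(h["ancount"]):
        if reply[pos] & 0xC0 == 0xC0:         # two-byte compression pointer
            pos += 2
        else:
            while reply[pos] != 0:
                pos += reply[pos] + 1
            pos += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10
        if rtype == A and rdlen == 4:
            ips.append(".".join(str(b) for b in reply[pos:pos + 4]))
        pos += rdlen
    return ips


def check_reply(query, sent_to, reply, received_from):
    """Apply the checks a stub resolver makes before trusting a UDP reply."""
    if received_from != sent_to:
        return False, ("dropped: reply came from %s:%d but query went to %s:%d "
                       "(asymmetric NAT?)" % (received_from + sent_to))
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return False, "dropped: ID or QR flag does not match our query"
    if reply[12:len(query)] != query[12:]:
        return False, "dropped: question section differs from our query"
    if r["rcode"] == 2:
        return False, ("SERVFAIL: server took the query but could not resolve it "
                       "(root hints? outbound UDP to port 53 blocked?)")
    if r["rcode"] != 0:
        return False, "rcode %d from server" % r["rcode"]
    note = "" if r["ra"] or not q["rd"] else \
        " (RA=0: no recursion for this client; only the server's own zones resolve)"
    return True, "ok: " + ", ".join(answer_ips(reply)) + note


def simulate():
    """Run the four scenarios from the thread against a constructed query."""
    query = build_query("mail.example.com", 0x1A2B)
    good = build_response(query, "209.131.0.25")           # constructed answer
    return {
        "direct": check_reply(query, INTERNAL_NS, good, INTERNAL_NS),
        "nat_rewritten": check_reply(query, INTERNAL_NS, good, NAT_PUBLIC),
        "no_recursion": check_reply(query, INTERNAL_NS,
                                    build_response(query, "209.131.0.25", ra=False), INTERNAL_NS),
        "servfail": check_reply(query, INTERNAL_NS,
                                build_response(query, None, rcode=2), INTERNAL_NS),
    }


if __name__ == "__main__":
    for name, (accepted, why) in simulate().items():
        print("%-14s %s" % (name, why))
```

The "nat_rewritten" case is the one Kevin describes: the answer is well formed and correct, but because it arrives from 209.131.1.10 rather than the 172.31.1.10 the client asked, the resolver discards it and Sendmail sees a timeout, not an error. The source-address check is not optional for a client, since dropping the match is what lets an off-path attacker inject answers, so the fix has to be on the NAT side, not in the resolver. On the server side, the `query-source` option Kevin mentions pins the address and port the nameserver sends its own outbound queries from, which is what you would adjust if the firewall only permits port 53 to port 53.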