BIND9 behind NAT: no reverse lookup from external net
Markus Wollny
Markus.Wollny at computec.de
Tue Mar 1 13:30:51 UTC 2005
Hello!
We have recently migrated an old BIND8 that was running on a SuSE Linux
7.1 box to BIND9 running on Debian Sarge. I have added the necessary
$TTL and $ORIGIN lines which weren't needed in BIND9 and have got it up
and running. The box is behind a NAT-firewall, so it's got an IP in the
192.168.0.x range and a static NAT mapping to an external IP. It's doing
ordinary domain name resolution fine for both internal and external
clients; however when trying a reverse lookup using its external IP
address, the server doesn't provide an answer.
These are two queries from the outside internet:
extbox:~# dig @ns1.computec.de dozer.computec.de
; <<>> DiG 9.2.4 <<>> @ns1.computec.de dozer.computec.de
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42687
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;dozer.computec.de. IN A
;; ANSWER SECTION:
dozer.computec.de. 86400 IN A 212.123.108.12
;; AUTHORITY SECTION:
computec.de. 86400 IN NS ns1.sec-dns.de.
computec.de. 86400 IN NS ns1.computec.de.
;; ADDITIONAL SECTION:
ns1.sec-dns.de. 80742 IN A 212.123.100.100
ns1.computec.de. 86400 IN A 212.123.108.10
;; Query time: 4 msec
;; SERVER: 212.123.108.10#53(ns1.computec.de)
;; WHEN: Tue Mar 1 14:02:46 2005
;; MSG SIZE rcvd: 127
So that's working alright; but when I try the reverse lookup:
extbox:~# dig @ns1.computec.de -x 212.123.108.12
; <<>> DiG 9.2.4 <<>> @ns1.computec.de -x 212.123.108.12
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7927
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
I don't get an answer. When digging from the internal network while
using the external IP of the nameserver (or its name, which resolves to
the external IP), the result is the same. When I query the server with
its internal IP, the reverse lookup is working fine:
intbox:~# dig @192.168.0.10 -x 212.123.108.12
; <<>> DiG 9.2.4 <<>> @192.168.0.10 -x 212.123.108.12
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22154
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;12.108.123.212.in-addr.arpa. IN PTR
;; ANSWER SECTION:
12.108.123.212.in-addr.arpa. 86400 IN PTR dozer.computec.de.
;; AUTHORITY SECTION:
108.123.212.in-addr.arpa. 86400 IN NS ns1.computec.de.
108.123.212.in-addr.arpa. 86400 IN NS ns1.sec-dns.de.
;; ADDITIONAL SECTION:
ns1.sec-dns.de. 80448 IN A 212.123.100.100
ns1.computec.de. 86400 IN A 212.123.108.10
;; Query time: 1 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Tue Mar 1 14:07:40 2005
;; MSG SIZE rcvd: 152
The same applies for queries executed locally on the server - it works
when I use localhost, 127.0.0.1 or the internal IP as server, but fails
when I use the servername or the external IP.
Here's the relevant bit from /etc/bind/named.conf.local:
zone "108.123.212.in-addr.arpa" in {
        type master;
        file "db.212.123.108";
};
And this is the zone-file db.212.123.108:
$TTL 86400
@       2H      IN SOA  ns1.computec.de. hostmaster (
                        2005030101      ; serial
                        1D              ; refresh
                        1H              ; retry
                        1W              ; expiry
                        1D )            ; minimum
        1D      IN NS   ns1.computec.de.
        1D      IN NS   ns1.sec-dns.de.
12      1D      IN PTR  dozer.computec.de.
10      1D      IN PTR  ns1.computec.de.
Could you please give me a hint as to where I could start looking for
the problem? I am not the administrator of the NAT firewall, but as
ordinary name resolution from the outside is working fine AND I cannot
get reverse lookup via external IP even on the local machine, I think it
might still be something in my machine's config - or does reverse lookup
require other firewall settings than ordinary name resolution? Port 53
TCP and UDP are open...
Kind regards
Markus
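An added example, not part of Markus's post: a small Python reader for the reverse zone quoted above, showing how the master-file format is interpreted (relative owners such as 12 and 10 are completed with the zone origin, the owner-less NS lines inherit the @ owner, and the SOA spans several lines) and how the name that dig -x asks for is derived from the address. The zone text is a constructed copy of the one in the post, and the parser is a minimal illustration rather than BIND's own code.

```python
import ipaddress

# Constructed copy of the reverse zone quoted in the post. The owner-less
# NS lines need leading whitespace to inherit the previous owner (@); a
# master-file line that starts in column 0 is read as a new owner name.
ZONE_TEXT = """\
$TTL 86400
@   2H IN SOA ns1.computec.de. hostmaster (
        2005030101 ; serial
        1D ; refresh
        1H ; retry
        1W ; expiry
        1D ) ; minimum
    1D IN NS ns1.computec.de.
    1D IN NS ns1.sec-dns.de.
12  1D IN PTR dozer.computec.de.
10  1D IN PTR ns1.computec.de.
"""

def reverse_name(ip):
    """Name that dig -x asks for: 212.123.108.12 -> 12.108.123.212.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parse_zone(text, origin):
    """Minimal master-file parser; returns {(owner, type): [rdata, ...]}."""
    origin = origin.rstrip(".") + "."
    records, owner, pending, starts_blank = {}, origin, [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                # drop comments
        if not line.strip() or line.startswith("$"):
            continue                               # blank line or $TTL directive
        if not pending:                            # first line of a record
            starts_blank = raw[0].isspace()
        pending += line.replace("(", " ( ").replace(")", " ) ").split()
        if pending.count("(") > pending.count(")"):
            continue                               # SOA continues on the next line
        toks, pending = [t for t in pending if t not in ("(", ")")], []
        if not starts_blank:                       # explicit owner, possibly relative
            name = toks.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else name + "." + origin
        while toks[0][0].isdigit() or toks[0].upper() == "IN":
            toks.pop(0)                            # skip optional TTL and class
        records.setdefault((owner, toks[0].upper()), []).append(" ".join(toks[1:]))
    return records

def lookup_ptr(records, ip):
    """PTR target for ip, or None: the miss that an NXDOMAIN answer reports."""
    return (records.get((reverse_name(ip), "PTR")) or [None])[0]

ZONE = parse_zone(ZONE_TEXT, "108.123.212.in-addr.arpa")
```

Querying ZONE for 212.123.108.12 yields dozer.computec.de., the same PTR the internal dig returned, while an address with no PTR line in the zone yields None.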