Another thing to look at... Make sure the ISP DNS server that you are forwarding to is a recursive server. If you are forwarding your requests to a non-recursive server, you won't get the answers you're looking for... You'll just get a reference to the root servers.
Generally, when trying to set this sort of thing up, follow this testing methodology:

Note: dig or nslookup will be your best friend during this testing....

1. Make sure that your server is up and working (test your local domains for which it should be authoritative). One to always make sure works properly is the 0.0.127.in-addr.arpa reverse domain. Many versions of BIND get real unhappy if this isn't set up correctly. It is preferable to do this on your primary DNS first.

2. Check the server you want to use for your forwarder to make sure that it correctly processes recursive queries. For example:

      nslookup www.yahoo.com dns.yourisp.com

   should provide something like:

      Server:         localhost
      Address:        127.0.0.1#53

      Non-authoritative answer:
      www.yahoo.com   canonical name = www.yahoo.akadns.net.
      Name:   www.yahoo.akadns.net
      Address: 64.58.76.176
      Name:   www.yahoo.akadns.net
      Address: 64.58.76.177
      Name:   www.yahoo.akadns.net
      Address: 64.58.76.178
      Name:   www.yahoo.akadns.net
      -snip-

   Not

      Server:         a non-recursive server.com
      Address:        1.1.1.1#53

      Non-authoritative answer:
      *** Can't find www.yahoo.com: No answer

      Authoritative answers can be found from:
      yahoo.com       nameserver = NS3.EUROPE.yahoo.com.
      yahoo.com       nameserver = NS5.DCX.yahoo.com.
      yahoo.com       nameserver = NS4.DAL.yahoo.com.
      yahoo.com       nameserver = NS2.san.yahoo.com.
      yahoo.com       nameserver = NS1.SNV.yahoo.com.
      NS3.EUROPE.yahoo.com    internet address = 217.12.4.71
      NS5.DCX.yahoo.com       internet address = 216.32.74.10
      NS4.DAL.yahoo.com       internet address = 63.250.206.50
      NS2.san.yahoo.com       internet address = 209.132.1.29
      NS1.SNV.yahoo.com       internet address = 216.115.108.33

   If you get a response like the second one, that DNS server won't handle your requests the way that you want it to. You'll need to ask your ISP tech support folks for a recursive server.

3. If you got the correct response from the ISP name server, then make sure the forwarder statement in your DNS config is correctly pointing to that server(s).
Once you've verified that, run dig or nslookup against your server to see if it is properly resolving things for you. If you come up with bad or no results, I recommend using something like tcpdump or another sniffer to make sure that your server is actually forwarding requests to (and receiving a response from) the ISP's DNS server. From here, the testing will diverge depending on results, but these steps usually catch most of the simple things. If your firewall is in the way, you'll see evidence of this on the sniffer run (you'll see the outbound request, but no reply). If you see no outbound request, then your server may be authoritative for "." (see previous response below).

David Taylor

>There isn't, by any chance, a zone labeled "." on the DNS server, is there?
>If so, delete it. Also, check the root hints tab in the server properties
>and see what's listed there.
>
>Laura
>----- Original Message -----
>From: "Laura A. Robinson" <[EMAIL PROTECTED]>
>To: "Rick Brown" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Thursday, December 06, 2001 10:34 AM
>Subject: Re: DNS vs. the firewall
>
>
> > What is your DNS running on?
> >
> > Laura
> > ----- Original Message -----
> > From: "Rick Brown" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, December 06, 2001 10:31 AM
> > Subject: DNS vs. the firewall
> >
> >
> > > I'm still struggling trying to get my internal DNS server to forward
> > > requests to my ISP's DNS server. I can access web sites via the IP
> > > address but I can't get DNS resolution to work. I can ping the ISP's
> > > DNS servers from my DNS servers and I have the ISP's DNS servers set
> > > up as forwarders for my internal DNS servers. I am allowing UDP and
> > > TCP 53 from my DNS servers to the ISP's servers. What am I missing?
> > > When I do an nslookup on something like www.google.com it immediately
> > > responds that my DNS server doesn't know what it is. Is this some
> > > start of authority thing? The internal domain is registered and the
> > > name servers are listed by Network Solutions as my ISP's name servers.
> > > I'm stuck and it's putting me in a real bind. PLEASE HELP!
> > >
> > > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.gnac.net/mailman/listinfo/firewalls

| David Taylor                 |If a nation values anything more than |
| KF4ULR                       |freedom, it will lose its freedom; and|
| Email: [EMAIL PROTECTED]     |the irony is that if it is comfort or |
| Coca-Cola Enterprises, Inc.  |money it values more, it will lose    |
| Network Security Engineer    |that, too. -- W. Somerset Maugham     |
| PGP Fingerprint: 9287 6333 95B3 B2DF 9932 89BD 37FF 7E69 0D00 1246 |
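The checks from the reply above, scripted as an added example that is not part of the original thread or any poster's code: it classifies a dig response as "recursive-ok", "non-recursive" (referral only, the case that will not work as a forwarder), "no-response" (firewall or routing in the way, confirm with a sniffer) or "recursive-but-no-answer", by reading the RA bit from dig's flags line and the ANSWER count from its status line, and it flags a local server that answers a query for "." with the AA bit set, which is what a stray "." zone looks like. The dig outputs embedded below are constructed for this example; the forwarder name dns.yourisp.com, the non-recursive server name, the query ids and the answer records (which reuse the addresses shown in the reply) are assumptions, so run the real commands shown in the comments against your own servers.

```shell
#!/bin/sh
# Added example, not from the thread. Parse dig output to script the
# forwarder and root-zone checks. Sample outputs are constructed; names,
# ids and addresses are assumptions.

# Flag list from dig's ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, ..." line.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# ANSWER count from the same line.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

# Step 2 of the reply: feed this the output of
#   dig @dns.yourisp.com www.yahoo.com A
# Prints: no-response | non-recursive | recursive-ok | recursive-but-no-answer
forwarder_check() {
    out="$1"
    # No header at all: dig never got a packet back (timeout, blocked, or
    # never sent). This is the case to confirm with tcpdump.
    if ! printf '%s\n' "$out" | grep -q '^;; ->>HEADER<<-'; then
        echo "no-response"
        return 0
    fi
    flags=$(dig_flags "$out")
    answers=$(dig_answers "$out")
    case " $flags " in
        *" ra "*)   # RA bit set: the server offers recursion to us
            if [ "${answers:-0}" -gt 0 ]; then
                echo "recursive-ok"
            else
                echo "recursive-but-no-answer"   # recurses, but that name had no data
            fi
            ;;
        *)          # no RA bit: referral only, ask the ISP for a recursive server
            echo "non-recursive"
            ;;
    esac
}

# The "." zone check from the quoted reply: feed this the output of
#   dig @127.0.0.1 . NS
# A server carrying its own "." zone answers with the AA bit and never forwards.
root_zone_check() {
    case " $(dig_flags "$1") " in
        *" aa "*) echo "authoritative-for-root" ;;
        *)        echo "root-hints-ok" ;;
    esac
}

# --- constructed sample outputs ---
SAMPLE_RECURSIVE=$(cat <<'EOF'
; <<>> DiG <<>> @dns.yourisp.com www.yahoo.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.yahoo.com.          300 IN CNAME www.yahoo.akadns.net.
www.yahoo.akadns.net.   60  IN A     64.58.76.176
EOF
)

SAMPLE_REFERRAL=$(cat <<'EOF'
; <<>> DiG <<>> @ns.non-recursive.example www.yahoo.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
yahoo.com.              3600 IN NS NS1.SNV.yahoo.com.
EOF
)

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

SAMPLE_ROOT_ZONE=$(cat <<'EOF'
; <<>> DiG <<>> @127.0.0.1 . NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
EOF
)

# Stand-alone run: print the verdict for each sample.
for s in SAMPLE_RECURSIVE SAMPLE_REFERRAL SAMPLE_TIMEOUT; do
    eval "v=\$$s"
    printf '%-16s %s\n' "$s" "$(forwarder_check "$v")"
done
printf '%-16s %s\n' SAMPLE_ROOT_ZONE "$(root_zone_check "$SAMPLE_ROOT_ZONE")"
```

If forwarder_check reports "no-response" for a query sent through your own server, the sniffer step in the reply is the next move: something like tcpdump -n -i eth0 port 53 and host dns.yourisp.com (interface name and forwarder name assumed) on the internal DNS server shows whether the outbound query leaves at all (if not, look for the "." zone) and whether a reply comes back (if not, look at the firewall rules for UDP and TCP 53 in both directions).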
