On Nov 17, 2007 4:01 PM, Rolf Sommerhalder <[EMAIL PROTECTED]> wrote:
> This unexpected behaviour of the DNS/UDP relay then causes routing
> problems as the "white" server is by default unaware of a route for
> the source address (yellow.fxp3). So DNS responses from "white" do not
> get routed back to "yellow". Of course, I could add a route on "white"
> as a workaround. But it would be more elegant if the DNS/UDP relay
> would behave the same way as the TCP relays do. In order to figure out

As an alternate work-around, I just tried to insert a source NAT rule in
/etc/pf.conf on "yellow", which masks/solves the routing problem locally
on the reverse proxy machine:

[EMAIL PROTECTED]:etc]# cat /etc/pf.conf
# source NAT for routing back from white for DNS only
nat log on fxp2 from 10.2.2.31 to 10.1.1.30 port 53 -> (fxp2)

Probably, I should add at least "static-port" to the NAT rule above in
order to prevent "white" from modifying the source port 53 (see tcpdump
below).

Still, I am unsure if the DNS/UDP relay actually behaves correctly, and
if this work-around does make sense.

Rolf

A) DNS/UDP Example reloaded, now with source NAT on "yellow"

Output of "hoststated -v -d" after issuing a DNS lookup on "orange":

relay_dns_log: session 1: request id 0xde7 flags 0x1:0x0 qd 1 an 0 ns 0 ar 0
relay_dns_log: session 1: response id 0x9cc flags 0x85:0x80 qd 1 an 1 ns 1 ar 0
relay dnsRelay, session 1 (1 active), 10.2.2.32 -> 10.1.1.30:53, session closed

hoststated listens on the right NIC fxp3:

[EMAIL PROTECTED]:root]# tcpdump -i fxp3 -n
tcpdump: listening on fxp3, link-type EN10MB
16:45:19.718243 arp who-has 10.2.2.31 tell 10.2.2.32
16:45:19.718274 arp reply 10.2.2.31 is-at 00:10:f3:0d:32:70
16:45:19.718461 10.2.2.32.32768 > 10.2.2.31.53: 3559+ A? orange. (36) (DF)
16:45:19.720859 10.2.2.31.53 > 10.2.2.32.32768: 3559* 1/1/0 A 172.16.70.32 (69)

hoststated passes on the proxied requests to the left NIC fxp2, using the
source address (fxp2)=10.1.1.31, as forced by source NAT:

[EMAIL PROTECTED]:root]# tcpdump -i fxp2 -n
tcpdump: listening on fxp2, link-type EN10MB
16:48:57.815366 10.1.1.31.51245 > 10.1.1.30.53: 65223+ A? orange. (36)
16:48:57.816452 10.1.1.30.53 > 10.1.1.31.51245: 65223* 1/1/0 A 172.16.70.32 (69)