> ...I had received from a user that can't connect to one edu.hk domain name.
> I checked and all edu.hk domain names can't connect, but other .com, .org
> and .net can connect. ...

Just scanning, this sounds real familiar to me, I've had the same symptom 
several times: probably somewhere some sort of rule assumes (incorrectly) that 
all top-level domains are three characters. It works for the U.S. domains (.com, 
.edu, .org, .net, etc.) but chokes on domains in other countries as usually in 
those cases the top-level (rightmost segment) domain is the two-letter country 
code. 

Try some domains with names that end in say .au and see if they fail too. If 
so, the problem is somewhere that's still dealing with "domain names", not yet 
"IP addresses". Also try it from different locations (an end user computer, an 
administrative computer, the firewall itself) which may help locate the 
problem. 

If the end user computers use Windows, execute `ipconfig -all` on a failing 
computer and see what the "DNS Servers" are. If the computers get their IP 
address from DHCP, they probably get their DNS Servers from DHCP too. So the 
DNS servers might not be what you think they are. (You might need to attend to 
the configuration of the DHCP server.)

What does a DNS diagnostic like `dig` say? Maybe debug output that describes 
every DNS server in the chain when there are recursive requests will help. 

(I've no idea whether the erroneous rule is in a browser or an end user OS or a 
web filter or a DNS repeater or a DNS cacher or a firewall or ...  In any case, 
I suspect you're right to look first at DNS and not suspect Shorewall or NAT 
unless quite a bit more evidence points in that direction:-)

thanks! -Chuck Kollars
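
An added example, not part of the original message: one way to run the "try several TLDs" test above and see whether failures line up with the length of the rightmost label. The host names are constructed placeholders, and `three_char_rule` is a hypothetical stand-in for the suspected faulty rule, not code from any real product.

```python
import socket
from collections import defaultdict

# Placeholder names (constructed): swap in hosts you know exist under each TLD.
SAMPLE_NAMES = ["example.com", "example.org", "example.net",
                "example.edu.hk", "example.com.au"]

def resolves(name):
    """True if the local resolver chain returns any address for name."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def results_by_tld_length(names, resolver=resolves):
    """Group lookup outcomes by the length of the rightmost label."""
    table = defaultdict(lambda: {"ok": [], "failed": []})
    for name in names:
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        table[len(tld)]["ok" if resolver(name) else "failed"].append(name)
    return dict(table)

def suspect_lengths(table):
    """TLD lengths where every tested name failed while another length worked."""
    if not any(row["ok"] for row in table.values()):
        return []  # nothing resolves at all: not a TLD-specific fault
    return sorted(n for n, row in table.items() if row["failed"] and not row["ok"])

def three_char_rule(name):
    """Stand-in for the suspected faulty rule: only 3-character TLDs pass."""
    return len(name.rstrip(".").rsplit(".", 1)[-1]) == 3

if __name__ == "__main__":
    # First the simulated rule (works offline), then the machine's real resolver.
    for label, resolver in (("simulated rule", three_char_rule), ("live DNS", resolves)):
        table = results_by_tld_length(SAMPLE_NAMES, resolver)
        print(label, table, "suspect TLD lengths:", suspect_lengths(table))
```

Running it from an end user computer, an administrative computer and the firewall itself gives one table per location to compare.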


      
