Unable to resolve LAN, can resolve internet - The FreeBSD Forums
#1  April 27th, 2010, 05:44
v0idE (Junior Member)
Unable to resolve LAN, can resolve internet

Hi,

I have a FreeBSD router/firewall/DNS/DHCP server that has suddenly stopped resolving local machine IPs (192.168.3.84), but I can still resolve external IPs/hostnames. I can't give any insight into what might have changed with the machine because nothing has changed on it for quite a while - it's out of reach in the bottom of a closet.

I've spent a few hours last night and this morning trying different tests and slight changes to the BIND configuration but nothing has worked yet and I'm out of ideas/things to Google.

The FreeBSD machine is running FBSD 8.0-RELEASE-p1 and has BIND, ISC-DHCP, PF and PPP installed and running fine. I am positive it's not PF as it hasn't changed, but to be sure I have disabled it with

I am using these two computers to try to fix this:
blackhole - 192.168.3.101 (FBSD server)
hackedpackard - 192.168.3.84 (Arch Linux)


Below are the contents of the various files:

/etc/namedb/named.conf
http://pastebin.org/183802

/etc/namedb/master/gtfo-forward.db
http://pastebin.org/183796

/etc/namedb/master/3.168.192.db
http://pastebin.org/183800

/etc/namedb/master/localhost-forward.db (Standard from installation)
http://pastebin.org/183808

/etc/namedb/master/localhost-reverse.db (Standard from installation)
http://pastebin.org/183807

/var/log/messages
Code:
Apr 27 15:20:36 blackhole named[1402]: starting BIND 9.7.0rc1 -t /var/named -u bind
Apr 27 15:20:36 blackhole named[1402]: built with '--localstatedir=/var' '--disable-linux-caps'
'--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr' '--with-libxml2=/usr/local'
'--without-idn' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info/' '--build=i386-portbld-freebsd8.0' 'build_alias=i386-portbld-freebsd8.0'
'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CXX=c++'
'CXXFLAGS=-O2 -pipe -fno-strict-aliasing'
Apr 27 15:20:36 blackhole named[1402]: command channel listening on 127.0.0.1#953
Apr 27 15:20:36 blackhole named[1402]: the working directory is not writable
I can ping external IPs and hostnames without a problem:
Code:
blackhole# ping google.com
PING google.com (66.102.11.104): 56 data bytes
64 bytes from 66.102.11.104: icmp_seq=0 ttl=58 time=65.855 ms
Code:
blackhole# ping 66.102.11.104
PING 66.102.11.104 (66.102.11.104): 56 data bytes
64 bytes from 66.102.11.104: icmp_seq=0 ttl=58 time=16.766 ms
And I can dig external hostnames and IPs:
Code:
blackhole# dig google.com

; <<>> DiG 9.7.0rc1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27263
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             116     IN      A       66.102.11.104

;; AUTHORITY SECTION:
google.com.             86021   IN      NS      ns4.google.com.
google.com.             86021   IN      NS      ns3.google.com.
google.com.             86021   IN      NS      ns2.google.com.
google.com.             86021   IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         84784   IN      A       216.239.32.10
ns2.google.com.         84800   IN      A       216.239.34.10
ns3.google.com.         84801   IN      A       216.239.36.10
ns4.google.com.         84801   IN      A       216.239.38.10

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:35:01 2010
;; MSG SIZE  rcvd: 180
Code:
blackhole# dig -x 66.102.11.104

; <<>> DiG 9.7.0rc1 <<>> -x 66.102.11.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6099
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;104.11.102.66.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
104.11.102.66.in-addr.arpa. 84725 IN    PTR     syd01s01-in-f104.1e100.net.

;; AUTHORITY SECTION:
11.102.66.in-addr.arpa. 84725   IN      NS      ns2.google.com.
11.102.66.in-addr.arpa. 84725   IN      NS      ns3.google.com.
11.102.66.in-addr.arpa. 84725   IN      NS      ns1.google.com.
11.102.66.in-addr.arpa. 84725   IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         84701   IN      A       216.239.32.10
ns2.google.com.         84717   IN      A       216.239.34.10
ns3.google.com.         84718   IN      A       216.239.36.10
ns4.google.com.         84718   IN      A       216.239.38.10

;; Query time: 56 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:36:24 2010
;; MSG SIZE  rcvd: 230

But for internal IPs and hostnames, I can only ping IPs:
Code:
blackhole# ping 192.168.3.84
PING 192.168.3.84 (192.168.3.84): 56 data bytes
64 bytes from 192.168.3.84: icmp_seq=0 ttl=64 time=0.444 ms
Code:
blackhole# ping hackedpackard
ping: cannot resolve hackedpackard: Host name lookup failure
Code:
blackhole# ping hackedpackard.gtfo.local
ping: cannot resolve hackedpackard.gtfo.local: Host name lookup failure
And I can't dig local hostnames but I can dig IPs:
Code:
blackhole# dig hackedpackard

; <<>> DiG 9.7.0rc1 <<>> hackedpackard
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7569
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.                 IN      A

;; AUTHORITY SECTION:
.                       1147    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010042601 1800 900 604800 86400

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:37:06 2010
;; MSG SIZE  rcvd: 106
Code:
blackhole# dig hackedpackard.gtfo.local

; <<>> DiG 9.7.0rc1 <<>> hackedpackard.gtfo.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.gtfo.local.      IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:38:30 2010
;; MSG SIZE  rcvd: 42
Code:
blackhole# dig -x 192.168.3.84

; <<>> DiG 9.7.0rc1 <<>> -x 192.168.3.84
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33161
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;84.3.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
84.3.168.192.in-addr.arpa. 3600 IN      PTR     hackedpackard.gtfo.local.

;; AUTHORITY SECTION:
3.168.192.in-addr.arpa. 3600    IN      NS      blackhole.gtfo.local.

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:37:48 2010
;; MSG SIZE  rcvd: 105

hackedpackard:
Code:
[thom@hackedpackard ~]$ cat /etc/resolv.conf
domain gtfo.local
nameserver 192.168.3.101
Code:
[thom@hackedpackard ~]$ cat /etc/hosts
127.0.0.1               hackedpackard.gtfo.local hackedpackard localhost
192.168.3.84            hackedpackard.gtfo.local hackedpackard
blackhole:
Code:
blackhole# cat /etc/resolv.conf
domain gtfo.local
nameserver 127.0.0.1
nameserver 192.168.3.101
Code:
blackhole# cat /etc/hosts
::1                     localhost localhost.gtfo.local
127.0.0.1               localhost localhost.gtfo.local
192.168.3.101           blackhole.gtfo.local blackhole

I'm out of other ideas at the moment, so if you guys have anything please let me know.

Cheers.

Last edited by v0idE; April 27th, 2010 at 05:45. Reason: formatting
#2  April 27th, 2010, 07:48
SirDice (Moderator, Rotterdam, Netherlands)

Try dig hackedpackard.gtfo.local @192.168.3.101
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#3  April 27th, 2010, 14:14
DutchDaemon (Administrator, Rotterdam, the Netherlands)

Currently, your nameserver does not see itself as the authoritative nameserver for the gtfo.local domain (the aa flag is missing in the dig output). Use something like dig @192.168.3.101 $somehost +aaonly +norecurse

Also see other nice troubleshooting flags like +trace in dig(1). Use tcpdump on the DNS server's Internet interface to see whether 'local' queries are inadvertently forwarded to external nameservers.
__________________
FreeBSD Forums: Information for New Members | FreeBSD Forums Rules
FreeBSD Resources: The FreeBSD Handbook | Manuals | FAQ | Wiki
Before you post: How to ask questions the smart way
If you must know .. So, what does an Administrator/Moderator do?
---> Do not PM me with FreeBSD questions. I do not work here. <---
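The tcpdump check suggested above looks for queries for the local domain leaving the Internet interface. The following is an added example, not code from the thread or from BIND, showing what that check decides on at the wire level: it decodes the DNS header and question section of a UDP payload (RFC 1035 format, including compression pointers) and reports any query whose name falls under one of the local zones. The zone names gtfo.local and 3.168.192.in-addr.arpa are taken from the thread; the packets are constructed here with build_query(), and the function and variable names are this example's own. On a real capture you would feed it the bytes after the UDP header.

```python
"""Spot local-zone DNS queries in raw DNS messages (added example, not from the thread)."""
import struct

# Zones the server in this thread is supposed to be authoritative for.
LOCAL_ZONES = ("gtfo.local", "3.168.192.in-addr.arpa")


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. b'\\x04gtfo\\x05local\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (rd=1) for name/qtype, class IN. Constructed test traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode labels at offset, following compression pointers (RFC 1035 4.1.4).

    Returns (name, offset of the first byte after the name in the original stream).
    """
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg):
    """Return the header fields that matter for triage plus the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qname": qname, "qtype": qtype, "qclass": qclass}


def in_zone(name, zones=LOCAL_ZONES):
    """True if name is the zone apex or lies below one of the zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def leaked_local_queries(packets, zones=LOCAL_ZONES):
    """Names of queries (qr=0) for local zones found in packets seen on the outside interface."""
    leaks = []
    for pkt in packets:
        m = parse_message(pkt)
        if not m["qr"] and in_zone(m["qname"], zones):
            leaks.append(m["qname"])
    return leaks


# Constructed traffic: two local-zone queries that should never leave the box,
# next to a legitimate upstream query.
SAMPLE_PACKETS = [
    build_query("hackedpackard.gtfo.local"),
    build_query("google.com"),
    build_query("84.3.168.192.in-addr.arpa", qtype=12),   # PTR
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(parse_message(pkt))
    print("leaked local queries:", leaked_local_queries(SAMPLE_PACKETS))
```

Any name this reports on the Internet-facing interface means the server treated the question as something to recurse or forward instead of answering from its own zone, which is the condition the dig `aa` check in this thread is probing from the other side. Because parse_message also exposes `aa` and `rcode`, the same function can be pointed at captured responses.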
#4  April 28th, 2010, 15:22
v0idE (Junior Member)

Thanks for the replies.

Quote (Originally Posted by SirDice):
Try dig hackedpackard.gtfo.local @192.168.3.101
Here is the output:
Code:
blackhole# dig hackedpackard.gtfo.local @192.168.3.101

; <<>> DiG 9.7.0rc1 <<>> hackedpackard.gtfo.local @192.168.3.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.gtfo.local.      IN      A

;; Query time: 3 msec
;; SERVER: 192.168.3.101#53(192.168.3.101)
;; WHEN: Thu Apr 29 01:06:52 2010
;; MSG SIZE  rcvd: 42
Quote (Originally Posted by DutchDaemon):
Currently, your nameserver does not see itself as the authoritative nameserver for the gtfo.local domain (the aa flag is missing in the dig output). Use something like dig @192.168.3.101 $somehost +aaonly +norecurse

Also see other nice troubleshooting flags like +trace in dig(1). Use tcpdump on the DNS server's Internet interface to see whether 'local' queries are inadvertently forwarded to external nameservers.
Would it not see itself as the authoritative nameserver because I am forwarding to my ISPs nameservers in named.conf?
I will try your suggestion of tcpdump and post back with the results.
#5  April 28th, 2010, 15:37
DutchDaemon (Administrator, Rotterdam, the Netherlands)

Quote:
Would it not see itself as the authoritative nameserver because I am forwarding to my ISPs nameservers in named.conf?
It should. We want to know if it does. These queries should not leave your server, and they should be answered authoritatively (aa).
#6  April 28th, 2010, 15:40
DutchDaemon (Administrator, Rotterdam, the Netherlands)

Quote:
Code:
blackhole# dig hackedpackard.gtfo.local @192.168.3.101

; <<>> DiG 9.7.0rc1 <<>> hackedpackard.gtfo.local @192.168.3.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
Not good. You should see
Code:
flags: qr aa rd;
on that query. If 192.168.3.101 is the authoritative nameserver for gtfo.local, it must reply with 'aa'.
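Posts #3 and #6 both come down to reading three things in the dig output: the status, whether the `aa` flag is present, and what is in the AUTHORITY section. The following is an added example, not code from the thread, that parses those fields out of dig text and classifies each response the way the replies above do by hand. The sample outputs are constructed excerpts modelled on the ones posted in this thread; the zone names are the thread's, and the verdict labels and function names are this example's own.

```python
"""Triage dig(1) output for zones the queried server should be authoritative for.

Added example, not from the thread. Classifies a dig response as an authoritative
answer, a recursive answer, a SERVFAIL for a local zone, or an NXDOMAIN that came
from the root.
"""
import re

# Zones 192.168.3.101 is supposed to serve, taken from the thread.
LOCAL_ZONES = ("gtfo.local", "3.168.192.in-addr.arpa")

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*);")
SECTION_RE = re.compile(r";; (?P<name>[A-Z]+) SECTION:")


def parse_dig(text):
    """Return the status, the set of header flags, and the records of each section."""
    status = STATUS_RE.search(text).group("status")
    flags = set(FLAGS_RE.search(text).group("flags").split())
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current and line.strip() and not line.startswith(";;"):
            # dig prints the QUESTION record with a single leading ';'.
            sections[current].append(line.lstrip(";").split())
    return {"status": status, "flags": flags, "sections": sections}


def in_zone(name, zones=LOCAL_ZONES):
    """True if name is the zone apex or lies below one of the zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def triage(text, zones=LOCAL_ZONES):
    """Summarise one dig output: who answered, and whether that is what we expect."""
    p = parse_dig(text)
    status, flags, sections = p["status"], p["flags"], p["sections"]
    qname = sections["QUESTION"][0][0]
    local = in_zone(qname, zones)
    authority = sections.get("AUTHORITY", [])
    if status == "SERVFAIL":
        # For a zone this server should hold, SERVFAIL usually means the zone never loaded.
        verdict = "ZONE_SERVFAIL" if local else "SERVFAIL"
    elif status == "NXDOMAIN":
        # An SOA owned by "." in AUTHORITY means the root denied the name, not our zone.
        soa_owner = next((r[0] for r in authority if "SOA" in r), None)
        verdict = "ROOT_NXDOMAIN" if soa_owner == "." else "NXDOMAIN"
    elif local:
        verdict = "AUTHORITATIVE_OK" if "aa" in flags else "NOT_AUTHORITATIVE"
    else:
        verdict = "RECURSIVE_OK"
    return {"qname": qname, "status": status, "aa": "aa" in flags, "verdict": verdict}


# Constructed excerpts modelled on the outputs posted in this thread.
SAMPLES = {
    "hackedpackard.gtfo.local": """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.gtfo.local.      IN      A
""",
    "hackedpackard": """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7569
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.                 IN      A

;; AUTHORITY SECTION:
.                       1147    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010042601 1800 900 604800 86400
""",
    "84.3.168.192.in-addr.arpa": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33161
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;84.3.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
84.3.168.192.in-addr.arpa. 3600 IN      PTR     hackedpackard.gtfo.local.
""",
    "google.com": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27263
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             116     IN      A       66.102.11.104
""",
}


def diagnose_all(samples=SAMPLES):
    """Map each query name to its verdict."""
    return {name: triage(text)["verdict"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in diagnose_all().items():
        print(f"{name:30} {verdict}")
```

Two readings of the verdicts are worth spelling out. `ROOT_NXDOMAIN` for the bare name `hackedpackard` is not the fault in itself: dig does not apply the `domain`/`search` list from resolv.conf unless given `+search`, so the unqualified query went to the root and was denied there. The real signal is `ZONE_SERVFAIL` on the fully qualified name while the reverse zone answers with `aa`: the forward zone is not being served, and with BIND that most often means the zone failed to load, which `named-checkzone gtfo.local /etc/namedb/master/gtfo-forward.db` and the named entries in /var/log/messages at startup would show.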
#7  April 28th, 2010, 15:46
DutchDaemon (Administrator, Rotterdam, the Netherlands)

Note: I appear to be missing any active 'allow-query' statement in your named.conf. Try for example:
Code:
zone "gtfo.local" {
        type master;
        file "master/gtfo-forward.db";
        allow-query { any; };
};