Netgate Discussion Forum
    DNS server - Same LAN but using the WAN address

NAT
    6 Posts 3 Posters 3.4k Views
CrashOverride

      Hi,

I have a problem. If I have a BIND nameserver on local IP 192.168.1.10 and WAN IP xx.yy.zz.xx, and I'm sitting at a computer on the same LAN, let's say the computer has local IP 192.168.1.20, and I try to use:

      dig @xx.yy.zz.xx domain.tld
      

      I will get:

      ; (1 server found)
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached

      But if I use:

      dig @192.168.1.10 domain.tld
      

I will get the proper response with:

      domain.tld.                360    IN      A      xx.yy.zz.xx

It seems something is blocking the request.

If I type xx.yy.zz.xx in a web browser, I get the appropriate webserver, which is on the same LAN as both the BIND nameserver and the requesting computer. So on the web I can do it, but not with a DNS request. What can be wrong?

      /CP

podilarius

        Hello,
So, if you have NAT reflection off, you cannot use the WAN IP address from an internal machine.
If you do have NAT reflection on, then do you have rules to allow TCP and UDP to port 53?

        Podilarius

CrashOverride
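The two dig results in the opening post (an answer when the resolver is queried by its LAN address, a timeout when it is queried by the firewall's WAN address) are exactly the pair a troubleshooter wants to compare before touching NAT reflection or the port-53 rules. The following POSIX shell script is an added example, not code from the thread or from Netgate: it classifies dig output and turns the LAN/WAN pair into a finding. The embedded dig outputs are constructed to mimic the two results posted, 203.0.113.10 is a documentation placeholder standing in for xx.yy.zz.xx, and the function names, the RUN_LIVE switch and the addresses in the live section are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: compare how a resolver answers when
# queried by its LAN address versus the firewall's WAN address, the test
# CrashOverride ran with dig. The dig outputs below are constructed to mimic
# the two results posted; 203.0.113.10 is a documentation placeholder.

# Constructed output for the query sent to the WAN address (hairpin path).
DIG_OUT_WAN=';; global options: +cmd
;; connection timed out; no servers could be reached'

# Constructed output for the query sent to the LAN address (direct path).
DIG_OUT_LAN=';; ANSWER SECTION:
domain.tld.                360    IN      A      203.0.113.10'

# classify_dig_output: read dig output on stdin and print one word.
#   timeout  - no server could be reached: the packet was dropped or never
#              translated back in (firewall rule or NAT reflection problem)
#   answered - the server replied with records
#   empty    - the server replied but returned no records (e.g. NXDOMAIN)
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout ;;
        *"ANSWER SECTION"*)       echo answered ;;
        *)                        echo empty ;;
    esac
}

# diagnose LAN_RESULT WAN_RESULT: turn the pair of classifications into a
# finding. "answered" via LAN but "timeout" via WAN is the signature of a
# hairpin (NAT reflection) failure: the resolver itself is healthy.
diagnose() {
    lan=$1; wan=$2
    if [ "$lan" = answered ] && [ "$wan" = answered ]; then
        echo ok
    elif [ "$lan" = answered ] && [ "$wan" = timeout ]; then
        echo hairpin-failure
    elif [ "$lan" = timeout ]; then
        echo resolver-unreachable
    else
        echo inconclusive
    fi
}

# probe_resolver SERVER NAME [dig-option]: run a real query with a short
# timeout and classify it. Only used when RUN_LIVE=1 so the script also runs
# offline. Pass +tcp as the third argument to test the TCP port-53 path that
# podilarius mentions alongside UDP.
probe_resolver() {
    dig "@$1" "$2" $3 +time=2 +tries=1 2>&1 | classify_dig_output
}

# Offline walk-through on the constructed outputs.
lan_result=$(printf '%s\n' "$DIG_OUT_LAN" | classify_dig_output)
wan_result=$(printf '%s\n' "$DIG_OUT_WAN" | classify_dig_output)
echo "LAN: $lan_result  WAN: $wan_result  finding: $(diagnose "$lan_result" "$wan_result")"

# Live check against real addresses (hypothetical values; adjust to your LAN).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    for opt in "" "+tcp"; do
        l=$(probe_resolver 192.168.1.10 domain.tld "$opt")
        w=$(probe_resolver 203.0.113.10 domain.tld "$opt")
        echo "${opt:-udp}: LAN $l, WAN $w -> $(diagnose "$l" "$w")"
    done
fi
```

Run it as-is for the offline walk-through, or with RUN_LIVE=1 to query your own resolver over both UDP and TCP; a hairpin-failure finding on one transport but not the other points at the pass rules for port 53 rather than at NAT reflection as a whole.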

"Disable NAT Reflection" is not ticked, so I will say it's on.

Since if I go to xx.yy.zz.xx, which is my public IP, I am coming to the correct internal webserver as I want.

As for rules, I actually right now have a rule saying:

Proto  Source  Port  Destination  Port  Gateway
*      *       *     *            *     *

If I try from outside, for example from my home address, I can't ask the server without any problems.

CrashOverride

No solution for this issue?

cmb

              @CrashOverride:

No solution for this issue?

NAT reflection is the solution, or ideally don't query it internally by its public IP; routing traffic back in like that is ugly. It's possible that if you have the local DNS forwarder enabled on the firewall it will interfere, though I'm not 100% sure offhand on that; if you have it enabled, try disabling it.

CrashOverride

                @cmb:

                @CrashOverride:

No solution for this issue?

NAT reflection is the solution, or ideally don't query it internally by its public IP; routing traffic back in like that is ugly. It's possible that if you have the local DNS forwarder enabled on the firewall it will interfere, though I'm not 100% sure offhand on that; if you have it enabled, try disabling it.

1. Now: DNS Forwarder is disabled and "Disable NAT Reflection" is not ticked.

Then I can access my local webserver by using the external address, but I can't access the local DNS server by using the external address.

2. If I have: DNS Forwarder is disabled and "Disable NAT Reflection" is ticked.

I can't access anything on their external address.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.