PFSense + Kloxo, setting up name-servers.
-
How do I go about forwarding necessary traffic for my name server from an external IP address to an internal IP?
Scenario:
Comcast business class with 5 static IPs.
Comcast --> PFSense (50.xx.xx.53) --> LAN/DMZ
I already have my Nameserver registered via my registrar, and mapped as such:
NS1.XXXX.COM --> 50.xx.xx.51
NS2.XXXX.COM --> 50.xx.xx.52
I have my two virtual IPs set up as Proxy ARP in PFSense, but am lost after that.
Help!!
-
Add a port forward (Firewall: NAT: Port Forward):
WAN TCP/UDP * * 50.xx.xx.51 53 first.internal.address 53
WAN TCP/UDP * * 50.xx.xx.52 53 second.internal.address 53
Let these port forward rules add the firewall rules.
-
Add a port forward (Firewall: NAT: Port Forward):
WAN TCP/UDP * * 50.xx.xx.51 53 first.internal.address 53
WAN TCP/UDP * * 50.xx.xx.52 53 second.internal.address 53
Let these port forward rules add the firewall rules.
I put these rules in, and reset all states…
Nothing. External resolution is not working.
http://www.intodns.com/technoriot.com
-
There is something else, because I can use 50-73-183-52-pennsylvania.hfc.comcastbusiness.net as the lookup server in nslookup, but I can't make any queries.
-
What could it be? I'm lost :'(
-
Can anyone shed some light on setting up an internal DNS server on a CentOS machine behind pfSense for external resolution?
I want all incoming dns queries to be handled by a name server behind the firewall.
-
Have you configured the server to accept such requests?
Does the server log any DNS requests?
-
It is a Kloxo install with iptables turned off at the moment.
pfSense is preventing it from being accessed somehow.
-
If you have created the port forward rules I gave you earlier, then pfSense isn't blocking those.
-
Could it be my virtual IP mapping? What would be the proper settings for my virtual IP addresses?
-
I highly doubt that, because I can connect to your DNS/BIND server, but can't make any queries.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\*sanitized*>nslookup
Default Server: v*sanitized*m
Address: 192.168.0.25

> www.google.com
Server: v*sanitized*m
Address: 192.168.0.25

Non-authoritative answer:
Name: www.l.google.com
Addresses: 209.85.148.104
           209.85.148.105
           209.85.148.106
           209.85.148.147
           209.85.148.99
           209.85.148.103
Aliases: www.google.com

> lserver 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> www.google.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.39.147
           74.125.39.105
           74.125.39.104
           74.125.39.103
           74.125.39.99
           74.125.39.106
Aliases: www.google.com

> lserver ns1.technoriot.com
Default Server: ns1.technoriot.com
Address: 50.73.183.51

> www.google.com
Server: ns1.technoriot.com
Address: 50.73.183.51

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to ns1.technoriot.com timed-out
>
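The nslookup session above shows the server reachable but silent. The checker below is an added example written for this thread (not code from any poster, from Kloxo or from pfSense); it sends a SOA query for the zone over UDP and over TCP separately, which tells a missing UDP/53 forward apart from a name server that is not listening on the forwarded address or not authoritative for the zone. The server address and zone name passed to it are assumed placeholders.

```python
import socket
import struct
def build_query(name, qtype=6, txid=0x1234):
    """Minimal query: one IN question (6 = SOA), RD=0 since an authoritative
    server answers its own zone without recursion."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Decode the 12-byte DNS header fields needed for this diagnosis."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "authoritative": bool(flags & 0x0400), "answers": an, "authority": ns}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before full reply")
        buf += chunk
    return buf

def query(server, name, tcp=False, timeout=2.0):
    """One SOA query over UDP or TCP; None if no reply in time (nslookup's timeout)."""
    pkt = build_query(name)
    try:
        if tcp:  # DNS over TCP prefixes every message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(pkt)) + pkt)
                data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (server, 53))
                data, _ = s.recvfrom(512)
    except OSError:  # timeout, connection refused, reset
        return None
    return parse_header(data)

def verdict(udp, tcp):
    """Map the two results to the next thing to check (pure, so it is testable)."""
    missing = [t for t, r in (("UDP", udp), ("TCP", tcp)) if r is None]
    if missing:
        return "no reply on %s: check the NAT rule, firewall rule and listen-on" % "/".join(missing)
    if not udp["authoritative"] or udp["rcode"] != 0:
        return "reply but not authoritative: check the zone and allow-query settings"
    return "ok: authoritative SOA reply on both transports"
```

Run it from a host outside the firewall, for example `verdict(query("50.xx.xx.51", "example.com"), query("50.xx.xx.51", "example.com", tcp=True))`, since a LAN host hitting the public virtual IP exercises NAT reflection rather than the WAN rule.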
-
It is a Kloxo install with iptables turned off at the moment.
Disabling iptables may not be sufficient; the name server software itself might need to be configured to respond to DNS requests from public IP addresses. (Some SSH server packages need to be configured to specify the IP addresses from which the server is allowed to accept connections.)
pfSense is preventing it from being accessed somehow.
That might be true. Can you provide evidence? For example, does the pfSense firewall log report blocked DNS requests on the appropriate interface?
-
http://network-tools.com/default.asp?prog=express&host=ns1.technoriot.com
When doing a traceroute, it times out after hop 14…
Also, my server does not return any records...
How can I fix this?
-
These failures are "easy" to fix:
- Missing MX record: add an MX record pointing to your mail server's public IP
- Missing SOA: add a Start Of Authority (SOA) serial number, which must be increased on every update
But all of these seem to be DNS server problems, and that doesn't mean that pfSense is the only guilty one.
-
I think I might have fixed it…
For some reason, if you check "Non-cached DNS" on that site, it'll show my SOA record.
Weird.