PFSense + Kloxo, setting up name-servers.
-
How do I go about forwarding necessary traffic for my name server from an external IP address to an internal IP?
Scenario:
Comcast business class with 5 static IP's.Comcast –> PFSense (50.xx.xx.53) --> LAN/DMZ
I already have my Nameserver registered via my registrar, and mapped as such:
NS1.XXXX.COM --> 50.xx.xx.51
NS2.XXXX.COM --> 50.xx.xx.52I have my two virtual IP's setup as P ARP in PFSense, but am lost after that.
Help!!
-
Add a portforward ( Firewall: NAT: Port Forward )
WAN TCP/UCP * * 50.xx.xx.51 53 first.internal.address 53WAN TCP/UCP * * 50.xx.xx.52 53 second.internal.address 53let these port forwarding rule add firewall rules.
-
Add a portforward ( Firewall: NAT: Port Forward )
WAN TCP/UCP * * 50.xx.xx.51 53 first.internal.address 53WAN TCP/UCP * * 50.xx.xx.52 53 second.internal.address 53let these port forwarding rule add firewall rules.
I put these rules in, and reset all states…
Nothing.External Resolution is not working.
http://www.intodns.com/technoriot.com
-
there is something else, because i can use 50-73-183-52-pennsylvania.hfc.comcastbusiness.net as lookup server in nslookup, but i can't make any queries
-
What could it be? I'm lost :'(
-
Can anyone shed some light into setting up an internal DNS server on a CENT OS machine behind Pfsense for external resolution?
I want all incoming dns queries to be handled by a name server behind the firewall.
-
Have you configured the server to accept such requests?
Does the server log any DNS requests?
-
It is a kloxo install with iptables turned off at the moment.
Pfsense is preventing it from being accessed somehow.
-
if you have created portforward rules, which i gave you earlier, then pfsense isn't blocking those.
-
Could it be my virtual ip mapping? What would be the proper settings for my virtual up addresses?
-
I highly doubt that, because i can connect to your dns/bind server, but can't make any queries.
Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\*sanitized*>nslookup Default Server: v*sanitized*m Address: 192.168.0.25 > www.google.com Server: v*sanitized*m Address: 192.168.0.25 Non-authoritative answer: Name: www.l.google.com Addresses: 209.85.148.104 209.85.148.105 209.85.148.106 209.85.148.147 209.85.148.99 209.85.148.103 Aliases: www.google.com > lserver 8.8.8.8 Default Server: google-public-dns-a.google.com Address: 8.8.8.8 > www.google.com Server: google-public-dns-a.google.com Address: 8.8.8.8 Non-authoritative answer: Name: www.l.google.com Addresses: 74.125.39.147 74.125.39.105 74.125.39.104 74.125.39.103 74.125.39.99 74.125.39.106 Aliases: www.google.com > lserver ns1.technoriot.com Default Server: ns1.technoriot.com Address: 50.73.183.51 > www.google.com Server: ns1.technoriot.com Address: 50.73.183.51 DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. *** Request to ns1.technoriot.com timed-out > -
It is a kloxo install with iptables turned off at the moment.
Disabling iptables may not be sufficient; the name server software itself might need to be configured to respond to DNS requests from public IP addresses. (Some SSH server packages need to be configured to specify the IP addresses from which the server is allowed to accept connections.)
Pfsense is preventing it from being accessed somehow.
That might be true. Can you provide evidence? For example, does the pfSense firewall log report blocked DNS requests on the appropriate interface?
-
http://network-tools.com/default.asp?prog=express&host=ns1.technoriot.com
When doing a trace route, it times out after hop 14…
Also, my server does not return any records...
How can I fix this?
-
These failures are "easy" to fix:
- Missing MX-record: add mx-record to your mail-server's public ip
- Missing SOA: add Start Of Authority number, which must increased every update
but all of these seems to be dns-server problems. And that's why doesn't mean that pfsense is only quilty.
-
I think I might have fixed it…
For some reason if you check " Non-cached DNS " on that site, it'll show my SOA record.
Weird.