IP Addy Works Domain Name Not So Much



  • I recently added a new server internal to PFSense (we'll call it mailserv.net) - from another internal machine, here is my conundrum:

    Exhibit 1 -  If I ssh directly to the internal IP address - all is good:

    #> ssh 192.168.1.100 
    me@192.168.1.100's password:
    Last login: Thu Sep 27 22:15:49 2012 from airbook
    [me@mailserv ~]$ 
    

    (all is fine)

    Exhibit 2 - if I perform an nslookup on the domain name, it resolves to 192.168.1.100:

    #> nslookup mailserv.net
    Server:		192.168.1.1
    Address:	192.168.1.1#53
    
    Name:	mailserv.net
    Address: 192.168.1.100
    

    (all is fine)

    Exhibit 3 - if I ssh to the domain name…nothing!

    #> ssh mailserv.net
    ssh: connect to host mailserv.net: Operation timed out
    

    Any thoughts what I may have wrong?  I have been fighting this for about 90 minutes and I am just puzzled.

    A few notes:

    (1) Above, for the nslookup, the server 192.168.1.1 is the PFSense box - thus, it appears the pfsense box is properly responding to the nslookup request.
    (2) If I am external to PFSense the ssh works fine too!  I just cannot access the new server via ssh (or any other protocol for that matter) from within the network.



  • What you get from tcpdump on this new server?



  • As is expected, request to the IP Address show up in TCPDump; however, requests to the domain name do not.

    Thus, I feel the firewall must be blocking; however, I am confused as to why it would be allowing the IP address, responding properly to a nslookup, but denying requests via the domain name.


  • LAYER 8 Global Moderator

    You know if your going to use example names.. Use ones that do not resolve on the public net

    ;; QUESTION SECTION:
    ;mailserv.net.                  IN      A

    ;; ANSWER SECTION:
    mailserv.net.           300     IN      A       64.95.64.218

    No that server does not respond to ssh ;)

    ubuntu:~$ ssh mailserv.net
    ssh: connect to host mailserv.net port 22: Connection timed out

    Not a very good name for a host either.. So for example ubuntu.local.lan for my ubuntu box works just great!

    ;; QUESTION SECTION:
    ;ubuntu.local.lan.              IN      A

    ;; ANSWER SECTION:
    ubuntu.local.lan.      1      IN      A      192.168.1.7

    C:\Windows\system32>ping ubuntu.local.lan
    Pinging ubuntu.local.lan [192.168.1.7] with 32 bytes of data:

    So ping your box via fqdn does it resolve via ping, why would you be trying to resolve actual public domains if the host is local?  Don't you use a local domain name like foo.bar or local.lan or something.localdomain

    Then put a HOST in front of it, mailserv.net is host mailserv on the .net domain..  You are clearly not authoritative for .net ;)  So make it host.mailserv.net would be better..


  • Netgate Administrator

    I'm assuming you've used mailserv.net just as an example in this thread, your real server is named differently?
    However either way it's possible your local machine has cached some other IP address for your server url. nslookup is returning the correct IP since it always asks.

    Steve


  • LAYER 8 Global Moderator

    ^ exactly – it is possible for your machine to have a locally cached record for what your doing that got cached from elsewhere.

    Really need to understand how your resolve, and what what your actually wanting to resolve to make sure your resolving the fqdn your wanting to use correctly.

    a simple ping should show you what the box resolves your fqdn too, which should be the exact same thing your ssh client resolves.

    as mentioned before using actual resolvable stuff as example is bad.  And again I would stress if running your own local zones - I would use something that can never be resolved on the public for your tld, like .local or .lan or .localdomain -- when you use actual tlds that can be resolved public you might be having an issue where its being resolve using public dns vs locally if you don't have something setup correctly on your local nameserver.


Log in to reply