  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3397

Client DNS requests filling up error log

I have been seeing many of these types of errors in server1.mydomain.com /var/log/messages:
client 192.168.1.103#33475: query 'jbstech.com.au.mydomain.com/IN' denied
client 192.168.1.103#45207: query (cache) denied
192.168.1.103 corresponds to server1's IP address on my LAN, and I never use it to run client applications.
Subnet 1 on my network is NAT'd behind a PIX firewall, but subnet 2 is not (both subnets use 192.168. series addresses).  It's possible that this problem started after I implemented IP forwarding between the 2 NICs on server2 (one for each subnet), but I'm not sure.  What could be causing this?
Asked by: sara_bellum
1 Solution
 
tkfast commented:
In your BIND config, what IP range do you have set as allowed to run queries? In your /etc/bind/named.conf, do you have any acl setting that contains the range of IPs that can run queries? I know you said you have 192.168.x.x, but do you have an acl that only allows 192.168.1.x? Also, do you allow your DNS server to do recursion? If so, do you allow everyone, or do you have that acl only allowing it?

I know this is crazy to ask, but do you only have one gateway set in your network config?

Also, what distro are you running? That might allow me to give you more exact locations of the config files.
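tkfast's questions come down to the address-match lists in named.conf: allow-query, allow-recursion (or allow-query-cache) and, for dynamic updates, allow-update and allow-update-forwarding. BIND's "denied" log line names the operation, so it tells you which list refused the client. As an added example, not code from the thread, the Python below parses denied lines in the formats quoted on this page, maps each to the option that produced it, and checks the refused client against the ACL the operator believes is in force, using BIND's first-match and "!"-negation semantics. The log lines, the LAN_ACL and the regex describing the log shape are constructed for the example. One detail worth seeing in the first quoted line: a name like jbstech.com.au.mydomain.com is a resolver appending its search domain to an external name before trying it bare, so queries of that shape hitting the authoritative zone are expected client behaviour, not a sign of anything hostile.

```python
import ipaddress
import re
from collections import Counter

# Shape of BIND's "denied" messages as quoted in this thread. The regex is an
# assumption about the format; it covers the lines on the page and the variant
# that also quotes the name after "(cache)".
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?P<op>query|update forwarding|update)"
    r"(?P<cache> \(cache\))?"
    r"(?: '(?P<name>[^']+)')? denied$"
)

# Which named.conf option produced each refusal.
MEANING = {
    ("query", True): "recursion refused: client not in allow-recursion/allow-query-cache",
    ("query", False): "zone query refused: client not in allow-query for that zone",
    ("update forwarding", False): "dynamic update hit a secondary with no allow-update-forwarding",
    ("update", False): "dynamic update refused by the primary's allow-update/update-policy",
}

# Constructed sample lines modelled on the messages quoted in the thread
# (the last line is dhcpd noise the parser must ignore).
SAMPLE_LOG = """\
Oct 14 14:58:59 server1 named[2381]: client 192.168.1.103#33475: query 'jbstech.com.au.mydomain.com/IN' denied
Oct 14 14:58:59 server1 named[2381]: client 192.168.1.103#45207: query (cache) denied
Oct 14 14:59:03 server2 named[11532]: client 192.168.2.2#33273: update forwarding 'mydomain.com/IN' denied
Oct 14 14:59:07 server2 named[11532]: client 203.0.113.9#5353: query (cache) 'www.yahoo.com/A/IN' denied
Oct 14 15:09:21 server2 dhcpd: DHCPINFORM from 192.168.2.20 via eth1
"""

# Assumed LAN ACL: both 192.168 subnets the question mentions, with one negated
# host included only to exercise BIND's first-match semantics.
LAN_ACL = ["!192.168.1.250", "192.168.1.0/24", "192.168.2.0/24"]


def in_acl(ip, acl):
    """BIND ACL semantics: elements are tried in order, the first match decides,
    a leading '!' negates that element, and no match at all means deny."""
    addr = ipaddress.ip_address(ip)
    for elem in acl:
        negate = elem.startswith("!")
        elem = elem.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False


def parse_denials(log_text):
    """Yield one record per BIND 'denied' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        key = (m["op"], m["cache"] is not None)
        yield {
            "ip": m["ip"],
            "port": int(m["port"]),
            "name": m["name"],
            "op": m["op"],
            "meaning": MEANING.get(key, "unknown refusal"),
        }


def analyse(log_text, acl):
    """Tag each refusal with whether the client sits inside the intended ACL.
    Refused-but-inside means the ACL is not applied where you think (wrong
    option, view or zone); refused-and-outside is working as intended and is
    the population to watch for probing."""
    records = list(parse_denials(log_text))
    for r in records:
        r["in_acl"] = in_acl(r["ip"], acl)
    return records


def summarize(records):
    """Count refusals by (meaning, inside/outside ACL) for quick triage."""
    return Counter((r["meaning"], "inside-acl" if r["in_acl"] else "outside-acl")
                   for r in records)


if __name__ == "__main__":
    recs = analyse(SAMPLE_LOG, LAN_ACL)
    for r in recs:
        print(f"{r['ip']:>15}  {'LAN' if r['in_acl'] else 'EXT'}  {r['meaning']}")
    for (meaning, where), n in summarize(recs).items():
        print(f"{n} x {where}: {meaning}")
```

Run it against a real /var/log/messages by reading the file into analyse() with your own acl list; any "inside-acl" row points at a named.conf list that does not contain what you think it contains.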
 
sara_bellum (Author) commented:
Thanks for writing, I'm still lost.  The acl in /etc/named.conf accepts queries from both subnets: 192.168.x.0 and 192.168.x.128.  My dhcp range is only about 10 IPs, but I didn't know how to limit the acl to a specific range within a subnet, and right now that's the least of my problems.
I got rid of the DNS errors on server1, which may have come up because I set the IP address of server2's DHCP server to NIC1's IP address where it should have been NIC2 (not sure about this, but the errors are gone).  The errors that remain when a DHCP client tries to connect to server1 (via IP forwarding) through NIC2 on server2:
Oct 14 14:59:03 server2 named[11532]: client 192.168.x.2(server2)#33273: update forwarding 'mydomain.com/IN' denied
Oct 14 14:59:03 server2 dhcpd: Unable to add forward map from host.mydomain.com to 192.168.x.client: timed out
The DHCP client can't update its record in the zone file, as I read it, and the effect of the error is to limit DNS resolution to www.mydomain.com.  External URLs such as www.yahoo.com fail with this error on the DHCP client: pinging www.yahoo.com.the.rest [1.2.3.4] with 32 bytes of data
Request timed out.
There's nothing in the logfiles on server1 right now so I don't believe that the dhcp requests are being forwarded to the primary dns server (server1).  Server2's NIC1 is the backup dns server, and the log entries in /var/log/messages on server2 don't help:
Oct 14 15:09:21 server2 dhcpd: DHCPINFORM from 192.168.x.client via eth1
Oct 14 15:09:21 server2 dhcpd: DHCPACK to 192.168.x.client (12:23:56:78:90:00) via eth1
Earlier, dhcp clients could not update the zone file mydomain.com on server1 via journal (.jnl) files for forward and reverse lookup in /var/named/chroot/var/named.  I created the .jnl files, but when that happened, DNS failed to resolve at all, so I deleted them.  Now there are no jnl files at all, but the error doesn't appear because the DNS request stops at server2.  Any ideas?
Thanks in advance...
 
 
tkfast commented:
I'm trying to figure out what you are having problems with: DNS or DHCP? You need to make sure you have recursion, and test it from the DNS server and then from one of your workstations. On Linux you can do a dig or an nslookup; what does it return when you try to resolve www.google.com or www.yahoo.com? This will tell us whether the DNS is replying and where the request is going; you should also see the request on the DNS server when you run the query for www.google.com or whatever. It sounds like you have problems with recursion. Also, just to make sure, what are your subnets on those systems? If you have it right, no problem; I just want to make sure it is not something like a routing problem.

Please let me know more, one thing at a time. Sorry, you have so much for me to help you with; we need to work on one part at a time.
 
sara_bellum (Author) commented:
From server2,
# nslookup www.google.com
Server:         192.168.1.103
Address:        192.168.1.103#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 72.14.253.104
Name:   www.l.google.com
Address: 72.14.253.147
Name:   www.l.google.com
Address: 72.14.253.99
Name:   www.l.google.com
Address: 72.14.253.103

So that looks ok.  But I don't know how to do nslookup from the second NIC on server2, which is on subnet 2 and provides the IP address of my DHCP server.
nslookup is working from the first [default] NIC, i.e., from subnet 1.  Is there a way to specify the source IP of nslookup?  I know this can be done on a router with an extended ping, but I don't know how to do this on a server.
 
tkfast commented:
All you have to do is nslookup - <DNS server name or IP>.  It will always use your default gateway as the NIC to use for the request.

example
nslookup - ns.cox.net

this will use the ns.cox.net name server to do the request that you desire.  

If you need to determine the DNS server that each nic is set to use then you can do a ipconfig /all and you will see this.  

Please let me know if you have any other questions.
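On the source-address question in the post above: nslookup has no option to choose the local address it sends from, but dig does (dig -b <source-address> @<server> <name>), and so does any program that binds its own socket before sending, which is how you test a lookup out of server2's second NIC specifically. As an added example, not code from the thread or from either poster, the Python below builds a DNS query in wire format, sends it from a chosen local address, and decodes the reply including compressed names. sample_response() is a constructed reply in the shape of the nslookup output quoted earlier, so the parser can be exercised offline; the server and source addresses in the commented usage line are assumptions.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the example; use a random one in real use


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=1, txid=TXID):
    """Standard recursive query: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def read_name(data, offset):
    """Decode a name that may use compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = offset + 2                        # resume after the 2-byte pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data, txid=TXID):
    """Return (rcode, [(name, rtype, rdata), ...]); A and CNAME rdata are decoded."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (not our reply, or spoofed)")
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == 5:
            rdata, _ = read_name(data, offset)
        offset += rdlen
        answers.append((name, rtype, rdata))
    return flags & 0xF, answers


def query(server, name, source_ip=None, timeout=3.0):
    """Send from a specific local address, i.e. out of the NIC that owns it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_ip:
            s.bind((source_ip, 0))
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def sample_response():
    """Constructed reply shaped like the nslookup output in the thread (not captured)."""
    question = encode_name("www.google.com") + struct.pack("!HH", 1, 1)
    cname = encode_name("www.l.google.com")
    cname_off = 12 + len(question) + 2 + 10             # where the CNAME rdata will sit
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname
    ans2 = (struct.pack("!H", 0xC000 | cname_off) + struct.pack("!HHIH", 1, 1, 300, 4)
            + socket.inet_aton("72.14.253.104"))
    return struct.pack("!HHHHHH", TXID, 0x8180, 1, 2, 0, 0) + question + ans1 + ans2


if __name__ == "__main__":
    print(parse_response(sample_response()))
    # Live use (assumed addresses): ask server1 from server2's second NIC.
    # print(query("192.168.1.103", "www.google.com", source_ip="192.168.2.1"))
```

With the source bound to the second NIC's address, a timeout or a REFUSED rcode from server1 tells you whether that subnet is actually reaching the server and whether its address is inside server1's allow-query and allow-recursion lists.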
 
sara_bellum (Author) commented:
My comment wasn't posted, so I'll try again, for the record.
When I enable forwarding of DNS requests from NIC2 to NIC1 in /etc/named.conf, DHCP client journal files are created but domain forward and reverse zone files are corrupted: the server reverts to caching only and looks for another SOA (presumably, NIC2 as host).
If I do not enable forwarding of DNS requests from DHCP clients, domain zone files remain intact but client .jnl files cannot be created (permission is denied).  Either way, DHCP clients can't resolve DNS outside my LAN.  
I've done a lot of reading on this and there appears to be no solution.
Maybe I'm the only one with this problem :(
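The thread ends with the dynamic-update problem unsolved, but the two messages quoted earlier each map to a specific setting. "update forwarding 'mydomain.com/IN' denied" is what a secondary logs when a dynamic update arrives for a zone that has no allow-update-forwarding; only the primary (zone with allow-update or update-policy) applies updates. A journal that cannot be created is named lacking write permission in the directory holding the zone file; named creates and maintains the .jnl itself, and a hand-made one is not a valid journal, which is why the zone stops loading once one is present. On RHEL-style layouts /var/named (or its chroot copy) is not writable by the named user, while the dynamic/ subdirectory is. As an added example, not configuration from the thread, the Python below renders a consistent named.conf for the primary and for the secondary plus the matching dhcpd.conf, all sharing one TSIG key, and flags the mistakes behind those errors. Every address, zone name and the key name are assumptions standing in for the poster's, and the secret is generated fresh on each run.

```python
import base64
import os
from dataclasses import dataclass, field


@dataclass
class Topology:
    """Assumed layout: server1 is the primary, server2's first NIC the secondary,
    dhcpd runs on server2. Every value here stands in for the poster's real ones."""
    zone: str = "mydomain.com"
    reverse_zone: str = "2.168.192.in-addr.arpa"
    primary_ip: str = "192.168.1.103"
    secondary_ip: str = "192.168.1.2"
    dhcpd_target: str = "192.168.1.103"          # server dhcpd sends its updates to
    lan_nets: tuple = ("192.168.1.0/24", "192.168.2.0/24")
    key_name: str = "dhcp_update"
    secret: str = field(default_factory=lambda: base64.b64encode(os.urandom(32)).decode())
    dyn_dir: str = "dynamic"                     # subdir of /var/named that named can write


def acl_and_key(t):
    """Shared preamble: the LAN ACL plus the TSIG key both servers must know."""
    nets = " ".join(f"{n};" for n in t.lan_nets)
    return [f'acl "lan" {{ {nets} }};',
            f'key "{t.key_name}" {{ algorithm hmac-sha256; secret "{t.secret}"; }};']


def named_primary(t):
    """Primary: only the DHCP key may update; named writes <zone>.zone.jnl in dyn_dir."""
    out = acl_and_key(t) + [
        'options { directory "/var/named"; recursion yes;',
        '          allow-query { lan; }; allow-recursion { lan; }; };']
    for z in (t.zone, t.reverse_zone):
        out += [f'zone "{z}" {{', '    type master;',
                f'    file "{t.dyn_dir}/{z}.zone";',
                f'    allow-update {{ key "{t.key_name}"; }};',
                f'    allow-transfer {{ {t.secondary_ip}; }};', '};']
    return "\n".join(out) + "\n"


def named_secondary(t):
    """Secondary: without allow-update-forwarding an update aimed here is logged as
    'update forwarding ... denied'; with it, the update is relayed to the primary."""
    out = acl_and_key(t)
    for z in (t.zone, t.reverse_zone):
        out += [f'zone "{z}" {{', '    type slave;', f'    file "slaves/{z}.zone";',
                f'    masters {{ {t.primary_ip}; }};',
                '    allow-update-forwarding { lan; };', '};']
    return "\n".join(out) + "\n"


def dhcpd_conf(t):
    """dhcpd: same key, zone statements aimed at the server that must apply the
    update. 'interim' suits older dhcpd; 4.3 and later prefer 'standard'."""
    out = ['ddns-update-style interim;', 'ddns-updates on;',
           f'key {t.key_name} {{ algorithm hmac-sha256; secret "{t.secret}"; }}']
    for z in (t.zone, t.reverse_zone):
        out.append(f'zone {z}. {{ primary {t.dhcpd_target}; key {t.key_name}; }}')
    return "\n".join(out) + "\n"


def check(t):
    """Flag the configuration mistakes behind the errors quoted in the thread."""
    problems = []
    if t.dhcpd_target == t.secondary_ip:
        problems.append("dhcpd targets the secondary: updates reach the zone only via "
                        "allow-update-forwarding; aim dhcpd at the primary instead")
    elif t.dhcpd_target != t.primary_ip:
        problems.append("dhcpd targets a server that holds no copy of the zone")
    if len(base64.b64decode(t.secret)) < 16:
        problems.append("TSIG secret shorter than 16 bytes")
    if t.dyn_dir in ("", ".", "/"):
        problems.append("dynamic zones in named's top directory: on RHEL-style layouts "
                        "named cannot write there, so .jnl creation fails")
    return problems


if __name__ == "__main__":
    topo = Topology()
    for title, text in (("named.conf on primary", named_primary(topo)),
                        ("named.conf on secondary", named_secondary(topo)),
                        ("dhcpd.conf", dhcpd_conf(topo))):
        print(f"# --- {title} ---\n{text}")
    print("problems:", check(topo) or "none")
```

After applying the rendered fragments, run named-checkconf and watch the log for "update forwarding" and "journal" messages: with dhcpd aimed at the primary and the zone files under a named-writable directory, the journal appears on the first lease and the secondary picks the change up by zone transfer.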
