Solved

DNS relay

Posted on 2011-10-29
1,059 Views
Last Modified: 2012-05-12
Hello experts,
I am a total newbie to DNS management.

I have a dedicated server and I am using it as my DNS for my PC. (Linux server with BIND installed)
Works fine!

My idea would be to use opendns for filtering web.
So a kind of system like:

My PC<----> my DNS server<----->OpenDNS<-----> check if website is ok

Do you think this is possible? Any clue on where to start?


Question by:yarekGmail

37 Comments
LVL 19

Expert Comment

by:xterm
ID: 37049980
What do you mean by "filtering web" - as in blocking objectionable content?

Author Comment

by:yarekGmail
ID: 37050001
yes : that's correct !
LVL 19

Expert Comment

by:xterm
ID: 37050054
Blocking content really doesn't have anything much to do with DNS - in order to do filtering on outbound web requests, you have to access the port 80/tcp stream out of your network. If you can get your user machines configured to use a proxy server, that is probably the cheapest/easiest solution; however, that is easily bypassed/disabled.

The higher-end solution would be to put a network appliance at the outermost point of your network which inspects all your http (and/or https) traffic outbound.

Finally, you have to get your list of "bad sites" from somewhere.  Usually this is a subscription based service, but in the squid/proxy environment, you could statically code in your own rules for objectionable words/titles, etc.

Author Comment

by:yarekGmail
ID: 37050084
Obviously you do not know opendns.com.

I do not need help about how parental control works, just some help about BIND rules or configuration on:
 My PC<----> my DNS server<--*****---->OpenDNS<-----> check if website is ok

especially this <---****----> gateway

regards

LVL 19

Expert Comment

by:xterm
ID: 37050181
I've been doing this for 15 years, and I know opendns.com well, along with many other similar technologies, and this is not how it has been done at the telecom providers I've worked for.

Nevertheless, if you simply want to have your DNS server send all queries to opendns.com, do this in the options section of named.conf:

    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;

Substitute those sample IPs for the IP addresses of opendns' DNS servers.

Author Comment

by:yarekGmail
ID: 37050195
thanks, will check that!
Do I need to change something so I can use my dedicated server instead of my ISP's DNS?
(a kind of authorization so any IP can connect to BIND on my dedicated server?)

Thanks again
LVL 19

Expert Comment

by:xterm
ID: 37050211
I thought you said that your PC was already set up to use your Linux dedicated server for DNS?

Author Comment

by:yarekGmail
ID: 37050221
yes, but I realized it works with 1 server.
I tried with 2 other dedicated servers I have, with no success.
(As you realized, my Linux knowledge is very weak.)

Thanks again for your help.
Regards
LVL 19

Expert Comment

by:xterm
ID: 37050235
Can you please give me a detailed description of what does not work, and I will try to help you fix it.

Author Comment

by:yarekGmail
ID: 37050249
ok:
when I use the server1 DNS configuration instead of my ISP's, it works: I can navigate the web in my Windows browser.

 DNS configuration on my PC
But when I use the other DNS servers, server2 or server3 (I have 2 other dedicated servers), IT DOES NOT WORK: I get an error in my browser.


Author Comment

by:yarekGmail
ID: 37050251
By the way, I can pay you for this; there is no reason for you to help me for free.
Are you ok to handle that project?
LVL 19

Expert Comment

by:xterm
ID: 37050300
Let's fix one at a time, so server2 - that is a Linux machine too right?

Please log in to server2 and type "ps ax | grep named" and tell me what it says.

Thank you for the offer of payment, but let's see if it's an easy fix first.

Author Comment

by:yarekGmail
ID: 37050330
Linux of course.
Here is the output:

ns28315 ~ # ps ax | grep named
 2656 pts/0    D+     0:00 grep --colour=auto named
19801 ?        Ss     0:00 /usr/sbin/named -u named -n 1


It is BIND and it is running (since I host some websites on it)

Regards
LVL 19

Expert Comment

by:xterm
ID: 37050345
Please run the following command on server2:
nslookup www.experts-exchange.com 0.0.0.0


Author Comment

by:yarekGmail
ID: 37050717
ns28315 ~ # nslookup www.experts-exchange.com 0.0.0.0
Server:         0.0.0.0
Address:        0.0.0.0#53

Non-authoritative answer:
www.experts-exchange.com        canonical name = experts-exchange.com.
Name:   experts-exchange.com
Address: 64.156.132.140
LVL 19

Expert Comment

by:xterm
ID: 37051019
Okay, so we know it's listening (and working) on localhost:53.

But we need to see if it's working on the main IP of the box. So please do "netstat -na | grep :53"

If you see something like this:

udp        0      0 0.0.0.0:53              0.0.0.0:*

Then it means that named is listening fine, and perhaps there is a firewall blocking your Windows machine from using it. Please also do:

/sbin/iptables -nL

Author Comment

by:yarekGmail
ID: 37051066
ns28315 ~ # netstat -na | grep :53
tcp        0      0 91.121.93.45:53         0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      
tcp        0   5027 91.121.93.45:80         190.251.178.40:53638    ESTABLISHED
tcp        0      0 91.121.93.45:80         181.40.169.97:53708     FIN_WAIT2  
tcp        0    702 91.121.93.45:80         190.251.178.40:53635    ESTABLISHED
tcp        0    676 91.121.93.45:80         190.251.178.40:53639    ESTABLISHED
tcp        0    681 91.121.93.45:80         190.251.178.40:53636    ESTABLISHED
tcp        0  46464 91.121.93.45:80         190.251.178.40:53629    ESTABLISHED
tcp        0   3548 91.121.93.45:80         190.251.178.40:53637    ESTABLISHED
tcp        0      0 91.121.93.45:80         190.251.178.40:53468    TIME_WAIT  
tcp        0      0 91.121.93.45:80         181.40.169.97:53707     TIME_WAIT  
udp        0      0 91.121.93.45:53         0.0.0.0:*                          
udp        0      0 127.0.0.1:53            0.0.0.0:*              


No, there is no firewall running

ns28315 ~ # /sbin/iptables -Nl
ns28315 ~ #


Maybe what I am trying to do makes no sense.

- Is it possible to use the BIND DNS service from my dedicated server instead of the DNS servers provided by my internet provider to access the internet (I use Windows XP)?

(It seems it can be done, since I put the IP of my server as primary DNS and an IP provided by the hosting company ovh.com as my secondary IP, and that works for server1 but not for server2, nor server3.)

if you need to contact me directly, use yarekc at gmail com

Thanks again for your time



LVL 19

Expert Comment

by:xterm
ID: 37051102
Yes, of course it is possible - you are already doing it with server1. All you have to do is uncheck "obtain DNS servers automatically" in XP, and put in the IP address(es) of your own ones.

I can use your server2 fine to do lookups - are you sure you're putting the IP in correctly in your XP settings?

xterm@dellxps:~$ nslookup www.ibm.com 91.121.93.45
Server:         91.121.93.45
Address:        91.121.93.45#53

Non-authoritative answer:
www.ibm.com     canonical name = www.ibm.com.cs186.net.
Name:   www.ibm.com.cs186.net
Address: 129.42.60.216

Author Comment

by:yarekGmail
ID: 37051283
I have put 91.121.93.45 and 127.0.0.1

(I do not know what to put as second DNS) and I got:

Server not found
Firefox can't find the server at www.ibm.com.

When I put
91.121.93.45 and 8.8.8.8: this works (Google DNS)!

Regards

LVL 19

Expert Comment

by:xterm
ID: 37054240
What about 91.121.93.45 by itself? You don't have to fill in both.

Author Comment

by:yarekGmail
ID: 37054250
I don't understand what you mean. Windows does not accept the same IP for primary and secondary.
LVL 19

Expert Comment

by:xterm
ID: 37054266
No, just leave the secondary empty, put nothing in there.

Author Comment

by:yarekGmail
ID: 37054347
I just filled the 1st with 91.121.93.45 and left the second blank:
I cannot access the internet

regards
LVL 19

Expert Comment

by:xterm
ID: 37054456
xterm@dellxps:~/Downloads$ nslookup www.ibm.com 91.121.93.45
Server:         91.121.93.45
Address:        91.121.93.45#53

** server can't find www.ibm.com.lsn.net: REFUSED

Did you change something on server2? Yesterday when I did this lookup off it, it worked fine. Today it fails. What is the date of the file /etc/named.conf?

Author Comment

by:yarekGmail
ID: 37055641
I changed it and restored it (and restarted the BIND server): all this was done on Saturday when testing.

ns28315 etc # ls -l resolv.conf
-rw-r--r-- 1 root root 70 jun  1  2009 resolv.conf


And here is the content of resolv.conf:

nameserver 127.0.0.1
nameserver 91.121.93.45
nameserver 213.186.33.99

Regards


Author Comment

by:yarekGmail
ID: 37055646
When I use:
213.251.134.156 (my server1)
BLANK

It works!

Regards
LVL 19

Expert Comment

by:xterm
ID: 37059989
Okay, so what did you change on server2 (91.121.93.45)? It was working on Saturday.

Can you please paste /etc/named.conf (not resolv.conf - that is not relevant for this problem) in here so I can look at it. I suspect you have recursion turned off.

Thanks.


Author Comment

by:yarekGmail
ID: 37061344
there is no /etc/named.conf

But I found /etc/bind/named.conf
Here is its content:

named.conf.txt
LVL 21

Expert Comment

by:Papertrip
ID: 37061350
The things I would do to your named.conf ...

Author Comment

by:yarekGmail
ID: 37061354
???
LVL 19

Expert Comment

by:xterm
ID: 37061357
Okay, you have recursion blocked, see this line:

allow-recursion {127.0.0.1;};

Recursion means allowing queries to go to the Internet to get answers. Obviously for all your domains on there, that is not necessary, because the zone files are located on the system.

You have two options to make it work.  You can either add your Windows XP machine's IP to the allowed recursion directive on server2 like this:

allow-recursion {127.0.0.1; 10.0.0.1; };

Or you can just comment out that line entirely, and allow it to everybody by replacing it with:

recursion yes;

So, do one or the other, restart named, and then you can go into XP settings and set for DNS servers

  91.121.93.45
  BLANK

And you'll be all good.

Author Comment

by:yarekGmail
ID: 37061374
Ok GREAT!!!
Thanks for your help!
Now, back to the original question: is it possible that 91.121.93.45 uses these 2 servers: 208.67.222.123, 208.67.220.123

so I have: My PC<----> my DNS server (this part is ok now) <----->OpenDNS<-----> check if website is ok



Regards
LVL 19

Accepted Solution

by:
xterm earned 2000 total points
ID: 37061395
Yes, you can forward your queries to 208.67.222.123 and 208.67.220.123 (as I showed you in my first post) but then the domains on there will stop working - you need a DNS server that's not doing other things if you want to use it as a forwarder to an external 3rd party for lookups.


Author Comment

by:yarekGmail
ID: 37061506
Thanks for everything.
I am now trying to use a new server with no domain names, with no luck:
Its IP is 88.190.30.200

When I type in: nslookup www.ibm.com 88.190.30.200 from another server:
ns28315 ~ #  nslookup www.ibm.com 88.190.30.200
Server:         88.190.30.200
Address:        88.190.30.200#53

** server can't find www.ibm.com: REFUSED

So I guess I have no rights to use it from an external source



When I type in:
locate named.conf

/etc/named.conf
/etc/bind/named.conf
/etc/bind/named.conf.default-zones
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/usr/share/man/man5/named.conf.5.gz
/var/named/run-root/etc/named.conf
/var/named/run-root/etc/named.conf.default

which of the conf files should I edit and what should I change there?
 etc-named.conf.txt

 etc-bind.named.conf.txt


Regards
LVL 19

Expert Comment

by:xterm
ID: 37061530
I have to get going, but I'll upload a fixed /etc/named.conf for you tomorrow.

Author Comment

by:yarekGmail
ID: 37061553
great, thanks!
LVL 19

Expert Comment

by:xterm
ID: 37070310
In the options {} section:

Take out the 3 lines of allow-recursion {} and replace them with

    recursion yes;

Then add the following lines just below:

    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;

Replace the IPs above with opendns.com's DNS servers, and restart, and then your queries should go there.
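A worked named.conf options{} fragment for the setup this thread ends with, added here as an illustration: it is not xterm's promised file and not taken from the thread. It keeps recursion limited to the querying PC through an ACL rather than enabling "recursion yes;" for everybody, because a server that recurses for any client on the Internet is an open resolver that gets abused for amplification and cache-poisoning attempts; the address 203.0.113.10 is a placeholder for the public IP the PC queries from, and the forwarders are the OpenDNS addresses quoted in the thread.

```conf
// Added example (not from the thread): options{} for server2 (91.121.93.45).
// Placeholder: 203.0.113.10 stands for the public IP the Windows PC queries from.
acl "trusted" {
    127.0.0.1;          // the server itself (resolv.conf points here)
    203.0.113.10;       // PLACEHOLDER: replace with your PC's public IP
};

options {
    // ... keep the existing directory / listen-on lines of your file here ...

    // Still answer authoritative queries for the hosted zones from anyone.
    allow-query { any; };

    // Recurse (look up names on the Internet) only for trusted clients.
    // "recursion yes;" on its own would make this an open resolver.
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // Send every recursive lookup to OpenDNS (addresses from the thread),
    // which is where the web filtering happens.
    forwarders { 208.67.222.123; 208.67.220.123; };
    forward only;
};
```

Validate the edited file with named-checkconf before restarting named; afterwards a lookup from the PC should succeed, while a recursive lookup from any other host should get REFUSED, which is exactly the answer the nslookup output earlier in the thread shows for a client that is not allowed to recurse.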