> this has just started after introducing a new firewall config but i have
> _no_ idea what the difference between a fresh vs cached lookup should be
> from the client side! this is surely a misunderstanding on my part. can
> you see what i'm missing?
>
> what's there:
> openbsd 4.0 dns servers 10.0.0.11 & 12
> openbsd 4.1 firewall
> sis2 internet, 121.73.27.x
> sis1/2 bridged 10.0.0.11 & 12 via crossover
> ath0 wifi 172.16.x.x dhcp for clients
>
> dhcp side:
> the clients (macos, windows, whatever) receive a dhcp address & can
> access services such as email on the 10.x network, and anything on the
> internet via IP address.
>
> but when a name lookup is done from 172. to the 10. dns servers, the
> request goes through to the 10. dns server just fine - which then
> replies with a 'not found' type error. running the same lookup again on
> the 10. dns server directly works. then re-running the same query from
> the client side retrieves the new cached version correctly.
>
> presumably the fw rules are ok as traffic is passing each time. but what
> am i missing?
>
> i've not changed the dns servers since 3.9, but there is a new pfSense
> firewall in between.
>
> pf.conf & named.conf follow the dns trace.
>
> en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> tunnel inet -->
> inet 172.16.0.10 netmask 0xffffff00 broadcast 172.16.0.255
> ether 00:19:e3:0f:1a:6b
> media: autoselect status: active
> supported media: autoselect
> vlan: 0 parent interface: <none>
> bond interfaces: <none>
>
>
> non-cached from client:
> May 17 07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32) (ttl 63, id 17885, len 60)
>
> return to client:
> May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)
>
> non-cached from dns server:
> May 17 07:20:08.675725 10.0.0.2.40578 > 203.96.152.4.53: [udp sum ok] 13112+ [1au] A? www.novell.com. (43) (ttl 64, id 6400, len 71)
>
> reply from dns forwarder:
> May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)
>
> cached from client:
> May 17 07:20:13.695183 172.16.0.10.49320 > 10.0.0.11.53: [udp sum ok] 50027+ A? www.novell.com. (32) (ttl 63, id 17961, len 60)
>
> cached reply from dns server:
> May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)
>
>
> pf.conf
> ===================================================================
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ############################################################
> # macro definitions
> ############################################################
> # interfaces
>
> ext_if = "sis2"
> wii_if = "ath0"
> dmz_if = "{ sis0 sis1 bridge0 }"
> int_if = "{ sis0 sis1 bridge0 ath0 }"
>
> # networks
> ext_nw = "{ 121.73.27.0/24 }"
> wii_nw = "{ 172.16.0.0/24 }"
> dmz_nw = "{ 10.0.0.0/24 }"
> int_nw = "{ 10.0.0.0/24 172.16.0.0/24 }"
>
> # dmz hosts
> dmz_web = "10.0.0.20"
> dmz_mail = "10.0.0.21"
> dmz_ssh = "10.0.0.31"
>
> # port groups
> mail_ports = "{ imap, imaps, smtp }"
> web_ports = "{ http, https }"
> ############################################################
> # tables
> ############################################################
>
> table <spamd-white> persist
> table <internal_net> persist {10.0.0.0/24, 172.16.0.0/24}
>
> ############################################################
> # options
> ############################################################
>
> set skip on lo
> set require-order yes
> set block-policy drop
> set optimization normal
> set loginterface none
> set loginterface ath0
>
> ############################################################
> # normalisation
> ############################################################
>
> scrub in all
> scrub out all
>
> ############################################################
> # translation & redirection
> ############################################################
>
> nat on $ext_if inet proto {icmp, tcp, udp} \
> from !($ext_if) -> ($ext_if:0)
> rdr pass on $ext_if inet proto tcp \
> from any to $ext_nw port $web_ports -> $dmz_web
> rdr pass on $ext_if inet proto tcp \
> from any to $ext_nw port $mail_ports -> $dmz_mail
> rdr pass on $ext_if inet proto tcp \
> from any to $ext_nw port ssh -> $dmz_ssh
>
> ############################################################
> # filtering
> ############################################################
>
> block in all
> block out log all
>
> block quick proto { tcp, udp } from any port = 0 to any
> block quick proto { tcp, udp } from any to any port = 0
>
> # block anything from private networks on WAN interface
> antispoof for $ext_if
> block in log quick on $ext_if from 10.0.0.0/8 to any
> block in log quick on $ext_if from 127.0.0.0/8 to any
> block in log quick on $ext_if from 172.16.0.0/12 to any
> block in log quick on $ext_if from 192.168.0.0/16 to any
>
> # pass all ICMP connections
> pass out inet proto icmp all icmp-type echoreq
>
> # permit wan interface to ping out (ping_hosts.sh)
> pass quick proto icmp from 121.73.27.12 to any
>
> # allow outgoing DNS
> pass out quick proto { tcp, udp } from any to any port 53
>
> # allow access to DHCP server on wii
> pass in quick on $wii_if proto udp \
> from any port = 68 to 255.255.255.255 port = 67
> pass in quick on $wii_if proto udp \
> from any port = 68 to 172.16.0.1 port = 67
> pass out quick on $wii_if proto udp \
> from 172.16.0.1 port = 67 to any port = 68
> block in log quick on $ext_if proto udp \
> from any port = 67 to 10.0.0.0/24 port = 68
>
> # pass all connections originating from the firewall
> pass out quick on $ext_if inet \
> from ($ext_if) to any
> # pass all connections originating from dmz
> pass in quick on $dmz_if \
> from <internal_net> to any
>
> pass quick on $int_if no state
> antispoof for $ext_if
>
> #pass out on $int_if proto tcp to ($int_if) port ssh
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> pass in quick on $wii_if from any to any
> pass in quick on $dmz_if from any to any
>
>
> named.conf
> ====================================================================
> // $OpenBSD: named-simple.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $
> //
> // Example file for a simple named configuration, processing both
> // recursive and authoritative queries using one cache.
>
>
> // Update this list to include only the networks for which you want
> // to execute recursive queries. The default setting allows all hosts
> // on any IPv4 networks for which the system has an interface, and
> // the IPv6 localhost address.
> //
> acl clients {
> localnets;
> ::1;
> };
>
> options {
> version ""; // remove this to allow version queries
>
> listen-on { any; };
> listen-on-v6 { any; };
>
> allow-recursion { clients; };
>
> forwarders {
> 203.96.152.4;
> 203.96.152.12;
> };
> };
>
> logging {
> category lame-servers { null; };
> };
>
> // Standard zones
> //
> zone "." {
> type hint;
> file "standard/root.hint";
> };
>
> zone "localhost" {
> type master;
> file "standard/localhost";
> allow-transfer { localhost; };
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> allow-transfer { localhost; };
> };
>
> zone
> "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
> type master;
> file "standard/loopback6.arpa";
> allow-transfer { localhost; };
> };
>
> zone "com" {
> type delegation-only;
> };
>
> zone "net" {
> type delegation-only;
> };
>
> // muse.net.nz
> zone "muse.net.nz" {
> type master;
> file "master/muse.net.nz";
> };
>
> // 10.0.0 reverse lookups
> zone "0.0.10.in-addr.arpa" {
> type master;
> file "master/10.0.0";
> allow-transfer { localhost; };
> };
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ############################################################
> # macro definitions
> ############################################################
> # interfaces
>
> ext_if = "sis2"
> wii_if = "ath0"
> dmz_if = "{ sis0 sis1 bridge0 }"
> int_if = "{ sis0 sis1 bridge0 ath0 }"
>
> # networks
> ext_nw = "{ 121.73.27.0/24 }"
> wii_nw = "{ 172.16.0.0/24 }"
> dmz_nw = "{ 10.0.0.0/24 }"
> int_nw = "{ 10.0.0.0/24 172.16.0.0/24 }"
>
> # dmz hosts
> dmz_web = "10.0.0.20"
> dmz_mail = "10.0.0.21"
> dmz_ssh = "10.0.0.31"
>
> # port groups
> mail_ports = "{ imap, imaps, smtp }"
> web_ports = "{ http, https }"
> ############################################################
> # tables
> ############################################################
>
> table <spamd-white> persist
> table <internal_net> persist {10.0.0.0/24, 172.16.0.0/24}
>
> ############################################################
> # options
> ############################################################
>
> set skip on lo
> set require-order yes
> set block-policy drop
> set optimization normal
> set loginterface none
> set loginterface ath0
>
> ############################################################
> # normalisation
> ############################################################
>
> scrub in all
> scrub out all
>
> ############################################################
> # translation & redirection
> ############################################################
>
> nat on $ext_if inet proto {icmp, tcp, udp} \
> from !($ext_if) -> ($ext_if:0)
> rdr pass on $ext_if inet proto tcp \
> from any to $ext_nw port $web_ports -> $dmz_web
> rdr pass on $ext_if inet proto tcp \
> from any to $ext_nw port $mail_ports -> $dmz_mail
> rdr pass on $ext_if inet proto tcp \
> from any to $ext_nw port ssh -> $dmz_ssh
>
> ############################################################
> # filtering
> ############################################################
>
> block in all
> block out log all
>
> block quick proto { tcp, udp } from any port = 0 to any
> block quick proto { tcp, udp } from any to any port = 0
>
> # block anything from private networks on WAN interface
> antispoof for $ext_if
> block in log quick on $ext_if from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
> block in log quick on $ext_if from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
> block in log quick on $ext_if from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
> block in log quick on $ext_if from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
>
> # pass all ICMP connections
> pass out inet proto icmp all icmp-type echoreq
>
> # permit wan interface to ping out (ping_hosts.sh)
> pass quick proto icmp from 121.73.27.12 to any
>
> # allow outgoing DNS
> pass out quick proto { tcp, udp } from any to any port 53
>
> # allow access to DHCP server on wii
> pass in quick on $wii_if proto udp from any port = 68 to 255.255.255.255 port = 67
> pass in quick on $wii_if proto udp from any port = 68 to 172.16.0.1 port = 67
> pass out quick on $wii_if proto udp from 172.16.0.1 port = 67 to any port = 68
> block in log quick on $ext_if proto udp from any port = 67 to 10.0.0.0/24 port = 68
>
> # pass all connections originating from the firewall
> pass out quick on $ext_if inet \
> from ($ext_if) to any
> # pass all connections originating from dmz
> pass in quick on $dmz_if \
> from <internal_net> to any
>
> pass quick on $int_if no state
> antispoof for $ext_if
>
> #pass out on $int_if proto tcp to ($int_if) port ssh
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> pass in quick on $wii_if from any to any
> pass in quick on $dmz_if from any to any
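The tcpdump trace quoted in the post already shows what is going on, once the summary format is read carefully: tcpdump prints the query ID followed by flag characters, where `+` on a query means RD (recursion desired) was set and `-` on a response means RA (recursion available) was clear, and the `a/b/c` triple is the answer/authority/additional record counts. So `21247- 0/13/13` is not a "not found" error; it is a referral (zero answers, thirteen root NS records plus their glue) sent with RA clear, which is what BIND returns when the querying address is outside `allow-recursion`. In the named.conf above, `acl clients` is `localnets`, which covers only networks on the DNS server's own interfaces (10.0.0.0/24), not the routed 172.16.0.0/24 wifi clients. The later `50027- 1/3/2` is a non-recursive cache hit: the record is there only because the lookup was run on the server itself, and RA is still clear. The following script, added here and not part of the original post, parses the post's own trace lines and flags exactly this pattern; the parsing regex assumes the classic one-line tcpdump DNS summary shown in the post.

```python
"""Read tcpdump DNS summary lines and spot a server refusing recursion.
Added example for this page, not code from the original post.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Classic tcpdump one-line DNS summary (assumption: format as shown in the post).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:\[udp sum ok\] )?"
    r"(?P<id>\d+)(?P<flags>[-+*|$]*) "      # ID plus flag chars: '+' RD, '-' RA clear
    r"(?:\[1au\] )?"                         # EDNS OPT marker tcpdump adds on queries
    r"(?:(?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp) )?"
    r"(?P<rest>.*)$"
)
COUNTS_RE = re.compile(r"^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")   # answer/authority/additional
QUERY_RE = re.compile(r"^[A-Z0-9]+\? (?P<qname>\S+)")

# The six summary lines quoted in the post, rejoined onto one line each.
TRACE = """\
May 17 07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32) (ttl 63, id 17885, len 60)
May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)
May 17 07:20:08.675725 10.0.0.2.40578 > 203.96.152.4.53: [udp sum ok] 13112+ [1au] A? www.novell.com. (43) (ttl 64, id 6400, len 71)
May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)
May 17 07:20:13.695183 172.16.0.10.49320 > 10.0.0.11.53: [udp sum ok] 50027+ A? www.novell.com. (32) (ttl 63, id 17961, len 60)
May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)
"""


@dataclass
class DnsEvent:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    qid: int
    flags: str
    kind: str                                  # query | answer | referral | error | empty
    qname: Optional[str] = None
    counts: Optional[Tuple[int, int, int]] = None
    rcode: Optional[str] = None

    @property
    def recursion_desired(self) -> bool:
        return "+" in self.flags

    @property
    def recursion_available(self) -> bool:
        return "-" not in self.flags           # tcpdump prints '-' when RA is clear


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one tcpdump summary line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    kind, qname, counts = "empty", None, None
    q, c = QUERY_RE.match(g["rest"]), COUNTS_RE.match(g["rest"])
    if q:
        kind, qname = "query", q["qname"]
    elif c:
        counts = (int(c["an"]), int(c["ns"]), int(c["ar"]))
        if g["rcode"]:
            kind = "error"
        elif counts[0] > 0:
            kind = "answer"
        elif counts[1] > 0:
            kind = "referral"                  # no answers, only authority (NS) records
    return DnsEvent(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                    int(g["id"]), g["flags"], kind, qname, counts, g["rcode"])


def paired(lines) -> Iterator[Tuple[DnsEvent, DnsEvent]]:
    """Yield (query, response) pairs matched on client socket, server address and ID."""
    pending: Dict[Tuple[str, int, str, int], DnsEvent] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "query":
            pending[(ev.src, ev.sport, ev.dst, ev.qid)] = ev
            continue
        query = pending.pop((ev.dst, ev.dport, ev.src, ev.qid), None)
        if query is not None:
            yield query, ev


def find_recursion_refusals(lines) -> List[str]:
    """Client asked for recursion but got a referral with RA clear instead of an answer."""
    return [f"{r.src} refused recursion for {q.src} (query {q.qname}: "
            f"{r.counts[0]}/{r.counts[1]}/{r.counts[2]}, RA clear)"
            for q, r in paired(lines)
            if q.recursion_desired and not r.recursion_available and r.kind == "referral"]


def clients_without_recursion(lines) -> Set[Tuple[str, str]]:
    """(server, client) pairs where RA was clear on any reply, cache hits included."""
    return {(r.src, q.src) for q, r in paired(lines)
            if q.recursion_desired and not r.recursion_available}


if __name__ == "__main__":
    for ev in map(parse_line, TRACE.splitlines()):
        print(f"{ev.ts} {ev.src} -> {ev.dst} id={ev.qid} {ev.kind:8} "
              f"RD={ev.recursion_desired} RA={ev.recursion_available}")
    for finding in find_recursion_refusals(TRACE.splitlines()):
        print("FINDING:", finding)
```

Run against the post's trace it reports one refusal (10.0.0.11 for 172.16.0.10) and lists the same server/client pair as never receiving RA, even on the cached reply. The DNS-side fix is to name the routed client network in the ACL rather than relying on `localnets`, for example `acl clients { localnets; 172.16.0.0/24; ::1; };`, and to keep `allow-recursion` restricted to those networks: widening it to `any` on a server reachable from the internet turns it into an open resolver that can be abused for reflection traffic.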