DNS Forwarding server

Timik

DNS Forwarding server
« on: 30. 04. 2014, 18:32:33 »
Hi all,
I need some advice. I've hit a dead end and for the last few days I've been racking my brain over how to get a DNS server working that I set up in a VM as a forwarder.

I'll try to explain what this is about as precisely and clearly as I can. If you have any objections to anything, please feel free to write them. I'll be glad if I can improve something :)


In VMware I installed 3 guest systems (Test1, Test2 and Test3 servers) running openSuSE. Test1 is supposed to serve as the DNS forwarding server for the local servers test2 and test3. The network in VMware is set up as follows:
Test1: has two network cards. One is "Bridged" so it can talk to the outside world. The other is set to "host-only" so it can talk on the local network with servers test2 and test3.
Test2: has only one network card, "host-only"
Test3: likewise has only one network card, "host-only"

- it should work so that when test2 or test3 send a query they contact test1, which connects to my router, and the router then answers test1. From there the information is just passed back to test2 or test3.



SERVER SETTINGS:

----------------------

TEST1 server:

test1:/etc # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4a:54:89 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.102/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::20c:29ff:fe4a:5489/64 scope link
       valid_lft forever preferred_lft forever
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4a:54:93 brd ff:ff:ff:ff:ff:ff
    inet 192.168.136.131/24 brd 192.168.136.255 scope global eth1
    inet6 fe80::20c:29ff:fe4a:5493/64 scope link
       valid_lft forever preferred_lft forever

test1:/etc # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.136.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1


- I removed the comments. The only thing I changed is that I uncommented the "forwarders" part and added the IP of the router and the Google DNS server.
test1:/etc #less /etc/named.conf
options {
        directory "/var/lib/named";
        managed-keys-directory "/var/lib/named/dyn/";

        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";

        forwarders { 192.168.0.1; 8.8.4.4; };

        # Enable the next entry to prefer usage of the name server declared in
        # the forwarders section.

        forward only;

        #listen-on port 53 { 127.0.0.1; };

        listen-on-v6 { any; };

        #query-source address * port 53;
        #transfer-source * port 53;
        #notify-source * port 53;

        #allow-query { 127.0.0.1; };

        notify no;

    disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

zone "." in {
        type hint;
        file "root.hint";
};

zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "127.0.0.zone";
};


# Include the meta include file generated by createNamedConfInclude.  This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named

include "/etc/named.conf.include";


test1:/etc # service named status
named.service - LSB: Domain Name System (DNS) server, named
          Loaded: loaded (/etc/init.d/named)
          Active: active (running) since Wed, 2014-04-30 00:39:08 CEST; 17h ago
         Process: 50973 ExecStop=/etc/init.d/named stop (code=exited, status=0/SUCCESS)
         Process: 50993 ExecStart=/etc/init.d/named start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/named.service
                  └ 51032 /usr/sbin/named -t /var/lib/named -u named

Apr 30 00:39:08 test1 named[51032]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.a...ial 42
Apr 30 00:39:08 test1 named[51032]: zone localhost/IN: loaded serial 42
Apr 30 00:39:08 test1 named[51032]: all zones loaded
Apr 30 00:39:08 test1 named[50993]: ..done
Apr 30 00:39:08 test1 systemd[1]: Started LSB: Domain Name System (DNS) server, named.
Apr 30 00:39:08 test1 named[51032]: running
Apr 30 10:15:55 test1 named[51032]: listening on IPv4 interface eth0, 192.168.0.102#53
Apr 30 13:15:55 test1 named[51032]: listening on IPv4 interface eth1, 192.168.176.129#53
Apr 30 13:15:55 test1 named[51032]: no longer listening on 192.168.0.100#53
Apr 30 13:15:55 test1 named[51032]: no longer listening on 192.168.10.132#53

test1:/etc # rcSuSEfirewall2 status
SuSEfirewall2.service - SuSEfirewall2 phase 2
          Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
          Active: inactive (dead) since Wed, 2014-04-30 00:07:34 CEST; 17h ago
         Process: 49957 ExecStop=/usr/sbin/SuSEfirewall2 systemd_stop (code=exited, status=0/SUCCESS)
         Process: 14691 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/SuSEfirewall2.service

Apr 29 19:50:22 test1 systemd[1]: Starting SuSEfirewall2 phase 2...
Apr 29 19:50:22 test1 systemd[1]: Started SuSEfirewall2 phase 2.
Apr 29 19:50:22 test1 SuSEfirewall2[14712]: using default zone 'ext' for interface eth1
Apr 29 19:50:22 test1 SuSEfirewall2[14800]: Firewall rules successfully set
Apr 30 00:07:34 test1 SuSEfirewall2[49975]: Firewall rules unloaded.
Apr 30 00:07:34 test1 systemd[1]: Stopped SuSEfirewall2 phase 2.


test1:/etc # cat /etc/resolv.conf | grep -v ^#
search home.com
nameserver 127.0.0.1



-------------------------------
TEST2 server:

test2:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d3:ff:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.136.128/24 brd 192.168.136.255 scope global eth0
    inet6 fe80::20c:29ff:fed3:ff6e/64 scope link
       valid_lft forever preferred_lft forever

test2:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.136.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

test2:~ # cat /etc/resolv.conf | grep -v ^#
search home.com
nameserver 192.168.136.131

test2:~ # rcSuSEfirewall2 status
SuSEfirewall2.service - SuSEfirewall2 phase 2
          Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
          Active: inactive (dead) since Wed, 2014-04-30 00:12:19 CEST; 17h ago
         Process: 33440 ExecStop=/usr/sbin/SuSEfirewall2 systemd_stop (code=exited, status=0/SUCCESS)
         Process: 2437 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/SuSEfirewall2.service

Apr 29 18:09:20 test2 systemd[1]: Starting SuSEfirewall2 phase 2...
Apr 29 18:09:20 test2 systemd[1]: Started SuSEfirewall2 phase 2.
Apr 29 18:09:20 test2 SuSEfirewall2[2443]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Apr 29 18:09:23 test2 SuSEfirewall2[2545]: Firewall rules successfully set
Apr 30 00:12:19 test2 systemd[1]: Stopping SuSEfirewall2 phase 2...
Apr 30 00:12:19 test2 SuSEfirewall2[33458]: Firewall rules unloaded.
Apr 30 00:12:19 test2 systemd[1]: Stopped SuSEfirewall2 phase 2.



TEST3 is configured the same as TEST2.



PROBLEM:

If I try to ping anything on test2 or 3 I get:
test2:~ # ping www.google.com
connect: Network is unreachable

On test1, however, everything works as it should:
test1:/etc # ping -c 3 www.google.com
PING www.google.com (173.194.70.99) 56(84) bytes of data.
64 bytes from fa-in-f99.1e100.net (173.194.70.99): icmp_seq=1 ttl=44 time=20.0 ms
64 bytes from fa-in-f99.1e100.net (173.194.70.99): icmp_seq=2 ttl=44 time=19.9 ms
64 bytes from fa-in-f99.1e100.net (173.194.70.99): icmp_seq=3 ttl=44 time=19.8 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 19.886/19.957/20.067/0.181 ms

Test1 can be pinged from server test2:
test2:~ # ping -c 3 192.168.136.131
PING 192.168.136.131 (192.168.136.131) 56(84) bytes of data.
64 bytes from 192.168.136.131: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 192.168.136.131: icmp_seq=2 ttl=64 time=0.335 ms
64 bytes from 192.168.136.131: icmp_seq=3 ttl=64 time=0.265 ms

--- 192.168.136.131 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.265/0.408/0.626/0.158 ms




Thank you very much for every piece of advice


host only

Re:DNS Forwarding server
« Reply #1 on: 30. 04. 2014, 19:17:45 »
You can't ping because on test2 and test3 you have the network card set to host only, so those servers can't reach the internet, or rather any network other than 192.168.136.0/24. The problem isn't in DNS but in the fact that you haven't sorted out routing for test2 and test3.

Timik

Re:DNS Forwarding server
« Reply #2 on: 30. 04. 2014, 20:36:22 »
Actually you're right. It can be checked very simply, but it didn't occur to me, as follows:
test2:~ # nslookup www.google.sk
Server:         192.168.136.131
Address:        192.168.136.131#53

Non-authoritative answer:
Name:   www.google.sk
Address: 88.212.9.59
Name:   www.google.sk
Address: 88.212.9.35
Name:   www.google.sk
Address: 88.212.9.49
Name:   www.google.sk
Address: 88.212.9.38
Name:   www.google.sk
Address: 88.212.9.16
Name:   www.google.sk
Address: 88.212.9.37
Name:   www.google.sk
Address: 88.212.9.46
Name:   www.google.sk
Address: 88.212.9.57
Name:   www.google.sk
Address: 88.212.9.24
Name:   www.google.sk
Address: 88.212.9.53
Name:   www.google.sk
Address: 88.212.9.42
Name:   www.google.sk
Address: 88.212.9.31
Name:   www.google.sk
Address: 88.212.9.26
Name:   www.google.sk
Address: 88.212.9.27
Name:   www.google.sk
Address: 88.212.9.20
Name:   www.google.sk
Address: 88.212.9.48

- this showed me that querying works, so the problem is probably in routing, as you mentioned.

Is it possible to set up routing somehow so that pinging works too, given that test2 and test3 don't have internet access?

Re:DNS Forwarding server
« Reply #3 on: 01. 05. 2014, 06:56:56 »
A host-only net works exactly the same as if you had the VM connected by a cable to a (virtual) NIC on the host. So on the host you have to set up everything needed just like on a normal router that connects a private LAN to the internet - enable forwarding, get NAT running, and adjust the firewall if needed.

Or you can set up the test2 and test3 VMs the same way as test1 - add them a second NIC of type nat or bridged.
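
The "DNS works but ping says Network is unreachable" symptom from reply #2 and the forwarding/NAT fix from reply #3, as an added example that is not part of the thread. It assumes test1 itself (the Linux VM that already has the bridged eth0 and the host-only eth1) plays the router role rather than the VMware host; interface names and addresses are the ones shown in the `ip a` output above, and nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: test1 (bridged eth0 +
# host-only eth1, 192.168.136.131) acts as the router for the lab subnet.
# Without APPLY=1 every privileged command is only printed (dry run).

WAN_IF="${WAN_IF:-eth0}"                 # bridged side, default route via 192.168.0.1
LAN_IF="${LAN_IF:-eth1}"                 # host-only side
LAN_NET="${LAN_NET:-192.168.136.0/24}"   # only this subnet gets forwarded and NATed

run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Diagnosis: does a `route -n` table (read from stdin) contain a default route?
# test2's table has none, which is why ping fails with "Network is unreachable"
# while nslookup still works: the resolver 192.168.136.131 is on the directly
# connected subnet, so no default route is needed to reach it.
has_default_route() { awk '$1 == "0.0.0.0" { found = 1 } END { exit !found }'; }

# Router side: IP forwarding plus masquerading, restricted to the lab subnet so
# that test1 does not forward traffic for anything else that reaches its bridged
# interface. Replies are allowed back in only for established connections.
configure_router() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Client side (test2/test3): point the default route at test1's host-only address.
configure_client() {
    run ip route add default via "${1:-192.168.136.131}" dev "${2:-eth0}"
}
```

Run `configure_router` on test1 and `configure_client` on test2 and test3; the iptables rules are not persistent across reboots unless saved with the distribution's own mechanism (SuSEfirewall2 was stopped on all three VMs in the thread).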

Timik

Re:DNS Forwarding server
« Reply #4 on: 01. 05. 2014, 10:08:29 »
Thank you very much for the answer, sir. I'll continue testing, but now with the knowledge I was missing :)

Have a nice day.