# host lookup failure; dns / resolver problem



## sidney6 (May 17, 2009)

I can ping my designated nameserver, but if I try to ping a domain name I don't get anything back from the nameserver.  dig returns a timeout or failure to connect error (I forget the exact error).

Finally have networking setup. 
firewall/router can ping all nics and nameservers
lan member box can also ping all nics and nameservers

resolv.conf

```
domain domain.actdsltmp
search domain.actdsltmp
nameserver 205.171.3.25
nameserver 205.171.2.25
```

I am using ipf, ipfw and nat.  I am getting no logging of an error.  My dsl modem is a router and does nat: qwest m1000.


----------



## SirDice (May 17, 2009)

Is there a firewall running on either the client or the dns server?

The 205.171.2.25 appear to be external, if you set search to a non-existent domain it will append that to the first query.

You could run a tcpdump on your machine to see what's actually happening. Something like this should do the trick:

```
# tcpdump -nvvX port 53 or icmp
```

The icmp is there in case udp port 53 is actually closed. A closed udp port will (or better; should) return an ICMP port unreachable.


----------



## sidney6 (May 18, 2009)

Thanks SirDice.

using tcpdump to listen on port 53 of the private and (alternatively) public NICs of my firewall when pinging http://www.google.com (from my private lan box) shows that nothing is going out the public NIC of the firewall.  Here's what is coming in the private nic:

```
10:55:55.224414 IP (tos 0x0, ttl  64, id 560, offset 0, flags [none], proto: UDP (17), length: 60) 10.0.0.87.60676 > 205.171.3.25.53: [u
dp sum
 ok]  60157+ A? www.google.com. (32)
        0x0000:  4500 003c 0230 0000 4011 9d66 0a00 0057  E..<.0..@..f...W
        0x0010:  cdab 0319 ed04 0035 0028 bda3 eafd 0100  .......5.(......
        0x0020:  0001 0000 0000 0000 0377 7777 0667 6f6f  .........www.goo
        0x0030:  676c 6503 636f 6d00 0001 0001            gle.com.....
10:56:00.224848 IP (tos 0x0, ttl  64, id 561, offset 0, flags [none], proto: UDP (17), length: 60) 10.0.0.87.56471 > 205.171.2.25.53: [udp sum
 ok]  60157+ A? www.google.com. (32)
        0x0000:  4500 003c 0231 0000 4011 9e65 0a00 0057  E..<.1..@..e...W
        0x0010:  cdab 0219 dc97 0035 0028 cf10 eafd 0100  .......5.(......
        0x0020:  0001 0000 0000 0000 0377 7777 0667 6f6f  .........www.goo
        0x0030:  676c 6503 636f 6d00 0001 0001            gle.com.....
10:56:02.225800 IP (tos 0x0, ttl  64, id 562, offset 0, flags [none], proto: UDP (17), length: 60) 10.0.0.87.60676 > 205.171.3.25.53: [udp sum
 ok]  60157+ A? www.google.com. (32)
        0x0000:  4500 003c 0232 0000 4011 9d64 0a00 0057  E..<.2..@..d...W
        0x0010:  cdab 0319 ed04 0035 0028 bda3 eafd 0100  .......5.(......
        0x0020:  0001 0000 0000 0000 0377 7777 0667 6f6f  .........www.goo
        0x0030:  676c 6503 636f 6d00 0001 0001            gle.com.....
10:56:12.226816 IP (tos 0x0, ttl  64, id 563, offset 0, flags [none], proto: UDP (17), length: 60) 10.0.0.87.56471 > 205.171.2.25.53: [udp sum
 ok]  60157+ A? www.google.com. (32)
        0x0000:  4500 003c 0233 0000 4011 9e63 0a00 0057  E..<.3..@..c...W
        0x0010:  cdab 0219 dc97 0035 0028 cf10 eafd 0100  .......5.(......
        0x0020:  0001 0000 0000 0000 0377 7777 0667 6f6f  .........www.goo
        0x0030:  676c 6503 636f 6d00 0001 0001            gle.com.....
```

Here is another clue as to the problem.  Typing in googles IPv4 address in firefox creates this log in messages (done from private lan box):

```
May 17 09:06:18 porter ipmon[685]: 09:06:17.422491 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AP OUT OOW
May 17 09:06:20 porter ipmon[685]: 09:06:19.479382 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 52 -A OUT OOW
May 17 09:06:21 porter ipmon[685]: 09:06:20.886521 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AP OUT OOW
May 17 09:06:26 porter ipmon[685]: 09:06:25.982529 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AP OUT OOW
May 17 09:06:36 porter ipmon[685]: 09:06:35.974574 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AP OUT OOW
May 17 09:06:56 porter ipmon[685]: 09:06:55.758619 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AP OUT OOW
May 17 09:07:03 porter ipmon[685]: 09:07:03.140069 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 52 -AF OUT OOW
May 17 09:07:35 porter ipmon[685]: 09:07:35.126559 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AFP OUT OOW
May 17 09:08:39 porter ipmon[685]: 09:08:39.126509 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AFP OUT OOW
May 17 09:09:43 porter ipmon[685]: 09:09:43.126562 dc1 @0:15 b 192.168.0.2,61915 -> 74.125.19.147,80 PR tcp len 20 451 -AFP OUT OOW
```

So the above indicates that ipf is blocking the packets going out port 80.  Here is the port 80 line from ipf.rules:

```
pass out quick on dc1 proto tcp from any to any port = 80 flags S keep state
```

The ipf and ipfw rules regarding the passage of these packits are pretty darn simple.  I don't get it.  All I know is that I can ping the internet (ex google: 74.125.19.147) but I cannot get address resolution.  I am at wits end.  I enjoy learning about freebsd, and I'm certain it's the tool I need,  but after 3 weeks of trying to connect to the internet I am getting frustrated.  Pleeeeeeeeeeeeeeeaaaaase help me. 

sid


----------



## SirDice (May 18, 2009)

So the box has 2 network interfaces? One on the inside (LAN) and one on the internet (WAN)?

Did you add *gateway_enable="YES"* to rc.conf?



> The ipf and ipfw rules regarding the passage of these packits are pretty darn simple.


Use either pf or ipfw, not both. I suggest sticking to pf.


----------



## sidney6 (May 18, 2009)

Yes gateway_enable="YES" is in there, and I chose ipfw because the handbook author intimated that it was easier.  I will switch to the better tool later.  Let's just make it work for now.

internet --- firewall/router box --- switch --- user box

rc.conf

```
# added the lines below from c30 handbook
# -----------------------------------------
# -- ipf & nat setup ----------------------
ipfilter_enable="YES"           # start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules
ipmon_enable="YES"              # starts ip monitoring log
ipmon_flags="-Ds"               # D = start as daemon
#                               # s = log to syslog
#                               # v = log tcp window, ack, seq
#                               # n = map IP & port to names
gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
# -----------------------------------------
# -- ipfw & nat setup ---------------------
firewall_enable="YES"           # ipfw
firewall_script="/etc/ipfw.rules"
# firewall_type="OPEN"          # line above is better
# type: OPEN, CLIENT, SIMPLE, UNKNOWN, <flname>; from rc.firewall
firewall_logging="YES"
natd_enable="YES"
natd_interface="dc1"
# natd_flags="-dynamic -m"      #
natd_flags=""
# -----------------------------------------
# -- route & dev setup --------------------
ifconfig_dc1="DHCP"
defaultrouter="192.168.0.1"
ifconfig_dc0="inet 10.0.0.167  netmask 255.255.255.0"
hostname="porter.domain.actdsltmp"
# -----------------------------------------
# -- security setup -----------------------
kern_securelevel_enable="YES"
kern_securelevel="1"
# -- sysinstall generated deltas -- # Wed May 13 22:00:34 2009
kern_securelevel_enable="NO"
```

netstat -nr

```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0       78    dc1
10/24              link#1             UC          0        0    dc0
10.0.0.87          macADDR            UHLW        1        7    dc0    687
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.0          link#2             UC          0        0    dc1
192.168.0.1        macADDR            UHLW        2        4    dc1    885
```

I disabled IPv6 in the kernel.  Was that wrong?  Also, in the netstat output, the mac addr of the dsl modem and privateNIC show up, but the publicNIC shows up as link#2 without it's mac addr or full IPv4 addr.  The bottom line is shown to be device dc1 (my publicNIC but the url is that of the modem not the NIC and the mac addr is the modem addr not the NICs.  Is this nat at work or is it foobar handshaking between the NIC and modem?

My ipf and ipfw rules are the rules from the handbook, with the unnecesary stuff (nntp, time, ftp, telnet, ssh, et al) commented out to disallow.  I used the nat version of the ipfw rules.  I think the dsl modem is not handshaking propperly with my router or that nat in not functioning.  I try both of the lines below to make nat work.

ipnat.rultes

```
map 10.0.0.0/24 -> 0/32
or
map 10.0.0.0/24 -> publicNIC/32
```

which is the proper line, or are they both wrong?  
sid


----------



## SirDice (May 18, 2009)

sidney6 said:
			
		

> ```
> # added the lines below from c30 handbook
> # -----------------------------------------
> # -- ipf & nat setup ----------------------
> ...



You're mixing IPFILTER and IPFW, this will only complicate things. 

Here's a config that will work for you:
/etc/rc.conf

```
hostname="porter.domain.actdsltmp"
ifconfig_dc0="inet 10.0.0.167  netmask 255.255.255.0"
ifconfig_dc1="DHCP"
gateway_enable="YES"
# Probably not needed as dc1 will set it using DHCP
#defaultrouter="192.168.0.1"

# You may want to enable ssh:
#sshd_enable="YES"

# Firewall:
pf_enable="YES"
pflog_enable="YES"
```

/etc/pf.conf:

```
ext_if="dc1"
int_if="dc0"

internal_net="{10.0.0.0/24}"

scrub in on $ext_if all fragment reassemble
nat on $ext_if from $internal_net to any -> ($ext_if)

#Standard deny everything
block all 

# Allow traffic to/from localhost
pass in quick on lo0 all
pass out quick on lo0 all

# We allow everything to go out.
pass out on $ext_if from any to any keep state
```


----------



## sidney6 (May 19, 2009)

Thank you SirDice.  That was it, the two firewalls were interfering with each other some how.  This is a big step forwards.  Thanks.

sid


----------

