# Unable to resolve LAN, can resolve internet



## v0idE (Apr 27, 2010)

Hi,

I have a FreeBSD router/firewall/DNS/DHCP server that has suddenly stopped resolving local machine IPs (192.168.3.84), but I can still resolve external IPs/hostnames. I can't give any insight into what might have changed with the machine because nothing has changed on it for quite a while - it's out of reach in the bottom of a closet.

I've spent a few hours last night and this morning trying different tests and slight changes to the BIND configuration but nothing has worked yet and I'm out of ideas/things to Google.

The FreeBSD machine is running FBSD 8.0-RELEASE-p1 and has BIND, ISC-DHCP, PF and PPP installed and running fine. I am positive it's not PF as it hasn't changed, but to be sure I have disabled it with `pfctl -d`.

I am using these two computers to try to fix this:
blackhole - 192.168.3.101 (FBSD server)
hackedpackard - 192.168.3.84 (Arch Linux)


Below are the contents of the various files:

/etc/namedb/named.conf
http://pastebin.org/183802

/etc/namedb/master/gtfo-forward.db
http://pastebin.org/183796

/etc/namedb/master/3.168.192.db
http://pastebin.org/183800

/etc/namedb/master/localhost-forward.db (Standard from installation)
http://pastebin.org/183808

/etc/namedb/master/localhost-reverse.db (Standard from installation)
http://pastebin.org/183807

/var/log/messages

```
Apr 27 15:20:36 blackhole named[1402]: starting BIND 9.7.0rc1 -t /var/named -u bind
Apr 27 15:20:36 blackhole named[1402]: built with '--localstatedir=/var' '--disable-linux-caps'
'--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr' '--with-libxml2=/usr/local'
'--without-idn' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info/' '--build=i386-portbld-freebsd8.0' 'build_alias=i386-portbld-freebsd8.0'
'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CXX=c++'
'CXXFLAGS=-O2 -pipe -fno-strict-aliasing'
Apr 27 15:20:36 blackhole named[1402]: command channel listening on 127.0.0.1#953
Apr 27 15:20:36 blackhole named[1402]: the working directory is not writable
```

I can ping external IPs and hostnames without a problem:

```
blackhole# ping google.com
PING google.com (66.102.11.104): 56 data bytes
64 bytes from 66.102.11.104: icmp_seq=0 ttl=58 time=65.855 ms
```


```
blackhole# ping 66.102.11.104
PING 66.102.11.104 (66.102.11.104): 56 data bytes
64 bytes from 66.102.11.104: icmp_seq=0 ttl=58 time=16.766 ms
```

And I can dig external hostnames and IPs:

```
blackhole# dig google.com

; <<>> DiG 9.7.0rc1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27263
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             116     IN      A       66.102.11.104

;; AUTHORITY SECTION:
google.com.             86021   IN      NS      ns4.google.com.
google.com.             86021   IN      NS      ns3.google.com.
google.com.             86021   IN      NS      ns2.google.com.
google.com.             86021   IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         84784   IN      A       216.239.32.10
ns2.google.com.         84800   IN      A       216.239.34.10
ns3.google.com.         84801   IN      A       216.239.36.10
ns4.google.com.         84801   IN      A       216.239.38.10

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:35:01 2010
;; MSG SIZE  rcvd: 180
```


```
blackhole# dig -x 66.102.11.104

; <<>> DiG 9.7.0rc1 <<>> -x 66.102.11.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6099
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;104.11.102.66.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
104.11.102.66.in-addr.arpa. 84725 IN    PTR     syd01s01-in-f104.1e100.net.

;; AUTHORITY SECTION:
11.102.66.in-addr.arpa. 84725   IN      NS      ns2.google.com.
11.102.66.in-addr.arpa. 84725   IN      NS      ns3.google.com.
11.102.66.in-addr.arpa. 84725   IN      NS      ns1.google.com.
11.102.66.in-addr.arpa. 84725   IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         84701   IN      A       216.239.32.10
ns2.google.com.         84717   IN      A       216.239.34.10
ns3.google.com.         84718   IN      A       216.239.36.10
ns4.google.com.         84718   IN      A       216.239.38.10

;; Query time: 56 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:36:24 2010
;; MSG SIZE  rcvd: 230
```


But for internal IPs and hostnames, I can only ping IPs:

```
blackhole# ping 192.168.3.84
PING 192.168.3.84 (192.168.3.84): 56 data bytes
64 bytes from 192.168.3.84: icmp_seq=0 ttl=64 time=0.444 ms
```


```
blackhole# ping hackedpackard
ping: cannot resolve hackedpackard: Host name lookup failure
```


```
blackhole# ping hackedpackard.gtfo.local
ping: cannot resolve hackedpackard.gtfo.local: Host name lookup failure
```

And I can't dig local hostnames but I can dig IPs:

```
blackhole# dig hackedpackard

; <<>> DiG 9.7.0rc1 <<>> hackedpackard
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7569
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.                 IN      A

;; AUTHORITY SECTION:
.                       1147    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010042601 1800 900 604800 86400

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:37:06 2010
;; MSG SIZE  rcvd: 106
```


```
blackhole# dig hackedpackard.gtfo.local

; <<>> DiG 9.7.0rc1 <<>> hackedpackard.gtfo.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.gtfo.local.      IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:38:30 2010
;; MSG SIZE  rcvd: 42
```


```
blackhole# dig -x 192.168.3.84

; <<>> DiG 9.7.0rc1 <<>> -x 192.168.3.84
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33161
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;84.3.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
84.3.168.192.in-addr.arpa. 3600 IN      PTR     hackedpackard.gtfo.local.

;; AUTHORITY SECTION:
3.168.192.in-addr.arpa. 3600    IN      NS      blackhole.gtfo.local.

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 27 15:37:48 2010
;; MSG SIZE  rcvd: 105
```


hackedpackard:

```
[thom@hackedpackard ~]$ cat /etc/resolv.conf
domain gtfo.local
nameserver 192.168.3.101
```


```
[thom@hackedpackard ~]$ cat /etc/hosts
127.0.0.1               hackedpackard.gtfo.local hackedpackard localhost
192.168.3.84            hackedpackard.gtfo.local hackedpackard
```

blackhole:

```
blackhole# cat /etc/resolv.conf
domain gtfo.local
nameserver 127.0.0.1
nameserver 192.168.3.101
```


```
blackhole# cat /etc/hosts
::1                     localhost localhost.gtfo.local
127.0.0.1               localhost localhost.gtfo.local
192.168.3.101           blackhole.gtfo.local blackhole
```


I'm out of other ideas at the moment, so if you guys have anything please let me know.

Cheers.


----------



## SirDice (Apr 27, 2010)

Try `dig hackedpackard.gtfo.local @192.168.3.101`


----------



## DutchDaemon (Apr 27, 2010)

Currently, your nameserver does not see itself as the authoritative nameserver for the gtfo.local domain (the aa flag is missing in the dig output). Use something like `dig @192.168.3.101 $somehost +aaonly +norecurse`

Also see other nice troubleshooting flags like +trace in dig(1). Use tcpdump on the DNS server's Internet interface to see whether 'local' queries are inadvertently forwarded to external nameservers.


----------



## v0idE (Apr 28, 2010)

Thanks for the replies.



			
SirDice said:

> Try `dig hackedpackard.gtfo.local @192.168.3.101`


Here is the output:

```
blackhole# dig hackedpackard.gtfo.local @192.168.3.101

; <<>> DiG 9.7.0rc1 <<>> hackedpackard.gtfo.local @192.168.3.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hackedpackard.gtfo.local.      IN      A

;; Query time: 3 msec
;; SERVER: 192.168.3.101#53(192.168.3.101)
;; WHEN: Thu Apr 29 01:06:52 2010
;; MSG SIZE  rcvd: 42
```



			
DutchDaemon said:

> Currently, your nameserver does not see itself as the authoritative nameserver for the gtfo.local domain (the aa flag is missing in the dig output). Use something like `dig @192.168.3.101 $somehost +aaonly +norecurse`
> 
> Also see other nice troubleshooting flags like +trace in dig(1). Use tcpdump on the DNS server's Internet interface to see whether 'local' queries are inadvertently forwarded to external nameservers.


Would it not see itself as the authoritative nameserver because I am forwarding to my ISP's nameservers in named.conf?
I will try your suggestion of tcpdump and post back with the results.


----------



## DutchDaemon (Apr 28, 2010)

> Would it not see itself as the authoritative nameserver because I am forwarding to my ISP's nameservers in named.conf?

It _should_. We want to know if it _does_. These queries should not leave your server, and they should be answered authoritatively (aa).


----------



## DutchDaemon (Apr 28, 2010)

> ```
> blackhole# dig hackedpackard.gtfo.local @192.168.3.101
> 
> ; <<>> DiG 9.7.0rc1 <<>> hackedpackard.gtfo.local @192.168.3.101
> ...
> ```

Not good. You should see

```
flags: qr aa rd;
```

on that query. If 192.168.3.101 is the authoritative nameserver for gtfo.local, it must reply with 'aa'.


----------
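The `aa` check discussed in the posts above can be automated over saved dig output. This is an added example, not part of any post in the thread; the function names and verdict labels are made up for illustration, and the sample headers are trimmed from the dig outputs posted earlier.

```python
import re

STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.M)

# Header lines trimmed from the dig outputs posted in this thread.
SERVFAIL_A = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
PTR_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33161
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
"""
BARE_NAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7569
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
.                       1147    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010042601 1800 900 604800 86400
"""

def parse_dig(text):
    """Extract status, header flags and the owner of any SOA record."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    soa = SOA_RE.search(text)
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "soa_owner": soa.group(1) if soa else None}

def verdict(text):
    """Classify a response by whether the queried server answered as authority."""
    r = parse_dig(text)
    if "aa" in r["flags"]:
        return "authoritative"
    if r["soa_owner"] == ".":
        # Negative answer carries the root zone's SOA: the name was
        # looked up outside the server's local zones.
        return "answered-by-root"
    if r["status"] == "SERVFAIL":
        return "servfail-not-authoritative"
    return "non-authoritative"

if __name__ == "__main__":
    for name, sample in (("A gtfo.local", SERVFAIL_A), ("PTR", PTR_OK), ("bare name", BARE_NAME)):
        print(f"{name}: {verdict(sample)}")
```

On the thread's data, the reverse zone answers with `aa` while the forward lookup for gtfo.local does not, which narrows the problem to the forward zone.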



## DutchDaemon (Apr 28, 2010)

Note: I appear to be missing any active 'allow-query' statement in your named.conf. Try for example:

```
zone "gtfo.local" {
        type master;
        file "master/gtfo-forward.db";
        allow-query { any; };
};
```


----------

