# Forward-only DNS server does not work via browser



## AngryWolf (Dec 20, 2013)

Hi all,

I've tried to configure a forward-only DNS server to operate on my LAN, for internet-sharing purposes. I tried both BIND 9.8.4-P2 (on FreeBSD 9.2 with standard kernel), and dnsmasq from ports as well. No matter which one I picked, I could not browse the web on other computers of my LAN. I tried a Windows 7 system and a FreeBSD 9.1 desktop system, but each time I got the same results:


dig, nslookup, host, ping *works*.
When I use Mozilla Firefox or Internet Explorer, I cannot load any webpages.

I do not know if this is relevant, but the FreeBSD 9.2 server system connects to the Internet via an ADSL modem that can also act as a LAN router. I have disabled its router feature, so the modem acts in bridge mode instead. This way I could configure FreeBSD for PPPoE and dial in during boot. I use the ipfw and ipdivert kernel modules for NAT and firewall.

I used to have a positive experience with named when I used FreeBSD 9.1 in the past, with an Internet connection coming from a microwave link with DHCP. Everything just worked.

Now here are my tcpdump logs from a client machine:

1. Using the host command on that client machine:


```
$ host http://www.freebsd.org
http://www.freebsd.org is an alias for wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org has address 8.8.178.110
wfe0.ysv.freebsd.org has IPv6 address 2001:1900:2254:206a::50:0
wfe0.ysv.freebsd.org mail is handled by 0 .
```


```
14:30:27.923700 IP 10.0.0.7.35136 > 10.0.0.1.domain: 19747+ A? http://www.freebsd.org. (33)
14:30:27.949778 IP 10.0.0.1.domain > 10.0.0.7.35136: 19747 2/3/0 CNAME wfe0.ysv.freebsd.org., A 8.8.178.110 (160)
14:30:27.976351 IP 10.0.0.7.41142 > 10.0.0.1.domain: 28317+ AAAA? wfe0.ysv.freebsd.org. (38)
14:30:27.977066 IP 10.0.0.1.domain > 10.0.0.7.41142: 28317 1/0/0 AAAA 2001:1900:2254:206a::50:0 (66)
14:30:27.977164 IP 10.0.0.7.22275 > 10.0.0.1.domain: 48651+ MX? wfe0.ysv.freebsd.org. (38)
14:30:28.035252 IP 10.0.0.1.domain > 10.0.0.7.22275: 48651 1/3/0 MX . 0 (141)
```

2. Using Mozilla Firefox that cannot load http://www.freebsd.org/:


```
14:32:30.706583 IP 10.0.0.7.17696 > 10.0.0.1.domain: 388+ A? http://www.freebsd.org. (33)
14:32:30.730577 IP 10.0.0.1.domain > 10.0.0.7.17696: 388 2/3/0 CNAME wfe0.ysv.freebsd.org., A 8.8.178.110 (160)
14:32:30.730625 IP 10.0.0.7.38222 > 10.0.0.1.domain: 389+ AAAA? http://www.freebsd.org. (33)
14:32:30.731286 IP 10.0.0.1.domain > 10.0.0.7.38222: 389 2/0/0 CNAME wfe0.ysv.freebsd.org., AAAA 2001:1900:2254:206a::50:0 (95)
14:32:30.957367 IP 10.0.0.7.48786 > 10.0.0.1.domain: 27980+ A? http://www.freebsd.org. (33)
14:32:30.958155 IP 10.0.0.1.domain > 10.0.0.7.48786: 27980 2/0/0 CNAME wfe0.ysv.freebsd.org., A 8.8.178.110 (83)
```

3. Additionally, I have replaced the FreeBSD 9.2 server system with a LINKSYS router, just to compare the both. Result of the host command:


```
]14:38:02.604811 IP 10.0.0.7.22012 > 10.0.0.1.domain: 24941+ A? http://www.freebsd.org. (33)
14:38:02.678038 IP 10.0.0.1.domain > 10.0.0.7.22012: 24941 2/3/0 CNAME wfe0.ysv.freebsd.org., A 8.8.178.110 (160)
14:38:02.678204 IP 10.0.0.7.23599 > 10.0.0.1.domain: 22254+ AAAA? wfe0.ysv.freebsd.org. (38)
14:38:02.712653 IP 10.0.0.1.domain > 10.0.0.7.23599: 22254 1/3/0 AAAA 2001:1900:2254:206a::50:0 (154)
14:38:02.712764 IP 10.0.0.7.10735 > 10.0.0.1.domain: 57237+ MX? wfe0.ysv.freebsd.org. (38)
14:38:02.791257 IP 10.0.0.1.domain > 10.0.0.7.10735: 57237 1/3/0 MX . 0 (141)
```

4. Result of web browsing with Firefox, using the same LINKSYS router:


```
14:40:06.060445 IP 10.0.0.7.39851 > 10.0.0.1.domain: 20076+ A? http://www.freebsd.org. (33)
14:40:06.077092 IP 10.0.0.7.19383 > 10.0.0.1.domain: 9805+ A? ssl.google-analytics.com. (42)
14:40:06.084364 IP 10.0.0.1.domain > 10.0.0.7.39851: 20076 2/3/0 CNAME wfe0.ysv.freebsd.org., A 8.8.178.110 (160)
14:40:06.084400 IP 10.0.0.7.38683 > 10.0.0.1.domain: 20077+ AAAA? http://www.freebsd.org. (33)
14:40:06.100083 IP 10.0.0.1.domain > 10.0.0.7.19383: 9805 2/0/0 CNAME ssl-google-analytics.l.google.com., A 173.194.39.126 (102)
14:40:06.100121 IP 10.0.0.7.49614 > 10.0.0.1.domain: 9806+ AAAA? ssl.google-analytics.com. (42)
14:40:06.107241 IP 10.0.0.1.domain > 10.0.0.7.38683: 20077 2/3/0 CNAME wfe0.ysv.freebsd.org., AAAA 2001:1900:2254:206a::50:0 (172)
(...)
```

*Additional info:*

My ipfw rules are currently the following (for the sake of testing):


```
# ipfw list
65535 allow ip from any to any
```

I have checked `netstat -na | grep 53`, and the port bindings were okay (both UDP and TCP).

Do you have an idea why I cannot browse the web and how to fix it?

If you need any more information just ask.

Thanks in advance.


----------



## SirDice (Dec 20, 2013)

Did you turn on routing?

Add to /etc/rc.conf:

```
gateway_enable="YES"
```


----------



## AngryWolf (Dec 20, 2013)

Hi @SirDice,

Yes that is exactly what I have in /etc/rc.conf.

Thanks for your reply though.


----------



## SirDice (Dec 20, 2013)

Well, the tool to use to debug this is tcpdump(1). Run it on your internal interface to see if your clients are actually routing their traffic to you. Then run it on your PPPoE interface and verify if your NAT is working properly.


----------



## AngryWolf (Dec 20, 2013)

Yeah you've just given me a very good idea, ie. the problem does not seem to be with DNS anymore but the traffic routing. Because if I try to open http://8.8.178.110 in my browser I should see a response but nothing comes back.

I'll go investigate with tcpdump, thanks.


----------



## SirDice (Dec 20, 2013)

You've set your DSL modem in bridging mode so my guess is that there's no DHCP server anymore. Either that or the DHCP server (LAN side) isn't supplying the correct addresses and gateway.

The way I've set it up for a couple of years now is, one FreeBSD machine where my internet comes in (on re0, LAN is connected to em0). The FreeBSD host runs BIND and DHCP for the rest of my network. I've used PF for firewalling and NAT but ipfw and ipdivert should work too.


----------



## AngryWolf (Dec 20, 2013)

*Problem solved!*

I guess now I should write some comments for people finding themselves in a similar situation. 

I did more changes in my PPP config than one so I cannot really tell which one really fixed it, but I enabled the following in /etc/ppp/ppp.conf:


```
nat enable yes
  nat same_ports yes
  nat use_sockets yes
```

Additionally, I also use the natd service, regardless of what the documentations say that you use one or the other but not both. Now I have port forwarding (redirects) working fine (set up in /etc/natd.conf), and I can browse the web too. As long as it works and the double NAT thing does not impose a security problem I don't worry about this setup too much.

You are right that there is no DHCP server anymore. Its role is achieved by the following ppp.conf settings:


```
add default HISADDR
enable dns
```

Also note that I have 3 interfaces (their names don't really matter but I'm telling anyway): ale0 which is the interface to the LAN network, ue0 which is a USB to Ethernet adapter (basically a second network card), which is connected to the ADSL modem, and where PPPoE traffic goes through. And I have a third device brought up by ppp, which is tun0, a virtual device where the actual IP traffic goes through (and has my public IP address set to it). And this latter one is what I tell natd to use as the NAT'ed interface in /etc/rc.conf:


```
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
```

To make use of natd I have the following ipw rule:


```
00700  588347  580003391 divert 8668 ip from any to any via tun0
```

And yes, other firewall rules work too just as well on tun0 as on physical network interfaces.

Now, I could configure a DHCP server for our LAN, but we didn't need one so far...


----------

