# bind and routing problems



## apolinsky (Mar 24, 2009)

I am trying to convert my Slackware server to FreeBSD 7.1 and am having two rather perturbing problems. My server has two network cards, one with an address of 192.168.2.1 and one with 192.168.1.3. I have dhcpd running with the following dhcpd.conf file, but the name server will not update named hosts and named.rev with the dynamic address even though the conf file says:
```
options {
	directory "/var/named";
	allow-query {192.168.0.0/24;localhost;};
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	// query-source address * port 53;
};

// 
// a caching only nameserver config
// 
zone "." in {
	type hint;
	file "named.ca";
};

zone "localhost" in {
	type master;
	file "localhost.zone";
	allow-update { none; };
};

zone "0.0.127.in-addr.arpa" in {
	type master;
	file "named.local";
	allow-update { none; };
};

zone "polinsky.home" in {
	type master;
	file "named.hosts";
	allow-update { 192.168.2.1; };
};

zone "0.168.192.in-addr.arpa" in {
	type master;
	file "named.rev";
	allow-update { 192.168.2.1; };
};
```

The response I get on the server is: "if xxx IN A rrset doesn't exist add xxx 43200 IN A 192.168.2.200: timed out." I changed the owner and the group of named.hosts and named.rev to bind:wheel, 644 from root:wheel 644. The change did not help.

The second problem is that workstations on the network cannot see the internet even though the server can and the /etc/rc.conf enables natd and routed. Though I will ultimately use the 'simple' firewall, I am currently setting it to 'open' so that I can better see what is going on. Perhaps someone can suggest where I have made a mistake.

```
# -- sysinstall generated deltas -- # Wed Mar 11 14:37:08 2009
# Created: Wed Mar 11 14:37:08 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.1.1"
ppp_nat="YES"
gateway_enable="YES"
router_enable="YES"
natd_enable="YES"
natd_interface="xl0"		# Public interface or IPaddress to use.
#ipnat_enable="YES"		# Set to YES to enable ipnat functionality
named_enable="YES"
hostname="freebsdserver.polinsky.home"
ifconfig_sis0="inet 192.168.2.1  netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.1.3  netmask 255.255.255.0"
inetd_enable="YES"
linux_enable="YES"
moused_enable="YES"
moused_type="auto"
dhcpd_enable="YES"
nfs_client_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="OPEN"
#firewall_type="SIMPLE"
firewall_simple_iif="sis0"
firewall_simple_oif="xl0"
firewall_simple_inet="192.168.2.1"
firewall_simple_onet="192.168.1.3"
#nfs_server_enable="YES"
#rpcbind_enable="YES"
sshd_enable="YES"
```

Thank you

Alan


----------



## bobveznat (Mar 24, 2009)

Looks like you forgot to paste in the dhcpd.conf file? The relevant pieces of mine:



> ddns-updates on;
> ddns-update-style interim;
> ddns-domainname "home.veznat.com.";
> ddns-rev-domainname "1.168.192.in-addr.arpa.";
> ...



From named.conf:



> zone "1.168.192.in-addr.arpa" {
> type master;
> file "dynamic/home-rev";
> allow-update {
> ...



Allowing updates from 192.168.1.0/24 is not required for what you're wanting to do.

Are you running double nat? This BSD box is behind another router or something? I'd recommend against this for various reasons. My network looks like:

FreeBSD -> D-link -> Everything else

I disabled DHCP on the D-link and nothing is plugged into the "Internet" port. This lets me do things like have an IPv6 tunnel.

If I had a routing problem like what you describe I'd be doing a few things:

- `netstat -rn`. Do the routes make sense?
- Enabling logging on the ipfw rules that might be in the way. This means changing their definition to be like `ipfw add log pass ...` or `ipfw add log deny ...`. These get logged to /var/log/security.
- tcpdump on the inside interface, then on the outside interface, how far are packets getting?

I hope that's at least partially helpful. It appears that you have a pretty good clue of what you're doing, hopefully this gives you just the little extra bit you need to get it going.


----------
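
The DDNS snippets in the reply above depend on the reverse zone named in dhcpd.conf and named.conf actually containing the PTR names of the leased addresses, and on `allow-update` admitting the address dhcpd sends from. The following check is an added example, not code from any poster in this thread. It runs against stanzas condensed from the named.conf in the first post and the lease address 192.168.2.200 from its error message; it assumes dhcpd sends updates from 192.168.2.1 and evaluates only plain IP and prefix ACL entries.

```python
import ipaddress
import re

# Sample input: options and zone stanzas condensed from the named.conf in the first post.
NAMED_CONF = '''
options { allow-query {192.168.0.0/24;localhost;}; };
zone "polinsky.home" in { type master; allow-update { 192.168.2.1; }; };
zone "0.168.192.in-addr.arpa" in { type master; allow-update { 192.168.2.1; }; };
'''

def acl(text, keyword):
    """Return the entries of the first `keyword { a; b; }` list in text."""
    m = re.search(re.escape(keyword) + r'\s*\{([^}]*)\}', text)
    return [e.strip() for e in m.group(1).split(';') if e.strip()] if m else []

def zones(conf):
    """Map each zone name to its allow-update entries."""
    pat = r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}'
    return {n.rstrip('.').lower(): acl(body, 'allow-update')
            for n, body in re.findall(pat, conf)}

def covering_zone(fqdn, names):
    """Longest configured zone that contains fqdn (suffix on a label boundary)."""
    hits = [z for z in names if z and (fqdn == z or fqdn.endswith('.' + z))]
    return max(hits, key=len) if hits else None

def allows(entries, addr):
    """True if addr matches an IP or prefix entry (names and keys are not evaluated)."""
    ip = ipaddress.ip_address(addr)
    for e in entries:
        try:
            if ip in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            continue  # e.g. "localhost", "none", "key ..."
    return False

def check_lease(conf, lease_ip, updater_ip):
    """Check the PTR update dhcpd would send for lease_ip from updater_ip."""
    ptr = ipaddress.ip_address(lease_ip).reverse_pointer
    zmap = zones(conf)
    zone = covering_zone(ptr, zmap)
    return {
        'ptr': ptr,
        'zone': zone,
        'update_allowed': zone is not None and allows(zmap[zone], updater_ip),
        'query_allowed': allows(acl(conf, 'allow-query'), lease_ip),
    }

if __name__ == '__main__':
    print(check_lease(NAMED_CONF, '192.168.2.200', '192.168.2.1'))
```

For the posted stanzas the result has no covering zone for the PTR name and the lease address falls outside `allow-query`, so the reverse update has nowhere to land regardless of file ownership.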



## apolinsky (Mar 24, 2009)

Bob:
I want to thank you so much, especially considering that I sent the WRONG named.conf file. The one I sent was from a Linux machine. You pointed me in the right direction on each point. I certainly should have investigated the routes with netstat. Evidently packets are being routed to the 127 address. I doubt whether they go far! Your modifications to named.conf should work.

Alan


----------

