[opensuse] Host name lookup on firewall
I have a firewall running OpenSUSE 11.3 and dnsmasq. I use an external DNS that provides host name lookup to my external IPv4 address. However, if I ping that host name from behind the firewall, it somehow pings the local address of the firewall, not the external address. I see the DNS request from the computer to the firewall, but not from the firewall to the external DNS server. How does the firewall know to map the external name to the local interface? That name is not listed with an IPv4 address in /etc/hosts on either the computer or firewall. The external IPv6 address for the firewall is listed in /etc/hosts on the firewall, but that shouldn't be a factor with an IPv4 ping. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 01/25/2011 02:39 PM, James Knott wrote:
> I have a firewall running OpenSUSE 11.3 and dnsmasq. I use an external DNS that provides host name lookup to my external IPv4 address. However, if I ping that host name from behind the firewall, it somehow pings the local address of the firewall, not the external address. I see the DNS request from the computer to the firewall, but not from the firewall to the external DNS server. How does the firewall know to map the external name to the local interface? That name is not listed with an IPv4 address in /etc/hosts on either the computer or firewall. The external IPv6 address for the firewall is listed in /etc/hosts on the firewall, but that shouldn't be a factor with an IPv4 ping.

You actually gave the answer yourself. "I have a firewall running OpenSUSE 11.3 and dnsmasq." It is the dnsmasq that is providing the info.

HTH
Togan
Togan Muftuoglu wrote:
> You actually gave the answer yourself.
> "I have a firewall running OpenSUSE 11.3 and dnsmasq." It is the dnsmasq that is providing the info.

Yes, I know that's a caching DNS server. My question is how does it know to give the local IP address for an external host name, when it's not configured anywhere in the box? Also, assuming it obtained its external address from an earlier DNS request and matched it to the local address, I tried again this morning and it still knows. The cache shouldn't last anywhere near that long. The firewall has a different local network host name configured in YaST and also listed in /etc/hosts, which points to the local IPv4 address.
James Knott wrote:
> Togan Muftuoglu wrote:
>> You actually gave the answer yourself.
>> "I have a firewall running OpenSUSE 11.3 and dnsmasq." It is the dnsmasq that is providing the info.
>
> Yes, I know that's a caching DNS server. My question is how does it know to give the local IP address for an external host name, when it's not configured anywhere in the box? Also, assuming it obtained its external address from an earlier DNS request and matched it to the local address, I tried again this morning and it still knows. The cache shouldn't last anywhere near that long. The firewall has a different local network host name configured in YaST and also listed in /etc/hosts, which points to the local IPv4 address.

Further on this. I just rebooted the firewall for a kernel update and it now no longer returns anything for that external host name. I suppose I should see if I can tell dnsmasq to go to the external DNS for hosts on this domain that are not included in /etc/hosts.
James Knott wrote:
> I suppose I should see if I can tell dnsmasq to go to the external DNS for hosts on this domain that are not included in /etc/hosts.

Found it. In /etc/dnsmasq.conf:

```
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/localnet/<domain name>/
```

All I had to do was comment out the "local=/localnet/<domain name>/" line. "<domain name>" replaces my actual domain name. Now, after restarting dnsmasq, pinging the external name returns the external address.
On 1/25/2011 8:57 AM, James Knott wrote:
> James Knott wrote:
>> I suppose I should see if I can tell dnsmasq to go to the external DNS for hosts on this domain that are not included in /etc/hosts.
>
> Found it. In /etc/dnsmasq.conf:
>
> ```
> # Add local-only domains here, queries in these domains are answered
> # from /etc/hosts or DHCP only.
> local=/localnet/<domain name>/
> ```
>
> All I had to do was comment out the "local=/localnet/<domain name>/" line.
> "<domain name>" replaces my actual domain name.
> Now, after restarting dnsmasq, pinging the external name returns the external address.

Local ping of the external name is not always the best thing to do. There are some things it breaks, due to an "out and in again" situation, also called hairpin NAT and trombone NAT. About the only thing it's good for is redirecting some traffic to a DMZ via your iptables. But this can break some things. A split horizon DNS server is a better solution in most cases.

--
_____________________________________
---This space for rent---
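The `local=/.../` line James found and the split-horizon setup John recommends can be compared with a small model of dnsmasq's name-routing rules (longest matching domain suffix wins across `local=`, `address=` and `server=` lines; /etc/hosts is consulted first). This is an added example, not code from the thread or from dnsmasq itself; the domain example.com, the upstream resolver 203.0.113.53, the DMZ host 192.168.1.10 and the /etc/hosts entry are constructed placeholders.

```python
"""Model of how dnsmasq decides where a query goes, used to compare the
configuration from the thread with a split-horizon alternative.

Added illustration, not dnsmasq's own code: it reproduces the documented
matching rules for local=, address= and server= lines so the three
configurations below can be compared offline.  All names and addresses
are constructed for the example.
"""

# Constructed /etc/hosts content: the firewall's LAN name only.
HOSTS = {"firewall.lan": "192.168.1.1"}


def parse_conf(text):
    """Return (rules, default_upstream) from dnsmasq.conf-style text.

    Each rule is (domain, kind, target) where kind is:
      'local'   -> answer from /etc/hosts or DHCP only, otherwise NXDOMAIN
      'address' -> answer every name under domain with the target IP
      'server'  -> forward names under domain to the target upstream
    """
    rules, upstream = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("local", "server", "address") and value.startswith("/"):
            segments = value.split("/")[1:]          # "/a/b/tgt" -> ["a", "b", "tgt"]
            if key == "local" or value.endswith("/"):
                domains, target, kind = segments, None, "local"   # bare "/dom/" form
            else:
                domains, target, kind = segments[:-1], segments[-1], key
            for dom in domains:
                if dom:
                    rules.append((dom.lower(), kind, target))
        elif key == "server":
            upstream = value                         # server=IP with no domain part
    return rules, upstream


def resolve(name, conf_text, hosts=HOSTS):
    """Classify how dnsmasq would answer an A query for name under conf_text."""
    name = name.lower().rstrip(".")
    if name in hosts:                                # /etc/hosts always wins
        return ("hosts", hosts[name])
    rules, upstream = parse_conf(conf_text)
    matches = [r for r in rules if name == r[0] or name.endswith("." + r[0])]
    if not matches:
        return ("forward", upstream)
    _domain, kind, target = max(matches, key=lambda r: len(r[0]))
    if kind == "local":
        return ("nxdomain", None)
    if kind == "address":
        return ("address", target)
    return ("forward", target)


UPSTREAM = "203.0.113.53"                            # constructed upstream resolver

# Mirrors the line from the thread: every name under example.com is "local",
# so a hosted name such as mail.example.com that is not in /etc/hosts gets
# NXDOMAIN and is never forwarded.
THREAD_CONFIG = f"""
server={UPSTREAM}
local=/localnet/example.com/
"""

# The thread's fix: the whole line commented out, so example.com is forwarded
# (and so is localnet, which now leaks unresolved LAN names upstream).
FIXED_CONFIG = f"""
server={UPSTREAM}
#local=/localnet/example.com/
"""

# Split-horizon alternative: keep example.com forwarded, keep localnet local,
# and answer the one name served from behind the firewall with its LAN address
# so inside clients never depend on hairpin NAT to reach it.
SPLIT_HORIZON_CONFIG = f"""
server={UPSTREAM}
local=/localnet/
address=/www.example.com/192.168.1.10
"""


def compare(name):
    """Answer for name under each configuration, keyed by configuration."""
    return {
        "thread": resolve(name, THREAD_CONFIG),
        "fixed": resolve(name, FIXED_CONFIG),
        "split": resolve(name, SPLIT_HORIZON_CONFIG),
    }


if __name__ == "__main__":
    for host in ("mail.example.com", "www.example.com", "firewall.lan", "printer.localnet"):
        print(host, compare(host))
```

Commenting out the whole `local=/localnet/<domain name>/` line, as in the thread, also drops the `localnet` half, so a mistyped LAN name is then sent to the upstream resolver; keeping `local=/localnet/` and removing only the public domain avoids that. On a real firewall the equivalent check is `dig +short <name> @127.0.0.1` compared with `dig +short <name> @<upstream>`.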
John Andersen wrote:
> Local ping of the external name is not always the best thing to do. There are some things it breaks, due to an "out and in again" situation, also called hairpin NAT and trombone NAT.

The only thing I was trying to do was verify I was getting the correct address. I use Google Apps under my own domain name and was having issues accessing them because dnsmasq was not checking the external DNS for them. Now it works fine.
participants (3)
- James Knott
- John Andersen
- Togan Muftuoglu