#11
04-10-2009, 10:52 AM
Intermediate Member, Posts: 17

Quote:
Originally Posted by Bill Brock
as it applies to BIND. Most split DNS configurations require two DNS servers. One with the zone file that contains your internal data that Zimbra uses as a resolver, and one that is the true Start of Authority that contains your external data that the outside world will look to to resolve your IPs.

Your internal data should not be viewable to the outside as it obviously is, or the ping would not be directed to the internal IP.

Is this DNS server set up as the Start of Authority at your registrar?
Yes it is, but I got your point. Let's think about this scheme:

I have a firewall (Linux with iptables) that has 2 NICs:

eth0 --> 100.100.100.100 (the public IP)
eth1 --> 1.1.1.1 (the first private IP; it acts as the gateway for the whole LAN)

Then I have the web server and the DNS together:

eth0 --> 2.2.2.2 (another private IP in the same range as 1.1.1.1)

So I was thinking: if I install the local DNS on 2.2.2.2, so Zimbra can resolve "locally", the other one I could install where the public IP is, so that server would use that IP to "say" that all my services are at that public IP.

But how can I connect those two servers to each other to do the "translation" between local and public?

And the other question would be: on the server with the 2 interfaces, which DNS server should I use first in /etc/resolv.conf? My ISP's public DNS server? My own public DNS server? Or the local resolver? (Considering that eth1 is the gateway for the LAN.)

Last edited by maurixio; 04-10-2009 at 10:54 AM.
#12
04-10-2009, 11:09 AM
Outstanding Member, Posts: 684
If I am reading you right...

2.2.2.2 is a server where Zimbra resides, and 1.1.1.1 is another server acting as your firewall/gateway.

I would use BIND on the Zimbra server to resolve the internal IP scheme which Zimbra will use and then use BIND on the firewall, which will be set as the true Start of Authority that the external world will see with your external IP data.
#13
04-10-2009, 11:32 AM
Outstanding Member, Posts: 684
Forwarder.

You may need to set up a forwarder, that being your external DNS server, on the Zimbra DNS server for it to resolve properly to the outside. If it doesn't find the DNS info locally it will query the forwarder you have set up. That means it will always find the internal IPs because the zone file resides locally. Any other resolution, such as other mail servers, will be resolved through the forwarder.
#14
04-10-2009, 11:54 AM
Intermediate Member, Posts: 17

Quote:
Originally Posted by Bill Brock
You may need to set up a forwarder, that being your external DNS server, on the Zimbra DNS server for it to resolve properly to the outside. If it doesn't find the DNS info locally it will query the forwarder you have set up. That means it will always find the internal IPs because the zone file resides locally. Any other resolution, such as other mail servers, will be resolved through the forwarder.
OK, the thing would be this way:

******* BIND on the firewall / gateway ******************

$TTL 3600
domain.cl. IN SOA ns1.domain.cl. admin.domain.cl. (
2009210216 ; Serial
1H ; Refresh
2H ; Retry
4W ; Expire
2D ) ; Negative Cache TTL
;
IN NS ns1.domain.cl.
IN A 100.100.100.100
IN MX 10 mail
ns1 IN A 100.100.100.100
ns2 IN A 100.100.100.100
mail IN A 100.100.100.100
www IN A 100.100.100.100
ftp IN A 100.100.100.100


named.conf

zone "domain.cl" IN {
type master;
file "/etc/bind/db.domain";
allow-transfer { 111.111.111.111; };
};

zone "100.100.100.in-addr.arpa" {
type master;
file "/etc/bind/db.100";
allow-transfer { 111.111.111.111; };
};



include "/etc/bind/named.conf.local";

with 100.100.100.100 my public IP, 111.111.111.111 the ISP DNS

/etc/resolv.conf

nameserver 100.100.100.100 (my public ip dns)
nameserver 1.1.1.1 (the zimbra dns who resolve locally)
nameserver 111.111.111.111 (my isp dns)


named.conf.options

options {
directory "/var/cache/bind";
query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
111.111.111.111; 100.100.100.100; 1.1.1.1;
};

auth-nxdomain yes;
allow-query { any; };
listen-on-v6 { any; };
};


************ BIND IN THE ZIMBRA HOST *******************

$TTL 3600
domain.cl. IN SOA ns1.domain.cl. admin.domain.cl. (
2009210216 ; Serial
1H ; Refresh
2H ; Retry
4W ; Expire
2D ) ; Negative Cache TTL
;
IN NS ns1.domain.cl.
IN A 1.1.1.1
IN MX 10 mail
ns1 IN A 1.1.1.1
ns2 IN A 1.1.1.1
mail IN A 1.1.1.1
www IN A 1.1.1.1
ftp IN A 1.1.1.1


named.conf

zone "domain.cl" IN {
type master;
file "/etc/bind/db.domain";
allow-transfer { 100.100.100.100; };
};

zone "1.1.1.in-addr.arpa" {
type master;
file "/etc/bind/db.1";
allow-transfer { 100.100.100.100; };
};



include "/etc/bind/named.conf.local";

with 100.100.100.100 my public IP, 111.111.111.111 the ISP DNS, 1.1.1.1 the Zimbra host

/etc/resolv.conf

nameserver 1.1.1.1 (my zimbra dns)
nameserver 100.100.100.100 (my public dns)
nameserver 111.111.111.111 (my isp dns)


named.conf.options

options {
directory "/var/cache/bind";
query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
100.100.100.100; 1.1.1.1; 111.111.111.111;
};

auth-nxdomain yes;
allow-query { any; };
listen-on-v6 { any; };
};


Is that correct? Sorry for the long reply.
#15
04-10-2009, 12:21 PM
Outstanding Member, Posts: 684
It may not matter but...

I don't think I would setup the public DNS servers as resolvers on the Zimbra machine since you are configuring them as forwarders. And I wouldn't include the private (1.1.1.1) DNS server in the list of forwarders on the Zimbra machine.
#16
04-10-2009, 12:54 PM
Intermediate Member, Posts: 17

Quote:
Originally Posted by Bill Brock
I don't think I would setup the public DNS servers as resolvers on the Zimbra machine since you are configuring them as forwarders. And I wouldn't include the private (1.1.1.1) DNS server in the list of forwarders on the Zimbra machine.
I keep on seeing it as a private address.
#17
04-10-2009, 01:45 PM
Outstanding Member, Posts: 684
What are you using....

as the resolver on the machine you are pinging from?
#18
04-10-2009, 05:43 PM
Intermediate Member, Posts: 17

Yeah, probably I'm doing something wrong; I'm doing it all again.
#19
04-12-2009, 12:10 AM
Active Member, Posts: 46

I would go back to setting up multi-view on the firewall / gateway. Also there are multiple places where you are doing this wrong. A rule of thumb: you need to keep the public IP address completely separated from the internal servers. Internal servers never need to know anything about their public IP address.

Here is what I would have from your config:

/etc/bind/domain.cl.external:

$TTL 3600
domain.cl. IN SOA ns1.domain.cl. admin.domain.cl. (
2009210216 ; Serial
1H ; Refresh
2H ; Retry
4W ; Expire
2D ) ; Negative Cache TTL
;
IN NS ns1.domain.cl.
IN A 100.100.100.100
IN MX 10 mail.domain.cl.
ns1 IN A 100.100.100.100
ns2 IN A 100.100.100.100
mail IN A 100.100.100.100
www IN A 100.100.100.100
ftp IN A 100.100.100.100

/etc/bind/domain.cl.internal:

$TTL 3600
domain.cl. IN SOA ns1.domain.cl. admin.domain.cl. (
2009210216 ; Serial
1H ; Refresh
2H ; Retry
4W ; Expire
2D ) ; Negative Cache TTL
;
IN NS ns1.domain.cl.
IN A 1.1.1.1
IN MX 10 mail.domain.cl.
ns1 IN A 1.1.1.1
ns2 IN A 1.1.1.1
mail IN A 2.2.2.2
www IN A 1.1.1.1
ftp IN A 1.1.1.1


/etc/named.conf:

view "private" {
    match-clients { x.x.x.x/24; }; // whatever matches your entire private network. I assume 1.1.1.1 and 2.2.2.2 are hosts in the same subnet.
    recursion yes;
    zone "domain.cl" {
        type master;
        // private zone file including local hosts
        file "/etc/bind/domain.cl.internal";
    };
    zone "1.1.1.in-addr.arpa" {
        type master;
        file "/etc/bind/db.1";
    };
    // add required zones
};
view "public" {
    match-clients { any; }; // all other hosts
    // recursion not supported
    recursion no;
    zone "domain.cl" {
        type master;
        // public only hosts
        file "/etc/bind/domain.cl.external";
        allow-transfer { 111.111.111.111; };
    };

    // I don't even think you need this entire section. Doesn't your ISP take care of this? BEGIN
    zone "100.100.100.in-addr.arpa" {
        type master;
        file "/etc/bind/db.100";
        allow-transfer { 111.111.111.111; };
    };
    // I don't even think you need this entire section. Doesn't your ISP take care of this? END
};

// once views are in use, BIND requires every zone (including any in named.conf.local) to sit inside a view
include "/etc/bind/named.conf.local";

/etc/resolv.conf

nameserver 127.0.0.1
nameserver 111.111.111.111 (my ISP DNS)

<- This is a fail-safe in case the DNS dies: you will still have Internet access, but all of your internal services that depend on DNS will fail. This may do more harm than good, as you should never need to make your public IP known to internal servers. A better way is to set up an internal slave DNS and replace this line.

named.conf.options

options {
    directory "/var/cache/bind";
    // the "query-source address * port 53" line from the template is dropped: pinning
    // the source port disables BIND's source-port randomization, which is the main
    // defence a recursive resolver has against cache poisoning

    forwarders {
        111.111.111.111; // do not forward back to an internal server
    };

    auth-nxdomain yes;
    allow-query { any; };
    listen-on-v6 { any; };
};


************ IN THE ZIMBRA HOST *******************

/etc/resolv.conf

nameserver 1.1.1.1 (my Zimbra DNS)
nameserver 111.111.111.111 (my ISP DNS) <- this will definitely do more harm than good.
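As an added check (not code from the thread or from Zimbra/BIND), a small Python lint that parses zone files and applies the rule of thumb from this post: the internal view must not carry the public address, and the external view must not expose LAN addresses, which is the symptom the thread opened with (a ping from outside resolving to the internal IP). The zone snippets and the 192.168.10.0/24 LAN range are constructed, since the thread's 1.1.1.1/2.2.2.2 placeholders are not private address space; a record line without an owner name is reported as "@" rather than inheriting the previous owner.

```python
# Added split-DNS zone lint (not from the thread); sample zones and LAN range are constructed.
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # stands in for match-clients { x.x.x.x/24; }

# Constructed external view zone: the www record wrongly points at a LAN address.
EXTERNAL_ZONE = """\
$TTL 3600
domain.cl. IN SOA ns1.domain.cl. admin.domain.cl. ( 2009210216 1H 2H 4W 2D )
    IN NS ns1.domain.cl.
    IN A 100.100.100.100
    IN MX 10 mail.domain.cl.
ns1  IN A 100.100.100.100
mail IN A 100.100.100.100
www  IN A 192.168.10.2 ; LAN address leaked to the outside
"""

# Constructed internal view zone: the ftp record wrongly carries the public IP.
INTERNAL_ZONE = """\
$TTL 3600
    IN A 192.168.10.1
ns1  IN A 192.168.10.1
mail IN A 192.168.10.2
ftp  IN A 100.100.100.100 ; public address inside the internal view
"""

# optional owner, optional TTL, class IN, type A, address (comments are stripped first)
A_RECORD = re.compile(r"^\s*(?:(\S+)\s+)?(?:\d+[smhdw]?\s+)?IN\s+A\s+(\S+)", re.I)

def a_records(zone_text):
    """Return [(owner, IPv4Address)] for each A record; a line without an owner is
    reported as '@' (simplification: real zone files inherit the previous owner)."""
    records = []
    for raw in zone_text.splitlines():
        match = A_RECORD.match(raw.split(";", 1)[0])
        if match:
            records.append((match.group(1) or "@", ipaddress.ip_address(match.group(2))))
    return records

def lint_view(zone_text, view, internal_net=INTERNAL_NET):
    """Findings for records on the wrong side of the split; view is 'internal' or 'external'."""
    findings = []
    for owner, addr in a_records(zone_text):
        on_lan = addr in internal_net
        if view == "internal" and not on_lan:
            findings.append(f"{owner}: {addr} is outside {internal_net}; internal hosts must not learn the public IP")
        elif view == "external" and on_lan:
            findings.append(f"{owner}: {addr} is inside {internal_net}; LAN address exposed to the outside")
    return findings
```

Run it over the zone file of each view before reloading BIND; an empty result means no record crosses the split.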
#20
04-12-2009, 12:21 AM
Active Member, Posts: 46

Quote:
Originally Posted by Bill Brock
as the resolver on the machine you are pinging from?
I also agree with Bill Brock: your initial post looks like a DNS resolver issue on the client side (the system you are testing from). You should debug this before assuming this is a DNS issue on the server. Just do an nslookup on the client to see if the DNS is returning the right IP address. Your client may be resolving the mail IP from a different source (i.e. cache or local hosts file).