[Efw-user] Fwd: DNS Issue

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi everyone,

I forgot to say, along with the inability to resolve hosts on
internal.remote.lan, I am also finding that after a couple of hours/minutes,
DNSMasq stops working.
I checked this out with NSlookup and got replies of 2 second time outs.
I then set DNSmasq to log-queries, and I could see that the requests were
going out to all the servers, but the system was not receiving any
replies...
Any ideas?

Cheers,

Jx

---------- Forwarded message ----------
From: Vetch <vet...@go...>
Date: Feb 11, 2008 12:19 PM
Subject: DNS Issue
To: efw...@li...

Hi everyone,

I'm having some problems with DNSmasq.

We have two sites running separate domains, both of which have their own DNS
servers as part of Active Directory. For the sake of argument, let's call
them internal.local.lan and internal.remote.lan.

I need to use my local DNS Active Directory server as a secondary to the
master DNS server in the internal.remote.lan domain.

I also want to use the anti-spyware blackhole DNS of the efw, so I am using
our Active Directory DNS for internal.local.lan and forwarding to the Endian
Firewall Proxy. The EFW then resolves using our ISP's DNS and theoretically
the DNS of the internal.remote.lan domain.

... But requests for the internal.remote.lan are failing.

At the moment, it seems that the EFW proxy is proxying the requests to the
internal.remote.lan and cannot resolve them.

I need to either bypass the proxy for those addresses or enable the EFW to
resolve them so that the local DNS server can be a secondary.

I've set the DNS proxy bypass destinations to include the
internal.remote.lan ip address scheme, and I've tried changing the template
file to have the line

server=/internal.remote.lan/192.168.x.x (where 192.168.x.x. is the address
of the remote DNS server)
... but it's not working.

I am assuming this is could be affected by the fact that the EFW itself
cannot ping hosts on the other side of the IPSEC connection.
It does not seem to be able to connect across the IPSEC connection at all -
e.g. I can't telnet to ports on computers on internal.remote.lan from the
EFW, though all the internal.local.lan computers can.

Can anyone suggest whether this solution should work assuming the EFW can
connect across the IPSEC connection and if so, how do I resovle this issue.
If not, what is the best way to ensure that I get the benefits of the
anti-spyware blackhole routing DNS of EFW and ensure that the
internal.local.lan DNS server can act as a secondary for the
internal.remote.lan DNS server?

Many thanks,

Jx