Proper rules/procedures for setting up DNS/Default Gateways

Thread starter: GordL

I run a small test network behind a hardware firewall (Sonicwall SOHO3)
where I test various software and hardware (some of it very obscure) with
the intention of learning what I need to know before rolling anything out in
a mission critical production environment. I recently replaced my 'server'
hardware (due to a motherboard failure) and my Internet proxy/mail server
(Midpoint Gateway) because Midcore Software seems to have disappeared.

Here are the details of my setup. Please understand that I am not
soliciting opinions on my choices of software or hardware. These choices
were made within constraints that were both political and technical and were
highly complex.

Internet connection
Toshiba DOCSIS cable router connected to the WAN side of a Sonicwall SOHO3
NAT firewall. The SOHO3 WAN port is a DHCP client as required by my ISP but
the TCP/IP settings haven't changed for years. The LAN facing port of the
SOHO3 is 192.168.1.2. The subnet mask is 255.255.255.252. The default
gateway is blank and DNS addresses are static but the same as the WAN side.

Dual ported 'server' (I have been given a lot of advice on this.
Unfortunately none of it seems to have worked.)
WinXP Pro running Kerio WinRoute as a proxy
WAN-facing NIC is configured as IP 192.168.1.1 - SNM 255.255.255.252 -
DG 192.168.1.2 - DNS same as above (ISP's semi-static DNS servers)
LAN-facing NIC is configured as IP 192.168.10.1 - SNM 255.255.255.0 -
DG blank and DNS set to self (192.168.10.1)

Clients
I have been given a lot of "advice" on this as well.
IP 192.168.10.203 SNM 266.255.255.0 DG 192.168.10.1 DNS 192.168.10.1

At various times I have been told to set up the DNS server address as the
"next hop" yet others have told me to use the ISP's real world DNS servers
even on the clients and both interfaces on the dual ported server. I have
been told to remove and then later told to reinstall default gateways on
both the server and client machines. My head hurts. With the sheer number
of variables that I am working with it seems improbable that I will ever
stumble on the right settings. Oddly, after various hacking attempts things
seem to spontaneously start working and then just as spontaneously stop.
The setup described above actually worked last night (I was surprised) but
would not work the following morning even though nothing that I know of had
changed. (DNS cache timeouts were probably involved.)

If someone could help me out and provide proper explanations I would be
forever grateful. It is not a quick fix that I am looking for. I want to
know the how and why so that I can take this knowledge and apply it to
different configurations that I encounter in the future.

Thank you in advance.

Best regards
GordL
 
GordL said:
> I run a small test network behind a hardware firewall (Sonicwall SOHO3)
> where I test various software and hardware (some of it very obscure) with
> the intention of learning what I need to know before rolling anything out in
> a mission critical production environment. I recently replaced my 'server'
> hardware (due to a motherboard failure) and my Internet proxy/mail server
> (Midpoint Gateway) because Midcore Software seems to have disappeared.
>
> Here are the details of my setup. Please understand that I am not
> soliciting opinions on my choices of software or hardware. These choices
> were made within constraints that were both political and technical and were
> highly complex.
>
> Internet connection
> Toshiba DOCSIS cable router connected to the WAN side of a Sonicwall SOHO3
> NAT firewall. The SOHO3 WAN port is a DHCP client as required by my ISP but
> the TCP/IP settings haven't changed for years. The LAN facing port of the
> SOHO3 is 192.168.1.2. The subnet mask is 255.255.255.252. The default
> gateway is blank and DNS addresses are static but the same as the WAN side.
>
> Dual ported 'server' (I have been given a lot of advice on this.
> Unfortunately none of it seems to have worked.)
> WinXP Pro running Kerio WinRoute as a proxy
> WAN-facing NIC is configured as IP 192.168.1.1 - SNM 255.255.255.252 -
> DG 192.168.1.2 - DNS same as above (ISP's semi-static DNS servers)
> LAN-facing NIC is configured as IP 192.168.10.1 - SNM 255.255.255.0 -
> DG blank and DNS set to self (192.168.10.1)

When I do DNS on myself, I use 127.0.0.1 for nameserver. But you seem to
be using both your ISP's nameservers and yourself. Are you actually
running a nameserver listening on 192.168.10.1 for yourself and the
clients below?
> Clients
> I have been given a lot of "advice" on this as well.
> IP 192.168.10.203 SNM 266.255.255.0 DG 192.168.10.1 DNS 192.168.10.1
>
> At various times I have been told to set up the DNS server address as the
> "next hop" yet others have told me to use the ISP's real world DNS servers
> even on the clients and both interfaces on the dual ported server.

You cannot just expect any router or PC to answer DNS requests on an
interface if it is not running a nameserver (PC) or proxying DNS ("some"
broadband routers).
> I have been told to remove and then later told to reinstall default
> gateways on both the server and client machines.

The clients appear to have correct default gateway. Whether DNS is
correct depends whether a nameserver answers on that IP.

The server itself in this case should NOT have a default gateway on its
LAN interface, which you correctly show as blank. A default gateway
should usually lead to the internet (and not to oneself).

If you still sometimes have troubles, maybe it is from using a nameserver
IP (particularly 192.168.10.1) that has no nameserver on it.
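The two checks David applies above (the gateway must lie on the interface's own subnet and must not point at the host itself, and a default route should lead outward toward the Internet) can be made mechanical. The script below is an added example written for this thread, not code from either poster. It models the addresses as they were posted, including the client's "266.255.255.0" mask exactly as typed, using only Python's standard `ipaddress` module, and then walks the chain of default gateways from the client outward; the topology dictionary is a constructed sample, and the host names are labels chosen here.

```python
import ipaddress

# Sample topology built from the addresses quoted in the thread (constructed
# for this example, not a capture of the poster's machines). Each host maps to
# a list of (address, subnet mask, default gateway or None) per interface. The
# client's "266.255.255.0" mask is reproduced exactly as posted.
HOSTS = {
    "sonicwall": [("192.168.1.2", "255.255.255.252", None)],
    "server": [
        ("192.168.1.1", "255.255.255.252", "192.168.1.2"),   # WAN-facing NIC
        ("192.168.10.1", "255.255.255.0", None),             # LAN-facing NIC
    ],
    "client": [("192.168.10.203", "266.255.255.0", "192.168.10.1")],
}


def check_interface(ip, mask, gw):
    """Return a list of problems with one interface's static settings."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        # An octet above 255 or a non-contiguous mask lands here.
        return [f"invalid address/mask {ip}/{mask}: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw is not None:
        gw_addr = ipaddress.IPv4Address(gw)
        if gw_addr == iface.ip:
            problems.append(f"gateway {gw} is the interface's own address")
        elif gw_addr not in net:
            problems.append(f"gateway {gw} is not on {net}, so it is unreachable")
    return problems


def check_hosts(hosts):
    """Map each host name to the problems found across its interfaces."""
    return {
        name: [p for ifc in ifaces for p in check_interface(*ifc)]
        for name, ifaces in hosts.items()
    }


def owner_of(hosts, address):
    """Name of the host that has `address` on some interface, or None."""
    target = ipaddress.IPv4Address(address)
    for name, ifaces in hosts.items():
        if any(ipaddress.IPv4Address(ip) == target for ip, _m, _g in ifaces):
            return name
    return None


def default_route_path(hosts, start):
    """Follow default gateways hop by hop from `start`.

    Stops at a host with no default gateway on the modelled interfaces (here
    the firewall, whose own default route lives on its ISP-facing side), or
    when the next hop is not a modelled host or would loop.
    """
    path = [start]
    current = start
    while True:
        gws = [gw for _ip, _m, gw in hosts[current] if gw is not None]
        if not gws:
            return path
        nxt = owner_of(hosts, gws[0])
        if nxt is None or nxt in path:
            path.append(f"?{gws[0]}")
            return path
        path.append(nxt)
        current = nxt


if __name__ == "__main__":
    for host, problems in check_hosts(HOSTS).items():
        print(host, "OK" if not problems else problems)
    print("client default route:", " -> ".join(default_route_path(HOSTS, "client")))
```

Run as posted, the server and firewall interfaces pass, the client is rejected because of the 266 octet, and the route walk shows client -> server -> sonicwall, which is the outward chain the thread describes. Replacing the client mask with 255.255.255.0 makes that host pass too; the script says nothing about DNS, because whether 192.168.10.1 answers queries is a separate question from whether it is a reachable gateway.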
 
Hi David

Thank you for your reply. I will try to interleave your questions with my
answers. I hope that this doesn't become confusing.


David Efflandt said:
> When I do DNS on myself, I use 127.0.0.1 for nameserver. But you seem to
> be using both your ISP's nameservers and yourself. Are you actually
> running a nameserver listening on 192.168.10.1 for yourself and the
> clients below?

Under ordinary circumstances I too would use 127.0.0.1 to refer to 'self'
but I have been hacking at this for a while and have tried to implement
several proposed solutions. Some of my current settings may be a hangover.
On the other hand (as was once pointed out to me) which NIC on a dual ported
machine actually replies to 127.0.0.1? I am not clear on this. The use of
a "real" IP address even if it is local, removes this ambiguity and that is
why I have it set up this way.

There is no local nameserver. Everything should be forwarded to my ISP's
semi-static DNS servers. The Wan facing port of the SOHO3 |should| be able
to reply properly to DNS lookups.

It looks like you might be on to something here though. The proxy on my
dual ported server is not set up to forward DNS requests. It can, but the
feature is not enabled. (BOOM)

The question that arises though is that if a client machine requests DNS
resolution from a particular DNS server, is this request overwritten by a
proxy?

I remain a bit unclear

Best regards and thanks once again, David
GordL
 
GordL said:
> Hi David
>
> Thank you for your reply. I will try to interleave your questions with my
> answers. I hope that this doesn't become confusing.
>
> Under ordinary circumstances I too would use 127.0.0.1 to refer to 'self'
> but I have been hacking at this for a while and have tried to implement
> several proposed solutions. Some of my current settings may be a hangover.
> On the other hand (as was once pointed out to me) which NIC on a dual ported
> machine actually replies to 127.0.0.1? I am not clear on this. The use of
> a "real" IP address even if it is local, removes this ambiguity and that is
> why I have it set up this way.

127.0.0.1 always refers to yourself (localhost); no NIC is involved. So
it allows you to connect to network services on yourself, without relying
on an external IP.
> There is no local nameserver. Everything should be forwarded to my ISP's
> semi-static DNS servers. The WAN facing port of the SOHO3 |should| be able
> to reply properly to DNS lookups.

I forget which model our Sonicwall is at work, but its DHCP hands out our
ISP's nameservers. So unless there is something on your network that
actually responds to DNS requests, you should probably point everything on
your network to your ISP's nameservers.
> It looks like you might be on to something here though. The proxy on my
> dual ported server is not set up to forward DNS requests. It can, but the
> feature is not enabled. (BOOM)
>
> The question that arises though is that if a client machine requests DNS
> resolution from a particular DNS server, is this request overwritten by a
> proxy?

Not unless you have a firewall that transparently redirects all port 53
requests to your proxy. Otherwise the DNS proxy would only respond if its
IP was used as a nameserver. The nslookup command can use a command-line
specified nameserver.
 
Hi David

Thank you for your response. I appreciate your assistance.

David Efflandt said:
> When I do DNS on myself, I use 127.0.0.1 for nameserver. But you seem to
> be using both your ISP's nameservers and yourself. Are you actually
> running a nameserver listening on 192.168.10.1 for yourself and the
> clients below?

No, I do not run a local DNS server. I wish to forward DNS queries to my
ISP's DNS servers. As an 'aside' I have avoided using 127.0.0.1 for
everything as it is unclear to me which of my two network interfaces
(192.168.1.1 or 192.168.10.1) would be responding to the self-addressed
packet. If you can shed any light on this I would appreciate it.

> You cannot just expect any router or PC to answer DNS requests on an
> interface if it is not running a nameserver (PC) or proxying DNS ("some"
> broadband routers).
>
> The clients appear to have correct default gateway. Whether DNS is
> correct depends whether a nameserver answers on that IP.

A name server will only ever answer on my ISP's DNS server(s) but I have
lots of confusing things in between regarding DNS forwarding in the proxy and
the hardware firewall.
> The server itself in this case should NOT have a default gateway on its
> LAN interface, which you correctly show as blank. A default gateway
> should usually lead to the internet (and not to oneself).
>
> If you still sometimes have troubles, maybe it is from using a nameserver
> IP (particularly 192.168.10.1) that has no nameserver on it.

I think you are close here. If you are willing and able I can probably send
a sketch in MS Word or Visio of my network structure and would appreciate
any input.

Best regards
GordL
 
