#1
Howdy all,

www.nerrenvirons.org is registered as 12.170.16.134 but is actually on 192.168.0.134 inside my LAN. My gateway (12.170.16.130) allows traffic back and forth, from 12.170.16.134 <-> 192.168.0.134. I can view 12.170.16.134 fine from inside and outside our network, but can ONLY view www.nerrenvirons.org from 192.168.0.134. That makes me think it's a nameserver issue on 192.168.0.134, somehow not letting people outside 192.168.0.134 see www.nerrenvirons.org. I changed the default "localhost" setting for 'control' in /etc/named.conf to "any", but that didn't work. After mucking with it all day I'm out of ideas.

SETUP: nerrenvirons.org is inside our LAN. Our gateway sends all traffic for 12.170.16.134 to 192.168.0.134, thereby letting the world see 192.168.0.134. It does this with the following firewall rules:

Code:
    # the next block was added when making the CDMO non-proxied
    $IPTABLES -t nat -A PREROUTING -i $INTIF -d 12.170.16.134 -j DNAT --to-destination 192.168.0.134
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -d 12.170.16.134 -j DNAT --to-destination 192.168.0.134
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    #now spoof our intranet IP to our internet IP
    $IPTABLES -t nat -A POSTROUTING -s 192.168.0.134 -j SNAT --to-source 12.170.16.134

DIAGNOSTICS: When I dig on the local machine (192.168.0.134) I get this:

Code:
    [root@CDMO-blowfish root]# dig www.nerrenvirons.org

    ; <<>> DiG 9.2.1 <<>> www.nerrenvirons.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57762
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.nerrenvirons.org.          IN      A

    ;; ANSWER SECTION:
    www.nerrenvirons.org.   10800   IN      CNAME   ns3.nerrenvirons.org.
    ns3.nerrenvirons.org.   10800   IN      A       192.168.0.134

    ;; AUTHORITY SECTION:
    nerrenvirons.org.       10800   IN      NS      ns3.nerrenvirons.org.

    ;; Query time: 2 msec
    ;; SERVER: 192.168.0.134#53(192.168.0.134)
    ;; WHEN: Fri Sep 19 16:16:59 2003
    ;; MSG SIZE  rcvd: 86

When I dig from our gateway (192.168.0.1 or 12.170.16.130) I get this:

Code:
    ; <<>> DiG 9.2.1 <<>> www.nerrenvirons.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64187
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.nerrenvirons.org.          IN      A

    ;; Query time: 60 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Sep 19 16:08:05 2003
    ;; MSG SIZE  rcvd: 38

I don't know why the SERVFAIL is being flagged. So then I check:

Code:
    [root@grampus rc.d]# dig nerrenvirons.org ns @www.nerrenvirons.org

    ; <<>> DiG 9.2.1 <<>> nerrenvirons.org ns @www.nerrenvirons.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13472
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;nerrenvirons.org.              IN      NS

    ;; ANSWER SECTION:
    nerrenvirons.org.       10800   IN      NS      ns3.nerrenvirons.org.

    ;; ADDITIONAL SECTION:
    ns3.nerrenvirons.org.   10800   IN      A       192.168.0.134

    ;; Query time: 19 msec
    ;; SERVER: 192.168.0.134#53(www.nerrenvirons.org)
    ;; WHEN: Fri Sep 19 16:20:36 2003
    ;; MSG SIZE  rcvd: 68

So then I thought it was a bad 'control' in my 192.168.0.134's /etc/named.conf, so I commented out the control to allow everything through, but still no luck (rebooted EVERYTHING).

These are 192.168.0.134's files:

Code:
    [root@CDMO-blowfish root]# cat /etc/resolv.conf
    domain nerrenvirons.org
    nameserver 192.168.0.134
    nameserver 192.168.0.1

    [root@CDMO-blowfish root]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    12.170.16.130   grampus.marisys.net grampus
    192.168.0.134   CDMO-blowfish
    127.0.0.1       cdmo localhost.localdomain localhost

    [root@CDMO-blowfish root]# cat /etc/named.conf
    ## named.conf - configuration for bind
    #
    # Generated automatically by redhat-config-bind, alchemist et al.
    # Any changes not supported by redhat-config-bind should be put
    # in /etc/named.custom
    #
    #controls {
    #       inet 127.0.0.1 allow { any; } keys { rndckey; };
    #};
    include "/etc/named.custom";
    #include "/etc/rndc.key";
    logging {
            channel bindlog {
                    file "/var/log/bindlog" versions 5 size 1m;
                    print-time yes;
                    print-category yes;
                    print-severity yes;
            };
            category xfer-out { bindlog; };
            category xfer-in { bindlog; };
            category security { bindlog; };
    };
    zone "0.0.127.in-addr.arpa" {
            type master;
            file "0.0.127.in-addr.arpa.zone";
    };
    zone "localhost" {
            type master;
            file "localhost.zone";
    };
    zone "nerrenvirons.org" {
            type master;
            file "db.nerrenvirons.org";
    };

    [root@CDMO-blowfish root]# cat /var/named/db.nerrenvirons.org
    $TTL 3h
    nerrenvirons.org. IN SOA ns3.nerrenvirons.org. root.nerrenvirons.org. (
                    2       ; Serial
                    3h      ; Refresh after 3 hours
                    1h      ; Retry after 1 hour
                    1w      ; Expire after 1 week
                    1h )    ; Negative caching TTL of 1 day

                    IN A    192.168.0.134
    ;
    ; Name servers
    ;
                    IN NS   ns3.nerrenvirons.org.
    ;
    ; Addresses for the canonical names
    ;
    localhost       IN A    127.0.0.1
    ns3             IN A    192.168.0.134
    ;
    ; Aliases
    ;
    www             IN CNAME ns3
    ;
    ; Interface specific names
    ;
    [root@CDMO-blowfish root]#

This is how the gateway is set up:

Code:
    [root@grampus rc.d]# cat /etc/resolv.conf
    domain marisys.net
    nameserver 127.0.0.1
    nameserver 192.168.0.134
    [root@grampus rc.d]#

Any ideas?? Am I even on the right track, that it's a nameserver permission problem on 192.168.0.134, not letting the world see it?? I can ping www.nerrenvirons.org and 192.168.0.134 fine from the gateway. Does anyone have any suggestions as to what path I need to investigate next? I'm out of ideas on what to do. Thanks for any help.
#2
Quote:
You're publishing a reserved-range IP address as the public IP address for www.nerrenvirons.org:

Code:
    [root@vaio root]# dnsqr a www.nerrenvirons.org
    1 www.nerrenvirons.org:
    86 bytes, 1+2+1+0 records, response, noerror
    query: 1 www.nerrenvirons.org
    answer: www.nerrenvirons.org 10792 CNAME ns3.nerrenvirons.org
    answer: ns3.nerrenvirons.org 10792 A 192.168.0.134
    authority: nerrenvirons.org 10792 NS ns3.nerrenvirons.org
    [root@vaio root]#

Change 192.168.0.134 to 12.170.16.134 and restart BIND.
__________________
Alex (http://www.alex-greg.com)
#3
Thanks for the help. Unfortunately even after doing that and rebooting everything I still get the same results: my internal 192.168.0.134 is still being published.

This is what I've changed. On my gateway:

Code:
    [root@grampus root]# cat /etc/resolv.conf
    domain marisys.net
    nameserver 127.0.0.1
    nameserver 12.170.16.134

On my internal system:

Code:
    [root@CDMO-blowfish root]# cat /var/named/db.nerrenvirons.org
    $TTL 3h
    nerrenvirons.org. IN SOA ns3.nerrenvirons.org. root.nerrenvirons.org. (
                    2       ; Serial
                    3h      ; Refresh after 3 hours
                    1h      ; Retry after 1 hour
                    1w      ; Expire after 1 week
                    1h )    ; Negative caching TTL of 1 day

                    IN A    12.170.16.134
    ;
    ; Name servers
    ;
                    IN NS   ns3.nerrenvirons.org.
    ;
    ; Addresses for the canonical names
    ;
    localhost       IN A    127.0.0.1
    ns3             IN A    12.170.16.134
    ;
    ; Aliases
    ;
    www             IN CNAME ns3
    ;
    ; Interface specific names
    ;

My gateway firewall SHOULD be transforming any packets claiming to come from 192.168.0.134 to 12.170.16.134, so I think the firewall on my gateway is okay. Any other ideas about where this internal address could be coming from??
#4
You now seem to be publishing the correct information:

Code:
    [root@vaio root]# dnsqr a www.nerrenvirons.org
    1 www.nerrenvirons.org:
    86 bytes, 1+2+1+0 records, response, noerror
    query: 1 www.nerrenvirons.org
    answer: www.nerrenvirons.org 10800 CNAME ns3.nerrenvirons.org
    answer: ns3.nerrenvirons.org 10800 A 12.170.16.134
    authority: nerrenvirons.org 10800 NS ns3.nerrenvirons.org
    [root@vaio root]#

You might need to wait for a while for the records to expire from your DNS resolver.
#5
Thank you soooo much for your help, things seem to work great now!
#6
Crap. I spoke too soon.

From OUTSIDE my network I can reach www.nerrenvirons.org, but I can't from within my network. From within I get this feedback:

Code:
    [root@grampus root]# dig www.nerrenvirons.org

    ; <<>> DiG 9.2.1 <<>> www.nerrenvirons.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18425
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.nerrenvirons.org.          IN      A

    ;; Query time: 113 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Sep 22 08:17:38 2003
    ;; MSG SIZE  rcvd: 38

    [root@grampus root]# ping www.nerrenvirons.org
    ping: unknown host www.nerrenvirons.org

    [root@grampus root]# ping 12.170.16.134
    PING 12.170.16.134 (12.170.16.134) from 12.170.16.134 : 56(84) bytes of data.
    64 bytes from 12.170.16.134: icmp_seq=0 ttl=255 time=7.960 msec
    64 bytes from 12.170.16.134: icmp_seq=1 ttl=255 time=493 usec

    --- 12.170.16.134 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/mdev = 0.493/4.226/7.960/3.734 ms

    [root@grampus root]# ping 192.168.0.134
    PING 192.168.0.134 (192.168.0.134) from 192.168.0.1 : 56(84) bytes of data.
    64 bytes from 192.168.0.134: icmp_seq=0 ttl=64 time=823 usec
    64 bytes from 192.168.0.134: icmp_seq=1 ttl=64 time=653 usec
    64 bytes from 192.168.0.134: icmp_seq=2 ttl=64 time=617 usec

    --- 192.168.0.134 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/mdev = 0.617/0.697/0.823/0.094 ms
    [root@grampus root]#

I'm assuming this is a bug in my gateway's firewall rules, which somehow work for outside traffic, but are broken for inside traffic. When I do a dig +trace I get:

Code:
    [root@grampus log]# dig +trace www.nerrenvirons.org

    ; <<>> DiG 9.2.1 <<>> +trace www.nerrenvirons.org
    ;; global options: printcmd
    .                       444726  IN      NS      B.ROOT-SERVERS.NET.
    .                       444726  IN      NS      C.ROOT-SERVERS.NET.
    .                       444726  IN      NS      D.ROOT-SERVERS.NET.
    .                       444726  IN      NS      E.ROOT-SERVERS.NET.
    .                       444726  IN      NS      F.ROOT-SERVERS.NET.
    .                       444726  IN      NS      G.ROOT-SERVERS.NET.
    .                       444726  IN      NS      H.ROOT-SERVERS.NET.
    .                       444726  IN      NS      I.ROOT-SERVERS.NET.
    .                       444726  IN      NS      J.ROOT-SERVERS.NET.
    .                       444726  IN      NS      K.ROOT-SERVERS.NET.
    .                       444726  IN      NS      L.ROOT-SERVERS.NET.
    .                       444726  IN      NS      M.ROOT-SERVERS.NET.
    .                       444726  IN      NS      A.ROOT-SERVERS.NET.
    ;; Received 244 bytes from 127.0.0.1#53(127.0.0.1) in 34 ms

    org.                    172800  IN      NS      TLD1.ULTRADNS.NET.
    org.                    172800  IN      NS      TLD2.ULTRADNS.NET.
    ;; Received 120 bytes from 128.9.0.107#53(B.ROOT-SERVERS.NET) in 106 ms

    nerrenvirons.org.       86400   IN      NS      ns3.nerrenvirons.org.
    nerrenvirons.org.       86400   IN      NS      ns2.marisys.net.
    ;; Received 101 bytes from 204.74.112.1#53(TLD1.ULTRADNS.NET) in 56 ms

    dig: Couldn't find server 'ns3.nerrenvirons.org': Name or service not known

Why couldn't it find ns3.nerrenvirons.org? That should be the host served by 192.168.0.134. My gateway's resolv.conf shows it should use 12.170.16.134 as a nameserver, so ns3.nerrenvirons.org should be found:

Code:
    [root@grampus log]# more /etc/resolv.conf
    domain marisys.net
    nameserver 127.0.0.1
    nameserver 12.170.16.134

Maybe it's a recursion problem?

Code:
    [root@grampus log]# dig +norecursive www.nerrenvirons.org

    ; <<>> DiG 9.2.1 <<>> +norecursive www.nerrenvirons.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54810
    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.nerrenvirons.org.          IN      A

    ;; AUTHORITY SECTION:
    nerrenvirons.org.       85012   IN      NS      ns2.marisys.net.
    nerrenvirons.org.       85012   IN      NS      ns3.nerrenvirons.org.

    ;; ADDITIONAL SECTION:
    ns2.marisys.net.        10800   IN      A       12.170.16.131

    ;; Query time: 25 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Sep 22 08:39:37 2003
    ;; MSG SIZE  rcvd: 101

So this says it knows ns3.nerrenvirons.org is an authority, but then in the ADDITIONAL SECTION it only shows ns2.marisys.net and no ns3.nerrenvirons.org -- what does that mean??

Last edited by registering : September 22nd, 2003 at 07:43 AM.
#7
Quote:
This spanks of an internal routing issue. You need to re-route all outbound traffic destined for 12.170.16.134 to 192.168.0.134 at your gateway.

Quote:
Yes, but it's a subdomain of nerrenvirons.org, whose authority is ns3.nerrenvirons.org, which resolves to 12.170.16.134 (see above).

Quote:
You're confusing authoritative name servers with resolving name servers. /etc/resolv.conf nameserver entries list nameservers that your host will use to resolve DNS queries. This is a different kind of server from one that publishes authoritative DNS information. BIND doesn't help here: it's a monolithic server that doesn't make a clear distinction between these two roles. See http://homepages.tesco.net/~J.deBoy...rver-roles.html for further clarification.

Executive summary: see my first point. You need to route all outbound traffic destined for 12.170.16.134 to 192.168.0.134 at your gateway. This should sort all this out.
#8
Thanks for the help Alex! I'm pretty sure my firewall routes all packets for 12.170.16.134 to 192.168.0.134. For example, I can go to 12.170.16.134 and ns3.nerrenvirons.org and they both route correctly to 192.168.0.134; it's only www.nerrenvirons.org that says "server not found". This is my firewall as it currently stands:

Code:
    #echo "   Routing internet address to intranet address for nerrenvirons.org"
    # the next block was added when making the CDMO non-proxied
    $IPTABLES -t nat -A PREROUTING -d 12.170.16.134 -j DNAT --to-destination 192.168.0.134
    $IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -d 192.168.0.134 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

    echo "   Spoofing intranet address to internet address..."
    #now spoof our intranet IP to our internet IP if we're leaving our intranet
    $IPTABLES -t nat -A POSTROUTING -s 192.168.0.134 -j SNAT --to-source 12.170.16.134

    echo "   Enabling NPAT (MASQUERADE) functionality"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE

Now, when I go to www.nerrenvirons.org from inside my network I get a "lame server" entry in my gateway's /var/log/messages. There seem to be many messages for a single attempt (I don't know if http tries X times before giving up, which would explain the multiple error msgs):

Code:
    Sep 24 09:21:10 grampus named[2745]: starting BIND 9.2.1 -u named
    Sep 24 09:21:10 grampus named[2745]: using 1 CPU
    Sep 24 09:21:10 grampus named[2748]: loading configuration from '/etc/named.conf'
    Sep 24 09:21:10 grampus named: named startup succeeded
    Sep 24 09:21:10 grampus named[2748]: no IPv6 interfaces found
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface lo, 127.0.0.1#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth0, 192.168.0.1#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1, 12.170.16.130#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:0, 12.170.16.131#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:1, 12.170.16.132#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:10, 12.170.16.142#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:2, 12.170.16.134#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:3, 12.170.16.135#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:4, 12.170.16.136#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:5, 12.170.16.137#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:6, 12.170.16.138#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:7, 12.170.16.139#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:8, 12.170.16.140#53
    Sep 24 09:21:10 grampus named[2748]: listening on IPv4 interface eth1:9, 12.170.16.141#53
    Sep 24 09:21:11 grampus named[2748]: command channel listening on 127.0.0.1#953
    Sep 24 09:21:11 grampus named[2748]: zone 16.170.12.in-addr.arpa/IN: loaded serial 5
    Sep 24 09:21:11 grampus named[2748]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2
    Sep 24 09:21:11 grampus named[2748]: zone marisys.com/IN: loaded serial 5
    Sep 24 09:21:11 grampus named[2748]: zone marisys.net/IN: loaded serial 5
    Sep 24 09:21:11 grampus named[2748]: running
    Sep 24 09:21:11 grampus named[2748]: zone marisys.net/IN: sending notifies (serial 5)
    Sep 24 09:21:11 grampus named[2748]: zone marisys.com/IN: sending notifies (serial 5)
    Sep 24 09:21:11 grampus named[2748]: zone 16.170.12.in-addr.arpa/IN: sending notifies (serial 5)
    Sep 24 09:21:11 grampus named[2748]: zone 0.0.127.in-addr.arpa/IN: sending notifies (serial 2)
    Sep 24 09:21:20 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:20 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:20 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:20 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.131#53
    Sep 24 09:21:21 grampus named[2748]: lame server resolving 'www.nerrenvirons.org' (in 'nerrenvirons.org'?): 12.170.16.134#53

What I thought that meant is 192.168.0.134 doesn't know it's supposed to host the nerrenvirons.org domain. However 192.168.0.134's /etc/resolv.conf shows it should:

Code:
    [root@cdmo root]# cat /etc/resolv.conf
    domain nerrenvirons.org
    nameserver 127.0.0.1
    nameserver 192.168.0.1

and its named is configured to read the db.nerrenvirons.org zone:

Code:
    [root@cdmo root]# cat /etc/named.conf
    // generated by named-bootconf.pl

    options {
            directory "/var/named";
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
            // query-source address * port 53;
    };

    zone "nerrenvirons.org" in {
            type master;
            file "db.nerrenvirons.org";
    };

    zone "16.170.12.in-addr.arpa" in {
            type master;
            file "db.12.170.16";
    };

    zone "0.0.127.in-addr.arpa" in {
            type master;
            file "db.127.0.0";
    };

I read somewhere using CNAME can cause problems, so I changed "www" from an alias to an A record:

Code:
    [root@cdmo root]# cat /var/named/db.nerrenvirons.org
    $TTL 3h
    nerrenvirons.org. IN SOA ns3.nerrenvirons.org. root.nerrenvirons.org. (
                    8       ; Serial
                    3h      ; Refresh after 3 hours
                    1h      ; Retry after 1 hour
                    1w      ; Expire after 1 week
                    1h )    ; Negative caching TTL of 1 day

                    IN A    12.170.16.134
    ;
    ; Name servers
    ;
    nerrenvirons.org.       IN NS   ns3.nerrenvirons.org.
    ;
    ; Addresses for the canonical names
    ;
    localhost       IN A    127.0.0.1
    ns3             IN A    12.170.16.134
    ;
    ; Aliases
    ;
    www.nerrenvirons.org.   IN A    12.170.16.134
    ;
    ; Interface specific names
    ;

What I don't understand (among many things obviously) is that grampus (my gateway) doesn't know anything about the nerrenvirons.org domain; the only reference it has is in its firewall (route anything for 12.170.16.134 to 192.168.0.134), and in its resolver (use nameserver 192.168.0.1 (itself) and then try 192.168.0.134 (nerrenvirons.org)). So that means when I ask for ns3.nerrenvirons.org, that's being resolved properly, since I can see the real webpage on 192.168.0.134. So why won't www.nerrenvirons.org resolve to the same domain? I thought anyone told to go to 12.170.16.134 will get firewall-routed to 192.168.0.134 (which seems to be the case) and anyone inside my LAN, when trying to go to www.nerrenvirons.org, will try the nameservers in /etc/resolv.conf of my gateway, which seems to be the case for ns3.nerrenvirons.org, but not for www.nerrenvirons.org. I don't need to serve nerrenvirons.org on my gateway's 'named', do I?

(p.s., I can ping www.nerrenvirons.org from my gateway fine, if that means anything (I don't think it does))

Last edited by registering : September 24th, 2003 at 08:59 AM.
#9
Quote:
"Lame server" translates as "server designated as authoritative [for a domain] not providing authoritative DNS data". This is beginning to look more like a DNS resolution issue... Post the output (from the machine inside your network that you tried to access www.nerrenvirons.org from) of the following:

Code:
    dig ns nerrenvirons.org
    dig @12.170.16.134 a nerrenvirons.org
    dig @192.168.0.134 a nerrenvirons.org

Quote:
The /etc/resolv.conf file "domain" entries allow you to use short names which the resolver will attempt to expand to the full name by appending ".nerrenvirons.org" to the end. It doesn't designate DNS authority. You need to tell your nameserver that it's authoritative for the domain, which you've successfully done (hence it works fine from outside). The problem (I strongly suspect) lies with the way you're resolving DNS in your internal network.

Quote:
Part of the problem (I suspect) lies in the fact that you're using your content DNS server as a DNS resolver (as indicated by the bold section above - see http://homepages.tesco.net/~J.deBoy...rver-roles.html for further explanation of this). "DNS clients are never configured to talk directly to content servers. The IP address of a content server should not be listed in the /etc/resolv.conf file on Unix or Linux systems, for example." (quote from above URL). Is 192.168.0.1 (itself) running a recursive DNS resolver? If not, then it won't be able to resolve any queries, so all DNS queries will go to 192.168.0.134 for recursive resolution. This machine is also the content (or authoritative) server for nerrenvirons.org...

Summary: Post the output of the dig commands above. Then try using your ISP's DNS servers to resolve DNS queries (replace them with the @ in the dig commands above to see if they produce the desired results).

Last edited by alexgreg : September 26th, 2003 at 06:11 PM.
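As an added example (not code from the thread or from Alex), a small Python lint that catches the two mistakes pointed out in posts #2 and #9: A records that publish an RFC 1918 address, and a resolv.conf that lists the zone's own content server as a resolver. The sample zone and resolv.conf are constructed from the files quoted in the thread; `parse_zone`, `lint` and the other names are my own.

```python
"""Added lint for the two mistakes raised in this thread (not the poster's
code): A records that publish an RFC 1918 address, and /etc/resolv.conf
nameserver lines that point at the zone's own content (authoritative) server."""
import ipaddress
import re

ORIGIN = "nerrenvirons.org."

# Constructed from the zone file in post #1: ns3 carries the private address.
ZONE_BEFORE = """\
$TTL 3h
nerrenvirons.org. IN SOA ns3.nerrenvirons.org. root.nerrenvirons.org. (
        2  ; Serial
        3h ; Refresh
        1h ; Retry
        1w ; Expire
        1h ) ; Negative caching TTL
        IN A 192.168.0.134
        IN NS ns3.nerrenvirons.org.
localhost IN A 127.0.0.1
ns3 IN A 192.168.0.134
www IN CNAME ns3
"""
# After post #2's fix: same records, public address.
ZONE_AFTER = ZONE_BEFORE.replace("192.168.0.134", "12.170.16.134")
# Gateway resolv.conf as posted, before and after the same change.
RESOLV_BEFORE = "domain marisys.net\nnameserver 127.0.0.1\nnameserver 192.168.0.134\n"
RESOLV_AFTER = RESOLV_BEFORE.replace("192.168.0.134", "12.170.16.134")

def parse_zone(text, origin=ORIGIN):
    """Return (owner, type, rdata) tuples. Handles ';' comments, $-directives,
    a parenthesised multi-line SOA, blank-owner inheritance and relative names."""
    records, owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if depth:                                   # still inside SOA ( ... )
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                    # explicit owner name
            name = fields.pop(0)
            owner = name if name.endswith(".") else f"{name}.{origin}"
        if fields and re.fullmatch(r"\d+[smhdw]?", fields[0], re.I):
            fields.pop(0)                           # optional TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)                           # class
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        depth = rdata.count("(") - rdata.count(")")
        records.append((owner, rtype, rdata.split("(")[0].strip()))
    return records

def private_a_records(records):
    """A records publishing a non-routable address (localhost excepted)."""
    return [(o, r) for o, t, r in records if t == "A"
            and ipaddress.ip_address(r).is_private
            and not ipaddress.ip_address(r).is_loopback]

def content_servers_in_resolv(resolv_text, records, origin=ORIGIN):
    """resolv.conf nameserver entries that are one of the zone's own NS hosts,
    i.e. a content server being used as a recursive resolver."""
    ns_hosts = {r if r.endswith(".") else f"{r}.{origin}"
                for _, t, r in records if t == "NS"}
    ns_addrs = {r for o, t, r in records if t == "A" and o in ns_hosts}
    servers = [l.split()[1] for l in resolv_text.splitlines()
               if l.startswith("nameserver")]
    return [s for s in servers if s in ns_addrs]

def lint(zone_text, resolv_text):
    recs = parse_zone(zone_text)
    return {"private": private_a_records(recs),
            "content_as_resolver": content_servers_in_resolv(resolv_text, recs)}
```

Run against the "before" pair it flags both problems; against the "after" pair the private-address finding clears but the content-server-as-resolver finding remains, which is exactly the state the thread is in at post #9.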
Thread: Dev Shed Forums > System Administration > DNS > named problem: am I even CLOSE to being on the right track??