* how to let recursive nameserver through
@ 2005-10-20 19:50 iptables-user
From: iptables-user @ 2005-10-20 19:50 UTC (permalink / raw)
To: netfilter
Hi all,
I have a 3-leg router/firewall and would like to run a recursive caching
nameserver (djb's dnscache) on it, but can't figure out how to get it
past the firewall to query upstream nameservers.
eth0 : lan
eth1 : wan which connects to default gateway to internet
eth2 : dmz (10.0.0.1 for 10.0.0.0/24)
dnscache is running on ip 10.0.0.1 on eth2. If it cannot resolve the
query from a local (inside) authority it must go outside and begin by
querying the root-servers via eth1. This is where it fails.
If I run dnscache on a machine attached to eth2, requests are FORWARDED
from eth2 to eth1, then via the gateway, and all is well; however, when
run ON eth2, outbound traffic is blocked.
Default policies are INPUT:DROP, FORWARD:DROP, OUTPUT:ACCEPT.
I can't even figure out where to try to put a rule for this, or how to
write it. Since it's an address ON the router it wouldn't be on the
FORWARD chain, right?
I'm totally baffled. Anybody have any ideas where to begin debugging this?
Thanks for any help.
* Re: how to let recursive nameserver through
From: Henrik Nordstrom @ 2005-10-21 3:00 UTC (permalink / raw)
To: iptables-user; +Cc: netfilter
On Thu, 20 Oct 2005 iptables-user@lists.theorb.net wrote:
> I have a 3-leg router/firewall and would like to run a recursive caching
> nameserver (djb's dnscache) on it, but can't figure out how to get it
> past the firewall to query upstream nameservers.
It needs to be allowed to universally query port 53 on UDP and TCP
(OUTPUT), and responses also need to be let back (INPUT -m state --state
ESTABLISHED is usually sufficient for the latter).
> I can't even figure out where to try to put a rule for this, or how to
> write it. Since it's an address ON the router it wouldn't be on the
> FORWARD chain, right?
>
> I'm totally baffled. Anybody have any ideas where to begin debugging this?
Make sure you always log dropped packets, with a log tag telling you which
rule caused the packet to be dropped/rejected.
tcpdump is also your friend.
Regards
Henrik
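Added example, not from either poster: the rules Henrik describes, written out for the 3-leg router in the question, plus the tagged logging of dropped packets he recommends. It assumes eth1 is the WAN interface the resolver's queries leave through, that the kernel has the state (conntrack) match, and that the rules are appended to chains whose policies are INPUT:DROP, FORWARD:DROP, OUTPUT:ACCEPT as in the question.

```shell
#!/bin/sh
# Added example (not the thread's own code). Assumptions: eth1 is the WAN
# interface and the router's resolver sends its upstream queries out of it.
# Without the "apply" argument the script only prints the rules (IPT=echo),
# so you can review them before touching the live firewall.
IPT="${IPT:-iptables}"
WAN=eth1

dns_rules() {
    # Queries generated by the resolver ON the router leave through OUTPUT,
    # never FORWARD. Recursion needs both UDP/53 and TCP/53 (answers that
    # come back truncated are retried over TCP).
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -j ACCEPT

    # Replies come back through INPUT, whose policy is DROP. Conntrack marks
    # the UDP answer and the TCP reply segments as ESTABLISHED, so this one
    # rule lets both back in without opening any listening port on eth1.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED -j ACCEPT
}

log_drops() {
    # Appended last, so only packets no ACCEPT rule matched reach them; the
    # prefix tells you which chain dropped the packet. The limit match keeps
    # a flood from filling syslog while still showing what is being dropped.
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "${chain}-DROP: " --log-level info
    done
}

if [ "${1:-}" = apply ]; then
    dns_rules
    log_drops
else
    IPT=echo
    dns_rules
    log_drops
fi
```

Run `sh rules.sh` to preview and `sh rules.sh apply` (as root) to install; with the LOG rules in place, a dropped reply shows up in syslog tagged `INPUT-DROP:`, which is where the question's "blocked outbound traffic" should become visible.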