[SOLVED] DHCP, named - nslookup fine, ping not from Windows clients only

strfr
Posts: 10
Joined: 2011/08/15 08:24:46

[SOLVED] DHCP, named - nslookup fine, ping not from Windows clients only

Post by strfr » 2011/10/09 20:31:51

Dear all,

Having a hard time getting things to work:

I have set up DHCP and BIND on my server. The Linux box has no problem doing nslookup on the short names of my virtual servers, pinging them, etc. Windows clients can nslookup the short names, but they cannot ping them or open the web pages running on my virtual servers.

192.168.66.10 - bind, dhcp, openvpn etc.
192.168.66.11 - application server

here are my configs:
[code]
[root@zoidberg etc]# cat named.conf
# named.custom - custom configuration for bind
#
# Any changes not currently supported by system-config-bind should be put
# in this file.

#acl "adserver" {
# 192.168.66.3;
#};

// Address-based ACL used by allow-update in the zones below: only the
// DHCP server itself (192.168.66.10) may send dynamic updates.
acl "dhcpserver" {
192.168.66.10;
};

// NOTE(review): "dhcpclient" is declared but not referenced anywhere in
// this file; either use it (e.g. in match-clients) or drop it.
acl "dhcpclient" {
192.168.66/24;
};

options {
// NOTE(review): fixing the outbound query source port to 53 turns off
// BIND's source-port randomization for the recursive/forwarded lookups
// below, which is the main mitigation against cache poisoning. Removing
// these two lines lets named choose a random ephemeral port per query.
query-source port 53;
query-source-v6 port 53;
directory "/var/named";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Listen only on the LAN address and loopback; together with allow-query
// this keeps the resolver reachable from 192.168.66.0/24 and localhost only.
listen-on { 192.168.66.10; 127.0.0.1; };
// Anything not answered from the zones below is forwarded upstream.
forwarders { 213.46.172.36; 213.46.172.37; };
allow-query { 127.0.0.1; 192.168.66.0/24; };
};

include "/etc/rndc.key";

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
# all views must contain the root hints zone:
include "/etc/named.root.hints";
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/etc/named.rfc1912.zones";

// NOTE(review): the same two writable zone files are declared again in the
// "internal" view below. Some BIND 9 releases refuse to load a dynamic
// zone file that another view already has open for writing; if one view
// stops answering for these zones, check the named log for that message.
zone "66.168.192.in-addr.arpa" {
type master;
file "slaves/db.192.168.66";
// NOTE(review): updates are authorized by source address only. An address
// can be spoofed on the LAN; the commented "my.ddns.internal.zone" template
// further down shows the stronger form, allow-update { key ...; }, which
// requires a TSIG key shared with dhcpd.
allow-update { dhcpserver; };
// Skip hostname syntax checks for records in this zone.
check-names ignore;
};

zone "int.motion.cz" {
type master;
file "slaves/db.int.motion.cz";
// Same address-only update authorization as the reverse zone above.
allow-update { dhcpserver; };
check-names ignore;
};


};


view "internal"
{
// Serves every client on the directly attached networks (the LAN).
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

// Reverse zone for 192.168.66.0/24; dynamically updated by dhcpd only.
zone "66.168.192.in-addr.arpa" {
type master;
file "slaves/db.192.168.66";
allow-update { dhcpserver; };
check-names ignore;
};

// Forward zone for the LAN; dynamically updated by dhcpd only.
zone "int.motion.cz" {
type master;
file "slaves/db.int.motion.cz";
allow-update { dhcpserver; };
check-names ignore;
};

#zone "_msdcs.int.motion.cz" {
# type master;
# file "slaves/db._msdcs.int.motion.cz";
# allow-update { adserver; };
# check-names ignore;
#};

#zone "_sites.int.motion.cz" {
# type master;
# file "slaves/db._sites.int.motion.cz";
# allow-update { adserver; };
# check-names ignore;
#};

#zone "_tcp.int.motion.cz" {
# type master;
# file "slaves/db._tcp.int.motion.cz";
# allow-update { adserver; };
# check-names ignore;
#};

#zone "_udp.int.motion.cz" {
# type master;
# file "slaves/db._udp.int.motion.cz";
# allow-update { adserver; };
# check-names ignore;
#};

#zone "my.slave.internal.zone" {
# type slave;
# file "slaves/my.slave.internal.zone.db";
# masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
# // put slave zones in the slaves/ directory so named can update them
#};

#zone "my.ddns.internal.zone" {
# type master;
# allow-update { key ddns_key; };
# file "slaves/my.ddns.internal.zone.db";
# // put dynamically updateable zones in the slaves/ directory so named can update them
#};
}; [/code]

[code]
[root@zoidberg slaves]# cat db.192.168.66
$ORIGIN .
$TTL 86400 ; 1 day
66.168.192.in-addr.arpa IN SOA zoidberg.int.motion.cz. root.motion.cz. (
2011102066 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
2419200 ; expire (4 weeks)
86400 ; minimum (1 day)
)
NS zoidberg.int.motion.cz.
$ORIGIN 66.168.192.in-addr.arpa.
; Entries under the default 1-day TTL (presumably the hand-maintained hosts).
1 PTR gw.int.motion.cz.
10 PTR zoidberg.int.motion.cz.
11 PTR bender.int.motion.cz.
12 PTR vMA.int.motion.cz.
2 PTR switch.int.motion.cz.
3 PTR t610.int.motion.cz.
4 PTR ups.int.motion.cz.
$TTL 10800 ; 3 hours
; NOTE(review): the 3-hour PTRs look like dhcpd's dynamic-update entries for
; leased addresses. named rewrites this file itself, so change it via
; nsupdate (or rndc freeze/thaw), not by hand-editing.
53 PTR lt-komarek.int.motion.cz.
54 PTR test-desktop.int.motion.cz.
[root@zoidberg slaves]# [/code]

[code]
[root@zoidberg slaves]# cat db.int.motion.cz
$ORIGIN .
$TTL 86400 ; 1 day
int.motion.cz IN SOA zoidberg.int.motion.cz. root.motion.cz. (
2011102073 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
2419200 ; expire (4 weeks)
86400 ; minimum (1 day)
)
NS zoidberg.int.motion.cz.
$ORIGIN int.motion.cz.
bender A 192.168.66.11
; dev, stage and svn are aliases for bender. The wildcard CNAME under dev and
; stage makes every label beneath them (e.g. siky.dev.int.motion.cz) resolve
; to the same host, so "siky.dev" only works when the client appends the
; int.motion.cz suffix to that dotted short name.
dev CNAME bender
$ORIGIN dev.int.motion.cz.
* CNAME dev.int.motion.cz.
$ORIGIN int.motion.cz.
gw A 192.168.66.1
$TTL 10800 ; 3 hours
; NOTE(review): the 3-hour A records paired with a TXT hash look like records
; written by dhcpd's interim-style DDNS; named rewrites this file, so hand
; edits here are lost -- use nsupdate (or rndc freeze/thaw) instead.
lt-komarek A 192.168.66.53
TXT "3104a734adc422b84f563c39ce6a7f6828"
$TTL 86400 ; 1 day
stage CNAME bender
$ORIGIN stage.int.motion.cz.
* CNAME stage.int.motion.cz.
$ORIGIN int.motion.cz.
svn CNAME bender
$TTL 10800 ; 3 hours
test-desktop A 192.168.66.54
TXT "006921d2c0445ec8e5b679c8018ef4ceaf"
$TTL 86400 ; 1 day
zoidberg A 192.168.66.10
[root@zoidberg slaves]#
[/code]

[code]
[root@zoidberg dhcp]# cat dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
#


# dhcpd registers A/PTR records for leases itself (interim style) and ignores
# clients' requests to update their own names, so the server is the only
# writer into the zones.
ddns-update-style interim;
ignore client-updates;
# NOTE(review): no "key" or "zone" statements appear in this excerpt, so the
# dynamic updates are sent unsigned and named authorizes them only by the
# sending address (the "dhcpserver" ACL in named.conf). Declaring a TSIG key
# here and referencing it in named's allow-update ties updates to a secret
# rather than to a spoofable source IP.
authoritative;

subnet 192.168.66.0 netmask 255.255.255.0 {

# --- default gateway
option routers 192.168.66.1;
option subnet-mask 255.255.255.0;
option nis-domain "int.motion.cz";
# DNS suffix handed to clients. Per the resolution later in this thread, the
# Windows resolver does not apply it to dotted names such as "siky.dev"
# unless the "Allow DNS Suffix Appending to Unqualified Multi-Label Name
# Queries" policy is enabled on the client; the server cannot force this.
option domain-name "int.motion.cz";
option domain-name-servers 192.168.66.10;
option time-offset 3600; # GMT+1
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;

# "dynamic-bootp" also hands out addresses from this range to BOOTP clients,
# not only DHCP clients; drop the flag if no BOOTP clients exist.
range dynamic-bootp 192.168.66.50 192.168.66.254;
default-lease-time 21600;
max-lease-time 43200;

# we want the nameserver to appear at a fixed address
# host ns {
# next-server marvin.redhat.com;
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }
}[root@zoidberg dhcp]#
[/code]

[code]
[root@zoidberg etc]# cat hosts
# NOTE(review): the FQDN zoidberg.int.motion.cz appears on the loopback line
# first, so a local lookup that consults this file before DNS returns
# 127.0.0.1 rather than 192.168.66.10. Listing the FQDN only on the
# 192.168.66.10 line avoids services binding to the wrong address.
127.0.0.1 zoidberg zoidberg.int.motion.cz localhost localhost.localdomain
192.168.66.10 zoidberg.int.motion.cz
[root@zoidberg etc]#
[/code]

Any help appreciated, thank you for your time

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DHCP, named - nslookup fine, ping not from Windows clients only

Post by TrevorH » 2011/10/09 22:40:12

Since ping and web connections are not working but DNS resolution is, are you sure that you are not being denied by iptables rules?

strfr
Posts: 10
Joined: 2011/08/15 08:24:46

Re: DHCP, named - nslookup fine, ping not from Windows clients only

Post by strfr » 2011/10/10 07:32:08

thank you for your reply TrevorH.
Yes, I am sure; I have the iptables service configured properly, and ping does not work even with iptables disabled.

[code][root@zoidberg dhcp]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:44010
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@zoidberg dhcp]#[/code]

strfr
Posts: 10
Joined: 2011/08/15 08:24:46

Re: DHCP, named - nslookup fine, ping not from Windows clients only

Post by strfr » 2011/10/10 08:52:48

Well, to be more precise: I can ping my application server by name (bender), but I cannot ping the virtual servers on it by their short name (siky.dev, for example). I can ping them by their full name (dev.int.motion.cz)...

[code]c:\Users\Administrator.LT-KOMAREK\Desktop>nslookup siky.dev
Server: zoidberg.int.motion.cz
Address: 192.168.66.10

Nazev: bender.int.motion.cz
Address: 192.168.66.11
Aliases: siky.dev.int.motion.cz
dev.int.motion.cz


c:\Users\Administrator.LT-KOMAREK\Desktop>[/code]

[code]c:\Users\Administrator.LT-KOMAREK\Desktop>ping siky.dev.int.motion.cz

Příkaz PING na bender.int.motion.cz [192.168.66.11] - 32 bajtů dat:
Odpověď od 192.168.66.11: bajty=32 čas < 1ms TTL=64
Odpověď od 192.168.66.11: bajty=32 čas < 1ms TTL=64
Odpověď od 192.168.66.11: bajty=32 čas < 1ms TTL=64

Statistika ping pro 192.168.66.11:
Pakety: Odeslané = 3, Přijaté = 3, Ztracené = 0 (ztráta 0%),
Přibližná doba do přijetí odezvy v milisekundách:
Minimum = 0ms, Maximum = 0ms, Průměr = 0ms
Control-C
^C
c:\Users\Administrator.LT-KOMAREK\Desktop>ping siky.dev
Hostitele siky.dev se pomocí příkazu Ping nepodařilo najít. (can not find the host, sorry, having czech international setting on the testing machine..)
Zkontrolujte název hostitele a akci opakujte.

c:\Users\Administrator.LT-KOMAREK\Desktop>[/code]

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DHCP, named - nslookup fine, ping not from Windows clients only

Post by TrevorH » 2011/10/10 09:07:24

That looks more like your Windows is set up without the equivalent of "search int.motion.cz" in /etc/resolv.conf, but I don't have a Windows system to look at to see how you might configure it. Off the top of my head, it's done from the GUI in Control Panel -> Networking -> $LAN-adapter -> Properties -> TCP/IP -> Properties -> Advanced (they like to make it easy to find!)

strfr
Posts: 10
Joined: 2011/08/15 08:24:46

Re: DHCP, named - nslookup fine, ping not from Windows clients only

Post by strfr » 2011/10/10 11:10:43

OK, I will try that and report back. Thanks again!

strfr
Posts: 10
Joined: 2011/08/15 08:24:46

Re: DHCP, named - nslookup fine, ping not from Windows clients only

Post by strfr » 2011/10/10 12:49:01

OK, on Windows 7 I can get it to work by enabling "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries" in gpedit.msc: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client

Vista and XP do not have it, so I guess I have to add the suffix under TCP/IP protocol properties / Advanced...

Thanks for the hint, TrevorH! I just could not believe it cannot be managed centrally from the Linux server.

Regards

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] DHCP, named - nslookup fine, ping not from Windows

Post by pschaff » 2011/10/12 13:32:53

Thanks for reporting back. Sounds like a Windows issue, but glad you got the correct suggestion from Trevor to figure it out. Marking this thread [SOLVED] for posterity.
