Weird DNS issue....

Joseph Mack NA3T jmack at wm7d.net
Wed Jul 5 21:59:05 BST 2006


On Wed, 5 Jul 2006, John Gray wrote:

> The boxes have to go through the LVS box to talk to outside world.  It
> works fine for local names.  It's when they need to talk to outside name
> servers that the issue happens.

The design of the LVS expects that the realservers do not 
talk to the outside world. This is so that the clients (or 
outside world) see only a single server and cannot tell that 
multiple boxes are involved. This is a matter of clean 
design as well as not exposing your realservers to attacks 
from the outside - you only have to guard the NIC on the 
outside of the director.

Can you get the realservers to query the director(s) and 
have the directors query the outside world?

> If I had to hazard a guess, I'd say the fact that bind is set to force the
> source port to 53 is part of the problem.

You aren't going to get replies through to the realservers 
unless you NAT the TCP and UDP calls to 0/53.

> And the problem definitely coincides with the new kernel.   I'm making
> some assumptions here, but I *think* the replies to external queries
> aren't making it back to the real server that made the request (perhaps it's
> going to another real server).

A reasonable explanation.

> The problem is coming and going.  It's not happening right now, so I
> can't get any captures.

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml 
Homepage http://www.austintek.com/ It's GNU/Linux!
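One way to do the NAT Joe describes, as an added example and not something posted in the thread: a shell function that produces the director-side iptables rules letting the realservers' queries to 0/53 (UDP and TCP) out through the director's outside NIC and masquerading them behind its address, so that connection tracking returns each reply to the realserver that sent the query. The subnet and interface names are assumed placeholders, and IPT defaults to echo so the function only prints the rules until you set IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original post or the LVS project.
# Director-side NAT for realserver DNS queries in an LVS-NAT setup.
# Addresses and interface names are assumed placeholders.
# With IPT=echo (the default) the function prints the rules instead of
# applying them; set IPT=iptables on the director to apply them.

IPT="${IPT:-echo}"

# dns_nat_rules RS_SUBNET OUT_IF
#   RS_SUBNET: the private network the realservers live on
#   OUT_IF:    the director's outside NIC
dns_nat_rules() {
    rs_subnet="$1"
    out_if="$2"

    # Let queries from the realservers out, both UDP and TCP to port 53.
    for proto in udp tcp; do
        "$IPT" -A FORWARD -s "$rs_subnet" -o "$out_if" -p "$proto" \
            --dport 53 -j ACCEPT
    done

    # Only replies belonging to a tracked query are allowed back in, so the
    # realservers are never reachable from the outside on their own.
    "$IPT" -A FORWARD -i "$out_if" -d "$rs_subnet" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the source to the director's outside address. The conntrack
    # entry records which realserver (and which source port) each query came
    # from; when two realservers both send from source port 53, the second
    # mapping gets a different external port, so replies are not mixed up.
    "$IPT" -t nat -A POSTROUTING -s "$rs_subnet" -o "$out_if" -j MASQUERADE
}

# Dry-run helper: number of rules a configuration produces, never applied.
count_rules() {
    ( IPT=echo; dns_nat_rules "$1" "$2" ) | wc -l | tr -d ' '
}

# Example: realservers on 192.168.1.0/24 (assumed), outside NIC eth0.
dns_nat_rules 192.168.1.0/24 eth0
```

Run it once with the default IPT=echo and check the printed rules, then verify after applying them with `iptables -t nat -L POSTROUTING -n -v` and, while a realserver queries an outside name server, `conntrack -L -p udp --dport 53` (or /proc/net/ip_conntrack on a 2006-era kernel) to confirm one tracked entry per realserver with the reply address mapped back to it.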
