Local routed LAN DNS resolution problem

Posted: Wed Mar 02, 2005 2:34 am
by MrBugSir
Hello --- I have read all the threads about DNS.

I am trying to set up this server, which sits in a DMZ (where else?), testing by connecting to it from another internal network.

The DNS does not resolve the hostnames of clients connecting from my local routed network, but resolves the rest of the world fine. The IRCd sends messages such as:

[18:06] -chat.tikiopolis.com- *** Notice -- Client connecting on port 6667: Marco ([email protected]) [clients]
The DNS server is BIND running views. I have verified (via /quote dns i) what the IRCd is looking to for DNS (the local box). It resolves it OK from the command line.

I have read the note that SyZop sent on a previous DNS issue thread regarding this item in the FAQ:

http://www.vulnscan.org/UnrealIrcd/faq/#58

That FAQ had an interesting remark in it. It stated:

The best way to test is to let someone from a remote location (not your LAN)
Does that mean any resolution of the local DNS domain will fail? Is what I'm seeing expected behavior?

Posted: Wed Mar 02, 2005 2:51 am
by Matridom
Your internal DNS server should have a PTR record for each 192 IP address internally. If that is done, then the DNS server should resolve internal addresses just fine.

Posted: Wed Mar 02, 2005 3:00 am
by MrBugSir
It does, I checked that already. Please see below:

C:\>nslookup
Default Server: aqua.tikiopolis.com
Address: 192.168.2.10

> 192.168.1.26
Server: aqua.tikiopolis.com
Address: 192.168.2.10

Name: dhcp-192-168-1-26.tikiopolis.com
Address: 192.168.1.26

>
I have worked on this a bit to resolve all the obvious problems. Only after eliminating the obvious, have I posted my question here.

Thanks for your input. Any other ideas?

Posted: Wed Mar 02, 2005 9:13 am
by Stealth
Just so you don't waste your time:

DNS will not work with LAN connections unless:
  1. You run a DNS server on the LAN
  2. You have added records for all the computers in the LAN
  3. You have the DNS server IP overriding any DNS settings of your OS
  4. The DNS server is properly configured and running

Posted: Wed Mar 02, 2005 2:43 pm
by MrBugSir
Line items 1, 2, and 4 are definitely true.

However, number 3 I cannot say. Was that a reference to the set::dns block in the unrealircd.conf? If so, according to the FAQ:

Currently the 3.2* series ignore the set::dns block and read the nameserver info directly from /etc/resolv.conf (*NIX) or the registry (windows).
I have verified this by issuing a /quote dns i, which indicates the DNS server as specified by Windows, not Unreal. So from the same box, I logged into the DNS server at that same address, attempted to do a reverse lookup, and it worked OK.

That led me to wonder how UnrealIRCd actually does its DNS resolution. I read elsewhere that it has its own resolver and uses its own random UDP port to do this, which should work OK. I wonder if there is a way to ask the IRCd server to do a lookup for me using its resolver, to test whether it's working properly?

Posted: Wed Mar 02, 2005 4:27 pm
by Syzop
MrBugSir wrote: It does, I checked that already. Please see below:
[..nslookup output..]
And reverse?
nslookup dhcp-192-168-1-26.tikiopolis.com

Posted: Wed Mar 02, 2005 8:34 pm
by MrBugSir
Actually, no. I don't have any A records for the DHCP zone. I wouldn't have foreseen those were necessary. I have added them nonetheless, what do I know? I'll test later today (I'm currently at work, obviously working very hard). I'll let you know what happens. Thanks for your help.

Local routed LAN DNS resolution problem (Solved)

Posted: Thu Mar 03, 2005 12:15 am
by MrBugSir
Whoa, that worked!

Now can someone please explain to me, why?

It's as if the IRCd server takes the connecting IP, does a reverse lookup to get its hostname, then does a forward on that hostname to get its IP address again. Sounds like a security procedure to verify that the connecting IP address and hostname match its forward address. Is this what's happening?

By the way, thanks so much for working this problem out.

Posted: Thu Mar 03, 2005 12:51 am
by Syzop
Yes, else anyone that has control over reverse DNS can point his IP to, say, billgates.microsoft.com and get a .microsoft.com host on IRC :P.
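The check MrBugSir describes (reverse lookup, then forward lookup of the result, accept the hostname only if it maps back to the connecting IP) and Syzop confirms, written out as an added Python example that is not UnrealIRCd's own code. The DNS data is a constructed in-memory table using the thread's own names plus a constructed spoofed-PTR case; the example assumes nothing about how the real resolver is implemented.

```python
import ipaddress

# Constructed zone data mirroring the thread: the PTR for 192.168.1.26 exists,
# the matching A record was missing until MrBugSir added it. The second PTR is
# the spoofing scenario Syzop describes (attacker controls the reverse zone,
# but not the forward zone). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
PTR = {
    "192.168.1.26": "dhcp-192-168-1-26.tikiopolis.com",
    "203.0.113.7": "billgates.microsoft.com",
}
A = {
    "dhcp-192-168-1-26.tikiopolis.com": {"192.168.1.26"},
    "billgates.microsoft.com": {"198.51.100.9"},   # forward zone points elsewhere
}

def reverse_lookup(ip, ptr_table=PTR):
    """PTR query: IP -> hostname (None if no record)."""
    return ptr_table.get(ip)

def forward_lookup(name, a_table=A):
    """A query: hostname -> set of IPs (empty set if no record)."""
    return a_table.get(name, set())

def fcrdns_hostname(ip, ptr_table=PTR, a_table=A):
    """Forward-confirmed reverse DNS: return the hostname for ip, or None
    if the PTR result is missing or not confirmed by an A record."""
    ipaddress.ip_address(ip)            # reject malformed input early
    name = reverse_lookup(ip, ptr_table)
    if name is None:
        return None                     # no PTR at all
    if ip not in forward_lookup(name, a_table):
        return None                     # PTR exists but does not round-trip
    return name

def displayed_host(ip, ptr_table=PTR, a_table=A):
    """What the IRCd would show in the connect notice: the confirmed
    hostname, or the bare IP when confirmation fails."""
    return fcrdns_hostname(ip, ptr_table, a_table) or ip

if __name__ == "__main__":
    # Before the A record existed, only the IP was shown (the thread's symptom).
    print(displayed_host("192.168.1.26", a_table={}))   # 192.168.1.26
    # After adding the A record, the hostname round-trips and is shown.
    print(displayed_host("192.168.1.26"))               # dhcp-192-168-1-26.tikiopolis.com
    # Spoofed PTR: forward zone disagrees, so the IP is shown instead.
    print(displayed_host("203.0.113.7"))                # 203.0.113.7
```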

Posted: Thu Mar 03, 2005 6:41 am
by aquanight
Syzop wrote: Yes, else anyone that has control over reverse DNS can point his IP to, say, billgates.microsoft.com and get a .microsoft.com host on IRC :P.
Or worse, point it to a hostname matching another user, do bad things, and everyone thinks he's the innocent user when he's not, and guess who gets K/G/whatever-Lined?

Posted: Thu Mar 03, 2005 6:11 pm
by MrBugSir
That is a totally evil thought!

I like it. I'll add it to my bag of dirty tricks.

Thanks for your help!

Posted: Thu Mar 03, 2005 7:10 pm
by aquanight
Um... considering that most sane IRC servers do DNS this way, that would never work anywhere :P .