DNS Blocking

[njdouglas]

Hi,

I generally install UT in bridge mode with two NIC's behind an ADSL firewall router and in front of a switch that contains all my clients and an SBS server (with one NIC).

I normally have the DNS on each client pointing to the SBS as is required and then the DNS Forwarder on the SBS server pointing to either the router's LAN IP or Open DNS (208.67.222.222). Without UT in harms way this works fine.

When I put UT in the way with a default Open Source install, all internet browsing fails unless I change the DNS forwarder on the SBS to the IP address of the UT. When this happens I can still ping the internet by IP. DNS is turned off at all times on UT as is DHCP. Surely in bridge mode UT should let outgoing DNS through and I should not have to resort to putting the UT as the DNS forward just to get web access? No other firewall or non rack policies are set other than the default.

Any ideas?

Neil

[WebFooL]

Hi,
Can you verify that the cabels are connected right?
(external interface to the FW and internal to the inside)

Can you form a internal client access the dns with Telnet?

start -> run -> cmd
telnet iptodns 53

[njdouglas]

I always check the cables are connected the correct way after once doing it wrong so thats not the issue. I'm doing on in the morning so will check the telnet command out. What response should I get? Having just done this on another network that works fine it time out.

[WebFooL]

sry my bad telnet to a dns server will not work :/
Try a simple nslookup and see what error you get.

Check so the protocol control dosent block dns.

And try creating a bypass for dns traffic.

by the way.. is the dns server on the inside or outside of the bridge?

[MiniPilote]

So I recently had this exact problem develop with my UT v7.0 (not 7.01). The problem only developed when the client changed DSL providers. DNS would work fine with the old provider but wouldn't allow it on the new one. I can ping IPs just fine but could not get ANY name resolution. I tried multiple different, available, DNS server entries on the forwarders but nothing worked. I finally pulled the UT out and was going to rebuild it with a fresh 7.01 install.

Has anyone else encountered this type of problem with DNS? Any ideas where to look if I decide NOT to rebuild?

Thanks

[sky-knight]

There have been random reports of Untangle blocking DNS in the past. It's only in cases where you have disabled the DNS server internally, and you're using external servers inside an Untangle protected network.

For some reason, in these cases you sometimes have to bypass traffic bound to UDP 53 and the DNS IP's in question... I've not had any of my installs do this to me... so I have no clue why this would be, and the bypass while it fixes it, seems to me to be a bandaide.

Also, if you have the UT's DNS server enabled, external resolution won't work.

[MiniPilote]

Very interesting. I do have the situation you explain. I have the DNS servers outside the UT network. I actually have the SBS forwarders pointed to external DNS. I finally yanked UT until I had more time to figure out what is going on. I was convinced that the new DSL providers modem didn't like the UT DNS requests. One other thing to note is that the DSL modem IS doing NAT.

So my next question would be if I'm using SBS and all it's glory what is the ideal configuration for my UT between the network and the DSL modem? Does putting UT in route mode solve the problem? Do I need to use UT as the DNS?

I think my head hurts.....any help would be appreciated.

[mrunkel]

It could be that the untangle attack blocker module is firing?

Sky-knight gave you the correct solution. Just add outbound port 53 UDP traffic to the bypass list. No reason to filter it actually.

[MiniPilote]

I checked the attack blocker log and didn't find anything. I've added a bypass rule. If it works then I'll add another one for two DNS entries.

Thanks for the help.

[muaddib32]

Hi all,
I am having the same problems. With UT in bridge mode, name resolution fails. So a couple of questions:
1) how do i "add outbound port 53 UDP traffic to the bypass list'?
2) is it possible that I have just misconfigured the network connections (as I couldn't find any instructions on what to do other than 'follow the wizard')? I have the external NIC with a static IP in the same subnet as the rest of the network, and the internal NIC set as bridged to the external (I seem to remember when I set it up that this was the only way that I could get it to work at all)