External DNS server cannot resolve external domain name when using public IP inside internal network

domain-name-system

I use nslookup to query from a computer inside the internal network. It can successfully resolve the external domain name if I use the private IP of my DNS server.

    > www.ust.hk
    Server: 192.168.28.58
    Address: 192.168.28.58#53

    Non-authoritative answer:
    Name: www.ust.hk
    Address: 143.89.14.1

However, if I use the public IP of my DNS server from inside the internal network, I can't resolve an external domain name.

    $ nslookup
    server w.x.y.z
    Default server: w.x.y.z
    Address w.x.y.z#53
    > www.ust.hk
    Server: w.x.y.z
    Address: w.x.y.z#53
    server can't find www.ust.hk: REFUSED

If I examine the dns.log, it states that the query for the external domain name is denied:

    (www.ust.hk): query (cache) 'www.ust.hk/A/IN' denied

This is unreasonable because recursion is allowed for the internal network.
It would only be normal for it to fail to resolve external domains if the computer were located outside the internal network.

My named config file is as below:

    acl "trusted" {
                   192.168.0.0/16;
                   localhosts;
                   localnets;
    };

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { none; };
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
        ....
    };

I wonder what caused this problem. Is the problem caused by a misconfiguration of the firewall? As the dns.log states that the query is denied, it does not seem to be a firewall problem.
I have included the loopback NAT rule but it still does not help. Please be reminded that the DNS server is located in the DMZ zone.

Other edit

Edit 1

For the point "change NAT setting to not cover this specific traffic so the source will stay still local":
It looks the most feasible, but I wonder how to do this.

The PDNS1 (public) IP is in the WAN zone while the PDNS1 (private) IP is in the DMZ zone.

Our firewall brand is SonicWall. The current NAT rule is:

    source-original:        Any
    source-translated:      Pdns(Public)
    destination-original:   Pdns(Public)
    destination-translated: Pdns(Private)
    service-original:       DNS (Name Services)
    service-translated:     Original

The other two NAT rules are ordinary one-to-one reflexive NATs.

I don't know how to exclude this specific traffic so that the source will stay local. Please kindly advise and elaborate in more detail. Thank you very much.

Edit 2

For the point "add your public IP (to what it is sNATed to list of local networks)":
I have tried the setting below. It is true that a DNS query using the public IP from inside the internal network can then successfully resolve an external domain name.

Unfortunately, a DNS query using the public IP from outside the internal network can also resolve external domain names. This is undesirable because the server becomes an open DNS resolver, which would be vulnerable to DNS amplification attacks.

    acl "trusted" {
        219.189.213.25;
        192.168.0.0/16;
        localhosts;
        localnets;
    };

For the point "enable response for the domain from any IP (may be not willing)":

I think it means the setting below in named.conf:

    recursion yes;

or,

    allow-recursion { any; };
    allow-query-cache { any; };

Likewise, it would make the DNS server an open DNS resolver, which is very undesirable.

Edit 3

  1. Below is a DNS query using the private IP from inside the internal network:
    [root@pdns1 ~]# nslookup
    server 192.168.28.58
    Default server: 192.168.28.58
    Address: 192.168.28.58#53
    www.hku.edu.hk
    Server: 192.168.28.58
    Address: 192.168.28.58#53
    Non-authoritative answer:
    Name: www.hku.edu.hk
    Address: 147.8.2.58

  2. Below is a DNS query using the public IP from inside the internal network:
    server 219.189.213.25
    Default server: 219.189.213.25
    Address: 219.189.213.25#53
    www.mingpao.com
    Server: 219.189.213.25
    Address: 219.189.213.25#53
    ** server can't find www.mingpao.com: REFUSED

Below is the dns.log:

    16-Jan-2020 20:40:12.460 security: info: client @0x7f963c508310 219.189.213.25#43529. (www.mingpao.com): query (cache) 'www.mingpao.com/A/IN' denied

Below is the queries.log:

    16-Jan-2020 20:39:42.109 queries: info: client @0x7f963c0a3ce0 192.168.28.58#60338 (www.hku.edu.hk): query: www.hku.edu.hk IN A + (192.168.28.58)

    16-Jan-2020 20:39:42.401 queries: info: client @0x7f963c58e9c0 192.168.28.58#58101 (www.hku.edu.hk): query: www.hku.edu.hk IN AAAA + (192.168.28.58)

    16-Jan-2020 20:40:12.460 queries: info: client @0x7f963c508310 219.189.213.25#43529 (www.mingpao.com): query: www.mingpao.com IN A + (192.168.28.58)

Is it true that the request came from the WAN?

Best Answer

The question / hint would be: how are you reaching your DNS server once you try to reach it using the public IP...

Once you are reaching the server using the public IP in the DMZ, your traffic is most probably already sNATed. From the point of view of the server, your communication is not local. Check the log record once more; the IP from which the request came is visible there...

To have it working you can:

  • enable responses for the domain from any IP (you may not be willing to)

  • change the NAT setting to not cover this specific traffic, so the source will stay local

  • add your public IP (what the source is sNATed to) to the list of local networks
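As an added illustration (not part of the question or the answer), the script below applies the question's "trusted" ACL to the log lines from Edit 3 and shows why the second query is refused: after the SonicWall rule rewrites the source, named sees the sNATed public address, which is outside 192.168.0.0/16. It also shows why the Edit 2 workaround opens the resolver: every client behind that NAT rule, internal or external, arrives as the same public address. The expansion of localhost/localnets to 127.0.0.0/8 and 192.168.28.0/24 is an assumption.

```python
import ipaddress
import re

# The question's acl "trusted" (allow-recursion / allow-query-cache).
# localhost/localnets are assumed to expand to loopback and the server's own subnet.
TRUSTED_ACL = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.28.0/24"),
]

# The Edit 2 variant: the sNATed public IP added to the ACL. Because the NAT rule
# has source-original "Any", WAN clients show up with this address too.
EDIT2_ACL = TRUSTED_ACL + [ipaddress.ip_network("219.189.213.25/32")]

# Client field of BIND's dns.log / queries.log lines, e.g.
#   client @0x7f963c508310 219.189.213.25#43529. (www.mingpao.com): query ...
LOG_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)\.? \((?P<qname>[^)]+)\):"
)


def acl_allows(ip, acl=TRUSTED_ACL):
    """True if the client address matches any network in the ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


def classify(line, acl=TRUSTED_ACL):
    """Return (client_ip, qname, verdict) for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ip, qname = m.group("ip"), m.group("qname")
    verdict = "recursion allowed" if acl_allows(ip, acl) else "REFUSED (client not in allow-recursion)"
    return ip, qname, verdict


def report(log_text, acl=TRUSTED_ACL):
    return [r for r in (classify(l, acl) for l in log_text.splitlines()) if r]


# Constructed sample: the two lines from Edit 3 (one private-IP query, one sNATed query).
SAMPLE_LOG = """\
16-Jan-2020 20:39:42.109 queries: info: client @0x7f963c0a3ce0 192.168.28.58#60338 (www.hku.edu.hk): query: www.hku.edu.hk IN A + (192.168.28.58)
16-Jan-2020 20:40:12.460 security: info: client @0x7f963c508310 219.189.213.25#43529. (www.mingpao.com): query (cache) 'www.mingpao.com/A/IN' denied
"""

if __name__ == "__main__":
    for ip, qname, verdict in report(SAMPLE_LOG):
        print(f"{ip:>16}  {qname:<18}  {verdict}")
```

Running it prints the first client as allowed and the 219.189.213.25 client as refused; re-running `report(SAMPLE_LOG, EDIT2_ACL)` allows both, which is exactly the open-resolver outcome the question wants to avoid.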