Sunday, August 13, 2006

OpenBSD, bind, NAT & aliased IPs

Yay for routing and NAT. Not.

I'm using RollerNet for my secondary DNS. Works quite nicely most of the time, but hey it's free. The DNS logs at rollernet showed

zone goodcoffee.net/IN: refused notify from non-master: 216.27.180.188#14688
Hmmm, yeah, ns.goodcoffee.net is on 216.27.180.215, which is an alias on my outside interface. I'm not serving requests on .188. OK, so bind just hands the notify to the OS, which does its thing and sends it out via the default route, sourced from the interface's primary address. Only, that address happens to not be the master in the bind config at RollerNet, so the secondary refuses the notify.

I like my setup, so let's just reverse the assignment of IP and alias. Long story short, PF doesn't allow NAT on an aliased IP. I couldn't get it to rewrite outbound traffic for the RollerNet name servers to come from .215. Nor could I convince bind to use .215.

After some fussing with configs and options, I eventually changed the bind config to listen on .188, and changed RollerNet to take .188 as the master. Since that looks ugly in the config, I'm migrating the DNS entry for ns.goodcoffee.net from .215 to .188. Along the way I fixed bind and PF configs to use the new ns2.rollernet.us IP.
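For reference, here is what the end state described above looks like as a BIND 9 `named.conf` fragment. This is an added example, not the config from the post: it pins both the listening address and the source address used for NOTIFY and zone transfers to 216.27.180.188, so the address the secondary sees matches the master it has configured. The .188 address and the zone name come from the post; the RollerNet name server addresses are not on the page, so 192.0.2.1 and 192.0.2.2 (RFC 5737 documentation addresses) stand in for them, and the file paths are assumed.

```conf
// Added example (not the post's own configuration).
// Goal: make NOTIFY and AXFR/IXFR leave from the address the secondary
// has configured as master, instead of whatever address the OS picks
// for the default route.
options {
    directory "/var/named";              // assumed path

    // Serve only on the address the secondaries expect, not on every
    // alias bound to the outside interface.
    listen-on { 216.27.180.188; };

    // Source address for outbound NOTIFY messages. Without this, the
    // kernel selects the primary address of the egress interface, which
    // is exactly the mismatch that produced the
    // "refused notify from non-master" log line on the secondary.
    notify-source 216.27.180.188;

    // Same idea for zone transfers, so the secondary's allow-transfer
    // ACL and the master's source address agree.
    transfer-source 216.27.180.188;

    // Deny transfers globally; grant them per zone below.
    allow-transfer { none; };
};

zone "goodcoffee.net" {
    type master;
    file "master/goodcoffee.net";        // assumed path, relative to directory

    // Only notify the listed secondaries rather than every NS in the zone.
    notify explicit;
    also-notify   { 192.0.2.1; 192.0.2.2; };   // placeholders for ns1/ns2.rollernet.us
    allow-transfer { 192.0.2.1; 192.0.2.2; };  // placeholders for ns1/ns2.rollernet.us
};
```

Two checks worth running after a change like this: the secondary's log should stop reporting refused notifies from the old source address, and `dig +norecurse @ns2.rollernet.us goodcoffee.net SOA` should return the same serial as the master once the transfer completes. The post's observation that ns1 lagged behind ns2 for about 15 minutes is the kind of drift this serial comparison makes visible.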

Hah, ns1.rollernet.us apparently didn't notice the change in the configuration yet. It's still refusing notifies from .188, while ns2.rollernet.us already happily serves the updated zone. I'll wait some time before I stop serving DNS on .215.

Update:
ns1.rollernet.us came around to update as well 15 minutes later. All is good now.