Resolved
0 votes
I've gotten ClearOS working with Content Filter + Web Proxy + with AD user auth in non-transparent Gateway mode. Everything works great.

I also went ahead and added the ntop repos and installed NTOPNG. Also working great, mostly.

However, NTOP does not allow you to define any specific DNS servers; it just uses what the system has. If I 'nslookup 172.16.18.102' (from SSH) (which should return one of my DCs) I get:
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find 102.18.16.172.in-addr.arpa.: NXDOMAIN

Since I've been using AD Authentication in ClearOS, it's been showing my usernames in all my reports, and hasn't been an issue.

Now, however, all my SARG and NTOPNG reports are local IPs only, which isn't super helpful.

I've got my AD DNS servers set as the DNS servers for ClearOS in Network - Settings - IP settings, but it doesn't seem to pass through there.

If I perform the nslookup while specifying one of my AD DNS servers, i.e. 'nslookup 172.16.18.102 172.16.18.102', I get the correct response, so I know my DNS servers are configured correctly.

Any suggestions for how to fix this?

Thanks,

Justin
Wednesday, February 08 2017, 12:03 AM

Accepted Answer

Wednesday, February 08 2017, 08:30 AM - #Permalink
Resolved
0 votes
I don't know if this is the right way but more of an ugly hack, but I use Unbound for my DNS, and, rather than remove dnsmasq because of the integration with the webconfig I've forced dnsmasq to refer to unbound. To do this I've edited /etc/dnsmasq. Change the cache-size to 0 - this may be unnecessary - then I've added the following lines:
no-resolv
server=127.0.0.1#1053
I have Unbound running on a different port on ClearOS. In your case I'd try "server=172.16.18.102" (and don't specify the port).

You could even restrict the handover to your AD DNS server by restricting the domains dnsmasq sends to the AD server, but you'd need to remove the no-resolv line and perhaps not restrict the cache size. Do a google of "man dnsmasq.conf" for more info.
Responses (3)
  • Accepted Answer

    Wednesday, February 08 2017, 10:49 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I don't know if this is the right way but more of an ugly hack, but I use Unbound for my DNS, and, rather than remove dnsmasq because of the integration with the webconfig I've forced dnsmasq to refer to unbound. To do this I've edited /etc/dnsmasq. Change the cache-size to 0 - this may be unnecessary - then I've added the following lines:
    no-resolv
    server=127.0.0.1#1053
    I have Unbound running on a different port on ClearOS. In your case I'd try "server=172.16.18.102" (and don't specify the port).

    You could even restrict the handover to your AD DNS server by restricting the domains dnsmasq sends to the AD server, but you'd need to remove the no-resolv line and perhaps not restrict the cache size. Do a google of "man dnsmasq.conf" for more info.


    I spent some time digging in the man pages and found that "-b, --bogus-priv: Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain" rather than being forwarded upstream." was my issue. I commented out that line, and kept the server=172.16.18.102 like you suggested. Now I'm getting proper PTR results!
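Putting the two findings of this thread together (the `server=` upstream from the accepted answer and the `bogus-priv` option found in the man page), here is an added example, not code from the thread or from ClearOS, that audits a dnsmasq config text for both settings and predicts what a reverse lookup of a private address will get. The two configs inside it are constructed for the demo; only the 172.16.18.102 address and the /etc/dnsmasq.conf path come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dnsmasq configuration for the two
# settings discussed above - the 'server=' upstream for the AD DNS and the
# 'bogus-priv' option that short-circuits private PTR lookups - and predict the
# result of a reverse lookup. On a real box feed it the text of /etc/dnsmasq.conf.

# Constructed "before" config: defaults with bogus-priv still active.
BEFORE_CONF='domain-needed
bogus-priv
cache-size=150
server=172.16.18.102'

# Constructed "after" config: bogus-priv commented out, upstream pointed at the AD DC.
AFTER_CONF='#bogus-priv
no-resolv
cache-size=0
server=172.16.18.102'

# yes/no: is bogus-priv active (uncommented) in the config text given as $1?
bogus_priv_active() {
  if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*bogus-priv([[:space:]]|$)'; then
    echo yes
  else
    echo no
  fi
}

# One upstream per line: every 'server=' value (address with optional #port) in $1.
upstream_servers() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*server=\([^[:space:]]*\).*$/\1/p'
}

# What a PTR query for an RFC 1918 address not in /etc/hosts or the DHCP leases gets
# under config $1. bogus-priv is checked first because, per the man page quoted in the
# thread, it answers NXDOMAIN without forwarding, so adding server= alone changes nothing.
ptr_outcome() {
  first_upstream=$(upstream_servers "$1" | head -n 1)
  if [ "$(bogus_priv_active "$1")" = yes ]; then
    echo "NXDOMAIN from dnsmasq (bogus-priv)"
  elif [ -n "$first_upstream" ]; then
    echo "forwarded to $first_upstream"
  elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*no-resolv([[:space:]]|$)'; then
    echo "dropped: no-resolv set and no server= line"
  else
    echo "forwarded to the nameservers in /etc/resolv.conf"
  fi
}

printf 'before: %s\nafter:  %s\n' "$(ptr_outcome "$BEFORE_CONF")" "$(ptr_outcome "$AFTER_CONF")"
```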
  • Accepted Answer

    Wednesday, February 08 2017, 10:14 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I don't know if this is the right way but more of an ugly hack, but I use Unbound for my DNS, and, rather than remove dnsmasq because of the integration with the webconfig I've forced dnsmasq to refer to unbound. To do this I've edited /etc/dnsmasq. Change the cache-size to 0 - this may be unnecessary - then I've added the following lines:
    no-resolv
    server=127.0.0.1#1053
    I have Unbound running on a different port on ClearOS. In your case I'd try "server=172.16.18.102" (and don't specify the port).

    You could even restrict the handover to your AD DNS server by restricting the domains dnsmasq sends to the AD server, but you'd need to remove the no-resolv line and perhaps not restrict the cache size. Do a google of "man dnsmasq.conf" for more info.


    Thanks so much, Nick. I was hoping it would be something this easy, but unfortunately it isn't. I added the values and even rebooted, still can't nslookup and my SARG/NTOP reports are still all IP based, no local resolution. The "accessed site" portion resolves correctly, just nothing internally.

    Any other suggestions as I delve into learning the world of dnsmasq? I'm hesitant to rip it out and replace it with BIND, not only does it seem like a lot of work but I'm probably going to screw something up and I've just now gotten ClearOS working so well - other than this nagging issue.

    thanks again
  • Accepted Answer

    Wednesday, February 08 2017, 09:15 AM - #Permalink
    Resolved
    0 votes
    Dnsmasq also doesn't store PTR records by default, so it can only resolve hostname to IP, not the other way around.

    You could define all your servers in /etc/hosts, or go full blown DNS with BIND, which will give 2 way resolution