Rackspace Name Server Problem with Advanced Policy Firewall (apf firewall)

I’m adding this here as much for myself as anyone else. If it fixes an issue for you, please let me know.

The problem:
My Rackspace virtual server (Debian Squeeze) will not resolve domain names via the Rackspace-supplied name servers that are auto-generated into /etc/resolv.conf. My resolv.conf file looks like this:


# Automatically generated, do not edit
nameserver 173.203.4.8
nameserver 173.203.4.9

Weird symptom:
Adding a third nameserver IP address fixes the issue (the resolver gives up waiting on the first two and falls through to the third, so lookups succeed, just slowly):


# Automatically generated, do not edit
nameserver 173.203.4.8
nameserver 173.203.4.9
nameserver 208.67.222.222 #OpenDNS public nameserver

The root of the problem:
APF firewall has the following innocuous-looking configuration option:


# Block all ipv4 address space marked reserved for future use (unassigned),
# such networks have no business talking on the Internet. However they may at
# some point become live address space. The USE_RD option further in this file
# allows for dynamic updating of this list on every full restart of APF. Refer
# to the 'internals/reserved.networks' file for listing of address space.
BLK_RESNET="1"

It blocks every address inside the prefixes that APF considers reserved for future use. Those prefixes are listed in the 'internals/reserved.networks' file shown below (truncated for brevity), and the list includes 173.0.0.0/8, the block that both Rackspace resolvers (173.203.4.8 and 173.203.4.9) live in. So the firewall is blocking Rackspace's own public nameservers along with the rest of 173/8; that single fact is the reason for this post. The list is a snapshot of the IANA registry from when that APF release shipped, and snapshots like this go stale: space that was unassigned then has since been handed out and is in ordinary use.


# Unassigned/reserved address space
# refer to: http://www.iana.org/assignments/ipv4-address-space
#
1.0.0.0/8
2.0.0.0/8
5.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/8
37.0.0.0/8
39.0.0.0/8
42.0.0.0/8
46.0.0.0/8
94.0.0.0/8
95.0.0.0/8
100.0.0.0/8
101.0.0.0/8
102.0.0.0/8
103.0.0.0/8
104.0.0.0/8
105.0.0.0/8
106.0.0.0/8
107.0.0.0/8
108.0.0.0/8
109.0.0.0/8
110.0.0.0/8
111.0.0.0/8
112.0.0.0/8
113.0.0.0/8
114.0.0.0/8
115.0.0.0/8
173.0.0.0/8
174.0.0.0/8
175.0.0.0/8
176.0.0.0/8
177.0.0.0/8
178.0.0.0/8

The solution:

Set BLK_RESNET="1" to "0", or remove the line for the conflicting prefix (here 173.0.0.0/8) from reserved.networks, then restart APF. Hand-editing the file is fragile, though: anything that refreshes the list will put the prefix straight back. The USE_RD option mentioned in the configuration comments might be a good solution as well.

Update:

The USE_RD option looks like it has been deprecated. The option that now refreshes the reserved address list is this one. Two caveats before turning it on: the list is fetched over plain http from rfxn.com, so anyone who can interfere with that connection can hand the firewall an arbitrary blocklist, and the refreshed list is still only as current as the upstream copy, so check it for your own provider's prefixes after a refresh.


# The reserved networks list is addresses which ARIN has marked as reserved
# for future assignment and have no business as valid traffic on the internet.
# Such addresses are often used as spoofed (Fake) hosts during attacks, this
# will update the reserved networks list in order to prevent new ip assignments
# on the internet from getting blocked; this option is only important when
# BLK_RESNET is set to enabled.
DLIST_RESERVED="1"
DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"

