Billybob, 06-15-2009, 10:25 PM

Ah, found the culprit. The intrusion detection is playing mind games with simple folks like us. Wow, this default level of protection from IPS might be too much for new users etc. Everything works fine if you turn off the IPS. Here is a snip from the alert...

Quote:
Intrusion Protection Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: DNS dns response containing rfc1918 address detected
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=13249
Time...........: 2009:06:15-15:41:23
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Potential Corporate Privacy Violation
IP protocol....: 17 (UDP)
Source IP address: 192.168.0.1
Source port: 53 (domain)
Destination IP address: 192.168.0.10

The above rule might be useful for some people but in general seems like overkill. You can't add Astaro as a DNS host, so all the Windows users will be generating a bunch of alerts when using nslookup, since dig is only available via 3rd parties for Windows. Interestingly enough, dig doesn't generate the alert, and hence my initial observation about nslookup being slow. Disabling the above rule in IPS doesn't speed up nslookup any ...

Last edited by Billybob; 06-15-2009 at 11:10 PM. Reason: Afterthoughts....