The behavior we are seeing is lookups from our DNS server going out on the host IP. We want all of the traffic to be routed through the logical IP, which is our DNS server. We have 'listen-on' set to the logical IP but recursive lookups to the outside world are going through the host IP.
________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Darcy
> Sent: Wednesday, July 23, 2008 6:45 PM
> To: [email protected]
> Subject: Re: Bind server with logical host
>
> Nicholas F Miller wrote:
> > We have upgraded our DNS servers recently to Bind 9.5. In the upgrade we
> > also went to logical host names. There is now the host name and then the
> > DNS server is plumbed as a logical host. Since we have done this we are
> > seeing DNS answers happening on the host IP. We would like to restrict
> > the DNS traffic to the logical host.
> >
> > Will the 'listen on' switch let us restrict the DNS traffic to our
> > logical host IP?
> >
> Listen-on won't *redirect* queries, if that's what you're asking. If
> clients are sending queries to the wrong IP, nothing you can do on the
> server side will stop that. listen-on can restrict whether you accept
> those packets or not, but if you don't accept them, the queries will
> simply time out and fail. Is that acceptable?
>
> If the clients have both the Host IP and the "logical" IP in their
> resolver configs, in that order, then if you no longer listen on the
> Host IP, they may "transparently" fail over to the "logical" IP, but it
> won't be completely "transparent", in truth, since it will introduce a
> delay to every name lookup. Enough that some (impatient) apps may
> actually experience lookup failures. So do this at your own risk.
>
> As for responses, named sends those back from the address on which the
> original query was received. So, if you can fix the clients to send
> their queries to the correct address in the first place, the responses
> will follow suit.
>
> - Kevin
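
An added example, not part of the original thread: a named.conf options fragment that separates the inbound listener from the source address named uses for its own outbound traffic, which is what the top reply describes. The address 192.0.2.53 is a placeholder standing in for the logical IP; the directives are standard BIND 9 options.

```conf
options {
    // Inbound only: accept client queries on the logical address.
    // As noted in the thread, this does not redirect anything; queries
    // sent to the host IP are simply not answered.
    listen-on { 192.0.2.53; };

    // Outbound recursion: without this, the operating system picks the
    // source address from the routing table, which is normally the
    // host's primary IP rather than the logical one.
    query-source address 192.0.2.53 port *;

    // Only relevant if this server also takes part in zone transfers:
    // source address for transfers it requests and NOTIFY messages it sends.
    transfer-source 192.0.2.53;
    notify-source 192.0.2.53;
};
```

Upstream firewall rules and ACLs on other servers that allow recursion or transfers by source IP need to reference the logical address once this is in place.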
