thank you, for your continued interest . . .
Matthew Schalit wrote:
>
> Michael D. Schleif wrote:
> > "Michael D. Schleif" wrote:
> >
> >>does anybody have a proxy-arp dmz and also running tinydns & dnscache?
> >
> > Anybody have such setup that works?
>
> I have three nics in Bering rc3
>
> ________ eth1 10.10.10.0/24 + tinydns private + dnscache
> public static eth0 | leaf |
> (Internet) |________| eth2 10.20.20.0/24 (dmz)
>
> and that works great with both subnets talking to dnscache,
> which only needed an extra line in /etc/dnscache/env/IPQUERY
> like this
>
> /etc/dnscache/env/IPQUERY
> ====================================
> |10.10.10
> |10.20.20
> |127.0.0.1
> |
> |
> |
yes, i do this all the time. we have at least three (3) customers with
networks with at least two (2) internal networks; and, dnscache/tinydns
work flawlessly in these environments.
however, this is a proxy-arp dmz -- a totally different animal -- on
that i do not fathom inside and out . . .
> and the rule in /etc/shorewall/rules:
> ==========================================
> |
> | ACCEPT dmz fw tcp 53
> | ACCEPT dmz fw udp 53
>
> But what's not working, because I guess you tried this?
> Is it routing or dnscache or fw rules?
ok, with the default setup, according to:
<http://leaf.sourceforge.net/devel/jnilo/dnscache3.html>
if a dmz name query cannot be answered by tinydns-public, then it just
times out -- *never* getting to dnscache.
with some sleight-of-hand, adding the real external_ip (wan1, _not_
tinydns-public ip) and add an ipchains forward rule from dmz to masq'ed
internal dcd interface, then I see the request _get_to_ dnscache and I
see dnscache resolve the name and _send_the_answer_ -- however, nothing
makes it back to the dmz.
imho, we are missing some crucial ipchains link from dcd out eth1 to the
dmz -- but, what can it be?
remember:
root@bluetrout:/root
# netstat -anp | grep dns
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 28373/dnscache
udp 0 0 0.0.0.0:53 0.0.0.0:* 28373/dnscache
udp 0 0 64.4.197.65:53 0.0.0.0:* 28326/tinydns
udp 0 0 127.0.0.1:53 0.0.0.0:* 28324/tinydns
ideas?
--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
