On or before Wed, 09 Oct 2002 11:06:30 EST mds and Charles S wrote:

mds> I cannot get dmz hosts to resolve addresses for remote internet
mds> sites solely via tinydns-public and dnscache ;<  tinydns tries to
mds> resolve the name and gives up, without so much as asking dnscache.

[other details snipped and summarized below]

If I understand correctly, your intended setup is:

 dmz   -->  64.4.197.65:53  -->  0.0.0.0:53  -- if nec --> root dns
 host       tinydns-public        dnscache                   servers
|-- DMZ --|-------------- DCD ----------------|---- Internet ------|
            127.0.0.0:53
            tinydns-private

Although the wildcard bind on dnscache (0.0.0.0:53) confuses me.
Please correct my diagram if I was off in la-la land when I drew
it.

I think Charles hit the nail on the head when he said:

cs> You have to point the DMZ systems at the IP of dnscache, *NOT* tinydns,
cs> as tinydns does not do recursive queries.  I think that's the root of
cs> your problem.  Switch the IP in your non-working DMZ resolv.conf to the
cs> IP used by hosts on your internal network, and the DMZ systems should be
cs> able to resolve names.

I have two working proxy-arp setups where proxy-arped DMZ hosts
query dnscache on a Bering box.  Via appropriate
/etc/dnscache/root/servers entries, dnscache queries
tinydns-private on 127.0.0.1:53 for domains I have selected.  Eg:

  # cat /etc/dnscache/root/servers/host.mydomain
  127.0.0.1

so that a query from the DMZ for host.mydomain is routed
like so:
  dmz host --> dnscache on Bering --> tinydns-private on Bering
                                  (if not already cached)

I don't fully understand what you want to accomplish or the full
configuration of the networks your DCD routes for, but if you
need independent caches for your DMZ and another network, you
should be able to accomplish that.  Something like:

  dnscache-dmz on 64.4.197.65:53
  tinydns-public on 127.0.0.2:53
  # cat /etc/dnscache-dmz/root/servers/host.yourdomain
  127.0.0.2

  dnscache[-private] on (for instance) 192.168.1.254:53
  tinydns-private on 127.0.0.1:53
  # cat /etc/dnscache[-private]/root/servers/host.yourdomain
  127.0.0.1

should work.  Obviously I have left out some details.  You would
need to add the /etc/dnscache-dmz directory tree, create
appropriate /etc/dnscache*/root/servers/ files, set all the IP
and IPQUERY values properly, adjust the startup scripts, etc.

The only reason I can think of for a setup like the one I just
described is if you wanted to have host.yourdomain resolve
differently from a LAN than from the DMZ *and* the way you
wanted it to resolve for both networks is different than the
public authoritative name servers would resolve it (if it's
a public domain at all).

--Brad
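The split-cache layout Brad sketches above (one dnscache per network, each with its own root/servers file steering host.yourdomain to a different tinydns on loopback) is easy to get subtly wrong, because dnscache picks the upstream for a name by suffix match, not by exact match, and silently drops queries from any client whose prefix is not listed under root/ip.  The script below is an added example, not code from the original thread or from the LEAF/djbdns projects: it builds the two directory trees under a scratch directory, adds a root/ip entry for the client network, and emulates dnscache's servers-file selection so you can see which upstream a given query would be sent to before touching the live /etc tree.  The $BASE path, the 64.4.197 client prefix, and the 192.0.2.1 placeholder standing in for the real root-server list are assumptions; it does not start or restart any daemons.

```shell
#!/bin/sh
# Added example (not from the original post): build the per-network
# dnscache trees described in the thread and show which upstream each
# instance would ask for a name.  $BASE is a scratch location, not /etc.
BASE="${BASE:-${TMPDIR:-/tmp}/djbdns-demo}"

# make_tree INSTANCE_DIR ZONE UPSTREAM CLIENT_PREFIX
#   Creates root/servers/@ (fallback), root/servers/ZONE (forwarded zone)
#   and root/ip/CLIENT_PREFIX (without an ip entry dnscache ignores the
#   client entirely, which looks exactly like "tinydns gives up").
make_tree() {
    dir="$1"; zone="$2"; upstream="$3"; clients="$4"
    mkdir -p "$dir/root/servers" "$dir/root/ip"
    # 192.0.2.1 is a constructed placeholder; a real install keeps the
    # root name-server addresses here.
    printf '%s\n' "192.0.2.1" > "$dir/root/servers/@"
    printf '%s\n' "$upstream" > "$dir/root/servers/$zone"
    : > "$dir/root/ip/$clients"
}

# pick_server INSTANCE_DIR NAME
#   Emulates how dnscache chooses a root/servers file: try the full name,
#   then strip leading labels one at a time, and fall back to "@".
#   Prints "<file> <address>" for the match it would use.
pick_server() {
    dir="$1"; n="$2"
    while :; do
        if [ -f "$dir/root/servers/$n" ]; then
            printf '%s %s\n' "$n" "$(cat "$dir/root/servers/$n")"
            return 0
        fi
        case "$n" in
            *.*) n="${n#*.}" ;;     # drop the leftmost label and retry
            *)   break ;;
        esac
    done
    printf '@ %s\n' "$(cat "$dir/root/servers/@")"
}

# The two instances from the post: DMZ cache -> tinydns-public on 127.0.0.2,
# private cache -> tinydns-private on 127.0.0.1 (client prefixes assumed).
make_tree "$BASE/etc/dnscache-dmz"     host.yourdomain 127.0.0.2 64.4.197
make_tree "$BASE/etc/dnscache-private" host.yourdomain 127.0.0.1 192.168.1

pick_server "$BASE/etc/dnscache-dmz"     host.yourdomain
pick_server "$BASE/etc/dnscache-private" host.yourdomain
pick_server "$BASE/etc/dnscache-dmz"     www.host.yourdomain
pick_server "$BASE/etc/dnscache-dmz"     www.example.com
```

Note that the third query lands on the host.yourdomain file too: a servers file covers every name beneath it, so a file named host.yourdomain delegates the whole subtree to that tinydns, not just the one hostname.  If you only want the single name overridden, tinydns-private must still be authoritative for everything under it, or those names will not resolve from that network.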



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html