Brad Fritz wrote:
> 
> On or before Wed, 09 Oct 2002 11:06:30 EST mds and Charles S wrote:
> 
> mds> I cannot get dmz hosts to resolve addresses for remote internet
> mds> sites solely via tinydns-public and dnscache ;<  tinydns tries to
> mds> resolve the name and gives up, without so much as asking dnscache.
> 
> [other details snipped and summarized below]
> 
> If I understand correctly, your intended setup is:
> 
>  dmz   -->  64.4.197.65:53  -->  0.0.0.0:53  -- if nec --> root dns
>  host       tinydns-public        dnscache                   servers
> |-- DMZ --|-------------- DCD ----------------|---- Internet ------|
>             127.0.0.0:53
>             tinydns-private

Not necessarily the intent -- although, it looks like what I've got ;>

Actually, what I want is:

[a] one (1) authoritative tinydns for my.public.domain
(PlatinumAire.net);
[b] one (1) authoritative tinydns for my.private.domain
(private.network); and
[c] one (1) dnscache to handle all recursive queries for *both* of these
domains.

Is that clear?  It sounds a lot like what you have . . .

> Although the wildcard bind on dnscache (0.0.0.0:53) confuses me.
> Please correct my diagram if I was off in la-la land when I drew
> it.
> 
> I think Charles hit the nail on the head when he said:
> 
> cs> You have to point the DMZ systems at the IP of dnscache, *NOT* tinydns,
> cs> as tinydns does not do recursive queries.  I think that's the root of
> cs> your problem.  Switch the IP in your non-working DMZ resolv.conf to the
> cs> IP used by hosts on your internal network, and the DMZ systems should be
> cs> able to resolve names.

I agree with this; but, *HOW* can I point to that ip while on a
proxy-arp dmz?

For that matter, what is that ip?

> I have two working proxy-arp setups where proxy-arped DMZ hosts
> query dnscache on a Bering box.  Via appropriate
> /etc/dnscache/root/servers entries, dnscache queries
> tinydns-private on 127.0.0.1:53 for domains I have selected.  Eg:
> 
>   # cat /etc/dnscache/root/servers/host.mydomain
>   127.0.0.1

Do you run two (2) instances of dnscache?  One for internal, private
network and another for dmz?

# ls -l /etc/dnscache/root/servers/
-rw-r--r--    1 root     root           10 Sep 14 15:56
1.168.192.in-addr.arpa
-rw-r--r--    1 root     root          164 Oct  9 19:10 @
-rw-r--r--    1 root     root           10 Sep 14 15:56 private.network

# cat /etc/dnscache/root/servers/private.network
127.0.0.1

> so that a query from the DMZ for host.mydomain is routed
> like so:
>   dmz host --> dnscache on Bering --> tinydns-private on Bering
>                                   (if not already cached)

I do not understand how jnilo's instructions get you to this design:

        <http://leaf.sourceforge.net/devel/jnilo/dnscache3.html>

_Why_ would anything on the dmz want anything in tinydns-private?  By
definition, the dmz cannot know anything about the internal, private
network?

At any rate, _how_ do you point the dmz at dnscache?  What is the address
you use in /etc/resolv.conf?  _How_ have you configured your
dnscache/tinydns'es?

My problem is that I can see the dmz queries processed and returned by
dnscache; but, they do *not* make it back to the dmz.  I've been trying
to say this for two (2) days; but, nobody picks up on this.  I watch
this:

        tail -f /var/log/dnscache/* | tai64nlocal

I see the query come in and process and go back out; but, the dmz host
does *not* receive any answer and eventually times out.

<snip />

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
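An added shell illustration, not code from this thread or from djbdns or LEAF/Bering, of two points the thread turns on: how dnscache chooses which /etc/dnscache/root/servers file to use for a given query name (Brad's host.mydomain example and mds's private.network entry), and Charles's point that the DMZ host's resolv.conf must name the address dnscache listens on, not tinydns. It assumes dnscache's documented behaviour of walking up the query name to the closest enclosing servers/ file and falling back to "@" for the root servers, and the djbdns convention that the listening address lives in env/IP (assumed to hold on the Bering box as well). The directory contents, the 192.0.2.x addresses and the resolv.conf files are constructed; 64.4.197.65 is the tinydns-public address from the thread.

```shell
#!/bin/sh
# Added example (not code from this thread, djbdns, or LEAF/Bering).
# Part 1: how dnscache picks a servers/ file. For a query name it walks
# up the name (host.private.network -> private.network -> network) and
# uses the first file found under root/servers, else the root list in "@".
# Part 2: check that a host's resolv.conf points at dnscache's listening
# address (djbdns keeps it in env/IP; assumed to hold for the Bering box).

# Constructed sample layout, modelled on the "ls -l" shown in the thread.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/servers" "$DEMO_DIR/env"
printf '127.0.0.1\n' > "$DEMO_DIR/servers/private.network"        # tinydns-private
printf '127.0.0.1\n' > "$DEMO_DIR/servers/1.168.192.in-addr.arpa"  # reverse zone, also local
printf '192.0.2.53\n' > "$DEMO_DIR/servers/@"      # placeholder; a real @ holds the root server IPs
printf '192.0.2.1\n'  > "$DEMO_DIR/env/IP"         # placeholder dnscache listening address
printf 'nameserver 64.4.197.65\n' > "$DEMO_DIR/resolv.tinydns"   # DMZ host aimed at tinydns-public
printf 'nameserver 192.0.2.1\n'   > "$DEMO_DIR/resolv.dnscache"  # DMZ host aimed at dnscache

# servers_for SERVERS_DIR NAME
# Prints "<matched file> <ip ...>" for the closest enclosing domain that
# has a file, or returns 1 if neither a domain file nor "@" exists.
servers_for() {
    dir=$1
    name=${2%.}            # tolerate a trailing dot on the query name
    while [ -n "$name" ]; do
        if [ -f "$dir/$name" ]; then
            echo "$name" $(cat "$dir/$name")
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # drop the leftmost label and retry
            *)   name= ;;             # ran out of labels: fall back to "@"
        esac
    done
    [ -f "$dir/@" ] || return 1
    echo "@" $(cat "$dir/@")
}

# resolver_matches_dnscache RESOLV_CONF ENV_DIR
# Succeeds only if some "nameserver" line in RESOLV_CONF equals env/IP,
# i.e. the host really is asking dnscache and not tinydns.
resolver_matches_dnscache() {
    want=$(cat "$2/IP")
    awk -v want="$want" '$1 == "nameserver" && $2 == want { found = 1 }
                         END { exit found ? 0 : 1 }' "$1"
}

# Stand-alone run: show where each query would be sent, then check both
# resolv.conf variants.
for q in host.private.network 5.1.168.192.in-addr.arpa www.example.com; do
    printf '%-26s -> %s\n' "$q" "$(servers_for "$DEMO_DIR/servers" "$q")"
done
for r in resolv.tinydns resolv.dnscache; do
    if resolver_matches_dnscache "$DEMO_DIR/$r" "$DEMO_DIR/env"; then
        echo "$r: points at dnscache"
    else
        echo "$r: does NOT point at dnscache (the misconfiguration Charles described)"
    fi
done
```

Run it as-is to see the three lookups and the two resolv.conf checks; to inspect a real box, call `servers_for /etc/dnscache/root/servers some.name` and `resolver_matches_dnscache /etc/resolv.conf /etc/dnscache/env` instead of the constructed paths. Note that a reverse zone such as 1.168.192.in-addr.arpa only reaches tinydns-private if its file is present, exactly as in mds's listing.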


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
