Re: [leaf-user] dnscache vs. dmz ???

Fri, 11 Oct 2002 07:03:15 -0700 


Charles Steinkuehler wrote:
> 
> > > I think Charles hit the nail on the head when he said:
> > >
> > > cs> You have to point the DMZ systems at the IP of dnscache, *NOT*
> tinydns,
> > > cs> as tinydns does not do recursive queries.  I think that's the
> root of
> > > cs> your problem.  Switch the IP in your non-working DMZ resolv.conf
> to the
> > > cs> IP used by hosts on your internal network, and the DMZ systems
> should be
> > > cs> able to resolve names.
> >
> > I agree with this; but, *HOW* can I point to that ip while on a
> > proxy-arp dmz?
> >
> > For that matter, what is that ip?
> 
> That IP is 0.0.0.0, which is *ANY* valid IP on your firewall.  From a
> previous mail:
> 
> > root@bluetrout:/root
> > # netstat -anp | grep dns
> > (Not all processes could be identified, non-owned process info
> >  will not be shown, you would have to be root to see it all.)
> > tcp  0  0 0.0.0.0:53      0.0.0.0:*  LISTEN  28373/dnscache
> > udp  0  0 0.0.0.0:53      0.0.0.0:*          28373/dnscache
> > udp  0  0 64.4.197.65:53  0.0.0.0:*          28326/tinydns
> > udp  0  0 127.0.0.1:53    0.0.0.0:*          28324/tinydns
> 
> Looks like you have tinydns listening on 64.4.197.65 (your WAN
> interface, IIRC), and 127.0.0.1 (loopback).  These specific IP's will go
> to tinydns...queries to all other IP's will go to dnscache.  I can't
> tell you exactly which IP's to use, since I haven't seen your full IP
> configuration data (at least I couldn't find it in a quick scan of
> previous messages in this thread).

root@bluetrout:/root
# ip addr
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ipip
    inet 64.4.222.157 peer 64.4.222.158/32 scope global ipsec0
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:03:00:a2:75 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:c9:9e:57:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:c9:9e:64:83 brd ff:ff:ff:ff:ff:ff
    inet 64.4.197.65/26 brd 64.4.197.127 scope global eth1
11: wan1: <POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
    inet 64.4.222.157 peer 64.4.222.158/32 scope global wan1
    inet 64.4.197.99/32 scope global wan1
    inet 64.4.197.100/32 scope global wan1
    inet 64.4.197.101/32 scope global wan1

> You should have at least two other IP's assigned on this system...the
> IP's assigned to the internal network NIC and the DMZ nic.  You can use
> either one of these (or both) as the DNS server IP for your internal and
> DMZ systems.  Note, however, that with both internal and DMZ systems
> pointed to the same dnscache process, you can't split off the internal
> (private.network) name-space.  If you really need this feature, I think
> you'll need to run multiple dnscache instances, attached to seperate
> IP's, or take the leap to bind 9.x, which supports multiple views.

<snip />

I'm beginning to believe that this maybe the problem.  Remember, I
witness the queries in dnscache and witness the answers sent; but,
nothing gets back to dmz.

This is the real problem.  If the query reaches dnscache, it processes
and answers it, why can't the answer get back to dmz?

root@bluetrout:/root
# ls -l /etc/dnscache/root/ip/
-rw-r--r--    1 root     root            0 Oct  9 19:10 127.0.0.1
-rw-r--r--    1 root     root            0 Oct  9 19:10 192.168.1
-rw-r--r--    1 root     root            0 Oct  9 19:10 64.4.197
-rw-r--r--    1 root     root            0 Oct  9 19:10 64.4.222.157

root@bluetrout:/root
# ls -l /etc/dnscache/root/servers/
-rw-r--r--    1 root     root           10 Sep 14 15:56
1.168.192.in-addr.arpa
-rw-r--r--    1 root     root          164 Oct  9 19:10 @
-rw-r--r--    1 root     root           10 Sep 14 15:56 private.network

root@bluetrout:/root
# cat /etc/tinydns-private/env/DOMAINS
private.network
1.168.192.in-addr.arpa

root@bluetrout:/root
# cat /etc/tinydns-private/env/IP
127.0.0.1

root@bluetrout:/root
# cat /etc/tinydns-public/env/IP
64.4.197.65

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Reply via email to