Kory Krofft <[EMAIL PROTECTED]> [2003:12:27:19:01:19-0500] scribed:

> Michael, Ray, Lynn,
>
> What you are all saying makes sense. I have tried reversing the
> interfaces that dnscache and tinydns bind to with no improvement. I
> believe Michael is correct that I need 2 instances of tinydns but I
> have no idea how to accomplish this in a lrp environment. I would
> guess that I add another /etc/rc2.d entry but how do I get it to point
> to a different set of configs? Or would I just use the same config
> files?

<snip />
> I am surprised at the difficulty in this part of the setup. I was
> under the impression that a lot of people were running dmz's behind
> LEAF systems. Are they all running full distros on the dmz? How does
> that help? Would running the second version of tinydns on the dmz be a
> good solution?

<snip />

I do not know how dnscache/tinydns are packaged for Bering. Jacques
packaged them for Dachstein in such a way that a split-horizon setup was
only a matter of setting up tinydns-private *and* tinydns-public. That
is the way I run dnscache and two (2) instances of tinydns on a dozen
firewall/routers. This is one such setup:

  # netstat -anp | grep -i dns
  (Not all processes could be identified, non-owned process info
   will not be shown, you would have to be root to see it all.)
  tcp   0   0 0.0.0.0:53        0.0.0.0:*    LISTEN   2639/dnscache
  udp   0   0 0.0.0.0:53        0.0.0.0:*             2639/dnscache
  udp   0   0 64.4.197.65:53    0.0.0.0:*             1989/tinydns
  udp   0   0 127.0.0.1:53      0.0.0.0:*             1987/tinydns

  # for mds in `find / | grep /IP$`; do echo $mds; cat $mds; echo; done
  /etc/dnscache/env/IP
  0.0.0.0

  /etc/tinydns-private/env/IP
  127.0.0.1

  /etc/tinydns-public/env/IP
  64.4.197.65

In other words, I am running one (1) instance of dnscache and two (2)
distinct instances of tinydns on each router. This is the result that
you seek.

For the sake of clarity six months from now, when you are attempting to
debug some misbehavior, I do *not* recommend using the labels
`tinydns-private' and `tinydns-public'; rather, alter the labels in your
setup to reflect their actual use.

IMHO, dnscache/tinydns is far simpler, more robust and standards
compliant than any other package. YMMV

-- 
Best Regards,
mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much
  we think we know. The more I know, the more I know I don't know . . .
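A small check in the spirit of the listing above, added here as an example (it is not from mds's post nor from the djbdns or LEAF packages): it reads `netstat -anp` output, lists which process owns each port-53 socket, and flags an address:port claimed by two different PIDs, which is what a single-address setup of dnscache plus tinydns runs into. The sample listing is a constructed copy of the one quoted above.

```shell
#!/bin/sh
# Added example, not code from the post or from djbdns/LEAF. Parses a
# `netstat -anp` listing, summarises port-53 ownership and flags any
# address:port bound by more than one PID. SAMPLE is a constructed copy
# of the listing in the post.
SAMPLE='tcp   0   0 0.0.0.0:53        0.0.0.0:*    LISTEN   2639/dnscache
udp   0   0 0.0.0.0:53        0.0.0.0:*             2639/dnscache
udp   0   0 64.4.197.65:53    0.0.0.0:*             1989/tinydns
udp   0   0 127.0.0.1:53      0.0.0.0:*             1987/tinydns'

# dns_bindings: stdin is netstat output; prints "proto local_addr pid/program"
# for every port-53 socket. LISTEN appears only on TCP rows, so the owner is
# taken from the last column rather than a fixed one. Banner lines such as
# "(Not all processes could be identified ...)" carry no ":53" in column 4
# and are skipped.
dns_bindings() {
  awk '$4 ~ /:53$/ { print $1, $4, $NF }'
}

# dns_conflicts: stdin is netstat output; prints one line per proto+address
# bound by two different PIDs and exits 1 if any exist, 0 otherwise. The
# wildcard 0.0.0.0 bind next to specific-address binds is the layout the
# post shows and is not a conflict; only the identical tuple is.
dns_conflicts() {
  dns_bindings | awk '
    {
      split($3, p, "/"); key = $1 " " $2
      if (!(key in owner)) owner[key] = p[1]
      else if (owner[key] != p[1]) { dup[key] = dup[key] " " $3; bad = 1 }
    }
    END {
      for (k in dup) print "conflict:", k, "owned by", owner[k], "and" dup[k]
      exit bad
    }'
}

printf '%s\n' "$SAMPLE" | dns_bindings
printf '%s\n' "$SAMPLE" | dns_conflicts && echo "no conflicting port-53 bindings"
```

Run it as `netstat -anp | dns_conflicts` (as root, so netstat can name every owner) to get the same summary for a live router.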