Re: djb and multiple IPs

2004-09-11 Thread Jason Fesler
> Set up external dnscache on the public IP, and set up tinydns on IP
> 127.0.0.1

> yep, that's the obvious way to do it.  it does leave a few questions,
> though:
> 1. can this kind of setup return authoritative answers?

Nope.

[about migrating]

> if i tried doing it, there'd be a week or two of complete chaos, with
> almost all customers getting the impression that our service was broken

Assuming IP space is not the issue..   Start with moving to tinydns/nsd
on different IP addresses, and start migrating anything that needs the
authoritative info to those.  Not sure how many domains you're responsible
for, so this may be some work, but it'd at least not be disruptive.

Once done, you can move to your existing IP being a non-auth caching
resolver for your end users, which, IMO, are generally more difficult to
cope with :-).

> what would be useful here is an application layer DNS proxy sitting on
> port 53 (both tcp and udp), with both authoritative and recursive
> servers on other IP addresses.   that way neither customers, secondary
> servers, nor help desk staff would need to do anything - as far as
> they're concerned, nothing has changed.

Yeah.  Agreed.

I'm curious just how *screwed up* it would be to make dnscache
flag the authoritative bit on certain answers <grin>.   zone
transfers are not an issue, that's *tcp* 53, not udp.

> actually, that's something that could be built into nsd - if it is
> authoritative for a given request then answer it, otherwise proxy it to
> a recursive server.

That's not entirely off from adding a real resolver to nsd :-)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: djb and multiple IPs

2002-11-28 Thread Gerrit Pape
On Tue, Nov 26, 2002 at 07:37:42PM +0100, Tomasz Papszun wrote:
> Personally, I could get used to new format of files, hard-coded magic
> filenames, absolute lack of manual pages, let this ugly and ridiculous

There have been man pages available for more than two years. It's really
difficult not to find them.

Regards, Gerrit.






Re: djb and multiple IPs

2002-11-26 Thread Tomasz Papszun
On Tue, 26 Nov 2002 at  1:01:02 -0600, [EMAIL PROTECTED] wrote:
> On Tue, 19-11-2002 at 17:07, jernej horvat wrote:
> ...
> > I have a question about djbdns - can i have one control file for all 
> > IP's/interfaces  that i have on one system ?
> ...
> 
> You can configure env/IP to 0.0.0.0 so it will listen on _all_
> interfaces.

I've got a related (but contrary) requirement.
If I understand djbdns' documentation correctly, it is _impossible_ to
run both DNS functions: authoritative-only NS ('tinydns') and
recursive/caching server ('dnscache') on the same IP address, right?

I know that it's better when these functions are separated and run on
different IP addresses.

But using different addresses for them is _not_ an option for me, due
to various reasons.

So, is there any way to run them on one address?
As I wrote above, as far as I know, not. But I'd like to be sure. I
really wanted to give djbdns a try, but this limitation eliminates
djbdns for me :-( .

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.






Re: djb and multiple IPs

2002-11-26 Thread Adriano Nagelschmidt Rodrigues
Tomasz Papszun writes:
> If I understand djbdns' documentation correctly, it is _impossible_ to
> run both DNS functions: authoritative-only NS ('tinydns') and
> recursive/caching server ('dnscache') on the same IP address, right?

Right. Two different programs can't bind to port 53 on the same IP address.

> I know that it's better when these functions are separated and run on
> different IP addresses.

Yes.

> But using different addresses for them is _not_ an option for me, due
> to various reasons.

Why? Can you list the reasons? For example, do you really need an external
cache and a server running on the same machine, which can only have one public
IP address?

There are many configurations you could try, depending on your network
topology.

Regards,

--
Adriano






Re: djb and multiple IPs

2002-11-26 Thread Tomasz Papszun
On Tue, 26 Nov 2002 at 15:27:40 -0200, Adriano Nagelschmidt Rodrigues wrote:
> Tomasz Papszun writes:
> > If I understand djbdns' documentation correctly, it is _impossible_ to
> > run both DNS functions: authoritative-only NS ('tinydns') and
> > recursive/caching server ('dnscache') on the same IP address, right?
> 
> Right. Two different programs can't bind to port 53 on the same IP address.

Yes, I know that. I hoped (with quite small hope) that there could be
some way of doing it by means of this svs-something or so...

> > I know that it's better when these functions are separated and run on
> > different IP addresses.
> 
> Yes.
> 
> > But using different addresses for them is _not_ an option for me, due
> > to various reasons.
> 
> Why? Can you list the reasons? For example, do you really need an external

Reasons are mainly historical. It would be very difficult to suddenly
change all delegations, settings of many customers' computers and so on.
Generally speaking, things which are dependent on many other persons.
Personally, I could get used to the new format of files, hard-coded magic
filenames, absolute lack of manual pages, let this ugly and ridiculous
/service in the / directory and so on, but due to things which would
involve other people, it's definitely not an option, at least
currently. So djbdns is out of discussion. I must say it with sadness
because I really would like to use DJB software because of its
security.

> cache and a server running on the same machine, which can only have one public
> IP address?

Yes. I mean, I can assign more addresses but queries must come to the
same address (and answers must go back from the same address).

> There are many configurations you could try, depending on your network
> topology.
> 
> Regards,
> 
> --
> Adriano

Thank you for the answer, anyway :-) .
-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.






Re: djb and multiple IPs

2002-11-26 Thread Bulent Murtezaoglu
>>>>> "ANR" == Adriano Nagelschmidt Rodrigues [EMAIL PROTECTED] writes:
[...]
    ANR> Why? Can you list the reasons? For example, do you really
    ANR> need an external cache and a server running on the same
    ANR> machine, which can only have one public IP address?  [...]

Here's one: consider the domain bogus.internal served by the
proxy/gateway box that also doubles as a caching DNS server for 
resolvers inside a firewall.  This is not unusual.

DJB probably covers this case in some FAQ at his site, I am just saying
this is not an altogether nutty thing to want as you seem to imply.

cheers,

BM






Re: djb and multiple IPs

2002-11-26 Thread Kinszler Balazs
Hello!

> > cache and a server running on the same machine, which can only have one public
> > IP address?
> 
> Yes. I mean, I can assign more addresses but queries must come to the
> same address (and answers must go back from the same address).

Set up external dnscache on the public IP, and set up tinydns on IP 127.0.0.1

Then, if you host a domain eg. test.com, you simply create a file:

echo 127.0.0.1 > /service/dnscachex/root/servers/test.com

So when a client is asking for the domain on the public IP, dnscache
will ask tinydns on local IP about the domain. This way queries can go
to one IP, and come from the same.

I hope it helps.

Regards,
Balazs Kinszler






Re: djb and multiple IPs

2002-11-26 Thread Adriano Nagelschmidt Rodrigues
Bulent Murtezaoglu writes:
> >>>>> "ANR" == Adriano Nagelschmidt Rodrigues [EMAIL PROTECTED] writes:
> [...]
>     ANR> Why? Can you list the reasons? For example, do you really
>     ANR> need an external cache and a server running on the same
>     ANR> machine, which can only have one public IP address?  [...]
> 
> Here's one: consider the domain bogus.internal served by the
> proxy/gateway box that also doubles as a caching DNS server for 
> resolvers inside a firewall.  This is not unusual.

Just run the server on the public IP address and the cache on the internal
(private) IP address. You can easily configure the cache to ask the server for
the bogus and in-addr.arpa.x domains.

By "only have one public IP address" I meant "only have _one_ IP address",
sorry. I also assume that there is no shortage of private IPs (you can always
add one more to a host).

Regards,

--
Adriano






Re: djb and multiple IPs

2002-11-26 Thread Bulent Murtezaoglu
>>>>> "ANP" == Adriano Nagelschmidt Rodrigues [EMAIL PROTECTED] writes:

    BM> Here's one: consider the domain bogus.internal served by the
    BM> proxy/gateway box that also doubles as a caching DNS server for
    BM> resolvers inside a firewall.  This is not unusual.

    ANP> Just run the server on the public IP address and the cache on
    ANP> the internal (private) IP address.  [...]

Hmm, the 127.0.0.1 way outlined by another lister is much better, no
need for listening on the public IP.

    ANP> By "only have one public IP address" I meant "only have _one_
    ANP> IP address", sorry. I also assume that there is no shortage
    ANP> of private IPs (you can always add one more to a host).

Oh sure, I was just responding to the "who'd need such a thing"
question, not to the "how would one do this if one cannot run both
kinds of servers on one interface" one.  It turns out you weren't
asking the question I thought you were!

cheers,

BM






Re: djb and multiple IPs

2002-11-26 Thread Adriano Nagelschmidt Rodrigues
Bulent Murtezaoglu writes:
> Hmm, the 127.0.0.1 way outlined by another lister is much better, no
> need for listening on the public IP.

Sure, if you don't want a public dns server (and don't need a cache in other
hosts accessing it, as in your example) that would be the recommended setup.

I use a variation of it in my dialup machine (forwarding only dnscache on
127.0.0.1, tinydns on 127.53.0.2).

> Oh sure, I was just responding to the "who'd need such a thing"
> question, not to the "how would one do this if one cannot run both
> kinds of servers on one interface" one.  It turns out you weren't
> asking the question I thought you were!

What I was trying to say (but expressing myself badly) is that the software
can be configured in a very flexible way, and that the functionality
separation in two programs (which is a good idea) shouldn't be a problem.

Regards,

--
Adriano






Re: djb and multiple IPs

2002-11-26 Thread Adriano Nagelschmidt Rodrigues
Craig Sanders writes:
> yep, that's the obvious way to do it.  it does leave a few questions,
> though:
> 
> 1. can this kind of setup return authoritative answers?

I don't think so, you would only be talking to dnscache. If you want a public
dns server, you need to run tinydns on a public IP address.

> 2. can it handle incoming zone-transfer requests for your secondaries?
> getting other ISPs to change their secondary configuration can be a
> pain, but getting a customer (who happens to secondary their own domain
> from your server - not an uncommon situation) is almost impossible.

You need to set up axfrdns to handle zone-transfers. tinydns & axfrdns can run
on the same IP address, because they use different protocols (udp and tcp,
respectively).

> 3. can tinydns send a zone xfer request from the real IP address even
> when it's configured to run only on 127.0.0.1?

Nope, AFAIK.

[snip potential flammable material ;-]

> if i tried doing it, there'd be a week or two of complete chaos, with
> almost all customers getting the impression that our service was broken
> (to their eyes, it would be)...and i'd still be dealing with customer
> problems months later because some customers are just incapable of
> following clear and simple instructions, sometimes it's difficult enough
> getting help desk staff to understand what needs to be done - i know all
> you ISPs out there will find this hard to believe, but it's true :)

If you don't provide dns cache (recursive) services to your clients, there's
no problem. If you do, you can install new caches at different IPs and give
your clients time until you migrate your bind dns servers.

> what would be useful here is an application layer DNS proxy sitting on
> port 53 (both tcp and udp), with both authoritative and recursive
> servers on other IP addresses.   that way neither customers, secondary
> servers, nor help desk staff would need to do anything - as far as
> they're concerned, nothing has changed.

Then you'd be (almost) back to bind.

Regards,

--
Adriano






Re: djb and multiple IPs

2002-11-25 Thread Jorge . Lehner
Hello!

On Tue, 19-11-2002 at 17:07, jernej horvat wrote:
...
> I have a question about djbdns - can i have one control file for all 
> IP's/interfaces  that i have on one system ?
...

You can configure env/IP to 0.0.0.0 so it will listen on _all_
interfaces.

Best Regards,

Jorge-León






Re: djb and multiple IPs

2002-11-20 Thread Emile van Bergen
Hi,

On Wed, Nov 20, 2002 at 12:07:53AM +0100, jernej horvat wrote:

> ave.
> 
> I have a question about djbdns - can i have one control file for all 
> IP's/interfaces  that i have on one system ?

I have no idea what a control file is in the context of djbdns, but if
you mean you want the tinydns program to answer on multiple IP
addresses, then run multiple instances of the process, eg. using
multiple /service/dnsserverX (X=0,1,2) directories with separate
dnsserverX/env and dnsserverX/log directories, sharing the
dnsserverX/root directories through a symlink. It doesn't write to any
files in the 'root' directory, so you can do that without problems.

Specify the different IP addresses to listen on in the different
dnsserverX/env/IP files.

For dnscache, this technique means you'll have separate caches for the
different IPs you want to answer from. This may or may not be a problem.

Cheers,


Emile.

-- 
E-Advies / Emile van Bergen   |   [EMAIL PROTECTED]
tel. +31 (0)70 3906153|   http://www.e-advies.info



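Editor's added example, not code from any poster or from djbdns itself. It builds by hand the layouts described in this thread: Balazs's external dnscachex on the public address with tinydns on 127.0.0.1 and a root/servers/test.com forward, Emile's dnsserverX instances on separate IPs sharing one root through a symlink, and axfrdns beside tinydns on the same address, which Adriano notes works because one is tcp and the other udp. The directory shape copies what dnscache-conf, tinydns-conf and axfrdns-conf create (env/IP, root/, log/, run), but it is written with mkdir and printf so it runs without djbdns installed; the run files are simplified stand-ins, and every IP, instance name and zone below is constructed. check_tree encodes the rule the thread arrives at: tinydns binds only UDP/53, axfrdns only TCP/53, dnscache both, so two listeners collide only when they need the same protocol on the same address. It also flags a cache forward that points at an address where no tinydns in the tree listens, which is the typo that would silently break the 127.0.0.1 trick.

```shell
#!/bin/sh
# Editor's example (not from the thread or djbdns): hand-built service tree plus a port-53
# sanity check. Layout mimics dnscache-conf / tinydns-conf / axfrdns-conf output; all values constructed.

# make_instance BASE NAME PROGRAM IP [SHARED_ROOT]
# PROGRAM is tinydns, dnscache or axfrdns. With SHARED_ROOT, root/ becomes a symlink to it
# (Emile's dnsserverX layout: several tinydns instances on different IPs serving one data.cdb).
make_instance() {
  mkdir -p "$1/$2/env" "$1/$2/log"
  printf '%s\n' "$4" > "$1/$2/env/IP"
  # simplified stand-in for the real run script; check_tree only looks for the program name in it
  printf '#!/bin/sh\nexec envdir ./env %s\n' "$3" > "$1/$2/run"
  if [ -n "$5" ]; then ln -s "$5" "$1/$2/root"; else mkdir -p "$1/$2/root"; fi
}

# forward_zone BASE CACHE ZONE IP: the cache sends ZONE queries to IP (Balazs's root/servers/test.com)
forward_zone() {
  mkdir -p "$1/$2/root/servers"
  printf '%s\n' "$4" > "$1/$2/root/servers/$3"
}

# allow_clients BASE CACHE PREFIX: dnscache drops queries from clients without a matching
# root/ip entry; PREFIX 192.0.2 admits 192.0.2.*
allow_clients() {
  mkdir -p "$1/$2/root/ip"
  : > "$1/$2/root/ip/$3"
}

prog_of() {  # prog_of DIR: djbdns program named in DIR/run, or "unknown"
  for p in tinydns dnscache axfrdns; do
    if grep -q "$p" "$1/run"; then echo "$p"; return 0; fi
  done
  echo unknown
}

report_dups() {  # report_dups FILE LABEL: FILE holds "IP NAME" lines; fail if an IP repeats
  r=0
  for ip in $(cut -d' ' -f1 "$1" | sort | uniq -d); do
    echo "$2/53 conflict on $ip: $(grep "^$ip " "$1" | cut -d' ' -f2 | tr '\n' ' ')"
    r=1
  done
  return $r
}

# check_tree BASE: 0 if the tree is consistent, 1 otherwise (one line per problem).
# tinydns binds only UDP/53, axfrdns (under tcpserver) only TCP/53, dnscache both; so tinydns +
# axfrdns may share an IP, but tinydns + dnscache or two caches may not. Every cache forward
# must point at an IP where a tinydns instance in this tree listens.
check_tree() {
  base=$1; rc=0
  udp=$(mktemp); tcp=$(mktemp); auth=$(mktemp)
  for dir in "$base"/*/; do
    name=$(basename "$dir")
    if [ ! -f "$dir/env/IP" ]; then echo "$name: missing env/IP"; rc=1; continue; fi
    ip=$(cat "$dir/env/IP")
    case $(prog_of "$dir") in
      tinydns)  echo "$ip $name" >> "$udp"; echo "$ip" >> "$auth" ;;
      dnscache) echo "$ip $name" >> "$udp"; echo "$ip $name" >> "$tcp" ;;
      axfrdns)  echo "$ip $name" >> "$tcp" ;;
      *)        echo "$name: run names no known program"; rc=1 ;;
    esac
  done
  report_dups "$udp" UDP || rc=1
  report_dups "$tcp" TCP || rc=1
  for dir in "$base"/*/; do
    name=$(basename "$dir")
    for sf in "$dir/root/servers"/*; do
      [ -f "$sf" ] || continue
      zone=$(basename "$sf")
      [ "$zone" = "@" ] && continue        # "@" lists the root servers, not a local zone
      for target in $(cat "$sf"); do
        if ! grep -qx "$target" "$auth"; then
          echo "$name: forwards $zone to $target, but no tinydns here listens on it"; rc=1
        fi
      done
    done
  done
  rm -f "$udp" "$tcp" "$auth"
  return $rc
}

# tinydns_roots BASE: number of distinct real directories behind the tinydns instances' root/
# (1 means every instance serves the same data.cdb, as in the shared-symlink layout)
tinydns_roots() {
  for dir in "$1"/*/; do
    [ "$(prog_of "$dir")" = tinydns ] && (cd "$dir/root" && pwd -P)
  done | sort -u | wc -l | tr -d ' '
}

# Demo: the thread's setup (external cache on the public address, tinydns on 127.0.0.1,
# test.com forwarded to it), a second tinydns sharing that root, and axfrdns beside tinydns.
demo() {
  d=$(mktemp -d)
  make_instance "$d" dnscachex dnscache 192.0.2.1
  allow_clients "$d" dnscachex 192.0.2
  make_instance "$d" tinydns tinydns 127.0.0.1
  forward_zone "$d" dnscachex test.com 127.0.0.1
  make_instance "$d" dnsserver1 tinydns 10.0.0.1 "$d/tinydns/root"
  make_instance "$d" axfrdns axfrdns 127.0.0.1          # TCP/53 next to tinydns's UDP/53: fine
  check_tree "$d" && echo "tree ok; distinct tinydns roots: $(tinydns_roots "$d")"
  printf '192.0.2.1\n' > "$d/tinydns/env/IP"            # tinydns now fights dnscachex for UDP/53
  check_tree "$d" || echo "(conflict reported, as expected)"
  rm -rf "$d"
}
demo
```

Run as is to see the consistent tree accepted and the dnscachex/tinydns same-address collision reported. One caveat the thread leaves implicit: dnscache only answers clients that match a root/ip entry, so in the 127.0.0.1 setup the outside world cannot reach your authoritative data through the cache unless you admit everyone to it, which turns it into an open resolver; Adriano's point that a public tinydns needs a public address stands.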

Re: djb and multiple IPs

2002-11-20 Thread Toni Mueller



On Wed, Nov 20, 2002 at 10:21:04AM +0100, Emile van Bergen wrote:
> For dnscache, this technique means you'll have separate caches for the
> different IPs you want to answer from. This may or may not be a problem.

You would configure one of them to be a slave to the other
(FORWARDONLY). If all else fails, you can use a patch.


Best,
--Toni++








djb and multiple IPs

2002-11-19 Thread jernej horvat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ave.

I have a question about djbdns - can i have one control file for all 
IP's/interfaces  that i have on one system ?

- -- 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE92sRLEyTmlrVpUvwRAlUbAKCO8ZbPR9inTZNXHR/NqYSY86OT6wCghLR/
1wdSktKtvoKkvXLCQ18X49E=
=Y7E/
-----END PGP SIGNATURE-----





