Re: [SLUG] Manipulating DNS - got it!!

2008-04-18 Thread Amos Shapira
On Fri, Apr 18, 2008 at 3:55 PM, Howard Lowndes [EMAIL PROTECTED] wrote:

> Amos Shapira wrote:
>
>> On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED]
>> wrote:
>>
>>> I did this and it was successful, both for internal and external
>>> domains (tks Amos for that suggestion), and here are the lines from
>>> /etc/named.conf:
>>
>> And how does it work when the VPN is NOT connected? Is it smart enough
>> to figure out not to try 10.2.2.{1,41} when the VPN is down and go
>> directly to the external DNS?
>
> Basically, yes.  It obviously won't resolve internal fqdns because they are
> not reachable anyway, neither are the internal dns servers, but the resolver
> still tries the localhost dns server first (as it is the first nameserver in
> the /etc/resolv.conf file) to resolve an external address and the forward
> first clause causes the localhost dns server to try the (now inaccessible)
> forwarders just the once and then give up, and the resolver then goes on to
> try the other dhcp supplied name servers. Thus there is a small delay in dns
> resolution but I don't see it as a major problem.  I guess if you used the
> forward only clause then it might knicker up.

I was hoping for something more along the lines of when the VPN link
goes down - reconfigure:
1. Remove the search soho.lannet.com.au line from resolv.conf
2. Reconfigure local DNS server to forget about the zone
soho.lannet.com.au part.

I'm sure it's doable. Will try to get to it over the weekend (need to
be outside the office to test this).

Maybe it's less relevant to you because you still want to use the same
name but get the external view when the VPN is disconnected, right?

Cheers,

--Amos
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Manipulating DNS - got it!!

2008-04-18 Thread Alex Samad
On Fri, Apr 18, 2008 at 04:17:48PM +1000, Amos Shapira wrote:
> On Fri, Apr 18, 2008 at 3:55 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
>
>> Amos Shapira wrote:
>>
>>> On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED]
>>> wrote:
>>>
>>>> I did this and it was successful, both for internal and external
>>>> domains (tks Amos for that suggestion), and here are the lines from
>>>> /etc/named.conf:
>>>
>>> And how does it work when the VPN is NOT connected? Is it smart enough
>>> to figure out not to try 10.2.2.{1,41} when the VPN is down and go
>>> directly to the external DNS?
>>
>> Basically, yes.  It obviously won't resolve internal fqdns because they are
>> not reachable anyway, neither are the internal dns servers, but the resolver
>> still tries the localhost dns server first (as it is the first nameserver in
>> the /etc/resolv.conf file) to resolve an external address and the forward
>> first clause causes the localhost dns server to try the (now inaccessible)
>> forwarders just the once and then give up, and the resolver then goes on to
>> try the other dhcp supplied name servers. Thus there is a small delay in dns
>> resolution but I don't see it as a major problem.  I guess if you used the
>> forward only clause then it might knicker up.
 
> I was hoping for something more along the lines of when the VPN link
> goes down - reconfigure:
> 1. Remove the search soho.lannet.com.au line from resolv.conf
> 2. Reconfigure local DNS server to forget about the zone
> soho.lannet.com.au part.
why not have 2 resolv.conf something like resolv.conf.{a,b}, then
symlink to resolv.conf.

attach a script on vpn up to symlink .a and when the vpn is down to
symlink .b

Alex
 
> I'm sure it's doable. Will try to get to it over the weekend (need to
> be outside the office to test this).
>
> Maybe it's less relevant to you because you still want to use the same
> name but get the external view when the VPN is disconnected, right?
>
> Cheers,
>
> --Amos

-- 
It's unacceptable to think that there's any kind of comparison between the 
behavior of the United States of America and the action of Islamic extremists 
who kill innocent women and children to achieve an objective.

- George W. Bush
09/15/2006
Washington, DC
White House Press Conference



Re: [SLUG] Manipulating DNS

2008-04-17 Thread John Clarke
On Thu, Apr 17, 2008 at 09:05:33 +0545, Howard Lowndes wrote:

Howard,

> I don't want to start fiddling with dhclient, nor with /etc/resolv.conf,
> but I would like to get at least some of the internal zone presented to

If you don't want to use resolvconf to sort it out (and I'm not
recommending you do, just noting it as an option), here are a
couple of solutions I've used with openvpn:

If you only want localhost to be able to resolve the internal zone,
do a zone transfer from the remote name server after the vpn comes up
and populate /etc/hosts.   When the vpn goes down (or the machine is
rebooted), remove the extra hostnames from /etc/hosts.

If you want other hosts on the LAN to see the internal zone, have a
second bind config file (with /etc/bind9/named.conf.local as a symlink
to the one you're actually using) with the appropriate config to use
the remote servers, then switch the symlink and reload bind when the
vpn comes up.  This requires that you either run the vpn client on
the same host as the local name server, or you have some way to signal
to the name server that the vpn is up/down.


Cheers,

John
-- 
Object-[dis]oriented INTERCAL.  I have seen the compiler, and it runs.
Why do I now feel like the hero in one of those H. P. Lovecraft stories
who has seen something no mortal man was ever meant to see, and who is
marginally less sane thereafter?  -- Charlie Stross
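John's first option above (zone transfer after the VPN comes up, populate /etc/hosts, strip the entries again on VPN down) as an added example; this is not John's own script. It assumes a HOSTS path variable, marker comment lines around the managed entries, and AXFR text in dig's answer format on stdin; the sample records are constructed, not a real transfer. It also covers two cases the message skips: a second "up" event must not duplicate entries, and wildcard records cannot be expressed in a hosts file.

```shell
#!/bin/sh
# Constructed example for John's /etc/hosts approach (not his script).
# On VPN up:   dig @10.2.2.1 soho.lannet.com.au axfr +noall +answer | hosts_add
# On VPN down: hosts_remove
# Everything the server returns lands in a system-wide file, so only feed this
# from your own zone over the VPN; the remote must also allow the transfer.
HOSTS="${HOSTS:-/etc/hosts}"            # assumption: target file
BEGIN="# BEGIN vpn-zone (managed, do not edit)"
END="# END vpn-zone"

# Constructed AXFR answer lines for a dry run (not a real transfer).
SAMPLE_AXFR='ns1.soho.lannet.com.au. 3600 IN A 10.2.2.1
www.soho.lannet.com.au. 3600 IN CNAME mail.soho.lannet.com.au.
*.soho.lannet.com.au. 3600 IN A 10.2.2.9
mail.soho.lannet.com.au. 3600 IN A 10.2.2.41'

# axfr_to_hosts: AXFR text on stdin -> "ip fqdn shortname" lines on stdout.
# Only A records are kept (CNAME/MX/TXT mean nothing in /etc/hosts) and
# wildcard owner names are dropped, since "*.zone" cannot be expressed there.
axfr_to_hosts() {
    awk '$4 == "A" && $1 !~ /^\*/ {
        fqdn = $1; sub(/\.$/, "", fqdn); split(fqdn, p, ".")
        print $5, fqdn, p[1]
    }'
}

# hosts_strip: stdin -> stdout minus any earlier managed block, so repeated
# "up" events (reconnects) do not pile up duplicate entries.
hosts_strip() {
    awk -v b="$BEGIN" -v e="$END" '$0 == b { skip = 1; next } $0 == e { skip = 0; next } !skip'
}

# hosts_add: HOSTS := (old file without managed block) + fresh block from stdin.
# Written to a temp file and renamed, so a half-written hosts file is never visible.
hosts_add() {
    tmp="$HOSTS.tmp.$$"
    { hosts_strip < "$HOSTS"; echo "$BEGIN"; axfr_to_hosts; echo "$END"; } > "$tmp" \
        && mv -f "$tmp" "$HOSTS"
}

hosts_remove() {
    tmp="$HOSTS.tmp.$$"
    hosts_strip < "$HOSTS" > "$tmp" && mv -f "$tmp" "$HOSTS"
}
```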


Re: [SLUG] Manipulating DNS

2008-04-17 Thread Amos Shapira
On Thu, Apr 17, 2008 at 4:56 PM, John Clarke [EMAIL PROTECTED] wrote:
> On Thu, Apr 17, 2008 at 09:05:33 +0545, Howard Lowndes wrote:
>
> Howard,
>
>> I don't want to start fiddling with dhclient, nor with /etc/resolv.conf,
>> but I would like to get at least some of the internal zone presented to
>
> If you don't want to use resolvconf to sort it out (and I'm not
> recommending you do, just noting it as an option), here are a
> couple of solutions I've used with openvpn:
>
> If you only want localhost to be able to resolve the internal zone,
> do a zone transfer from the remote name server after the vpn comes up
> and populate /etc/hosts.   When the vpn goes down (or the machine is
> rebooted), remove the extra hostnames from /etc/hosts.

I was wondering about exactly that problem with my use of our
company's vpn from my Ubuntu 7.10 laptop.

I never got around to checking this, but we use an internal domain
company.local for the internal IP addresses; wouldn't it be possible
to configure a DNS server (bind9) on the laptop to forward
.company.local to the internal DNS server and the rest to the
'default' DNS server? It looks like the zone statement with type
forward would achieve just that.

For Howard's original question, maybe he can just set up a forward
zone for soho.lannet.com which forwards to the internal DNS server,
and forwards the rest of the zones to the default upstream.

(ref: 
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#zone_statement_grammar)

If someone comes up with the exact incantation to do that I'd
appreciate seeing a copy of such a config.

--Amos
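The forward zone Amos asks for here, Alex's two-copies-of-resolv.conf symlink idea and John's second named.conf.local symlink (both above) fit together in one openvpn up/down hook, which also does what Amos wanted in the first message: drop the search line and make the local server forget the zone when the VPN goes down. This is an added example, not Howard's named.conf or any script from the thread; it assumes openvpn and bind run on the same host (John's caveat), a ROOT prefix so the logic can be dry-run against a scratch directory, the .vpn/.novpn file naming, and takes soho.lannet.com.au and the forwarders 10.2.2.1 and 10.2.2.41 from the thread.

```shell
#!/bin/sh
# openvpn hook (use with --script-security 2 --up THIS --down THIS).  Constructed
# example for the thread; not Howard's, Alex's or John's actual files.
# Two copies of each file are kept and a symlink is flipped between them:
#   resolv.conf.vpn / resolv.conf.novpn                (search line only when the VPN is up)
#   named.conf.local.vpn / named.conf.local.novpn      (forward zone only when the VPN is up)
# ROOT is a hypothetical prefix so the logic can be dry-run against a scratch directory.

# forward_zone_conf ZONE FORWARDER...: the named.conf forward zone Amos asked for.
# Queries for ZONE go to the VPN-side servers; everything else follows the
# options-level forwarders.  "forward first" falls back to normal recursion when
# the forwarders do not answer (Howard's observed one-try delay with the VPN down);
# "forward only" would instead fail closed for that zone.
forward_zone_conf() {
    zone="$1"; shift
    fwd=""; for ip in "$@"; do fwd="$fwd $ip;"; done
    printf 'zone "%s" {\n    type forward;\n    forward first;\n    forwarders {%s };\n};\n' "$zone" "$fwd"
}

# flip_link TARGET SUFFIX: point TARGET at TARGET.SUFFIX by building the link
# beside it and renaming over the old one, so a resolver never sees a missing file.
flip_link() {
    [ -f "$1.$2" ] || { echo "flip_link: missing $1.$2" >&2; return 1; }
    ln -sf "$(basename "$1").$2" "$1.tmp.$$" && mv -f "$1.tmp.$$" "$1"
}

# Reload bind only if it is installed here; check the config first so a typo in
# the switched-in file cannot take the local resolver down.
reload_named() {
    conf="${ROOT:-}/etc/bind/named.conf"
    { [ -f "$conf" ] && command -v rndc >/dev/null 2>&1; } || return 0
    named-checkconf "$conf" && rndc reload
}

vpn_dns() {
    resolv="${ROOT:-}/etc/resolv.conf"; named="${ROOT:-}/etc/bind/named.conf.local"
    case "$1" in
        up)   flip_link "$resolv" vpn   && flip_link "$named" vpn   || return 1 ;;
        down) flip_link "$resolv" novpn && flip_link "$named" novpn || return 1 ;;
        *)    echo "usage: $0 up|down" >&2; return 2 ;;
    esac
    reload_named
}

# openvpn exports script_type=up|down; a manual run passes it as the first argument.
if [ -n "${script_type:-$1}" ]; then vpn_dns "${script_type:-$1}"; fi
```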


Re: [SLUG] Manipulating DNS

2008-04-17 Thread Sonia Hamilton
On Fri, 2008-04-18 at 09:23 +1000, Amos Shapira wrote:
> I never got around to checking this, but we use an internal domain
> company.local for the internal IP addresses; wouldn't it be possible
> to configure a DNS server (bind9) on the laptop to forward
> .company.local to the internal DNS server and the rest to the
> 'default' DNS server? It looks like the zone statement with type
> forward would achieve just that.

Slightly OT question here: given that zeroconf now uses .local, is
using .local for internal domains via bind the right way to do things,
or should another name be used?

-- 
Thanks,

Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton



Re: [SLUG] Manipulating DNS

2008-04-17 Thread Jeff Waugh
quote who=Sonia Hamilton

> Slightly OT question here: given that zeroconf now uses .local, is using
> .local for internal domains via bind the right way to do things, or
> should another name be used?

Avoid using local, because otherwise most mDNS systems will basically bail
out of helping you with local lookups. I generally use 'home' for, uh, home.
:-)

- Jeff

-- 
OSCON 2008: Portland OR, USA   http://conferences.oreilly.com/oscon/
 
It's not sufficient to 'use simple words to explain things'. Things
  must actually *be* simple, which is much harder. - Martin Pool


Re: [SLUG] Manipulating DNS - some progress to report

2008-04-17 Thread Martin Barry
$quoted_author = Howard Lowndes ;

> I then went and looked at the man page for dhclient and saw that there
> can be such a thing as a dhclient.conf file.  I don't have one in /etc/
> so I created /etc/dhclient.conf with the following lines:

SNIP

> which seems to accord with the man page, but it appears (judging by a
> strace) that neither dhclient nor dhclient-script looks at that file.

The man page should have provided some guidance, but see if you have a
directory /etc/dhcp/ or /etc/dhcp3/ that dhclient might be looking in.

cheers
marty

-- 
Skirwan - And if pigs can fly, and I can ride one, and they fly me to hell, 
   and it just froze over, and we all have ice cream... [1]

talonyx - I really need to stop reading Slashdot while on codeine. [2]

[1] - http://slashdot.org/comments.pl?sid=28984cid=3113144
[2] - http://slashdot.org/comments.pl?sid=28984cid=3113355


Re: [SLUG] Manipulating DNS - some progress to report

2008-04-17 Thread Martin Barry
$quoted_author = Howard Lowndes ;

> Nuffink, just /etc/dhcpd.conf (which I only use when I have interface
> eth1 running), and /etc/dhclient.conf which I have just created.
>
> I might try creating a /etc/dhcp/ directory and the symlinking into it.
>
> I tried that but it didn't do the trick.

Which distribution? What dhclient version?

cheers
marty

-- 
I simply tell them If _I_ don't have a ticket number then _you_ don't have 
a problem. Call the helpdesk. Repeat as many times as necessary.
- Jay Mottern

alt.sysadmin.recovery - [EMAIL PROTECTED]


Re: [SLUG] Manipulating DNS - got it!!

2008-04-17 Thread Amos Shapira
On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
> I did this and it was successful, both for internal and external domains
> (tks Amos for that suggestion), and here are the lines from /etc/named.conf:

And how does it work when the VPN is NOT connected? Is it smart enough
to figure out not to try 10.2.2.{1,41} when the VPN is down and go
directly to the external DNS?

What I'm worried about is that the VPN-relevant setup will slow
everything down when the VPN is not connected, timing out on the
internal DNS servers.

Thanks for the update, it's a great help.

--Amos