Re: [SLUG] Manipulating DNS - got it!!
On Fri, Apr 18, 2008 at 3:55 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
> Amos Shapira wrote:
>> On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
>>> I did this and it was successful, both for internal and external domains (tks Amos for that suggestion), and here are the lines from /etc/named.conf:
>>
>> And how does it work when the VPN is NOT connected? Is it smart enough to figure out not to try 10.2.2.{1,41} when the VPN is down and go directly to the external DNS?
>
> Basically, yes. It obviously won't resolve internal fqdns because they are not reachable anyway, neither are the internal dns servers, but the resolver still tries the localhost dns server first (as it is the first nameserver in the /etc/resolv.conf file) to resolve an external address, and the forward first clause causes the localhost dns server to try the (now inaccessible) forwarders just the once and then give up, and the resolver then goes on to try the other dhcp-supplied name servers. Thus there is a small delay in dns resolution but I don't see it as a major problem. I guess if you used the forward only clause then it might knicker up.

I was hoping for something more along the lines of: when the VPN link goes down, reconfigure:

1. Remove the "search soho.lannet.com.au" line from resolv.conf
2. Reconfigure the local DNS server to forget about the zone soho.lannet.com.au part.

I'm sure it's doable. Will try to get to it over the weekend (need to be outside the office to test this).

Maybe it's less relevant to you because you still want to use the same name but get the external view when the VPN is disconnected, right?

Cheers,

--Amos
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Manipulating DNS - got it!!
On Fri, Apr 18, 2008 at 04:17:48PM +1000, Amos Shapira wrote:
> On Fri, Apr 18, 2008 at 3:55 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
>> Amos Shapira wrote:
>>> On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
>>>> I did this and it was successful, both for internal and external domains (tks Amos for that suggestion), and here are the lines from /etc/named.conf:
>>>
>>> And how does it work when the VPN is NOT connected? Is it smart enough to figure out not to try 10.2.2.{1,41} when the VPN is down and go directly to the external DNS?
>>
>> Basically, yes. It obviously won't resolve internal fqdns because they are not reachable anyway, neither are the internal dns servers, but the resolver still tries the localhost dns server first (as it is the first nameserver in the /etc/resolv.conf file) to resolve an external address, and the forward first clause causes the localhost dns server to try the (now inaccessible) forwarders just the once and then give up, and the resolver then goes on to try the other dhcp-supplied name servers. Thus there is a small delay in dns resolution but I don't see it as a major problem. I guess if you used the forward only clause then it might knicker up.
>
> I was hoping for something more along the lines of: when the VPN link goes down, reconfigure:
>
> 1. Remove the "search soho.lannet.com.au" line from resolv.conf
> 2. Reconfigure the local DNS server to forget about the zone soho.lannet.com.au part.

Why not have 2 resolv.conf files, something like resolv.conf.{a,b}, then symlink to resolv.conf. Attach a script on vpn up to symlink .a and when the vpn is down to symlink .b.

Alex

> I'm sure it's doable. Will try to get to it over the weekend (need to be outside the office to test this).
>
> Maybe it's less relevant to you because you still want to use the same name but get the external view when the VPN is disconnected, right?
>
> Cheers,
>
> --Amos

--
It's unacceptable to think that there's any kind of comparison between the behavior of the United States of America and the action of Islamic extremists who kill innocent women and children to achieve an objective. - George W. Bush 09/15/2006 Washington, DC White House Press Conference
Re: [SLUG] Manipulating DNS
On Thu, Apr 17, 2008 at 09:05:33 +0545, Howard Lowndes wrote:

Howard,

> I don't want to start fiddling with dhclient, nor with /etc/resolv.conf, but I would like to get at least some of the internal zone presented to

If you don't want to use resolvconf to sort it out (and I'm not recommending you do, just noting it as an option), here are a couple of solutions I've used with openvpn:

If you only want localhost to be able to resolve the internal zone, do a zone transfer from the remote name server after the vpn comes up and populate /etc/hosts. When the vpn goes down (or the machine is rebooted), remove the extra hostnames from /etc/hosts.

If you want other hosts on the LAN to see the internal zone, have a second bind config file (with /etc/bind9/named.conf.local as a symlink to the one you're actually using) with the appropriate config to use the remote servers, then switch the symlink and reload bind when the vpn comes up. This requires that you either run the vpn client on the same host as the local name server, or you have some way to signal to the name server that the vpn is up/down.

Cheers,

John
--
Object-[dis]oriented INTERCAL. I have seen the compiler, and it runs. Why do I now feel like the hero in one of those H. P. Lovecraft stories who has seen something no mortal man was ever meant to see, and who is marginally less sane thereafter? -- Charlie Stross
Re: [SLUG] Manipulating DNS
On Thu, Apr 17, 2008 at 4:56 PM, John Clarke [EMAIL PROTECTED] wrote:
> On Thu, Apr 17, 2008 at 09:05:33 +0545, Howard Lowndes wrote:
>
> Howard,
>
>> I don't want to start fiddling with dhclient, nor with /etc/resolv.conf, but I would like to get at least some of the internal zone presented to
>
> If you don't want to use resolvconf to sort it out (and I'm not recommending you do, just noting it as an option), here are a couple of solutions I've used with openvpn:
>
> If you only want localhost to be able to resolve the internal zone, do a zone transfer from the remote name server after the vpn comes up and populate /etc/hosts. When the vpn goes down (or the machine is rebooted), remove the extra hostnames from /etc/hosts.

I was wondering about exactly that problem with my use of our company's vpn from my Ubuntu 7.10 laptop.

I never got around to checking this, but we use an internal domain company.local for the internal IP addresses; wouldn't it be possible to configure a DNS server (bind9) on the laptop to forward .company.local to the internal DNS server and the rest to the 'default' DNS server? It looks like the zone statement with type forward would achieve just that.

For Howard's original question, maybe he can just set up a forward zone for soho.lannet.com which forwards to the internal DNS server, and forward the rest of the zones to the default upstream.
(ref: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#zone_statement_grammar)

If someone comes up with the exact incantation to do that I'd appreciate seeing a copy of such a config.

--Amos
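As an added example (not code from the thread or from any of its posters), here is one way to combine Alex's two-resolv.conf symlink idea with the forward-zone incantation Amos asks for above: a sh script the VPN client's up/down hooks call, which swaps both resolv.conf and named.conf.local and reloads BIND. The file names, the scratch ROOT tree, and the choice of "forward only" inside the zone are assumptions; the zone name and the 10.2.2.1/10.2.2.41 forwarders are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Switches the resolver and the local
# BIND forward-zone config between a "VPN up" and a "VPN down" variant via
# symlinks, to be called from the VPN client's up/down hooks. File names,
# the scratch tree and the zone body are assumptions; the zone name and
# forwarder addresses are the ones discussed in the thread.
set -eu

# ROOT="" means operate on the real /etc; the default is a scratch tree so
# the script can be exercised offline without touching the system.
ROOT="${ROOT-$(mktemp -d)}"

# Constructed sample files for both states.
seed_files() {
    mkdir -p "$ROOT/etc/bind"
    # VPN up: search the internal zone, ask the local BIND first.
    printf 'search soho.lannet.com.au\nnameserver 127.0.0.1\n' \
        >"$ROOT/etc/resolv.conf.up"
    # VPN down: no internal search domain at all.
    printf 'nameserver 127.0.0.1\n' >"$ROOT/etc/resolv.conf.down"
    # VPN up: BIND forwards only the internal zone to the internal servers;
    # everything else still goes wherever the global options send it.
    cat >"$ROOT/etc/bind/named.conf.local.up" <<'EOF'
zone "soho.lannet.com.au" {
    type forward;
    forward only;
    forwarders { 10.2.2.1; 10.2.2.41; };
};
EOF
    # VPN down: BIND forgets the internal zone entirely.
    : >"$ROOT/etc/bind/named.conf.local.down"
}

# vpn_dns_switch up|down: repoint both symlinks (ln -sfn replaces the link
# in place) and, on a real system, reload BIND so it re-reads the config.
vpn_dns_switch() {
    case "${1-}" in up|down) ;; *) echo "usage: vpn_dns_switch up|down" >&2; return 2 ;; esac
    ln -sfn "resolv.conf.$1" "$ROOT/etc/resolv.conf"
    ln -sfn "named.conf.local.$1" "$ROOT/etc/bind/named.conf.local"
    if [ -z "$ROOT" ] && command -v rndc >/dev/null 2>&1; then rndc reload; fi
}

# current_state: which variant resolv.conf points at ("up" or "down").
current_state() {
    readlink "$ROOT/etc/resolv.conf" | sed 's/^resolv\.conf\.//'
}

seed_files
vpn_dns_switch down   # start in the disconnected state
```

Hook it up by having the VPN client run `vpn_dns_switch up` on connect and `vpn_dns_switch down` on disconnect; with the down variant in place the resolver never waits on the unreachable 10.2.2.x forwarders.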
Re: [SLUG] Manipulating DNS
On Fri, 2008-04-18 at 09:23 +1000, Amos Shapira wrote:
> I never got around to check this but we use an internal domain company.local for the internal IP address, wouldn't it be possible to configure a DNS server (bind9) on the laptop to forward .company.local to the internal DNS server and the rest to the 'default' DNS server? It looks like the zone statement with type forward would achieve just that.

Slightly OT question here: given that zeroconf now uses .local, is using .local for internal domains via bind the right way to do things, or should another name be used?

--
Thanks,
Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton
Re: [SLUG] Manipulating DNS
quote who=Sonia Hamilton
> Slightly OT question here: given that zeroconf now uses .local, is using .local for internal domains via bind the right way to do things, or should another name be used?

Avoid using local, because otherwise most mDNS systems will basically bail out of helping you with local lookups. I generally use 'home' for, uh, home. :-)

- Jeff
--
OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/
It's not sufficient to 'use simple words to explain things'. Things must actually *be* simple, which is much harder. - Martin Pool
Re: [SLUG] Manipulating DNS - some progress to report
$quoted_author = Howard Lowndes ;
> I then went and looked at the man page for dhclient and saw that there can be such a thing as a dhclient.conf file. I don't have one in /etc/ so I created /etc/dhclient.conf with the following lines:
>
> SNIP
>
> which seems to accord with the man page, but it appears (judging by a strace) that neither dhclient nor dhclient-script looks at that file.

the man page should have provided some guidance but see if you have a directory /etc/dhcp/ or /etc/dhcp3/ that dhclient might be looking in.

cheers
marty
--
Skirwan - And if pigs can fly, and I can ride one, and they fly me to hell, and it just froze over, and we all have ice cream... [1]
talonyx - I really need to stop reading Slashdot while on codeine. [2]
[1] - http://slashdot.org/comments.pl?sid=28984cid=3113144
[2] - http://slashdot.org/comments.pl?sid=28984cid=3113355
Re: [SLUG] Manipulating DNS - some progress to report
$quoted_author = Howard Lowndes ;
> Nuffink, just /etc/dhcpd.conf (which I only use when I have interface eth1 running), and /etc/dhclient.conf which I have just created.
>
> I might try creating a /etc/dhcp/ directory and then symlinking into it. I tried that but it didn't do the trick.

which distribution? what dhclient version?

cheers
marty
--
I simply tell them "If _I_ don't have a ticket number then _you_ don't have a problem. Call the helpdesk." Repeat as many times as necessary. - Jay Mottern alt.sysadmin.recovery - [EMAIL PROTECTED]
Re: [SLUG] Manipulating DNS - got it!!
On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
> I did this and it was successful, both for internal and external domains (tks Amos for that suggestion), and here are the lines from /etc/named.conf:

And how does it work when the VPN is NOT connected? Is it smart enough to figure out not to try 10.2.2.{1,41} when the VPN is down and go directly to the external DNS?

What I'm worried about is that the VPN-relevant setup will slow everything down when the VPN is not connected, timing out on the internal DNS servers.

Thanks for the update, it's a great help.

--Amos