[leaf-user] dnscache vs. dmz ???

2002-10-08 Thread Michael D. Schleif
does anybody have a proxy-arp dmz and also running tinydns & dnscache? thought that I'd resolved this some time ago; but, tonight, for the life of me, I cannot get dmz hosts to resolve addresses for remote internet sites solely via tinydns-public and dnscache ;< tinydns tries to resolve the name and

Re: [leaf-user] dnscache vs. dmz ???

2002-10-08 Thread Erich Titl
Michael At 07:57 09.10.2002, you wrote: >does anybody have a proxy-arp dmz and also running tinydns & dnscache? > >thought that I'd resolved this sometime ago; but, tonight, for life of >me, I cannot get dmz hosts to resolve addresses for remote internet >sites solely via tinydns-public and dnsc

Re: [leaf-user] dnscache vs. dmz ???

2002-10-09 Thread Michael D. Schleif
Erich Titl wrote: > > At 07:57 09.10.2002, you wrote: > > >does anybody have a proxy-arp dmz and also running tinydns & dnscache? > > > >thought that I'd resolved this sometime ago; but, tonight, for life of > >me, I cannot get dmz hosts to resolve addresses for remote internet > >sites solely

Re: [leaf-user] dnscache vs. dmz ???

2002-10-09 Thread Charles Steinkuehler
> > >does anybody have a proxy-arp dmz and also running tinydns & dnscache? > > > > > >thought that I'd resolved this sometime ago; but, tonight, for life of > > >me, I cannot get dmz hosts to resolve addresses for remote internet > > >sites solely via tinydns-public and dnscache ;< tinydns tries

Re: [leaf-user] dnscache vs. dmz ???

2002-10-09 Thread Michael D. Schleif
Charles Steinkuehler wrote: > > > > >does anybody have a proxy-arp dmz and also running tinydns & > dnscache? > > > > > > > >thought that I'd resolved this sometime ago; but, tonight, for life > of > > > >me, I cannot get dmz hosts to resolve addresses for remote internet > > > >sites solely via

Re: [leaf-user] dnscache vs. dmz ???

2002-10-09 Thread Michael D. Schleif
"Michael D. Schleif" wrote: > > does anybody have a proxy-arp dmz and also running tinydns & dnscache? Anybody have such setup that works? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to

Re: [leaf-user] dnscache vs. dmz ???

2002-10-09 Thread Stephen Lee
On Wed, 2002-10-09 at 15:07, Michael D. Schleif wrote: > > "Michael D. Schleif" wrote: > > > > does anybody have a proxy-arp dmz and also running tinydns & dnscache? > > Anybody have such setup that works? Yes, on Dachstein 1.0.2CD, BUT tinydns and dnscache only serve the private network. I ha

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Matthew Schalit
Michael D. Schleif wrote: > "Michael D. Schleif" wrote: > >>does anybody have a proxy-arp dmz and also running tinydns & dnscache? > > > Anybody have such setup that works? > I have three nics in Bering rc3 eth1 10.10.10.0/24 + tinydns private + dnscach

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Michael D. Schleif
thank you, for your continued interest . . . Matthew Schalit wrote: > > Michael D. Schleif wrote: > > "Michael D. Schleif" wrote: > > > >>does anybody have a proxy-arp dmz and also running tinydns & dnscache? > > > > Anybody have such setup that works? > > I have three nics in Bering rc3 > >

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Matthew Schalit
Michael D. Schleif wrote: > thank you, for your continued interest . . . > > Matthew Schalit wrote: > >>Michael D. Schleif wrote: >> >>>"Michael D. Schleif" wrote: >>> >>> does anybody have a proxy-arp dmz and also running tinydns & dnscache? >>> >>>Anybody have such setup that works? >> >>I

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Michael D. Schleif
Matthew Schalit wrote: > > Michael D. Schleif wrote: > > thank you, for your continued interest . . . > > > > Matthew Schalit wrote: > > > >>Michael D. Schleif wrote: > >> > >>>"Michael D. Schleif" wrote: > >>> > >>> > does anybody have a proxy-arp dmz and also running tinydns & dnscache? >

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Michael D. Schleif
"Michael D. Schleif" wrote: > > Matthew Schalit wrote: > > Do you forward and masq from the dmz to internal or just forward? > > Have you posted all the rules you're using for that? > > this could be it: > > this page will update

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Michael D. Schleif
Matthew Schalit wrote:
> Please tell me you've added ipchains -l logging to every packet
> 1) inbound on dmz nic
> 2) outbound from dmz nic
> 3) inbound on internal nic
> 4) outbound on internal nic
> 5) forwarded by any forward rule
>
> and r

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Michael D. Schleif
"Michael D. Schleif" wrote: > > Matthew Schalit wrote: > > > > > Please tell me you've added ipchains -l logging to every packet > > 1) inbound on dmz nic > > 2) outbound from dmz nic > > 3) inbound on internal nic > > 4) outbound on internal nic > >

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Brad Fritz
On or before Wed, 09 Oct 2002 11:06:30 EST mds and Charles S wrote: mds> I cannot get dmz hosts to resolve addresses for remote internet mds> sites solely via tinydns-public and dnscache ;< tinydns tries to mds> resolve the name and gives up, without so much as asking dnscache. [other details

Re: [leaf-user] dnscache vs. dmz ???

2002-10-10 Thread Michael D. Schleif
Brad Fritz wrote: > > On or before Wed, 09 Oct 2002 11:06:30 EST mds and Charles S wrote: > > mds> I cannot get dmz hosts to resolve addresses for remote internet > mds> sites solely via tinydns-public and dnscache ;< tinydns tries to > mds> resolve the name and gives up, without so much as as

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Michael D. Schleif
Charles Steinkuehler wrote: > > > > I think Charles hit the nail on the head when he said: > > > > > > cs> You have to point the DMZ systems at the IP of dnscache, *NOT* > tinydns, > > > cs> as tinydns does not do recursive queries. I think that's the > root of > > > cs> your problem. Switch t

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Charles Steinkuehler
> root@bluetrout:/root
> # ip addr
> 7: eth0: mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:a0:c9:9e:57:70 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
> 8: eth1: mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:a0:c9:9e:64:83 brd ff:ff:

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Brad Fritz
On Fri, 11 Oct 2002 09:26:54 EST mds wrote:
> I'm beginning to believe that this may be the problem. Remember, I witness the queries in dnscache and witness the answers sent; but, nothing gets back to dmz.

Are you sure? Snippets from the ipchains logs you posted

[c] 59:52 output - eth1 P

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Matthew Schalit
Brad Fritz wrote: > On Fri, 11 Oct 2002 09:26:54 EST mds wrote: > I still think using two instances of dnscache in front of two > instances of tinydns would be a cleaner solution if you need > separate DMZ and LAN namespaces. Otherwise you might end up > in routing kludge hell getting this to w

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Charles Steinkuehler
> > I think Charles hit the nail on the head when he said: > > > > cs> You have to point the DMZ systems at the IP of dnscache, *NOT* tinydns, > > cs> as tinydns does not do recursive queries. I think that's the root of > > cs> your problem. Switch the IP in your non-working DMZ resolv.conf to th

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Matthew Schalit
Michael D. Schleif wrote:
How about you tell me what ip tinydns-public is bound to?
==>cat /etc/tinydns-public/env/IP
How about what ip is dnscache bound to?
==>cat /etc/dnscache/env/IP
# cat /etc/tinydns-public/env/IP
64.4.197.65
# cat /etc/dnscache/env/IP
0.0.0.0
I've not

Re: [leaf-user] dnscache vs. dmz ???

2002-10-11 Thread Matthew Schalit
Michael D. Schleif wrote:
Matthew Schalit wrote:
Please tell me you've added ipchains -l logging to every packet
1) inbound on dmz nic
2) outbound from dmz nic
3) inbound on internal nic
4) outbound on internal nic
5) forwarded by any forward rule

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Michael D. Schleif
Thank you, Charles, et al. for your continued participation . . .

Charles Steinkuehler wrote:
>
> > root@bluetrout:/root
> > # ip addr
> > . . .
> > 7: eth0: mtu 1500 qdisc pfifo_fast qlen 100
> > link/ether 00:a0:c9:9e:57:70 brd ff:ff:ff:ff:ff:ff
> > inet 192.168.1.254/24 brd 192.168.1

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Michael D. Schleif
OK, it gets more interesting ;>

[1] As you know, here is a summary of the dcd:

root@bluetrout:/etc # ip addr
. . .
7: eth0: mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:c9:9e:57:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Ray Olszewski
Sorry to jump into this late. You say:

[4] I need help understanding what is going on in lines like this:

64.4.197.69 > 64.4.197.65: icmp: 64.4.197.69 udp port 32868 unreachable [tos 0xc0]

I am confused with both icmp and udp specified on same line ???

I believe what this reports

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Michael D. Schleif
Thank you, for your participation . . . Ray Olszewski wrote: > > Sorry to jump into this late. > > You say: > > >[4] I need help understanding what is going on in lines like this: > > > >64.4.197.69 > 64.4.197.65: icmp: 64.4.197.69 udp port 32868 > > unreachable [tos 0xc0] > > > >

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Charles Steinkuehler
Comments inline. > Yes, I, too, have been confused by some of this. We have several > successful proxy-arp dmz's; so, when we built this one, we started by > cloning those other config's and changing addresses, &c. and it appeared > to be working as expected. > > # ip route > 64.4.222.158 dev ips

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Michael D. Schleif
Charles Steinkuehler wrote: > > Comments inline. > > > Yes, I, too, have been confused by some of this. We have several > > successful proxy-arp dmz's; so, when we built this one, we started by > > cloning those other config's and changing addresses, &c. and it > appeared > > to be working as e

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Charles Steinkuehler
> OK, it gets more interesting ;> Indeed! Lots of in-line comments, or just skip to the "executive summary" at the end :-) > [3] As it turns out, some name resolution stuff works (e.g., nslookup); > but, other stuff does *NOT* work (e.g., host, dig, ping). tcpdump > output is here: >

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Charles Steinkuehler
> > > # ping -c 3 64.4.197.127
> > > PING 64.4.197.127 (64.4.197.127): 56 data bytes
> > > 64 bytes from 64.4.197.65: icmp_seq=0 ttl=255 time=0.3 ms
> > > 64 bytes from 64.4.197.69: icmp_seq=0 ttl=255 time=0.7 ms (DUP!)
> > > 64 bytes from 64.4.197.68: icmp_seq=0 ttl=128 time=0.9 ms (DUP!)
> > > 64

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Charles Steinkuehler
> > > 17: wan1: mtu 1500 qdisc pfifo_fast qlen 100
> > > link/ppp
> > > inet 64.4.222.157 peer 64.4.222.158/32 scope global wan1
> > > inet 64.4.197.99/32 scope global wan1
> > > inet 64.4.197.100/32 scope global wan1
> > > inet 64.4.197.101/32 scope global wan1
> >
> > Please

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Michael D. Schleif
Charles Steinkuehler wrote: > So...it looks like either dnscache is mis-configured (bad send-from IP), > or more likely, that your masquerade rule connecting the internal > network with the DMZ is mangling (masquerading) the return traffic. Why am I thinking about correcting the error and dnsc

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Michael D. Schleif
Charles Steinkuehler wrote:
>
> > > > 17: wan1: mtu 1500 qdisc pfifo_fast qlen 100
> > > > link/ppp
> > > > inet 64.4.222.157 peer 64.4.222.158/32 scope global wan1
> > > > inet 64.4.197.99/32 scope global wan1
> > > > inet 64.4.197.100/32 scope global wan1
> > > > inet 64.

Re: [leaf-user] dnscache vs. dmz ???

2002-10-12 Thread Charles Steinkuehler
> > I'd suggest configuring dnscache to listen on the 64.4.197.65 IP for > > your DMZ hosts. You can setup a second dnscache to listen on > > 192.168.1.254 for your internal network. The two tinydns instances can > > be run on loopback interfaces (there's more than just 127.0.0.1 > > available, r