chrooted - splitdns
John Hardy
johnh at PATCHLINK.COM
Fri Jun 30 00:06:40 UTC 2000
>
>
> John Hardy wrote:
>
> > I have sucessfully installed a chroot-split/dns
> system. I have my
> > external systems being listed from the Public interface and
> I have my
> > internal systems being listed from the Private interface.
> Now the problem
> > I'm having is a little complicated. Basically I don't
> think my forwarding
> > is working. Let see if I can explain it properly. One
> machine, Linux
> > 2.2.13, Version "8.2.2-P5", 2 nics, Public and Private
> interfaces have a
> > named process with db files for the external servers on
> Public and db files
> > for the internal servers on Private. The Private interface
> has a forwarder to
> > the public side.
>
> I'm not sure why that's necessary. If configured with the
> proper hints file,
> the private instance should be able to resolve Internet names
> just fine without
> relying on a forwarder.
I said successfully, not properly. :)
You may have hit the nail on the head. I did nothing to the hints file. I
purchased and read the O'Reily DNS and BIND 3rd edition and found it lacking
some of what I needed. But I don't know what needs to be changed within the
hints file. Will you tell me what I need, or where to get the information I
need use? My hints file only contains the root servers.
>
> > Both sides are serving the same domain name.
>
> The same domain *name*? Or the same *domain*? If you mean the
> latter, then
> hopefully the zone served by the external instance is a
> "shadow" *subset* of
> the internal version.
My server is the master for a domain name 'patchlink.com'. This is the
domain name I spoke of. I have internal machines in the patchlink.com
domain...and I have external servers (like www) in the patchlink.com domain
space also. The outside database files for patchlink.com are a simplistic
version of what I have on the inside (only showing for www and mail, etc).
Isn't this what I want? I'm am expecting that I want to have only 1
database with this record to my www in the outside database. I can, and I
am right now, setting up patchlink.com in both my inside and outside, and
pointing that record's IP address to the outside IP. Is this correct or
incorrect?
Inside says: www IN A 64.249.24.250
Outside says www IN A 64.249.24.250
I would prefer the inside client to send the request to the inside dns
server. It realizes that it does not have the proper information, and
forwards it to the outside server which knows it is authoritative and
answers the query. Is this possible? Or do I need to make entries in both
the inside and the outside databases for anything I am hosting on the
outside?
> > I am expecting that a private workstation on the private
> side, should be able
> > to request one of our public servers, recieving the answer
> from the service
> > listening on the Public interface. This is not happening,
> it times out.
>
> Now you're really confusing me. Why would an internal
> workstation ever need to
> talk to the external instance? Why would you want it to? As I
> implied above,
> the usual "shadow" configuration means that the data in the
> internal instance
> is a superset of the data in the external instance. So the
> internal machines
> talk to the internal instance, and this resolves anything
> they need. There's no
> need for them to talk to the external instance at all. It's
> best if the only
> thing which talks to the external instance is external
> clients, which should
> only be asking about domains delegated to you. If at all
> possible, you want to
> shut recursion off completely on your external instance, or
> at least restrict
> it to address ranges you control or otherwise trust.
>
> > When I startup named, I have 1 error that seems relevant.
> But I don't know
> > how to fix it.
> >
> > Jun 25 16:27:48 ns1 named[7834]: sysquery: sendto([public
> > IPxx.xx.xx.xx].53): Operation not permitted
>
> I don't know exactly what "Operation not permitted" signifies
> on Linux. I think
> that's an EPERM error, but on the systems I have ready access
> to here (Solaris,
> AIX), EPERM is not a possible error for the sendto() routine.
> What does the man
> page for sendto() say on your system?
>
> > Here are my named.conf file "options" for each side
> >
> > -Public-
> > options {
> > directory "/db_ext";
> > pid-file "/db_ext/pid";
> > named-xfer "/sbin/named-xfer";
> > #
> > #query-source address * port 53;
> > #
> > # specify the external IP address of this box
> > listen-on { PubicIPxx.xx.xx.xx; 127.0.0.1; };
> > #
> > };
>
> Why is the public instance listening on loopback?
I have it listening so that when I'm on that box locally, I can get
requests.
>
> > When I restart the named servers I get:
> >
> > Jun 28 23:37:18 ns named[1116]: reloading nameserver
> > Jun 28 23:37:18 ns named[1116]: Forwarding source address is
> > [0.0.0.0].1055
> > Jun 28 23:37:18 ns named[1116]: Ready to answer queries.
> > Jun 28 23:37:18 ns named[1118]: reloading nameserver
> > Jun 28 23:37:18 ns named[1118]: Forwarding source address is
> > [0.0.0.0].1056
> > Jun 28 23:37:18 ns named[1118]: Ready to answer queries.
> > Jun 28 23:37:40 ns named[1118]: ns_forw:
> > sendto([PublicIPxx.xx.xx.xx].53): Operation not permitted
> >
> > I would appreciate some help. I'm out of options,
> at least that I
> > know of. I have tried using 0.0.0.0 as a forwarder, I have
> tried taking
> > both sides individually off of listening to 127.0.0.1, and
> the allow-query.
> > I'm hoping someone has an answer. I am also running
> IPchains. However I
> > have turned it off to test this and still no luck. I have
> ipforwarding on
> > in the kernel, I can't see why this is a problem.
> >
> > Second issue - what does this mean?
> > Jun 28 23:15:14 ns named[1118]: sysquery: findns
> error (NXDOMAIN) on
> > ns1.{mydomain}.com?
>
> This means that whatever server was asked about the address of
> ns1.{mydomain}.com claimed it didn't even exist. This may be
> a consequence of
> your other
> (sendto()) problem.
> - Kevin
>
>
>
More information about the bind-users
mailing list