Newbie - config questions

Joseph S D Yao jsdy at cospo.osis.gov
Fri Mar 31 22:49:20 UTC 2000 

On Tue, Feb 29, 2000 at 01:44:56PM +1100, Bryan Tonnet wrote:
...
> A dual homed masquerading firewall with an outward facing 'real' ip
> address
> Two other machines in a perimeter net with 'real' ip addresses.
> 
> One of the internal machines runs bind 4.9.2 and is a primary for
> 192.168.x, and has a forwarder of the firewall machine.
> 
> The firewall machine runs bind 4.9.7, and is a secondary for 192.168.x,
> and has forwarders to two of our ISP's NS machines.
> 
> Our ISP is the primary for our 'real' IP addresses.
> 
> There is only one domain for the company both internal and external.
...

Most of the internal/external problems have been addressed.

> * I think the firewall machine gets occasionally confused as to where to
> forward requests for our domain.  It should go looking at it's own
> (secondary) tables first, but seems to occasionally reach outside to the
> ISP's primary tables which, of course, have none of the internal
> machines listed.

Have the firewall machine resolve DNS, not from itself, but from the
internal name server.  The firewall machine is, effectively, your
EXTERNAL name server, with only the addresses that you want the
Internet to see.  But you want the firewall machine itself to resolve
from your INTERNAL name server.

> * Finally, and out of left field, our Win95 clients don't seem to follow
> down the list of DNS servers properly.  When the primary is down, these
> clients fail with no DNS resolution even though the secondary is up and
> resolving.  Is this another MS thing, or more likely related to our
> current configuration?

MSW'95 follows properly for us.  Do you have all SPs?  Have you tried
doing a simple 'nslookup' on the same data from each name server, and
making sure that it responds?

Of course, you should NOT be using your "external name server" to
resolve internal names, so this is a configuration problem anyway.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

More information about the bind-users mailing list