dns localhost problem

Joseph S D Yao jsdy at cospo.osis.gov
Tue Sep 26 15:33:49 UTC 2000


On Mon, Sep 25, 2000 at 07:40:21PM -0400, Scott Howell wrote:
...
> I removed the "." from localhost in my zone file so it now reads
> 
> localhost   IN   A   127.0.0.1
> 
> I was getting out of zone errors, but now if I do a nslookup on localhost,
> I get a non-existent domain.
> 
> I have in my local file the following
> 
> ; local file for lrxms.net
> ;
> @ SOA localhost.  hostmaster.localhost. (
> 2000092401 ; serial,today's date + today's serial
> ;
>  IN NS   ns.lrxms.net. ; init address of name server
> 1  IN   PTR   localhost
> 
> I can do nslookup 127.0.0.1 and get localhost.
> 
> I assume this needs to be fixed although I am getting no errors.

This is pretty confusing.  It very much matters where all these code
fragments are located.

Is the above fragment from the zone file for 0.0.127.in-addr.arpa?  Or
the zone file for lrxms.net?  In the former case, the zone file is
mostly correct, but irrelevant, and the comment is wrong.  In the
latter case, the comment is right, but the PTR is out of place.  In
either case, the SOA record should not contain references to
"localhost", but to the actual host name and e-mail address.  OTOH, in
the 0.0.127.in-addr.arpa file, these are innocuous errors.

Where is the "A" record?  Is it in your lrxms.net zone file?  Does your
resolv.conf do something to allow localhost.lrxms.net to be resolved?
Try the latter address explicitly [if you're using 'nslookup', append a
dot].  Report back all findings.  Thanks.

> Ok, here is another question.
> 
> Is it completely mad for me to want to run both my own nameservers? Yeah,
> I know it's being kinda cheap of me not to pay my ISP $35 one-time setup
> charge to handle secondary, but they will do reverse for free and no, of
> course they won't delegate.<G>
> 
> Ok, I know there's Granite Canyon and so what do folks think of them.
> 
> I imagine running secondary nameserver isn't more than just setting up a
> slave.

Well, it's not mad.  But it is more than just having another host.  The
whole point of having multiple peer servers is to reduce the chance of
a single blow taking out both.  So, optimally, you should have two
servers that are not on the same network, on the same power line, on
the same power grid, in the same building, on the same campus, in the
same city, etc.  You may be able to arrange this; but perhaps not.

As for GC - all I know of them is the many, many people who have
appealed here for help when using them.  If there are any satisfied
customers, there is of course no reason for them to appear here.  But
the managers have shown up here several times to note that they are
trying.

> Ok, lastly is there anything else I need to take into consideration before
> finally uploading the info to registerfree folks? I really don't want to
> be putting junk into the works you know.
> I'd like to think that I am pretty conscious in not making a mess of
> things.

Just tell them to read your domain from your server.  There, put in
what you would want the world to know [and conversely keep out what you
don't want the world to know].  After a problem when WHOIS was messed
up, I put in an RP [responsible person], MINFO [mail info] and TXT
record to try to give correct information.  [Now I've got to try to get
THEM fixed!]

> Oh, finally last item that really is important. I see that named is
> listening on both my internal and external interfaces.
> 
> I have heard its better to run a named server for internal machines
> separate from the external server. That seems unnecessary, but perhaps
> not. Would I set it up so that lrxms is its domain then?

It is best to do so.  If you can duplicate the domain, then OK.  If you
have fairly extensive holdings both inside and out, I would make one a
subdomain.

Best to run the internal name server on a machine that is NOT a
"firewall".  Have it forward all external queries to the firewall
machine.  Best to have external DNS on a machine not your firewall,
too.

> Is it fairly safe to run dns behind a firewall and just open that port for
> udp queries?

Some think so.  I don't.  BIND itself is a good proxy for DNS.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
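Added example, not the zone files posted in the thread: a minimal forward zone and a minimal 0.0.127.in-addr.arpa zone laid out the way Joe's answer describes, with the A record for localhost in the forward zone, only the PTR in the reverse zone, and the SOA naming a real host and mailbox rather than "localhost". The file names, the name ns.lrxms.net, the mailbox hostmaster.lrxms.net, the timer values and the address 192.0.2.1 are assumptions. One detail worth checking in the original fragment: a PTR target written without a trailing dot is relative to the zone origin, so "1 IN PTR localhost" in the reverse zone names localhost.0.0.127.in-addr.arpa, not localhost.

```bind
; Added example (not the configuration from the thread). File names, the
; host ns.lrxms.net, the mailbox and timer values are assumptions; the
; 192.0.2.1 address is a constructed sample.

; ---- file: db.lrxms.net  (forward zone, origin lrxms.net.) ----
$TTL 86400
@           IN  SOA  ns.lrxms.net. hostmaster.lrxms.net. (
                     2000092401 ; serial, YYYYMMDDnn
                     10800      ; refresh (3 hours)
                     3600       ; retry (1 hour)
                     604800     ; expire (1 week)
                     86400 )    ; minimum / negative-cache TTL
            IN  NS   ns.lrxms.net.
ns          IN  A    192.0.2.1          ; constructed sample address
; The A record for localhost belongs here, in the forward zone.  Without a
; trailing dot the owner name is relative, so this is localhost.lrxms.net.
localhost   IN  A    127.0.0.1

; ---- file: db.127.0.0  (reverse zone, origin 0.0.127.in-addr.arpa.) ----
$TTL 86400
@           IN  SOA  ns.lrxms.net. hostmaster.lrxms.net. (
                     2000092401 ; serial
                     10800      ; refresh
                     3600       ; retry
                     604800     ; expire
                     86400 )    ; minimum
            IN  NS   ns.lrxms.net.
; Only the PTR lives here.  The target ends in a dot so it is the absolute
; name "localhost."; without the dot BIND would append the origin and the
; record would point at localhost.0.0.127.in-addr.arpa.
1           IN  PTR  localhost.
```

With these two files, "nslookup 127.0.0.1" returns localhost, and "nslookup localhost" succeeds when resolv.conf carries "search lrxms.net" (or when the name is typed fully as localhost.lrxms.net. with the dot, as Joe suggests). On BIND 8.2 or later, named-checkzone can be run on each file before reloading to catch out-of-zone and syntax errors.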

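Added example, not a configuration from the thread: two named.conf fragments that implement Joe's last two answers, an internal name server on a non-firewall machine that only listens on the inside interface and forwards everything it is not authoritative for to the firewall's BIND, and a separate external server that is authoritative only. The interface addresses (10.0.0.x inside, 192.0.2.x outside), the file names and the reverse zone for the internal network are assumptions.

```bind
// Added example (not the thread's configuration).  Addresses, file names
// and the 0.0.10.in-addr.arpa zone are assumptions.

// ---- /etc/named.conf on the INTERNAL server (not the firewall) ----
options {
    directory "/var/named";
    // Bind only to the inside interface and loopback, so named is not
    // reachable from the external interface at all.
    listen-on { 10.0.0.53; 127.0.0.1; };
    // Answer only hosts on the internal network.
    allow-query { 10.0.0.0/24; 127.0.0.1; };
    // Everything this server is not authoritative for goes to the BIND
    // instance on the firewall; "forward only" means it never contacts
    // outside servers itself, so it needs no root hints.
    forward only;
    forwarders { 10.0.0.1; };
};

// Internal copy of the domain: private hosts, including localhost.
zone "lrxms.net" {
    type master;
    file "db.lrxms.net.internal";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
};
zone "0.0.10.in-addr.arpa" {
    type master;
    file "db.10.0.0";
};

// ---- /etc/named.conf on the EXTERNAL server (also not the firewall) ----
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    // Authoritative only: anyone may ask about lrxms.net, but this server
    // does no recursion, so outsiders cannot use it as a resolver.
    recursion no;
    allow-query { any; };
};

// Public copy of the domain: only the hosts the world should know about.
zone "lrxms.net" {
    type master;
    file "db.lrxms.net.external";
};
```

The two copies of db.lrxms.net are what Joe means by "duplicate the domain"; if the inside grows large, the internal file can instead serve a subdomain such as int.lrxms.net (assumed name). Keeping the private file on a server that never answers outside queries is what keeps internal host names from leaking, and "recursion no" on the external box is the check to make after any change: a query for a name outside lrxms.net against 192.0.2.53 should be refused rather than answered.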