Same Question ...

Kevin Darcy kcd at daimlerchrysler.com
Tue May 29 19:35:47 UTC 2001


Desmond Coughlan wrote:

> On 25.05.01, Kevin Darcy wrote:
>
> {snip}
>
> >So, next question: how is dnsx (the problem child) configured? Looks like it
> >has no knowledge of the 168.192.in-addr.arpa namespace and has recursion
> >turned off. Note that you have a duty to prevent bogus 168.192.in-addr.arpa
> >queries from leaking out onto the Internet. So please give dnsx knowledge of
> >the 168.192.in-addr.arpa namespace *before* enabling recursion on the box.
>
> If I were to create a file in /etc/namedb called 168.192.rev and
> edit that file to resemble 127.0.0 (with the obvious differences, such
> as '168.192.in-addr.arpa.   SOA' etc.), would that be enough?

Should be. Populate the file with your 192.168.*.* PTR entries. If the file gets
too big, then you always have the option of splitting it up into /24 subzones,
e.g. 0.168.192.in-addr.arpa, 1.168.192.in-addr.arpa and so forth.

> >Of course, I'm assuming here that dnsx is supposed to have some form of
> >connectivity to the Internet DNS, either directly or by forwarding through
> >another server. If that's not true, then that's an even more fundamental
> >configuration problem: it shouldn't be configured with the Internet root
> >hints file at all in that case.
>
> The machine has no access to the 'real' Internet; it can only 'leave' this
> domain, via a leased line, to company.us.com in the United States.

So, does company.us.com have access to a root zone? Every BIND nameserver needs
access to a root zone, either directly or indirectly. You'll need to either set
up your own internal root zone or forward to the company.us.com box so that it
can satisfy your root-zone queries.

> >And please use "dig", as you've been told before. *Always*. nslookup sucks
> >and is complicating your troubleshooting here.
>
> How can I use dig to check for lookups from my Ultra-5, when it isn't
> installed on it?

Did you build BIND on this box? dig is part of the BIND distribution.


- Kevin
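
Added example (not part of the original post): a Python script that generates the 168.192.in-addr.arpa zone data discussed above, either as a single /16 zone or split into /24 subzones, together with matching named.conf stanzas. The example.com host names, the SOA values, and the choice to keep the /16 parent zone with delegations when splitting (so unlisted 192.168 reverse queries are still answered locally) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

PARENT = "168.192.in-addr.arpa"
# Constructed inventory; the example.com names are placeholders, not from the thread.
HOSTS = {
    "192.168.0.10": "dnsx.example.com.",
    "192.168.0.25": "ultra5.example.com.",
    "192.168.1.7": "mail.example.com.",
}

def header(zone, ns, serial):
    """$TTL, SOA and NS lines that every zone file needs (timer values assumed)."""
    return (f"$TTL 86400\n"
            f"{zone}. IN SOA {ns} hostmaster.example.com. "
            f"( {serial} 3600 900 604800 86400 )\n"
            f"{zone}. IN NS {ns}\n")

def build_reverse_zones(hosts, split_24=False, ns="dnsx.example.com.", serial=2001052901):
    """Return {zone name: zone file text} for the 192.168.0.0/16 reverse space."""
    net = ipaddress.ip_network("192.168.0.0/16")
    rrs = defaultdict(list)
    rrs[PARENT]  # always create the /16 zone so 192.168 reverse queries stay local
    for addr in sorted(hosts, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(addr)
        if ip not in net or not hosts[addr].endswith("."):
            raise ValueError(f"bad entry: {addr} {hosts[addr]}")
        owner = ip.reverse_pointer        # e.g. 10.0.168.192.in-addr.arpa
        child = owner.split(".", 1)[1]    # e.g. 0.168.192.in-addr.arpa
        if split_24 and not rrs[child]:
            # First host in this /24: delegate the subzone from the parent.
            rrs[PARENT].append(f"{child}. IN NS {ns}")
        rrs[child if split_24 else PARENT].append(f"{owner}. IN PTR {hosts[addr]}")
    return {z: header(z, ns, serial) + "\n".join(lines) + "\n" for z, lines in rrs.items()}

def named_conf(zones):
    """named.conf stanzas; file names follow the thread's '168.192.rev' pattern."""
    stanzas = []
    for z in sorted(zones):
        fname = z.replace(".in-addr.arpa", "") + ".rev"
        stanzas.append(f'zone "{z}" {{ type master; file "{fname}"; }};\n')
    return "".join(stanzas)

if __name__ == "__main__":
    zones = build_reverse_zones(HOSTS, split_24=True)
    print(named_conf(zones))
    for text in zones.values():
        print(text)
```

Running it prints the stanzas and zone files for the split layout; pass `split_24=False` for the single `168.192.rev` file.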
