DNS Problem

on 26.01.2006 20:52:29 by gerardo juarez-mondragon

I have the following situation

   internet              internet
      |                     |
      |                     |
 mail server ----------- firewall
(10.21.23.20)         (10.21.23.21)
                            |
                            |
                         intranet
                      (192.168.x.x)

The firewall is also a caching DNS, to speed up
lookups and overcome DNS server downtime. My
problem is that when I lookup the mail server
the address I receive from 10.21.23.21 is the
external address, as seen from outside.
I would like the address to be resolved for
internal machines as the shortcut 10.21.23.20.
The routes are correct according to traceroute.

I thought that if I modified the firewall's
/etc/hosts including the address of the mail
server as 10.21.23.20 and setting nsswitch.conf
to hosts: files dns
would make it work, but the cached address seems
to have priority.

I also restarted named, but the situation remains.

What should be the correct configuration?

Thank you,
Gerardo


-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: DNS Problem

on 26.01.2006 21:33:03 by urgrue

At 21:52 26-01-06, gerardo juarez-mondragon wrote:
>I have the following situation
>
>    internet              internet
>       |                     |
>       |                     |
>  mail server ----------- firewall
> (10.21.23.20)         (10.21.23.21)
>                             |
>                             |
>                          intranet
>                       (192.168.x.x)
>
>The firewall is also a caching DNS, to speed up
>lookups and overcome DNS server downtime. My
>problem is that when I lookup the mail server
>the address I receive from 10.21.23.21 is the
>external address, as seen from outside.
>I would like the address to be resolved for
>internal machines as the shortcut 10.21.23.20.
>The routes are correct according to traceroute.
>
>I thought that if I modified the firewall's
>/etc/hosts including the address of the mail
>server as 10.21.23.20 and setting nsswitch.conf
>to hosts: files dns
>would make it work, but the cached address seems
>to have priority.
>
>I also restarted named, but the situation remains.
>
>What should be the correct configuration?

From your description I'm assuming that your
mail server DNS points to 10.21.23.20 and that you forward port 25 from there to 10.21.23.21? If
so, and since your intranet anyway travels through your firewall to reach your mail server, why
not just let them use the 10.21.23.20 address?

If you must do it for some reason, what about having internal hosts configured to use for example smtp-internal.domain.com which points to 10.21.23.21 while the internet and your MXs use smtp.domain.com, which would be the .20 address.




Re: DNS Problem

on 27.01.2006 21:45:05 by Glynn Clements

gerardo juarez-mondragon wrote:

> I have the following situation
>
>    internet              internet
>       |                     |
>       |                     |
>  mail server ----------- firewall
> (10.21.23.20)         (10.21.23.21)
>                             |
>                             |
>                          intranet
>                       (192.168.x.x)
>
> The firewall is also a caching DNS, to speed up
> lookups and overcome DNS server downtime. My
> problem is that when I lookup the mail server
> the address I receive from 10.21.23.21 is the
> external address, as seen from outside.
> I would like the address to be resolved for
> internal machines as the shortcut 10.21.23.20.
> The routes are correct according to traceroute.
>
> I thought that if I modified the firewall's
> /etc/hosts including the address of the mail
> server as 10.21.23.20 and setting nsswitch.conf
> to hosts: files dns
> would make it work, but the cached address seems
> to have priority.

A DNS server is exactly that: a DNS server. Local name-service
mechanisms (/etc/hosts, /etc/host.conf, /etc/nsswitch.conf etc) only
affect the results of gethostbyname() and similar functions, and won't
have any effect upon the behaviour of named or other DNS daemons, or
any programs which perform DNS queries directly (e.g. most MTAs).

If the DNS server is running BIND 9.x, you can use the "view"
statement to provide different information for a domain depending upon
who is asking. The view statement is described in sections 6.2.19 and
6.2.20 of the BIND Administrator Reference Manual.

--
Glynn Clements
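A split-horizon named.conf of the kind Glynn describes, as an added example that is not from the thread. It assumes BIND 9, that the mail host's public name is mail.example.com, that the intranet is 192.168.0.0/16 plus the 10.21.23.0/24 segment the firewall and mail server sit on, and an illustrative zone-file path; substitute the real names.

```conf
// named.conf on the firewall (10.21.23.21), BIND 9 syntax.
// Assumed: mail host is mail.example.com, intranet is 192.168.0.0/16,
// firewall/mail segment is 10.21.23.0/24, zone file path is illustrative.

acl "intranet" {
    127.0.0.1;          // the firewall itself, so 'dig @localhost' sees the internal view
    10.21.23.0/24;
    192.168.0.0/16;
};

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 10.21.23.21; };   // adjust to the inside interface(s)
};

// Once 'view' is used, every zone (including the localhost and
// 127.in-addr.arpa zones a distribution ships) must live inside a view,
// or named refuses to start. Views are tried in this order and the first
// match-clients hit wins, so the internal view has to come before the catch-all.
view "internal" {
    match-clients { "intranet"; };
    recursion yes;
    allow-recursion { "intranet"; };

    // Override only this one name; everything else is still resolved upstream.
    zone "mail.example.com" {
        type master;
        file "internal/db.mail.example.com";
    };
};

view "external" {
    match-clients { any; };
    allow-query { none; };      // serve nothing to anyone else: REFUSED, never the internal data
    recursion no;
};

// ---- file internal/db.mail.example.com: a one-name zone, internal address only ----
// $TTL 3600
// @   IN SOA  firewall.example.com. hostmaster.example.com. (
//                 2006012601 ; serial
//                 3600       ; refresh
//                 900        ; retry
//                 1209600    ; expire
//                 300 )      ; negative-cache TTL
//     IN NS   firewall.example.com.
//     IN A    10.21.23.20
```

Check it with named-checkconf and named-checkzone mail.example.com internal/db.mail.example.com before reloading, then query from an intranet host (dig @10.21.23.21 mail.example.com, expect 10.21.23.20) and from outside (expect REFUSED). Each view keeps its own cache, so the public answer cached by the old single-view setup does not carry over into the internal view; rndc flush if in doubt. Two things the views do not change: a client that reaches the firewall from an address outside the acl (a VPN or NAT pool, say) gets the external treatment, and, as Glynn notes, an MTA or any other program that sends its queries to some other resolver never sees this override at all.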

Re: DNS Problem

on 27.01.2006 23:09:25 by foo

Or you could just set an entry like

10.21.23.20 mail.yourdomain.org

on every client machine (/etc/hosts or
%windir%\system32\drivers\etc\hosts (could be different for win2k)).

You could set that up using a logon script (active directory or
samba, doesn't matter), or by tricking users with candy to run the
script manually :)

--Adrian.

At 10:45 PM 1/27/2006, Glynn Clements wrote:

>gerardo juarez-mondragon wrote:
>
> > I have the following situation
> >
> >    internet              internet
> >       |                     |
> >       |                     |
> >  mail server ----------- firewall
> > (10.21.23.20)         (10.21.23.21)
> >                             |
> >                             |
> >                          intranet
> >                       (192.168.x.x)
> >
> > The firewall is also a caching DNS, to speed up
> > lookups and overcome DNS server downtime. My
> > problem is that when I lookup the mail server
> > the address I receive from 10.21.23.21 is the
> > external address, as seen from outside.
> > I would like the address to be resolved for
> > internal machines as the shortcut 10.21.23.20.
> > The routes are correct according to traceroute.
> >
> > I thought that if I modified the firewall's
> > /etc/hosts including the address of the mail
> > server as 10.21.23.20 and setting nsswitch.conf
> > to hosts: files dns
> > would make it work, but the cached address seems
> > to have priority.
>
>A DNS server is exactly that: a DNS server. Local name-service
>mechanisms (/etc/hosts, /etc/host.conf, /etc/nsswitch.conf etc) only
>affect the results of gethostbyname() and similar functions, and won't
>have any effect upon the behaviour of named or other DNS daemons, or
>any programs which perform DNS queries directly (e.g. most MTAs).
>
>If the DNS server is running BIND 9.x, you can use the "view"
>statement to provide different information for a domain depending upon
>who is asking. The view statement is described in sections 6.2.19 and
>6.2.20 of the BIND Administrator Reference Manual.
>
>--
>Glynn Clements

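An idempotent hosts-file update in the spirit of Adrian's per-client approach, as an added example that is not from the thread: a logon script can run it on every client as often as it likes. The name and address (mail.yourdomain.org -> 10.21.23.20) are the thread's; the function names and the Windows path derivation are mine. It changes only the one mapping and leaves every other line alone, which matters because the hosts file is a favourite place for malware to plant its own entries and a careless script that rewrites the whole file hides that.

```python
"""Added example (not from the thread): pin one hostname in a hosts file
without disturbing anything else in it, so a logon script can apply it on
every client repeatedly. Name and address are the thread's
(mail.yourdomain.org -> 10.21.23.20); function names are mine.
"""
import os
import sys

# Default hosts path per platform (Windows form assumed from the thread's %windir% path).
HOSTS_PATH = (
    os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")
    if sys.platform == "win32"
    else "/etc/hosts"
)
MARK = "# pinned by logon script"


def pin_host(text: str, ip: str, name: str) -> str:
    """Return hosts-file text with exactly one uncommented entry mapping `name` to `ip`.

    Every other line is kept as it was. An earlier line that also lists `name`
    loses just that alias (or is dropped if `name` was its only one), because
    resolvers take the first matching line and a stale mapping would win over ours.
    """
    out = []
    wanted = name.lower()
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and wanted in (f.lower() for f in fields[1:]):
            rest = [f for f in fields[1:] if f.lower() != wanted]
            if not rest:
                continue                     # the line carried only our name: drop it
            line = "\t".join([fields[0], *rest]) + (" " + sep + comment if sep else "")
        out.append(line)
    out.append(f"{ip}\t{name}\t{MARK}")
    return "\n".join(out) + "\n"


def pin_host_in_file(path: str, ip: str, name: str) -> bool:
    """Rewrite `path` only if the pinned entry is missing or wrong; True if it changed."""
    with open(path, encoding="utf-8") as fh:
        current = fh.read()
    updated = pin_host(current, ip, name)
    if updated == current:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    changed = pin_host_in_file(HOSTS_PATH, "10.21.23.20", "mail.yourdomain.org")
    print("hosts file updated" if changed else "hosts file already correct")
```

Run it with administrator or root rights from the logon script. Keep Glynn's caveat in mind: this only steers programs that resolve through the C library or the Windows resolver; a mail client or MTA that queries a DNS server directly will still get the public address.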

Re: DNS Problem

on 28.01.2006 04:57:48 by Stephen Samuel

If the caching nameserver doesn't provide any DNS services for
external machines, then you can simply add a 'domain' entry for
the mail server...

in named.conf :
zone "mail.server.mydomain.com" { type master; file "db.fakemail"; };

in db.fakemail:
; $TTL 9000
@ IN SOA firewall.mydomain.com. myname.myhost.mydomain.com. (
2005090107
15000 ; Refresh slave check every 4 hours
720 ; slaves retry every 12 min
;; 1209600 ; expire: 2 weeks
864000 ; expire: 240 hours
4320 ; TTL external caches last 72 min

)

;
;Name Servers for Mail server
;
; not external, so geographically diverse rule is moot.
; if you have a redundant server on your net list it here.
        IN NS firewall.mydomain.com.
; Record for the mail server... (that is the "domain" you claimed in named.conf)
@ IN A 65.110.6.163


=======================================
That's about it. The '@' gets replaced by the domain name mentioned
in the named.conf Zone record.

This doesn't mess up your firewall's status as a 'caching nameserver'.
It is a regular nameserver that doesn't happen to be authoritative
for any domains.... Nothing really special about them at all.




Adrian C. wrote:

>
> Or you could just set an entry like
>
> 10.21.23.20 mail.yourdomain.org
>
> on every client machine (/etc/hosts or
> %windir%\system32\drivers\etc\hosts (could be different for win2k)).
>
> You could set that up using a logon script (active directory or samba,
> doesn't matter), or by tricking users with candy to run the script
> manually :)
>
> --Adrian.
>
> At 10:45 PM 1/27/2006, Glynn Clements wrote:
>
>> gerardo juarez-mondragon wrote:
>>
>> > I have the following situation
>> >
>> >    internet              internet
>> >       |                     |
>> >       |                     |
>> >  mail server ----------- firewall
>> > (10.21.23.20)         (10.21.23.21)
>> >                             |
>> >                             |
>> >                          intranet
>> >                       (192.168.x.x)
>> >
>> > The firewall is also a caching DNS, to speed up
>> > lookups and overcome DNS server downtime. My
>> > problem is that when I lookup the mail server
>> > the address I receive from 10.21.23.21 is the
>> > external address, as seen from outside.
>> > I would like the address to be resolved for
>> > internal machines as the shortcut 10.21.23.20.
>> > The routes are correct according to traceroute.
>> >
>> > I thought that if I modified the firewall's
>> > /etc/hosts including the address of the mail
>> > server as 10.21.23.20 and setting nsswitch.conf
>> > to hosts: files dns
>> > would make it work, but the cached address seems
>> > to have priority.
>>
--

Stephen Samuel +1(604)450-0066 samnospam@bcgreen.com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.

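A model of how BIND 9 picks a view and answers a query, as an added example that is not code from the thread; it covers both Glynn's 'view' suggestion and the internal-only zone Stephen shows. It reproduces the rules that matter here: match-clients ACL elements are evaluated in order and the first hit decides (a leading '!' negates), views are tried in configuration order and the first match wins, each view has its own zones and recursion setting, and a client matching no view is refused. The mail host name mail.example.com, its public address 192.0.2.20 and the outside client 203.0.113.5 are assumptions (documentation ranges standing in for the real ones).

```python
"""Added example (not from the thread): a model of BIND 9 view selection for
the split-horizon setup discussed above. Assumed names/addresses:
mail.example.com, public address 192.0.2.20, outside client 203.0.113.5.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# What the upstream (Internet) resolvers would answer; constructed sample data.
UPSTREAM = {"mail.example.com": "192.0.2.20", "www.example.com": "192.0.2.80"}


@dataclass
class View:
    name: str
    match_clients: list                          # ordered ACL: "any", "10.0.0.0/8", "!10.9.0.0/16"
    zones: dict = field(default_factory=dict)    # qname -> A record served from this view
    recursion: bool = False

    def matches(self, client: str) -> bool:
        """Evaluate the ACL the way BIND does: the first matching element decides."""
        addr = ip_address(client)
        for entry in self.match_clients:
            if entry == "any":
                return True
            if entry == "none":
                return False
            negate = entry.startswith("!")
            if addr in ip_network(entry.lstrip("!"), strict=False):
                return not negate
        return False                             # nothing matched


def select_view(views: list, client: str):
    """Views are tried in configuration order; the first match wins."""
    for view in views:
        if view.matches(client):
            return view
    return None


def resolve(views: list, client: str, qname: str):
    """Return (rcode, answer) as the firewall's named would for this client.

    allow-query is not modelled separately: a view that serves no zones and
    allows no recursion refuses everything, which is the external view here.
    """
    view = select_view(views, client)
    if view is None:
        return "REFUSED", None                   # no view matched the client
    if qname in view.zones:
        return "NOERROR", view.zones[qname]      # authoritative data in this view
    if not view.recursion:
        return "REFUSED", None                   # not ours and recursion denied
    if qname in UPSTREAM:
        return "NOERROR", UPSTREAM[qname]        # recursed via the upstream servers
    return "NXDOMAIN", None


def split_horizon() -> list:
    """The intended layout: internal view first, catch-all external view last."""
    internal = View(
        "internal",
        ["127.0.0.1/32", "10.21.23.0/24", "192.168.0.0/16"],
        zones={"mail.example.com": "10.21.23.20"},   # override just this one name
        recursion=True,
    )
    external = View("external", ["any"], recursion=False)
    return [internal, external]


if __name__ == "__main__":
    views = split_horizon()
    for client in ("192.168.1.10", "10.21.23.20", "127.0.0.1", "203.0.113.5"):
        print(client, resolve(views, client, "mail.example.com"))
    # Order matters: with the catch-all first, intranet hosts never reach the internal view.
    print("misordered:", resolve(list(reversed(views)), "192.168.1.10", "mail.example.com"))
```

The misordered case is the one worth remembering: swap the two views and every intranet client silently falls into the external view, which is the same symptom as the original problem (or worse, if the external view is an open recursive resolver). The negation form is how you carve a guest VLAN out of the internal view without listing every other subnet.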

Re: DNS Problem

on 16.02.2006 03:10:37 by gerardo juarez-mondragon

Sorry for the very late follow up, and thanks to
Adrian C., Glynn Clements and urgrue for their
answers. I solved it with the 'view' option.

Gerardo



