On Fri, Jan 30, 2004 at 05:18:51PM +0100, Eric Dondelinger wrote:
Let's suppose I have a network with a DMZ, with
external and internal
DNS servers, with different definitions for my domain in both.
Now, for whatever reason, my internal servers are
slower to
resolve external addresses than the external ones,
Probably because the external ones (your ISP's, I guess) often already
have the answer in their cache, while yours must do full resolution.
and I'd like to use those as forwarders, for
stuff other than my own
domain (and subdomains),
When I try to go through the "forward first"
option, it seems that
*all* requests go to the external DNS servers,
Err... I'm using such a setup, and I have never encountered any
problem. How did you "see" that all requests go to the external DNS
servers?
I checked with tcpdump: a query for an internal name doesn't generate
any DNS traffic to the outside. Here is my named.conf:
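// Address match lists. BIND does not allow forward references to an acl
// name, so these are defined before the options block that uses "local"
// (allow-query) and "public_ip4" (listen-on).
acl local {
127.0.0.1;
10.0.0.0/24;
2001:888:19f0::/64;
::1;
};
// The only host allowed to pull zone transfers (see view "slaves").
acl slaves {
212.204.230.141;
};
acl public_ip4 { 213.84.238.144; };
acl public_ip6 { 2001:888:19f0::1; };
acl public_ips {
public_ip4;
public_ip6;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// A fixed, predictable source port makes forged answers easier to
// match to outstanding queries; leave this commented out unless the
// firewall really requires it.
// query-source address * port 53;
// Upstream resolvers (the ISP's) consulted before this server recurses
// on its own. Forwarding only applies to queries this server would
// otherwise have to recurse for; names in the authoritative zones of the
// views below are answered locally and never leave the box.
forwarders {
194.109.104.104;
194.109.6.66;
};
// Ask the forwarders first; if they do not answer, fall back to full
// recursion from the root hints.
forward first;
auth-nxdomain no; # conform to RFC1035
// Global default; every view below sets allow-query explicitly.
allow-query {
local;
};
// An empty list matches no client, so zone transfers are refused
// everywhere unless a view overrides this (view "slaves" does).
allow-transfer {
};
listen-on {
127.0.0.1;
10.0.0.0/24;
public_ip4;
};
# Can you believe this? It won't bind to one specific address!!
listen-on-v6 {
any;
};
};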
// First view in the file: views are tried in order, and the first one whose
// match-clients (and match-destinations, if given) accept the query wins.
// Everything in the "local" acl lands here, and this is the only view that
// recurses. allow-transfer is not set, so the global empty list applies and
// no transfers are served from this view.
view private {
match-clients { local; } ;
recursion yes;
allow-query { local; };
# The common rigmarole
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
# My domains
// Same zone file as in the public views below, so internal and external
// clients get identical mamane.lu data from this server. Split-horizon
// answers (different data inside and outside) would need a separate file.
zone "mamane.lu" {
type master;
file "/etc/bind/db.mamane.lu";
};
zone "0.f.9.1.8.8.8.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.2001:888:19f0";
};
# Semi-deprecated. For compatibility use only!
# This means it contains everything that deals with
# private IPv4 addresses. Services will migrate
# to .mamane.lu as they go to IPv6.
# When not using IPv4 any more, this zone will disappear.
// Defined in this view only, so internal-only names stay invisible to the
// public views; queries for them from outside get no zone to match.
zone "home.mamane.lu" {
type master;
file "/etc/bind/db.home";
};
# Now, things that are specific to my internal IPv4 network
// Reverse zones for RFC 1918 space, likewise internal-only.
zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10.0.0";
};
zone "1.0.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10.0.1";
};
};
# I'm the only IPv6-reachable DNS,
# so serve them. Don't be publicly reachable
# any more when topaz gets IPv6
// Authoritative-only view for queries arriving on the public IPv6 address.
// recursion is off and allow-transfer is none, so the open allow-query
// exposes nothing beyond the two zones listed here.
view public_ipv6 {
match-destinations { public_ip6; };
# Only IPv6 clients!
# No IPv4 addresses, no IPv4-mapped addresses, and no local clients.
// Address match lists stop at the first entry that matches, so the
// negated entries must stay ahead of "any".
// NOTE(review): the IPv4-mapped prefix is ::ffff:0:0/96; /80 is wider than
// that (it also covers ::/96 compatible addresses and ::1). Wider is the
// safe direction, but confirm it is intended and that this BIND version
// accepts a prefix whose host bits are non-zero.
match-clients { ! 0.0.0.0/0; ! ::ffff:0.0.0.0/80; !local; any;};
allow-query { any; };
allow-transfer { none; };
recursion no;
zone "mamane.lu" {
type master;
file "/etc/bind/db.mamane.lu";
};
zone "0.f.9.1.8.8.8.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.2001:888:19f0";
};
};
# Public IPv4 access is only for slaves!
// Authoritative-only view for the secondary listed in the "slaves" acl,
// reached on the public IPv4 address. Any other client hitting that
// address matches no view at all and is refused.
view slaves {
match-destinations { public_ip4; } ;
match-clients { slaves; } ;
recursion no;
// Redundant with match-clients above, but keeps the restriction
// explicit inside the view.
allow-query { slaves; };
// Transfers are authorized by source address only. NOTE(review): a TSIG
// key on the transfer would tie it to a shared secret instead of an IP.
allow-transfer { slaves; };
zone "mamane.lu" {
type master;
file "/etc/bind/db.mamane.lu";
};
zone "0.f.9.1.8.8.8.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.2001:888:19f0";
};
};
--
Lionel