Linux Format forums Help, discussion, magazine feedback and more
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Thu Jan 19, 2012 9:57 pm Post subject: Internal/External Network configuration
ServerA (192.168.0.1) has a wireless connection to the Internet.
A home-brew DNS ServerB (192.168.0.2) runs Bind for internal host name resolution, with its default gateway set to .1.
My DesktopA (192.168.0.50) has 192.168.0.2 set as its name server in /etc/resolv.conf. It also knows that ServerA is the default gateway, and has that IP address (.1) configured accordingly.
A DesktopB (192.168.0.51) also exists and is similarly configured.
From my desktop, I can do 'ping DesktopB' and it resolves that to the .51 address and gets a return happily. Same thing in reverse (i.e., DesktopB can ping DesktopA by name, without issue).
If either desktop says "ping www.google.com", however, we get nothing. Internal names are resolved, in other words, but nothing which points outside the building.
I am unclear how to configure the DNS server to say, "I cannot resolve this, so let me pass it on to the external (ISP) nameservers", especially when to do so would require the DNS server to know to route the request via ServerA and its wireless connection. (Which it's supposed to, because it's been told that ServerA is the default gateway and it knows from the forwarders section of named.conf what the ISP's nameservers' IP addresses are).
All machines are running Centos 6.2, 64-bit. All have .1 configured as the default gateway. ServerB has itself configured as its DNS1 server in /network-scripts/ifcfg-eth0, but does have "forward first;" and "forwarders { 61.9.211.1; 61.9.195.193; };" set in its named.conf (those are the IP addresses of my ISP's DNS servers).
Any guidance, please, would be appreciated.
wyliecoyoteuk LXF regular

Joined: Sun Apr 10, 2005 11:41 pm Posts: 3358 Location: Birmingham, UK
Posted: Thu Jan 19, 2012 10:14 pm
It is basically how you set authoritative servers.
If you set a server as authoritative for your domain, it should function for your internal domain and pass everything else outside.
_________________
The sig between the asterisks is so cool that only REALLY COOL people can even see it!
*************** ************
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Thu Jan 19, 2012 10:28 pm
Yup. That's what I've done (or thought I'd done).
In named.conf, I have:
Code:
zone "." IN {
type hint;
file "named.ca";
};
zone "mydomain.home" {
type master;
file "mydomainl.hosts";
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.reverse";
};
So, queries for 'mydomain.home' should be resolved internally (and are), and queries for 'google.com' ought to be handled by the '.' zone, and thus by the 'named.ca' file, which ships with bind and which is, I think, a list of root servers which I haven't altered. But it's this second bit which doesn't work.
The DNS server knows where the default gateway is, so it ought to know how to reach those external servers, but somehow it doesn't.
I guess my specific questions are 1. What should the DNS server have listed in ifcfg-eth0 for its DNS1 (i.e., is it right for my DNS server to refer to itself); 2. Should the default gateway have my internal DNS server set as *its* DNS entry, or should it be using the external ISP servers?
wyliecoyoteuk LXF regular

Joined: Sun Apr 10, 2005 11:41 pm Posts: 3358 Location: Birmingham, UK
Posted: Thu Jan 19, 2012 10:35 pm
Have you set a secondary server?
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Thu Jan 19, 2012 10:37 pm
Do you mean a secondary internal DNS server?
No, if so. There's just the one.
wyliecoyoteuk LXF regular

Joined: Sun Apr 10, 2005 11:41 pm Posts: 3358 Location: Birmingham, UK
Posted: Thu Jan 19, 2012 10:44 pm
Not a DNS expert, but I think you should set the secondary server as an external or edge one, unless your authoritative server is external or a router.
E.g. our internal DNS server is our DC, the secondary server is the smoothwall router, which functions as a DNS relay.
Could be wrong.
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Thu Jan 19, 2012 10:54 pm
I don't have a secondary DNS server.
I'm not clear what you're suggesting I do. Sorry.
I have one internal DNS server that is authoritative for my internal domain. I need it to be able to forward requests via the default gateway when they relate to external domains.
The internal DNS server knows the default gateway address. It also knows to forward to my ISP's servers for non-internal requests, but doesn't appear to do so:
(Incidentally, if I change my desktop's resolv.conf and point it to an old Centos 4.8 server that's running an older version of bind in an almost-identical configuration, this is what happens:
Code:
[root@dirac ~]# nslookup www.google.com
Server: 192.168.0.71
Address: 192.168.0.71#53
Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.237.145
Name: www.l.google.com
Address: 74.125.237.146
Name: www.l.google.com
Address: 74.125.237.147
Name: www.l.google.com
Address: 74.125.237.148
Name: www.l.google.com
Address: 74.125.237.144
I could live with my Centos 4.8 box, I suppose... but it's nearing end-of-life as an O/S, so I'd like to get my Centos 6.2 version working the same way.)
nelz Moderator

Joined: Mon Apr 04, 2005 12:52 pm Posts: 8000 Location: Warrington, UK
Posted: Thu Jan 19, 2012 10:59 pm
Bind is way over the top for what you are trying to do, and causes the complication you are running into. dnsmasq is designed for just this job and is a complete doddle to set up compared to Bind.
_________________
Unix is user-friendly. It's just very selective about who it's friends are.
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Thu Jan 19, 2012 11:06 pm
Not really. I have 28 different virtual machines to deal with, in addition to 6 different physical ones. And there will be more than that over time. Plus I want to know bind for when I use it at work.
Aside from that, bind is really fairly easy to configure (or, at least, was back in centos 4.8 days). It's getting what did work to work in the newer version that's the issue.
So my question about getting bind to work still remains, really... (I find changing car tyres a challenge; I don't just go buy a new car when I get a puncture, though!)
nelz Moderator

Joined: Mon Apr 04, 2005 12:52 pm Posts: 8000 Location: Warrington, UK
Posted: Fri Jan 20, 2012 1:39 am
No, but you do consider the use for it before you choose the type of car. dnsmasq works extremely well with a large local network, the point being that it is designed for just this task, a local name server, and as such works pretty well straight out of the box. However, if you have a particular need to use Bind, that puts a different complexion on things.
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Fri Jan 20, 2012 2:29 am
OK, different analogy then.
If I asked a question about having trouble getting Photoshop to work properly, I doubt you'd consider "far too complex a program; use MS Paint instead" to be a reasonable reply!
My question is about getting bind to work with external addresses. It doesn't matter if you think bind is the wrong program to use or that there are 57 better ways to do names resolution; even if all of that was objectively true, I would still be left with the problem of getting bind to work!
I'm not trying to be snotty about it (and apologise in advance if that's the way it comes across). I just think if someone asks 'how do I do X', it's not always very helpful to tell them that actually they ought to be doing 'A' instead. Especially when 'X' is perfectly respectable, used widely and is something generally considered to be worthwhile.
One day, especially given your recommendation, I may well take a look at dnsmasq. But right now, my problem is with bind... and I'd really appreciate some help on that!
Dutch_Master LXF regular
Joined: Tue Mar 27, 2007 2:49 am Posts: 2353
Posted: Fri Jan 20, 2012 3:30 am
Right. The CentOS server is still working, as you've said. Bind is unlikely to have changed its config files significantly in the time between setting both servers up, so you may get a hint on what Bind config you need for server B by looking at the CentOS server. In fact, you just may as well copy it straight in. Perhaps now is also a good time to take a look at the log files to see why it can't resolve...
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Fri Jan 20, 2012 4:14 am
Been there, tried that. Copying the old config across to the new, I mean. There are some syntactical differences which make absolutely blind copying merely generate errors, but as far as I can tell, they're functionally equivalent.
Ditto with /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/resolv.conf: identical on both old (working) and new (non-functional) machines.
In terms of logging on the Centos 6.2 box, I get lots of this:
Code:
validating @0xb5848a98: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 61.9.211.1#53
error (no valid RRSIG) resolving 'com/DS/IN': 61.9.195.193#53
validating @0xb5848a98: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 61.9.195.193#53
error (no valid RRSIG) resolving 'com/DS/IN': 61.9.211.1#53
validating @0xb544abe8: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 61.9.195.193#53
validating @0xb544abe8: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 61.9.211.1#53
validating @0xb5848a98: com SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'google.com/DS/IN': 61.9.195.193#53
validating @0xb5848a98: com SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'google.com/DS/IN': 61.9.211.1#53
...ending with this:
Code:
error (no valid RRSIG) resolving 'google.com/DS/IN': 192.12.94.30#53
error (no valid DS) resolving 'google.com/A/IN': 61.9.211.1#53
validating @0xb59006a0: google.com A: bad cache hit (google.com/DS)
error (broken trust chain) resolving 'google.com/A/IN': 61.9.195.193#53
I don't really know what any of that means, though. The 61... addresses mentioned are those of my ISP's DNS servers.
I suppose the good news is that the broken DNS box does seem to want to talk to the outside world after all! Not sure what to re-configure to sort out its sense of broken trust, though!
Thanks for prompting me to look at the logs!
dizwell
Joined: Wed Aug 03, 2005 12:05 am Posts: 61
Posted: Fri Jan 20, 2012 4:53 am Post subject: Solved
I've sorted it.
DNSSEC is to blame (or my ISP is, depending on how you look at it).
In the default named.conf for bind 9.7 are these three lines:
Code:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
I changed the values of the first two parameters to 'no', did a service named restart and... immediately external pings started working.
The clue was in the logs (thanks for making me look, as I said!). The fact that it was *expecting* a secure response and wasn't getting one made me check http://lists.fedoraproject.org/pipermail/users/2010-November/386854.html and all the talk there about DNSSEC made me look up how to switch it off.
From what I've read, DNSSEC was baked into Bind around version 9.6. The version on my Centos 4.8 box was 9.2, the version shipped with Centos 6.2 is 9.7... so one doesn't have DNSSEC support (or issues with it!), and the other does.
I suppose my new question now is why this country's largest Telco doesn't appear to support DNSSEC... but I don't feel like battling their tech support to find out!
Last edited by dizwell on Fri Jan 20, 2012 6:19 am; edited 1 time in total
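As an added illustration (not code from the thread), a small Python parser for the `error (...) resolving` lines quoted two posts up: it groups the failures by upstream server and reports whether a forwarder is returning no DNSSEC records at all, which is the case that points to a DNSSEC-capable forwarder (or recursing from the root hints) as the fix that keeps validation switched on. The sample log is constructed in the same format as the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the named log excerpt quoted in the thread
# (the 61.9.x.x addresses are the ISP forwarders the thread names).
SAMPLE_LOG = """\
validating @0xb5848a98: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 61.9.211.1#53
error (no valid RRSIG) resolving 'com/DS/IN': 61.9.195.193#53
validating @0xb544abe8: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 61.9.195.193#53
error (no valid DS) resolving 'google.com/A/IN': 61.9.211.1#53
error (broken trust chain) resolving 'google.com/A/IN': 61.9.195.193#53
"""

# Matches: error (<reason>) resolving '<name>/<type>/IN': <server>#<port>
ERROR_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']*)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9.]+)#(?P<port>\d+)"
)

# Reasons BIND logs when the upstream answer lacks the records needed to prove the chain
# (no RRSIG/DS, no proof of insecurity): a forwarder that strips or never returns
# DNSSEC data, rather than a forged answer whose signature failed to verify.
MISSING_DNSSEC_DATA = {
    "insecurity proof failed", "no valid RRSIG", "no valid DS", "broken trust chain",
}


def parse_validation_errors(text):
    """Return one dict (reason, name, rtype, server, port) per matching log line."""
    return [m.groupdict() for m in map(ERROR_RE.search, text.splitlines()) if m]


def failures_by_server(events):
    """Map each upstream server IP to the set of failure reasons seen from it."""
    by_server = defaultdict(set)
    for e in events:
        by_server[e["server"]].add(e["reason"])
    return dict(by_server)


def diagnose(events):
    """'no-dnssec-data' when every failure from a server is a missing RRSIG/DS/proof
    (fix: a DNSSEC-capable forwarder, or recurse via the root hints), else 'validation-failed'."""
    return {
        server: "no-dnssec-data" if reasons <= MISSING_DNSSEC_DATA else "validation-failed"
        for server, reasons in failures_by_server(events).items()
    }
```

Run `diagnose(parse_validation_errors(open("/var/log/messages").read()))` against the real log to see the verdict per forwarder.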
Dutch_Master LXF regular
Joined: Tue Mar 27, 2007 2:49 am Posts: 2353
Posted: Fri Jan 20, 2012 5:22 am
Glad you got it sorted.