On Mon, 2002-07-08 at 11:39, Ray Olszewski wrote:
> I sent the prior reply you quote below. The reason I said it "depends" is
> because it does. There is no single *right* answer to the follow-up
> question you ask. What is best for you depends on a detailed view of the
> network that the Dachstein router is routing. Either you have to tell us a
> lot about your setup (how many hosts, home or business, what OSs they use,
> how well the AT&T nameservers perform, whether AT&T interferes with use of
> DNS to servers other than its forwarders, and a lot more) or you have to
> assess this stuff yourself and decide what to do.
>
> As a general matter, you have five options:
>
> 1. Tell each host on the LAN, including the LEAF router, to use the AT&T
> nameservers. This will work as long as you have no need to do DNS lookups
> at the LAN level (either you use IP addresses only or every machine has an
> /etc/hosts file to resolve LAN names).
>
> 2. Run dnscache and tinydns on the LEAF router. Have dnscache use the AT&T
> nameservers as forwarders, and have tinydns be authoritative for your LAN
> addresses. In this case, every host has the LEAF router as its nameserver
> (and the LEAF router had 127.0.0.1).
>
> 3. Run some DNS server (can dnscache do this? I forget) on the LEAF router
> that bypasses the AT&T nameservers and builds up its own cache, starting at
> the DNS root servers. Everything else is the same as #2.

The preceding is the default behavior of dnscache (as shipped by djb; I'm not positive about the version provided with LEAF distros).

>
> 4. Run a DNS server on some LAN host, and have it both be authoritative for
> the LAN and forward to the AT&T nameservers for outside queries. This is
> easy to do if you have another Linux host around; I don't know what
> BIND-like packages are available for Windows, so I don't know if it is a
> realistic option for an all-Windows LAN. In this case, all other hosts
> (including the LEAF router) use the internal host as their DNS server.

The djbdns software (in particular, the combination of dnscache and tinydns) can be used instead of BIND. The djbdns software is putatively more secure than any version of BIND.

BIND can be configured to act as a non-authoritative recursive resolver like dnscache, or as a non-recursive authoritative nameserver like tinydns. That means one can use dnscache with BIND or tinydns with BIND.

>
> 5. The same as #4, except bypass the AT&T nameservers for external resolution.

I use dnscache and BIND in this configuration. DHCPD running on the same box dynamically updates BIND, which is the authoritative nameserver for my local network.

www.lifewithdjbdns.com and cr.yp.to/djbdns.html are (arguably) the best sources of information on djbdns.

-Richard
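Added example, not part of the original message and not code from the LEAF or djbdns distributions: a shell function that writes the dnscache directory layout for options 2 and 3 into a scratch directory, showing that the two differ only in `env/FORWARDONLY` and in what `root/servers/@` lists. The zone name `lan.example`, the 192.168.1 prefix, tinydns listening on 127.0.0.1, and 192.0.2.53 standing in for an ISP nameserver are assumptions.

```shell
#!/bin/sh
# Added illustration, not LEAF's or djbdns's own scripts. It writes a
# dnscache-style directory tree into a scratch directory.
# "lan.example" and the addresses in the demo are constructed placeholders.

# make_dnscache_conf DIR MODE LAN_PREFIX LAN_ZONE TINYDNS_IP SERVER...
#   MODE=forward : SERVERs are the ISP caches to forward to  (option 2)
#   MODE=roots   : SERVERs are root nameserver addresses     (option 3)
make_dnscache_conf() {
    [ $# -ge 6 ] || { echo "usage: DIR MODE PREFIX ZONE TINYDNS_IP SERVER..." >&2; return 1; }
    dir=$1 mode=$2 prefix=$3 zone=$4 tinydns_ip=$5
    shift 5
    mkdir -p "$dir/env" "$dir/root/ip" "$dir/root/servers" || return 1

    case $mode in
        forward) echo 1 > "$dir/env/FORWARDONLY" ;;  # servers/@ = forwarders
        roots)   rm -f "$dir/env/FORWARDONLY" ;;     # servers/@ = root servers
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "$@" > "$dir/root/servers/@"

    # Only clients whose address starts with this prefix may query the cache,
    # which keeps the router from acting as an open resolver.
    : > "$dir/root/ip/$prefix"

    # Send forward and reverse lookups for the LAN to the local tinydns
    # instead of to the outside world.
    rev=$(echo "$prefix" | awk -F. '{ for (i = NF; i > 0; i--) printf "%s.", $i }')
    echo "$tinydns_ip" > "$dir/root/servers/$zone"
    echo "$tinydns_ip" > "$dir/root/servers/${rev}in-addr.arpa"
}

# Demo with constructed values: 192.0.2.53 stands in for an ISP nameserver,
# 198.41.0.4 is a.root-servers.net.
demo=$(mktemp -d)
make_dnscache_conf "$demo/opt2" forward 192.168.1 lan.example 127.0.0.1 192.0.2.53
make_dnscache_conf "$demo/opt3" roots   192.168.1 lan.example 127.0.0.1 198.41.0.4
find "$demo" -type f | sort
```

On a real djbdns install, `dnscache-conf` creates this tree and fills `root/servers/@` with the root server list; only the per-zone files and `FORWARDONLY` need to be added by hand.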
