I finally got around to replacing TinyDNS with MaraDNS. The clients are able
to resolve names, but the router itself isn't able to resolve two names, or
at least it does but then isn't able to ping these two addresses
successfully.
Network schematic:
Internet <---> DCD router <---> internal network
Here's what I did:
took out references to dnscache and tinydns and replaced these with maradns,
pointing to the .lrp package on the floppy.
updated the mararc file with what I believe to be appropriate changes.
Content of mararc file as follows:
# Example mararc file (unabridged version)
hide_disclaimer = "yes"
# The various zones we support
# We must initialize the csv1 hash, or MaraDNS will be unable to
# load any zone files
csv1 = {}
# This is just to show the format of the file
# csv1["example.com."] = "db.example.com"
csv1["dawnsign.com."] = "db.dawnsign.com"
# The address this DNS server runs on. If you want to bind
# to all addresses a given machine has, use "0.0.0.0".
#bind_address = "192.168.1.254"
bind_address = "0.0.0.0"
# The directory with all of the zone files
chroot_dir = "/etc/maradns"
# The numeric UID MaraDNS will run as
# Bering: use dnscache uid
maradns_uid = 1001
# The (optional) numeric GID MaraDNS will run as
maradns_gid = 100
# The maximum number of threads (or processes, with the zone server)
# MaraDNS is allowed to run
maxprocs = 96
# It is possible to specify a different maximum number of processes that
# the zone server can run. If this is not set, the maximum number of
# processes that the zone server can have defaults to the 'maxprocs' value
# above
# max_tcp_procs = 64
# Normally, MaraDNS has some MaraDNS-specific features, such as DDIP
# synthesizing, a special DNS query ("erre-con-erre-cigarro.maradns.org."
# with a TXT query returns the version of MaraDNS that a server is
# running), unique handling of multiple QDCOUNTs, etc. Some people
# might not like these features, so I have added a switch that lets
# a sys admin disable all these features. Just give "no_fingerprint"
# a value of one here, and MaraDNS should be more or less
# indistinguishable from a tinydns server.
no_fingerprint = 0
# Normally, MaraDNS only returns A and MX records when given a
# QTYPE=* (all RR types) query. Changing the value of default_rrany_set
# to 15 causes MaraDNS to also return the NS and SOA records, which
# some registrars require. The default value of this is 3
default_rrany_set = 3
# These constants limit the number of records we will display, in order
# to help keep packets 512 bytes or smaller. This, combined with round_robin
# record rotation, help to use DNS as a crude load-balancer.
# The maximum number of records to display in a chain of records (list
# of records) for a given host name
max_chain = 8
# The maximum number of records to display in a list of records in the
# additional section of a query. If this is any value besides one,
# round robin rotation is disabled (due to limitations in the current
# data structure MaraDNS uses)
max_ar_chain = 1
# The maximum number of records to show total for a given question
max_total = 20
# The number of messages we log to stdout
# 0: No messages except for fatal parsing errors and the legal disclaimer
# 1: Only startup messages logged (default)
# 2: Error queries logged
# 3: All queries logged (but not very verbosely right now)
verbose_level = 2
# Initialize the IP aliases, which are used by the list of root name servers,
# the ACL for zone transfers, and the ACL of who gets to perform recursive
# queries
ipv4_alias = {}
# Various sets of root name servers
# Note: Netmasks can exist, but are ignored when specifying root name server
# ICANN: the most common and most controversial root name server
# http://www.icann.org
ipv4_alias["icann"] = "198.41.0.4,128.9.0.107,192.33.4.12,128.8.10.90,192.203.23 <omitted>
# OSRC: http://www.open-rsc.org/
ipv4_alias["osrc"] = "199.166.24.1,205.189.73.102,199.166.24.3,207.126.103.16,19 <omitted>
# AlterNIC: http://www.alternic.org/
ipv4_alias["alternic"] = "160.79.129.192,24.6.78.12,160.79.133.70,65.15.8.202,21 <omitted>
# OpenNIC: http://www.opennic.unrated.net/
ipv4_alias["opennic"] = "131.161.247.226,209.151.84.102,64.247.218.140,64.247.21 <omitted>
# Pacific Root: http://www.pacificroot.com/
# Disabled because Pacific Root no longer runs traditional style root
# servers
#ipv4_alias["pacificroot"] = "204.107.129.2,208.179.42.162,12.28.140.20,204.107. <omitted>
# IRSC: http://www.irsc.ah.net/
# This group was terminated January 2002
#ipv4_alias["irsc"] = "203.21.205.2,203.21.205.3,212.234.36.20,212.234.36.19,207 <omitted>
# TINC: http://www.tinc-org.com/
# On 2002/11/15, the tinc domain was owned by a domain squatter
# The only working server on this list is 145.89.234.7
#ipv4_alias["tinc"] = "64.6.65.10,208.128.113.35,212.172.21.254,207.112.147.14,1 <omitted>
# Super Root: http://www.superroot.org/
# They no longer use a traditional list of root servers
#ipv4_alias["superroot"] = "199.5.157.128,199.166.24.12,199.166.28.10,5.189.73.1 <omitted>
# End of list of root name server lists
# Here is an ACL which restricts who is allowed to perform zone transfers from
# the zoneserver program
# VERY IMPORTANT: Do not put spaces in the zone_transfer_acl list
# Good: zone_transfer_acl = "office,home"
# Bad: zone_transfer_acl = "office, home"
# Simplest form: 10.1.1.1/24 (IP: 10.1.1.1, 24 left bits in IP need to match)
# and 10.100.100.100/255.255.255.224 (IP: 10.100.100.100, netmask
# 255.255.255.224) are allowed to connect to the zone server
# NOTE: The "maradns" program does not serve zones. Zones are served
# by the "zoneserver" program.
# zone_transfer_acl = "10.1.1.1/24,10.100.100.100/255.255.255.224"
zone_transfer_acl = "192.168.1.1/24,192.168.2.1/24"
# More complex: We create two aliases: One called "office" and another
# called "home". We allow anyone in the office or at home to perform zone
# transfers
# ipv4_alias["office"] = "10.1.1.1/24"
# ipv4_alias["home"] = "10.100.100.100/255.255.255.224"
# zone_transfer_acl = "office,home"
# More complex than the last example. We have three employees,
# Susan, Becca, and Mia, whose computers we give zone transfer rights to.
# Susan and Becca are system administrators, and Mia is a developer.
# They are all part of the company. We give the entire company zone
# transfer access
# ipv4_alias["susan"] = "10.6.7.8/32" # Single IP allowed
# ipv4_alias["becca"] = "10.7.8.9" # also a single IP
# ipv4_alias["mia"] = "10.8.9.10/255.255.255.255" # Also a single IP
# ipv4_alias["sysadmins"] = "susan,becca"
# ipv4_alias["devel"] = "mia"
# ipv4_alias["company"] = "sysadmins,devel"
# This is equivalent to the above line
# ipv4_alias["company"] = "susan,becca,mia"
# zone_transfer_acl = "company"
# If you want to enable recursion on the loopback interface, uncomment
# the relevant lines in the following section
# Recursive ACL: Who is allowed to perform recursive queries. The format
# is identical to that of "zone_transfer_acl", including ipv4_alias support
ipv4_alias["localhost"] = "127.0.0.0/8,192.168.1.0/24"
recursive_acl = "localhost"
# Random seed file: The file from which we read 16 bytes to get the
# 128-bit random Rijndael key. This is ideally a file which is a good source
# of random numbers, but can also be a fixed file if your OS does not have
# a decent random number generator (make sure the contents of that file are
# random and with 600 perms, owned by root, since we read the file *before*
# dropping root privileges)
random_seed_file = "/dev/urandom"
# The maximum number of elements we can have in the cache. If we have more
# elements in the cache than this amount, the "custodian" kicks in to effect,
# removing elements not recently accessed from the cache (8 elements removed
# per query) until we are at the 99% level or so again.
# maximum_cache_elements = 1024
# It is possible to change the minimum "time to live" for entries in the
# cache; this is the minimum time that an entry will stay in the cache.
# Value is in seconds; default is 300 (5 minutes)
# min_ttl = 300
# CNAME records generally take more effort to resolve in MaraDNS than
# non-CNAME records; it is a good idea to make this higher than min_ttl
# default value is to be the same as min_ttl
# min_ttl_cname = 900
# The root servers which we use when making recursive queries.
# The following line must be uncommented to enable recursive queries
root_servers = {}
# You can choose which set of root servers to use. Current values (set above)
# are: icann, osrc, alternic, opennic, pacificroot, irsc, tinc, and
# superroot. This line must also be uncommented to enable recursive
# queries.
root_servers["."] = "osrc,icann,alternic,opennic"
# You can tell MaraDNS to *not* query certain DNS servers when in recursive
# mode. This is mainly used to not allow spam-friendly domains to resolve,
# since spammers are starting to get in the habit of using spam-friendly
# DNS servers to resolve their domains, allowing them to hop from ISP to
# ISP. The format of this is the same as for zone_transfer_acl and
# recursive_acl
# For example, at the time of this document (August 12, 2001), azmalink.net
# is a known spam-friendly DNS provider (see doc/detailed/spammers/azmalink.net
# for details.) Note that this is based on IPs, and azmalink.net constantly
# changes IPs (as they constantly have to change ISPs)
# 2002/10/12: Azmalink changed ISP again, this reflects their current ISP
#ipv4_alias["azmalink"] = "12.164.194.0/24"
# As of September 20, 2001, hiddenonline.net is a known spam-friendly
# DNS provider (see doc/detailed/spammers/hiddenonline for details).
#ipv4_alias["hiddenonline"] = "65.107.225.0/24"
#spammers = "azmalink,hiddenonline"
# It is also possible to change the maximum number of times MaraDNS will
# follow a CNAME record or a NS record with a glue A record. The default
# value for this is ten.
# max_glueless_level = 10
# In addition, one can change the maximum number of total queries that
# MaraDNS will perform to look up a host name. The default value is 32.
# max_queries_total = 32
# In addition, one can change the amount of time that MaraDNS will wait
# for a DNS server to respond before giving up and trying the next DNS
# server on a list. Note that, the larger this value is, the slower
# MaraDNS will process recursive queries when a DNS server is not
# responding to DNS queries. The default value is two seconds.
# timeout_seconds = 2
# And that does it for the caching at this point
####### end of mararc file #######
I created a new file titled db.dawnsign.com as follows:
# Zone file for dawnsign.com (authoritative zone file)
# last changed by DSS - 6/17/03
# The SOA record must be first, followed by all authoritative NS
# records for this zone.
Sdawnsign.com.|86400|dawnsign.com.|[EMAIL PROTECTED]|19771107|7200|3600|604800
Ndawnsign.com.|86400|ns1.dawnsign.com.
Ndawnsign.com.|86400|ns2.dawnsign.com.
# Some 'IN A' records
Adawnsign.com.|86400|207.158.59.34
Amercury.dawnsign.com.|86400|192.168.1.4
Ans1.dawnsign.com.|86400|192.168.1.254
Ans2.dawnsign.com.|86400|192.168.1.1
Amyrouter.%|86400|192.168.1.254
Aaltair.%|86400|192.168.1.1
Acorona.%|86400|192.168.1.5
Agemini.%|86400|192.168.1.6
Asalive.%|86400|192.168.1.15
Amail.%|86400|192.168.1.4
Asquid.%|86400|192.168.1.35
Akonica.%|86400|192.168.1.160
Awebmail.%|86400|192.168.1.2
Amailscanner.%|86400|192.168.2.3
# An 'IN MX' record
@dawnsign.com.|86400|10|mercury.dawnsign.com.
# An 'IN CNAME' record
Cwww.dawnsign.com.|86400|dawnsign.com.
# An 'IN TXT' record
Tdawnsign.com.|86400|dawnsign.com: Buy products online at http://www.dawnsign.co
# An 'A' record showing the use of percent as a shortcut for the name
# of this zone (in this case, 'dawnsign.com.')
#Aftp.%|3600|10.7.8.9
# A 'TXT' record showing the use of the backslash which allows any
# octal code in the record
#Tpercent.%|7200|Get 50\045 off all \%items\% at dawnsign.com!
# A 'PTR' record which, while marked as unauthoritative, allows this
# program to work with nslookup when bound on IP 127.0.0.3
# NOTE: This record is not part of the dawnsign.com domain, and,
# therefore, can not be transferred with the getzone client
P3.0.0.127.in-addr.arpa.|1234|nslookup.bug.workaround.
P1.0.0.127.in-addr.arpa.|1234|ns1.dawnsign.com.
####### end of db.dawnsign.com file #######
Now, when I ping www.dawnsign.com I see that my request resolves to an IP
address of 207.158.59.34 but then it drops dead announcing it is unable to
reach the host. The same thing occurs if I try to ping www.dawnsignpress.com
which is under our control as well. We use easyDNS to manage our external
domain names and hosts records. When I attempt to ping internal hosts from
the DCD router, it does not resolve; instead it announces the internal host
as an unknown host. However, when I ping internal hosts from a client
inside the internal network, it resolves correctly.
I had hoped that the router would use its own zone file, but I might not be
thinking correctly. At least MaraDNS appears to behave differently from
tinyDNS, which had its internal and external zone files.
If anyone could enlighten me on this subject, I would be grateful.
Especially if there is a method where the router could resolve its own
queries for internal hosts. I also apologize for this lengthy post.
~Doug
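As an added example (not part of Doug's post and not MaraDNS code): a small Python check that parses csv1 "A" records like the ones above, expands the "%" zone shorthand, and reports names that fall outside the recursive_acl (clients there are refused recursion by MaraDNS) or that resolve to a public address, which is what the router's own zone hands back for www.dawnsign.com. The sample zone text and ACL string are constructed from the values quoted in the post.

```python
import ipaddress

# Constructed sample, mirroring records and the recursive_acl from the post.
ZONE_NAME = "dawnsign.com."
RECURSIVE_ACL = "127.0.0.0/8,192.168.1.0/24"
ZONE_CSV1 = """# csv1 zone: S/N/A/C records, '%' stands for the zone name
Sdawnsign.com.|86400|dawnsign.com.|hostmaster@%|19771107|7200|3600|604800
Ndawnsign.com.|86400|ns1.dawnsign.com.
Adawnsign.com.|86400|207.158.59.34
Amercury.dawnsign.com.|86400|192.168.1.4
Amyrouter.%|86400|192.168.1.254
Amailscanner.%|86400|192.168.2.3
Cwww.dawnsign.com.|86400|dawnsign.com.
"""


def parse_acl(acl):
    """MaraDNS ACL string -> list of networks. Accepts ip, ip/bits and
    ip/netmask (e.g. 10.100.100.100/255.255.255.224); spaces are rejected,
    as the mararc comments require."""
    if " " in acl:
        raise ValueError("MaraDNS ACL lists must not contain spaces")
    nets = []
    for item in acl.split(","):
        if "/" not in item:
            item += "/32"          # bare IP means a single host
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_csv1_a_records(text, zone):
    """Return [(name, ip)] for csv1 'A' lines; '%' expands to the zone name."""
    records = []
    for line in text.splitlines():
        if not line or line[0] != "A":   # skip comments and non-A records
            continue
        name, _ttl, addr = line[1:].split("|")
        records.append((name.replace("%", zone), ipaddress.ip_address(addr)))
    return records


def audit(records, recursive_acl):
    """Names whose address is outside the recursive ACL, and names that
    resolve to a public (non-RFC1918) address."""
    nets = parse_acl(recursive_acl)
    outside_acl = [n for n, ip in records if not any(ip in net for net in nets)]
    public = [n for n, ip in records if ip.is_global]
    return outside_acl, public


if __name__ == "__main__":
    print(audit(parse_csv1_a_records(ZONE_CSV1, ZONE_NAME), RECURSIVE_ACL))
```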
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html