See below.

----- Original Message ----- 
From: "Ray Olszewski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "ALParada" <[EMAIL PROTECTED]>
Sent: Friday, November 07, 2003 1:38 PM
Subject: Re: [leaf-user] dnscache


> Sorry to be coming into this one late.
>
> At 12:19 PM 11/7/2003 -0500, ALParada wrote:
> >When I run nslookup I get :
> >
> >*** Can't find server name for address 192.168.63.1: No response from
> >server
> >
> >Where 192.168.63.1 is the loc ip address of LRP. I got it to work using
> >with my ISP DNS servers as forwarders but not with my internal servers.
> >When I use the ISP servers I get a name like
> >null-host.null.bellsouth.net, but if I use my servers I get the above
> >error.
>
> What response *should* these internal DNS servers be giving? That is, if
> you set the host you are testing from to use them directly (not through
> dnscache), what answer does nslookup return? (I ask this because I've found
> that a lot of LAN-authoritative nameservers are not configured correctly to
> respond to reverse-lookup-requests.)


If I do an nslookup with 192.168.63.11 configured as primary I get:

C:\Documents and Settings\aparada>nslookup
Default Server:  mlsad2.mydomain.com
Address:  192.168.63.11

192.168.63.11 is my primary dns server. Yes it's a W2K Server, sorry.

If I change my primary dns to 192.168.63.1 which is the loc of LRP I get:

C:\Documents and Settings\aparada>nslookup
*** Can't find server name for address 192.168.63.1: Non-existent domain
Default Server:  mlsad3.med-lab.com
Address:  192.168.63.13

It obviously goes to the secondary 192.168.63.13


>
> And are you really saying that your ISP's nameservers resolve
> "192.168.63.1" to "a name like null-host.null.bellsouth.net"? How odd.
> Could you post an actual example?

What I am saying is that this is what nslookup shows with LRP as the
primary and my isp as forwarders on the LRP:

C:\Documents and Settings\aparada>nslookup
Default Server:  host1-null.null.bellsouth.net
Address:  192.168.63.1

>
> >I created a policy to allow the fw into the local network, but
> >still no success.
>
> I assume you mean a rule, not a policy. You might describe what you did.
> This is too vague to troubleshoot.

No I meant a policy allowing:

loc   fw   ACCEPT
fw    loc   ACCEPT

I wanted it simple for this test.

>
> >Do the internal servers need any kind of special
> >config to allow the caching server to work?
>
> Probably not. Certainly not if they are reasonably standard Linux servers
> running a recent BIND. But since you tell us absolutely nothing about these
> internal servers, it is hard to be certain.

Answered above.

>
> Your original report (below) says you "can't resolve any names". But the
> example you chose for your test is unusual in two ways -- it is a reverse
> lookup (resolving an address to an FQN), not a name lookup; and it involves
> a LAN-side (private) address.

I never got that far because the server never responded. I couldn't
resolve any names, because my server didn't respond. I should have been
more clear with the problem. The example you are referring to is not a
reverse lookup but rather the response from nslookup. Initially I think
there may have been a permission issue since it couldn't find the lrp
box. Now it says non-existent domain.

>
> What happens if you use nslookup or host to try to resolve some well-known
> FQN, say yahoo.com or google.com (the test Robert actually suggested in his
> reply, below)? Is the result when you point dnscache to your ISP's
> nameservers different from when you point it to your internal nameservers?

Yes when pointing to the ISP it can resolve google and yahoo and so on.
When pointing to my servers I get:

C:\Documents and Settings\aparada>nslookup
*** Can't find server name for address 192.168.63.1: Non-existent domain
Default Server:  mlsad3.med-lab.com
Address:  192.168.63.13

> Can the internal DNS servers resolve these outside names if you point to
> them directly, not through dnscache?

Yes they can. They also have forwarders.
>
> Finally ... if you have full-strength LAN-side DNS servers, why are you
> using dnscache at all? Its main purpose is to reduce the frequency of
> queries to offsite nameservers. You don't gain much, if anything, by
> caching replies from LANside nameservers (they will themselves cache
> offsite replies appropriately, if they follow the standards for DNS servers).

I have a router leading to the other side of the world. I was planning
on using dnscache to help resolve "those" names. There are several DNS
servers there and that is the info I would like to cache. They are also
the forwarders I would like to eventually use but I got an error. So I
thought I'd try my dns as forwarders but it also failed. I am also hoping
to install tinyprox as soon as I have this working.

>
>
> >TIA
> >
> >----- Original Message -----
> >From: "Robert K Coffman Jr - Info From Data Corporation" <[EMAIL PROTECTED]>
> >To: "ALParada" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> >Sent: Friday, November 07, 2003 8:28 AM
> >Subject: RE: [leaf-user] dnscache
> >
> >
> > > Nothing in your config sounds incorrect, but here is what I did:
> > >
> > > 1. change LRP box internal IP
> > > 2. Changed querying hosts IP (actually this may be the default, but I'm
> > > using a 192.168 address) to 192.168
> > > 3. I have logging disabled (its working so I don't need it.)
> > > 4. I have forwardonly enabled
> > > 5. Set my ISPs DNS servers (definitely double check this)
> > > 6. I added the following to shorewall rules:
> > >
> > >
> > > ACCEPT          fw              net             tcp     53
> > > ACCEPT          fw              net             udp     53
> > >
> > > ACCEPT          loc             fw              udp     53
> > >
> > > Try running NSLOOKUP to see if your machine is answering:
> > >
> > > NSLOOKUP
> > > > server yourserversIP
> > > > www.amazon.com
> > > > Server:  myreallyrockinrouter.mydomain.com
> > > > Address:  192.168.2.1
> > >
> > > > Non-authoritative answer:
> > > > Name:    www.amazon.com
> > > > Address:  207.171.181.16
> > >
> > > Hope this helps.
> > >
> > > - Bob Coffman
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of ALParada
> > > Sent: Thursday, November 06, 2003 8:36 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [leaf-user] dnscache
> > >
> > >
> > > Hello,
> > >
> > > I am running Bering with dnscache. Either I don't understand how a
> > > caching server works, or I missed something in the configuration.
> > > Dnscache is running because I verified it with "ps aux". I however can't
> > > resolve any names. I changed the internal ip address under option1. Set
> > > option 4 to yes and option 5 with my isp DNS servers. I added an "accept
> > > loc fw udp 53" under shorewall rules. I also allowed access to the net
> > > from the fw. What am I forgetting? Does dnscache need something like
> > > tinydns to work?  There is also no /var/log/dnscache which I keep seeing
> > > references to. Any help would be appreciated.
>
>
>
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: ApacheCon 2003,
> 16-19 November in Las Vegas. Learn firsthand the latest
> developments in Apache, PHP, Perl, XML, Java, MySQL,
> WebDAV, and more! http://www.apachecon.com/
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
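
Added example, not part of the original message and not code from dnscache or LEAF: the thread shows two different nslookup failures for 192.168.63.1 ("No response from server" and "Non-existent domain"), and Ray's reply points out that resolving that address to a name is a reverse lookup. The Python below builds the reverse (PTR) and forward (A) queries and classifies replies so the two cases can be told apart; the function names, `example.com`, `192.0.2.10` and the replies themselves are constructed for the illustration.

```python
import struct

PTR, A = 12, 1
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def reverse_name(ipv4):
    """Name a resolver is asked for in a reverse lookup of ipv4."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def classify(reply):
    """Map a raw reply (None = timed out) to (outcome, answer_count)."""
    if reply is None:
        return ("NO_RESPONSE", 0)       # nslookup: "No response from server"
    if len(reply) < 12:
        return ("MALFORMED", 0)
    _, flags, _, ancount, _, _ = struct.unpack("!6H", reply[:12])
    if not flags & 0x8000:              # QR bit clear: not a response
        return ("MALFORMED", 0)
    return (RCODE.get(flags & 0xF, "RCODE_%d" % (flags & 0xF)), ancount)

def diagnose(ptr_reply, a_reply):
    """Combine the reverse and forward results into one finding."""
    ptr, a = classify(ptr_reply), classify(a_reply)
    if ptr[0] == a[0] == "NO_RESPONSE":
        return "resolver unreachable: check listener address and port 53 rules"
    if a[0] == "NOERROR" and a[1] > 0:
        if ptr[0] == "NOERROR" and ptr[1] > 0:
            return "forward and reverse lookups both work"
        return "forward lookups work; only the PTR for the resolver is missing"
    return "resolver answers but forward lookup failed (%s): check forwarders" % a[0]

def fake_reply(query, rcode, answer=b""):
    """Constructed reply: echo the question, set QR/RD/RA and the rcode."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

# Constructed sample data; only 192.168.63.1 is taken from the thread.
PTR_Q = build_query(reverse_name("192.168.63.1"), PTR)
A_Q = build_query("example.com", A)
A_RR = b"\xc0\x0c" + struct.pack("!2HIH", A, 1, 60, 4) + bytes([192, 0, 2, 10])
```

To use it against a live resolver, send the query bytes over UDP to port 53 with a timeout and pass `None` to `classify` when the timeout fires.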
