At 09:47 PM 12/22/2003 -0600, Michael D Schleif wrote: [...]
Currently, you are *NOT* authoritative and *CANNOT* assume authority for the kroffts.com domain:
Actually, he can ... in a limited sense. In a way that matters, DNS is just a shared delusion, and as long as he lies about it only when talking to himself, he doesn't hurt anything.
He can configure the DNS server that *LAN* and DMZ hosts use as their resolver (assuming they use an on-LAN host) as authoritative for his domain. External hosts trying to do DNS will never see this server, and it will let him have on-LAN hosts resolve domain names differently (to private addresses, probably) than off-LAN hosts do. This limited sense could easily be adequate to take care of his problems.
That said, it's not the best approach (or at least not the one I prefer). A tidier method is to use an unofficial domain for on-LAN resolution and reserve the registered name for off-LAN use. Here, for example, comarre.com and all the usual variants resolve to external addresses, internally and externally, and internally the pseudo-domain is comarre.lan . (I am authoritative for comarre.com, though, and that simplifies setup. Even so, I do my authoritative DNS on a different host from my local-resolver DNS, to avoid some headaches from running multiple instances of BIND on a host.)
# dnsqr any kroffts.com
255 kroffts.com:
101 bytes, 1+4+0+0 records, response, noerror
query: 255 kroffts.com
answer: kroffts.com 170446 NS ns1.dnsexit.com
answer: kroffts.com 170446 NS ns2.dnsexit.com
answer: kroffts.com 170446 NS ns1.dnsexit.com
answer: kroffts.com 170446 NS ns2.dnsexit.com
# dnsqr mx kroffts.com
15 kroffts.com:
45 bytes, 1+1+0+0 records, response, noerror
query: 15 kroffts.com
answer: kroffts.com 120 MX 5 kroffts.com
# dnsqr a kroffts.com
1 kroffts.com:
45 bytes, 1+1+0+0 records, response, noerror
query: 1 kroffts.com
answer: kroffts.com 109 A 24.210.193.152
# dnsqr soa kroffts.com
6 kroffts.com:
91 bytes, 1+1+0+0 records, response, noerror
query: 6 kroffts.com
answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com 2000060701 1200 1200 604800 1200
# dnsqr any mail.kroffts.com
255 mail.kroffts.com:
48 bytes, 1+1+0+0 records, response, noerror
query: 255 mail.kroffts.com
answer: mail.kroffts.com 120 CNAME kroffts.com
You cannot assert that 192.168.10.1 is mail.kroffts.com with authority, unless you either:
[a] Change DNS configuration at ns{1,2}.dnsexit.com; or
[b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS server for kroffts.com.
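The two layouts discussed in this thread, written out as BIND 9 named.conf and zone-file fragments. This is an added example, not configuration from either poster; it assumes the LAN is 192.168.10.0/24 with the resolver on 192.168.10.1, the file paths under internal/, the view names, and the pseudo-domain kroffts.lan (the poster's own is comarre.lan). The only values taken from the thread are the kroffts.com name, 192.168.10.1 as the intended mail host, and the public records shown in the dnsqr output. Pick one alternative; the two "lan" views are not meant to coexist.

```conf
// ---------------------------------------------------------------------
// Alternative A: the "shared delusion".  The LAN resolver is master for
// a private copy of kroffts.com, but only LAN clients can ever ask it.
// The lie stays harmless exactly as long as the server is unreachable
// from outside, so listen-on / allow-query are pinned to the LAN side.
// ---------------------------------------------------------------------
options {
    directory "/var/named";
    listen-on { 192.168.10.1; 127.0.0.1; };     // assumption: resolver address
    allow-query { 192.168.10.0/24; 127.0.0.1; }; // assumption: LAN range
    allow-recursion { 192.168.10.0/24; 127.0.0.1; };
    recursion yes;
};

view "lan" {
    match-clients { 192.168.10.0/24; 127.0.0.1; };
    recursion yes;
    // Private copy of the registered zone.  Any record the LAN needs
    // (the web A record, the MX) must be duplicated here and kept in
    // step with ns{1,2}.dnsexit.com, or LAN users see stale answers.
    zone "kroffts.com" {
        type master;
        file "internal/kroffts.com.zone";       // assumed path
    };
};

// Catch-all for anything not matched above.  Given listen-on it should
// never match, but it guarantees the private view is never the default.
view "refuse" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};

; ---- file: internal/kroffts.com.zone (Alternative A) ----
$TTL 3600
@       IN SOA  ns.kroffts.com. hostmaster.kroffts.com. (
                2003122201 1200 1200 604800 1200 )
        IN NS   ns.kroffts.com.
ns      IN A    192.168.10.1
mail    IN A    192.168.10.1        ; what the LAN should see (from the thread)
@       IN MX 5 mail.kroffts.com.
@       IN A    24.210.193.152      ; public address copied from the dnsqr
                                    ; output above; must track the real zone

// ---------------------------------------------------------------------
// Alternative B: the poster's preferred layout.  No private copy of the
// registered domain at all: kroffts.com resolves identically inside and
// out through plain recursion, and LAN-only names live under an
// unregistered pseudo-domain (kroffts.lan here, assumed).  Nothing can
// go stale, because nothing is duplicated.
// ---------------------------------------------------------------------
view "lan" {
    match-clients { 192.168.10.0/24; 127.0.0.1; };
    recursion yes;
    zone "kroffts.lan" {
        type master;
        file "internal/kroffts.lan.zone";       // assumed path
    };
};

; ---- file: internal/kroffts.lan.zone (Alternative B) ----
$TTL 3600
@       IN SOA  ns.kroffts.lan. hostmaster.kroffts.lan. (
                2003122201 1200 1200 604800 1200 )
        IN NS   ns.kroffts.lan.
ns      IN A    192.168.10.1
mail    IN A    192.168.10.1        ; LAN hosts talk to mail.kroffts.lan
```

With alternative B, mail.kroffts.com still resolves to the public 24.210.193.152 from inside, so LAN hosts use mail.kroffts.lan for the private address (or the router has to hairpin). With either alternative, the public authoritative service for kroffts.com stays where it is (ns{1,2}.dnsexit.com, or a separate instance of your own, as the reply notes), never on the LAN resolver. The check mirrors the dnsqr commands above: run them once from a LAN host and once from an outside host; only the LAN host should ever see a private answer, and if the outside host does, the listen-on/allow-query restriction has failed.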