My setup is home-user, DSL, Bering 1.2 release. eth0=internet, eth1=private, eth2=DMZ.

I just recently got a mail-server box placed on my long-empty DMZ interface. However this DMZ-located box wouldn't resolve. I mucked with dnscache, attempting to have it serve both eth1 and eth2 queries but dnscache won't accept more than 1 IP address in the /etc/dnscache/env/IP file. Placing 0.0.0.0 there permitted boxes on either interface to resolve but it seemed like dnscache wasn't performing because pings from the router to the internet would take a few seconds to resolve, every time.

I have checked the relevant FAQ (http://leaf.sourceforge.net/devel/jnilo/dnscache.html) and sought within the mail archives but no clear solution was forthcoming. What I did find within the mail archives was an 18-month old discussion with Michael D. Schleif (sub="dnscache vs. dmz ???") where it was pointed out that 1) dnscache can't serve two masters (aka two interfaces) and 2) this is not particularly desired anyway, because of the crossover of the private lan and the DMZ traffic (i.e. security risk).

Thus I concluded that the way to solve my issue (desiring dnscache to be effective on my private LAN as well as the DMZ) was to have a second instance of dnscache running, and set it up to serve only the DMZ.

So I went about creating a copy of the dnscache.lrp package, called dnscach2.lrp. I changed almost all references to "dnscache" to be "dnscach2" for the files within this new dnscach2.lrp. To reduce the size of this dnscach2.lrp package I removed the executable from the dnscach2 package and had the config files within dnscach2 refer to the original dnscache executable. And it works!

So my questions are:
- Is this the proper way to get dnscache functionality on a second interface? (I ask because I saw little about how to solve this issue, and I would have thought that this problem would have been experienced by lots of people and caused them the same difficulty that I had.)
- If this is a proper solution, I'm surprised not to see a pre-existing dnscach2.lrp available. Would someone be interested, if I sent them my dnscach2.lrp file (nice and tiny at 2603 bytes), in placing it on the LEAF site for others to use? If so, and some adjustments should be made to the dnscache documentation, what can I do to assist with this? I don't have CVS experience or anything, but I can modify the HTML files that comprise the dnscache documentation if someone else would upload them.
- As a general curiosity (that I could search on myself, but I don't know that it's germane to my situation): why would someone want dnscache as well as tinydns (as was mentioned in the sub="dnscache vs. dmz ???" thread)?


LEAF absolutely rocks and I want to say a huge thank you to the people who have made it possible.

Finally, some .LRP-package version information in case it's helpful:
Name     Ver    Description
================================================
initrd   V1.2   LEAF Bering initial filesystem
root     V1.2   Core LEAF Bering package
[...]
shorwall 1.4.2  Shoreline Firewall (Shorewall)
dnscache 1.05a  A fast & secure proxy DNS server
dnscach2 1.05a  A fast & secure proxy DNS server

Thanks for any feedback and let me tell ya, I absolutely love my wee LEAF router!

Cheers,
scott; canada
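As an added example (not from the post above, the LEAF project, or the dnscache package), the following POSIX shell script lays out two dnscache instance directories in the djbdns env/ and root/ convention the post refers to (the single-address /etc/dnscache/env/IP file), one bound to the private-interface address and one to the DMZ address, each allowing only its own client prefix. A check function then confirms that neither instance falls back to 0.0.0.0 and that no client prefix is allowed by both, which is the LAN/DMZ crossover the quoted thread warned about. The directory names, interface addresses, client prefixes and upstream server address are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of the LEAF dnscache package.
# Builds two dnscache instance directories in the layout dnscache-conf uses:
#   env/IP          the one address dnscache listens on (a single value only)
#   env/IPSEND      source address for outgoing queries
#   env/CACHESIZE   cache memory, env/DATALIMIT memory limit for the process
#   root/ip/PREFIX  one (empty) file per client prefix allowed to query
#   root/servers/@  servers that queries are sent to
# All addresses used by callers are constructed placeholders.

# make_dnscache_instance DIR LISTEN_IP CLIENT_PREFIX UPSTREAM_IP
make_dnscache_instance() {
    dir=$1; listen_ip=$2; client_prefix=$3; upstream=$4
    mkdir -p "$dir/env" "$dir/root/ip" "$dir/root/servers"
    echo "$listen_ip" > "$dir/env/IP"         # bind to exactly one interface address
    echo "0.0.0.0"    > "$dir/env/IPSEND"     # let the kernel pick the outgoing source
    echo 1000000      > "$dir/env/CACHESIZE"
    echo 3000000      > "$dir/env/DATALIMIT"
    : > "$dir/root/ip/$client_prefix"         # e.g. 192.168.2 allows 192.168.2.0/24
    echo "$upstream"  > "$dir/root/servers/@"
}

# check_no_crossover DIR_A DIR_B
# Returns 0 when the two instances listen on different addresses, neither binds
# 0.0.0.0 (which would expose one cache to every interface), and no client
# prefix is allowed by both; returns 1 otherwise.
check_no_crossover() {
    a=$1; b=$2
    ip_a=$(cat "$a/env/IP"); ip_b=$(cat "$b/env/IP")
    [ "$ip_a" != "$ip_b" ] || return 1
    [ "$ip_a" != "0.0.0.0" ] || return 1
    [ "$ip_b" != "0.0.0.0" ] || return 1
    for p in "$a"/root/ip/*; do
        if [ -e "$b/root/ip/$(basename "$p")" ]; then
            return 1    # same client prefix served by both caches: crossover
        fi
    done
    return 0
}
```

Usage: create the private-LAN instance with its interface address and prefix (for example make_dnscache_instance /etc/dnscache 192.168.1.1 192.168.1 UPSTREAM), the DMZ instance the same way under a second directory, and run check_no_crossover on the two directories before starting the second daemon. The check deliberately rejects 0.0.0.0 in env/IP, since that is the catch-all setting the post found to work but that serves both interfaces from one cache.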


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html