Re: DNS Question

2009-10-28 Thread DAve

Chuck Swiger wrote:

On Oct 23, 2009, at 10:31 AM, Matthew Seaman wrote:
You aren't supposed to use CNAMES for anything found in other RR's; 
in particular, you should always use an A record with the hostnames 
used for nameservers (ie, have an NS record), because you are 
supposed to be using the canonical name rather than an alias.


Errr?  You mean the rule that NS and MX and SRV rdata must include an 
A record rather than a CNAME?  That's true, but what does that have to do 
with web serving?


Consider the case of redirects involving cnames; you end up with a lot 
of extra DNS traffic.


The illegality mentioned further upthread is that you can't use a 
CNAME at a zone apex because of the 'CNAME and other data rule'[*] -- 
as there's always got to be SOA and NS records at the zone apex, if 
you want a web page at 'example.com' you'd have to provide an A or 
AAAA record for it.  Unless you're Verisign and have control over the 
nameservers for .com, this is almost certainly illegal:


example.com. IN CNAME www.example.com

On the other hand:

www.example.com. IN CNAME example.com.

is generally fine.


It's generally fine, sure, but almost never ideal.  You don't save 
traffic by using CNAMEs instead of A records



PS: It's odd where google pulls up references to fairly canonical
docs, sometimes.  I'm not sure I even recognize ua, and I suspect I
deal with two-letter ISO 3166 country names more than most folks do.
Maybe Ukraine?  :-)


Of course it's Ukraine.  .uk was already taken, even though the two 
letter iso-code for this country is officially .gb.  We're in an exclusive 
club of two nations that generally don't use their official iso-code in the 
DNS.  No prizes for guessing which the other one is.


Shucks, how can you pull in Jeopardy references and then deny giving out 
prizes?  Well, my guess would be ie, although people who speak Finnish 
and call their home Suomi might find fi odd, also



Cheers,

Matthew

[*] Little known factoid, but there are two legal exceptions to the 'CNAME 
and other data' rule.  You can have RRSIG or NSEC records at the same label 
as CNAME -- see RFC 4035.  Obscure DNS trivia for 100, Alex...


Regards,



Just so everyone knows, having a domain with a CNAME at the top will 
hose your mail traffic. We tried it, and some servers delivered fine, 
others did not. Checking with dig +trace, and dns stuff, showed the 
problem. Just trying to get an MX record for mainstreetfin.com would fail.


The record we had was,
mainstreetfin.com CNAME website.elliemae.com

And the problem is shown below.

---
DNS Lookup: mainstreetfin.com MX record

Searching for mainstreetfin.com MX record at a.root-servers.net 
[198.41.0.4]: Got referral to M.GTLD-SERVERS.NET. (zone: com.) [took 39 ms]


Searching for mainstreetfin.com MX record at M.GTLD-SERVERS.NET. 
[192.55.83.30]: Got referral to ns2auth.tls.net. (zone: 
mainstreetfin.com.) [took 11 ms]


Searching for mainstreetfin.com MX record at ns2auth.tls.net. 
[65.123.104.30]: Got CNAME of website.elliemae.com. and referral to 
k.root-servers.net [took 36 ms]


Searching for website.elliemae.com MX record at g.root-servers.net 
[192.112.36.4]: Got referral to I.GTLD-SERVERS.NET. (zone: com.) [took 
143 ms]


Searching for website.elliemae.com MX record at I.GTLD-SERVERS.NET. 
[192.43.172.30]: Got referral to ns2.elliemae.net. (zone: elliemae.com.) 
[took 63 ms]


Searching for website.elliemae.com MX record at ns2.elliemae.net. 
[63.241.88.21]: Timed out. Trying again.


Searching for website.elliemae.com MX record at ns2.elliemae.net. 
[63.241.88.21]: Timed out. Trying again.


Searching for website.elliemae.com MX record at ns1.elliemae.net. 
[216.35.165.21]: Reports that no MX records exist. [took 46 ms]


Response:
No MX records exist for website.elliemae.com. [Neg TTL=300 seconds]

Details:
ns1.elliemae.net. (an authoritative nameserver for elliemae.com.) says 
that there are no MX records for website.elliemae.com.
The E-mail address in charge of the elliemae.com. zone is: 
hostmas...@elliemae.com.


NOTE: One or more CNAMEs were encountered. mainstreetfin.com is really 
website.elliemae.com.




So some mail servers never asked our authoritative servers what the MX 
record was. Interesting.


DAve

--
Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it. John Quincy Adams

http://appleseedinfo.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FW: DNS Question

2009-10-26 Thread krad
2009/10/23 Len Conrad lcon...@go2france.com

 -- Original Message --
 From: krad kra...@googlemail.com
 Date:  Fri, 23 Oct 2009 15:56:40 +0100

 2009/10/23 Sean Cavanaugh millenia2...@hotmail.com
 
 
 
 
   Date: Fri, 23 Oct 2009 08:30:08 -0400
   From: dave.l...@pixelhammer.com
   To: freebsd-questions@freebsd.org
   Subject: DNS Question
  
   Good morning.
  
   I have been asked by my co-workers and sales why I always create an A
   record for new domains we host instead of a CNAME.
  
   The issue I run into lately with some domains is that a client has a
   website with an industry host such as frank.relator.com and he wants to
   have DNS point www.frank.com to frank.relator.com with a CNAME. The
   client does not want an A record for frank.com.
  
   Somewhere, in a class far far away, I was taught a DNS zone had to have
   an A record to function properly. I can't seem to locate anything in the
   RFCs.
  
   Am I wrong?
  
 
 
  I think you are confusing basics of DNS records. You are partially correct
  in that a DNS zone needs an initial A record to be able to translate a name
  to an IP, but there is nothing wrong about setting up a CNAME to point to a
  record in a different zone instead. You just cannot do a zone that has a
  CNAME only that does not, at some point, point to a valid A record. CNAMEs
  are forwarders only whereas A records are actual lookups.
 
  For the proper way to set this up:
 
  The A record would be assigned for the main name that you want to associate
  to an IP address.
  The CNAME record just relates a different name to that original name. This
  allows you to change the IP address of the server and only have to update
  the original A record instead of every DNS record for that server.
 
  For a small number of vhosts, this would not really be an issue, but imagine
  if you were hosting a couple hundred vhosts from a single IP and then had to
  change that IP because you switched your ISP. It would take you a LONG time
  to update them if they were all A records, but only a couple of seconds if
  you had it properly set up as CNAMEs.
 
  www.bobshosting.com.   A      192.168.0.1
  www.vhost1.com.        CNAME  www.bobshosting.com.
  www.vhost2.com.        CNAME  www.bobshosting.com.
  www.vhost3.com.        CNAME  www.bobshosting.com.
  www.vhost4.com.        CNAME  www.bobshosting.com.
 
 
 
  -Sean
 
 
 
 
 I try to use CNAMES as much as possible, for one very good reason. If say I
 have a web server with 1000 vhosts on it. I have one A record for the server
 and all the cnames point at that A record. Now I need to change the IP of
 the server. I update the A record and add a reverse record and I'm done. IF I
 had done it your way with all A records I would now have to go and edit
 another 1000 records. Even worse, if some of these domains are not under my
 control I have to go and liaise with customers, or other third parties, and
 it becomes a complete mess. The chances of me convincing them all and
 coordinating it correctly are minimal 8(

 domains sharing records is better handled by $INCLUDE

 $INCLUDE /path/db.ttl, which contains

 $TTL 6h


 $INCLUDE /path/db.ns, which contains

 @ ns ns1.domain.tld.
 @ ns ns2.domain.tld.

 $INCLUDE /path/db.www, which contains

 @   a ip.ad.re.ss
 www a ip.ad.re.ss

 etc.

 Changing an include file changes all the zone files that include it, giving
 enormous leverage, while removing the extra query required to resolve a
 CNAME to canonical.

 Len



A few massive assumptions here, I feel.

1. All the domains are controlled by said person
2. Are on the same server
3. Fits with the relevant provisioning system
4. Are probably using bind


Re: FW: DNS Question

2009-10-26 Thread DAve

krad wrote:


A few massive assumptions here, I feel.

1. All the domains are controlled by said person
2. Are on the same server
3. Fits with the relevant provisioning system
4. Are probably using bind


You betcha, though all good information.

1. Nope, the CNAME is not controlled by me.
2. Nope, the CNAMEd sites are on another provider.
3. Yes, it is possible by our support system.
4. Nope, no bind here.

I have been reading the info everyone posted, and I configured a domain 
as I was asked. Since the reconfigured domain did no harm to my servers, 
I am inclined to let them do it. Whether it is the right thing to do, or the 
proper thing to do, seems to matter little to those in the big offices. If 
they can find nowhere on the internet where it says THOU SHALL NOT DO 
this, they believe this is industry standard.


So WTH, I'll do it, so long as it doesn't cause my pager to go beep in 
the night.


I am too tired of arguing to keep it up anymore.

Thanks,

DAve





Re: FW: DNS Question

2009-10-25 Thread Arthur Chance

Sean Cavanaugh wrote:

The other interesting side would be reverse DNS lookups. Only one
record would be returned, and most likely would be the original A
record. A nice example of this is doing a basic ping -a www.yahoo.com
which you get back that it is resolving www-real.wa1.b.yahoo.com.

As a comment on reverse DNS lookups, although the example Sean gave 
should have a single PTR entry as the result of a reverse lookup, in 
general reverse DNS lookups can return *multiple* values. If multiple A 
records pointing at the same numeric address exist, the reverse lookup 
on that address must (if correct) return the corresponding multiple names.


RFC 2181 (Clarifications to the DNS Specification), section 10.2:

10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2) indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred.

   Note that while the value of a PTR record must not be an alias, there
   is no requirement that the process of resolving a PTR record not
   encounter any aliases.  The label that is being looked up for a PTR
   value might have a CNAME record.  That is, it might be an alias.  The
   value of that CNAME RR, if not another alias, which it should not be,
   will give the location where the PTR record is found.  That record
   gives the result of the PTR type lookup.  This final result, the
   value of the PTR RR, is the label which must not be an alias.

OK, there's a couple of big questions, which is how many DNS configs 
actually obey this and how much application code allows for it, but 
that's the spec.


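As an added example (not code from the thread), the RFC 2181 section 10.2 text quoted above turned into a check: the PTR RRset for an address may hold several names, every PTR value must be a canonical name rather than an alias, and the reverse label itself may be a CNAME (the RFC 2317 classless delegation case), which the lookup has to follow before reading the PTR. The forward and reverse data, and all names and addresses, are constructed from RFC 2606 / RFC 5737 documentation values; none of it comes from the thread.

```python
"""
Forward/reverse consistency check per RFC 2181 s10.2.

- A PTR RRset may contain more than one name.
- Each PTR value must be a canonical name (no CNAME at that name).
- The reverse owner name being looked up may itself be a CNAME (RFC 2317),
  so the lookup follows aliases before reading the PTR RRset.
- Each PTR value should resolve back to the address (forward-confirmed rDNS),
  which is what mail servers and log analysers rely on.
"""
import ipaddress

MAX_CNAME_HOPS = 8  # assumed hop limit; loop protection for alias chains

# Constructed forward data (not from the thread): {(owner, TYPE): [rdata, ...]}
FORWARD = {
    ("web1.example.net.", "A"):    ["192.0.2.10"],
    ("www.example.com.", "A"):     ["192.0.2.10"],   # second name for the same address
    ("www.example.org.", "CNAME"): ["web1.example.net."],
    ("mail.example.net.", "A"):    ["192.0.2.25"],
    ("ns1.example.net.", "A"):     ["192.0.2.30"],
}

# Constructed reverse data for 192.0.2.0/24
REVERSE = {
    # two PTR RRs in one RRset: permitted by RFC 2181 s10.2
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["web1.example.net.", "www.example.com."],
    # PTR value is an alias: forbidden by RFC 2181 s10.2
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["www.example.org."],
    # RFC 2317 style: the reverse label is a CNAME into a delegated sub-zone
    # and the PTR lives at the alias target
    ("30.2.0.192.in-addr.arpa.", "CNAME"): ["30.0-63.2.0.192.in-addr.arpa."],
    ("30.0-63.2.0.192.in-addr.arpa.", "PTR"): ["ns1.example.net."],
}


def lookup(db, name, qtype, max_hops=MAX_CNAME_HOPS):
    """Resolver-style lookup: follow a CNAME at the owner until the requested
    type is found.  Returns (final owner, rdata list); [] means no data.
    Raises ValueError when the alias chain exceeds max_hops."""
    hops = 0
    while (name, qtype) not in db and (name, "CNAME") in db:
        hops += 1
        if hops > max_hops:
            raise ValueError(f"CNAME chain from {name} too long")
        name = db[(name, "CNAME")][0]
    return name, db.get((name, qtype), [])


def reverse_owner(addr):
    """'192.0.2.10' -> '10.2.0.192.in-addr.arpa.' (IPv6 gives ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def ptr_names(addr):
    """Every name in the PTR RRset for addr, after following a CNAME at the
    reverse label if there is one."""
    _, names = lookup(REVERSE, reverse_owner(addr), "PTR")
    return list(names)


def check_reverse(addr):
    """Problems for addr; an empty list means reverse and forward data agree."""
    names = ptr_names(addr)
    if not names:
        return [f"{addr}: no PTR record"]
    problems = []
    for target in names:
        if (target, "CNAME") in FORWARD:
            problems.append(f"{addr}: PTR value {target} is an alias (RFC 2181 s10.2)")
        _, addrs = lookup(FORWARD, target, "A")
        if addr not in addrs:
            problems.append(f"{addr}: {target} does not resolve back to {addr} "
                            "(reverse not forward-confirmed)")
    return problems


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.25", "192.0.2.30", "192.0.2.99"):
        print(ip, ptr_names(ip), check_reverse(ip) or "OK")
```

The alias case (192.0.2.25) is reported twice on purpose: once because the PTR value is a CNAME, and once because following that CNAME leads to a different address, so the reverse name is not forward-confirmed. Application code that assumes exactly one PTR per address, which Arthur's closing paragraph worries about, would silently drop www.example.com. from the 192.0.2.10 result.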


DNS Question

2009-10-23 Thread DAve

Good morning.

I have been asked by my co-workers and sales why I always create an A 
record for new domains we host instead of a CNAME.


The issue I run into lately with some domains is that a client has a 
website with an industry host such as frank.relator.com and he wants to 
have DNS point www.frank.com to frank.relator.com with a CNAME. The 
client does not want an A record for frank.com.


Somewhere, in a class far far away, I was taught a DNS zone had to have 
an A record to function properly. I can't seem to locate anything in the 
RFCs.


Am I wrong?

Thanks,

DAve





Re: DNS Question

2009-10-23 Thread Matthew Seaman

DAve wrote:

Good morning.

I have been asked by my co-workers and sales why I always create an A 
record for new domains we host instead of a CNAME.


The issue I run into lately with some domains is that a client has a 
website with an industry host such as frank.relator.com and he wants to 
have DNS point www.frank.com to frank.relator.com with a CNAME. The 
client does not want an A record for frank.com.


Somewhere, in a class far far away, I was taught a DNS zone had to have 
an A record to function properly. I can't seem to locate anything in the 
RFCs.


Am I wrong?


Yes, you're wrong.

In terms of web service, you can use either an A record or a CNAME record
to provide the address part of a site's URL[*].  As far as the web server is
concerned, it looks for the 'Host=' line in the HTTP packet to decide what
name-based VHOST to dispatch the query to internally, and doesn't necessarily
do any DNS lookups at all.  Web clients just do a gethostbyname(3) or 
getaddrinfo(3) call to resolve the site name into an IP, and anything 
supported by those (/etc/hosts, NIS, LDAP, DNS) will do the trick.

In terms of the DNS a 'Zone' is a delegated block of the name space under
a single administrative control.  Typically with BIND this maps onto a single
'Zone file' containing all of the DNS resource records for the zone.  The only 
records a zone *has* to have are:

  * 1 SOA record, with the zone serial number

  * Some number of NS records giving the nameservers for the zone.

It's perfectly permissible to have a zone that doesn't contain any A
records (or AAAA records) and in fact, reasonably common: reverse domains
generally contain mostly PTR records. 


Cheers,

Matthew

[*] Possibly others, but A and CNAME are the vast majority.  Being able to
use SRV for webservers would be cool.

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





FW: DNS Question

2009-10-23 Thread Sean Cavanaugh



 Date: Fri, 23 Oct 2009 08:30:08 -0400
 From: dave.l...@pixelhammer.com
 To: freebsd-questions@freebsd.org
 Subject: DNS Question
 
 Good morning.
 
 I have been asked by my co-workers and sales why I always create an A 
 record for new domains we host instead of a CNAME.
 
 The issue I run into lately with some domains is that a client has a 
 website with an industry host such as frank.relator.com and he wants to 
 have DNS point www.frank.com to frank.relator.com with a CNAME. The 
 client does not want an A record for frank.com.
 
 Somewhere, in a class far far away, I was taught a DNS zone had to have 
 an A record to function properly. I can't seem to locate anything in the 
 RFCs.
 
 Am I wrong?
 

 
I think you are confusing basics of DNS records. You are partially correct in 
that a DNS zone needs an initial A record to be able to translate a name to an 
IP, but there is nothing wrong about setting up a CNAME to point to a record in 
a different zone instead. You just cannot do a zone that has a CNAME only that 
does not, at some point, point to a valid A record. CNAMEs are forwarders only 
whereas A records are actual lookups.
 
For the proper way to set this up:
 
The A record would be assigned for the main name that you want to associate to 
an IP address.
The CNAME record just relates a different name to that original name. This 
allows you to change the IP address of the server and only have to update the 
original A record instead of every DNS record for that server.
 
For a small number of vhosts, this would not really be an issue, but imagine if 
you were hosting a couple hundred vhosts from a single IP and then had to 
change that IP because you switched your ISP. It would take you a LONG time to 
update them if they were all A records, but only a couple of seconds if you had 
it properly set up as CNAMEs.
 
www.bobshosting.com.   A      192.168.0.1
www.vhost1.com.        CNAME  www.bobshosting.com.
www.vhost2.com.        CNAME  www.bobshosting.com.
www.vhost3.com.        CNAME  www.bobshosting.com.
www.vhost4.com.        CNAME  www.bobshosting.com.

 
 
-Sean

  


Re: FW: DNS Question

2009-10-23 Thread krad
2009/10/23 Sean Cavanaugh millenia2...@hotmail.com




  Date: Fri, 23 Oct 2009 08:30:08 -0400
  From: dave.l...@pixelhammer.com
  To: freebsd-questions@freebsd.org
  Subject: DNS Question
 
  Good morning.
 
  I have been asked by my co-workers and sales why I always create an A
  record for new domains we host instead of a CNAME.
 
  The issue I run into lately with some domains is that a client has a
  website with an industry host such as frank.relator.com and he wants to
  have DNS point www.frank.com to frank.relator.com with a CNAME. The
  client does not want an A record for frank.com.
 
  Somewhere, in a class far far away, I was taught a DNS zone had to have
  an A record to function properly. I can't seem to locate anything in the
  RFCs.
 
  Am I wrong?
 


 I think you are confusing basics of DNS records. You are partially correct
 in that a DNS zone needs an initial A record to be able to translate a name
 to an IP, but there is nothing wrong about setting up a CNAME to point to a
 record in a different zone instead. You just cannot do a zone that has a
 CNAME only that does not, at some point, point to a valid A record. CNAMEs
 are forwarders only whereas A records are actual lookups.

 For the proper way to set this up:

 The A record would be assigned for the main name that you want to associate
 to an IP address.
 The CNAME record just relates a different name to that original name. This
 allows you to change the IP address of the server and only have to update
 the original A record instead of every DNS record for that server.

 For a small number of vhosts, this would not really be an issue, but imagine
 if you were hosting a couple hundred vhosts from a single IP and then had to
 change that IP because you switched your ISP. It would take you a LONG time
 to update them if they were all A records, but only a couple of seconds if
 you had it properly set up as CNAMEs.

 www.bobshosting.com.   A      192.168.0.1
 www.vhost1.com.        CNAME  www.bobshosting.com.
 www.vhost2.com.        CNAME  www.bobshosting.com.
 www.vhost3.com.        CNAME  www.bobshosting.com.
 www.vhost4.com.        CNAME  www.bobshosting.com.



 -Sean




I try to use CNAMES as much as possible, for one very good reason. If say I
have a web server with 1000 vhosts on it. I have one A record for the server
and all the cnames point at that A record. Now I need to change the IP of
the server. I update the A record and add a reverse record and I'm done. IF I
had done it your way with all A records I would now have to go and edit
another 1000 records. Even worse, if some of these domains are not under my
control I have to go and liaise with customers, or other third parties, and
it becomes a complete mess. The chances of me convincing them all and
coordinating it correctly are minimal 8(


Re: DNS Question

2009-10-23 Thread DAve

Sean Cavanaugh wrote:

  Date: Fri, 23 Oct 2009 08:30:08 -0400
  From: dave.l...@pixelhammer.com
  To: freebsd-questions@freebsd.org
  Subject: DNS Question
 
  Good morning.
 
  I have been asked by my co-workers and sales why I always create an A
  record for new domains we host instead of a CNAME.
 
  The issue I run into lately with some domains is that a client has a
  website with an industry host such as frank.relator.com and he wants to
  have DNS point www.frank.com to frank.relator.com with a CNAME. The
  client does not want an A record for frank.com.
 
  Somewhere, in a class far far away, I was taught a DNS zone had to have
  an A record to function properly. I can't seem to locate anything in the
  RFCs.
 
  Am I wrong?
 

 
I think you are confusing basics of DNS records. You are partially 
correct in that a DNS zone needs an initial A record to be able to 
translate a name to an IP, but there is nothing wrong about setting up a 
CNAME to point to a record in a different zone instead. You just cannot 
do a zone that has a CNAME only that does not, at some point, point to a 
valid A record. CNAMEs are forwarders only whereas A records are actual lookups.
 
For the proper way to set this up:
 
The A record would be assigned for the main name that you want to 
associate to an IP address.
The CNAME record just relates a different name to that original name. 
This allows you to change the IP address of the server and only have to 
update the original A record instead of every DNS record for that server.
 
For a small number of vhosts, this would not really be an issue, but 
imagine if you were hosting a couple hundred vhosts from a single IP and 
then had to change that IP because you switched your ISP. It would take 
you a LONG time to update them if they were all A records, but only a 
couple of seconds if you had it properly set up as CNAMEs.
 
www.bobshosting.com.   A      192.168.0.1
www.vhost1.com.        CNAME  www.bobshosting.com.
www.vhost2.com.        CNAME  www.bobshosting.com.
www.vhost3.com.        CNAME  www.bobshosting.com.
www.vhost4.com.        CNAME  www.bobshosting.com.


 
 
-Sean


All true, and I did not do a very good job of explaining it. My issue 
was that we have requests to use a CNAME for the domain record. Such as 
this.


example.com  CNAME  otherdomain.com
www.example.com  CNAME   otherdomain.com

I was taught this was not good form, but allowed. I can deal with it. 
But what of having a SOA record for example.com, no A or CNAME record 
for the TLD example.com, only hosts such as www, ns1, ftp, etc.


I tried it and it seems to work fine, but doesn't look proper to me. Then 
again I remember when CNAMEs were considered evil.


DAve




Re: FW: DNS Question

2009-10-23 Thread Len Conrad
-- Original Message --
From: krad kra...@googlemail.com
Date:  Fri, 23 Oct 2009 15:56:40 +0100

2009/10/23 Sean Cavanaugh millenia2...@hotmail.com




  Date: Fri, 23 Oct 2009 08:30:08 -0400
  From: dave.l...@pixelhammer.com
  To: freebsd-questions@freebsd.org
  Subject: DNS Question
 
  Good morning.
 
  I have been asked by my co-workers and sales why I always create an A
  record for new domains we host instead of a CNAME.
 
  The issue I run into lately with some domains is that a client has a
  website with an industry host such as frank.relator.com and he wants to
  have DNS point www.frank.com to frank.relator.com with a CNAME. The
  client does not want an A record for frank.com.
 
  Somewhere, in a class far far away, I was taught a DNS zone had to have
  an A record to function properly. I can't seem to locate anything in the
  RFCs.
 
  Am I wrong?
 


 I think you are confusing basics of DNS records. You are partially correct
 in that a DNS zone needs an initial A record to be able to translate a name
 to an IP, but there is nothing wrong about setting up a CNAME to point to a
 record in a different zone instead. You just cannot do a zone that has a
 CNAME only that does not, at some point, point to a valid A record. CNAMEs
 are forwarders only whereas A records are actual lookups.

 For the proper way to set this up:

 The A record would be assigned for the main name that you want to associate
 to an IP address.
 The CNAME record just relates a different name to that original name. This
 allows you to change the IP address of the server and only have to update
 the original A record instead of every DNS record for that server.

 For a small number of vhosts, this would not really be an issue, but imagine
 if you were hosting a couple hundred vhosts from a single IP and then had to
 change that IP because you switched your ISP. It would take you a LONG time
 to update them if they were all A records, but only a couple of seconds if
 you had it properly set up as CNAMEs.

 www.bobshosting.com.   A      192.168.0.1
 www.vhost1.com.        CNAME  www.bobshosting.com.
 www.vhost2.com.        CNAME  www.bobshosting.com.
 www.vhost3.com.        CNAME  www.bobshosting.com.
 www.vhost4.com.        CNAME  www.bobshosting.com.



 -Sean




I try to use CNAMES as much as possible, for one very good reason. If say I
have a web server with 1000 vhosts on it. I have one A record for the server
and all the cnames point at that A record. Now I need to change the IP of
the server. I update the A record and add a reverse record and I'm done. IF I
had done it your way with all A records I would now have to go and edit
another 1000 records. Even worse, if some of these domains are not under my
control I have to go and liaise with customers, or other third parties, and
it becomes a complete mess. The chances of me convincing them all and
coordinating it correctly are minimal 8(

domains sharing records is better handled by $INCLUDE

$INCLUDE /path/db.ttl, which contains

$TTL 6h


$INCLUDE /path/db.ns, which contains

@ ns ns1.domain.tld.
@ ns ns2.domain.tld.

$INCLUDE /path/db.www, which contains

@   a ip.ad.re.ss
www a ip.ad.re.ss

etc.

Changing an include file changes all the zone files that include it, giving 
enormous leverage, while removing the extra query required to resolve a CNAME 
to canonical.

Len



Re: DNS Question

2009-10-23 Thread Len Conrad

All true, and I did not do a very good job of explaining it. My issue 
was that we have requests to use a CNAME for the domain record. Such as 
this.

example.com  CNAME  otherdomain.com
www.example.com  CNAME   otherdomain.com

I was taught this was not good form

worse, it's illegal.

, but allowed. I can deal with it. 
But what of having a SOA record for example.com, no A or CNAME record 
for the TLD example.com, only hosts such as www, ns1, ftp, etc.

I tried it and it seems to work fine, but doesn't look proper to me. Then 
again I remember when CNAMEs were considered evil.

CNAMEs are still evil, unless 
1) no other solution exists and 
2) the user knows how to use CNAMEs (rare).

Len



FW: DNS Question

2009-10-23 Thread Sean Cavanaugh



 Date: Fri, 23 Oct 2009 17:17:48 +0200
 From: lcon...@go2france.com
 To: freebsd-questions@freebsd.org
 Subject: Re: DNS Question
 
 
 All true, and I did not do a very good job of explaining it. My issue 
 was that we have requests to use a CNAME for the domain record. Such as 
 this.
 
 example.com CNAME otherdomain.com
 www.example.com CNAME otherdomain.com
 
 I was taught this was not good form
 
 worse, it's illegal.

How is this illegal? If you are residing your domain on a hosting service, this 
makes sense to me. Granted it's bad form and should have an A record to the host 
for the main domain record, but if I had control over otherdomain.com and not 
example.com and had to change the IP address, example.com would be dead 
until I was able to reach the owner of that domain and have them change their 
DNS info. 
 
 
 , but allowed. I can deal with it. 
 But what of having a SOA record for example.com, no A or CNAME record 
 for the TLD example.com, only hosts such as www, ns1, ftp, etc.
 
 I tried it and it seems to work fine, but doesn't look proper to me. Then 
 again I remember when CNAMEs were considered evil.
 
 CNAMEs are still evil, unless 
 1) no other solution exists and 
 2) the user knows how to use CNAMEs (rare).
 
 Len
 


There is nothing that says you HAVE to have your TLD labelled in DNS. You would 
just run into issues if someone types http://example.com into their web browser 
and does not get a result in DNS.  


 
To clarify on CNAMEs a bit better: CNAMEs are nothing more than DNS aliases. 
The reason you do not want to overuse them is that you could potentially create 
a loop if you are not careful:
 
www.site1.com.    CNAME    www.host1.com.
www.host1.com.    CNAME    www.site1.com.
 
Syntactically, this is correct but would cause an infinite loop until a timeout 
occurred on your computer.
 
Also you want to limit how many weird names you get associated to one box. It 
makes sense if you want www.example.com to point to your web server, which you 
may have officially called srvWeb, but looking at things like a mail server, 
would you rather only have the entry:
 
mail.example.com.    CNAME    srvMail.example.com.
 
or have to edit this:
 
pop3.example.com.    CNAME    srvMail.example.com.
smtp.example.com.    CNAME    srvMail.example.com.
imap.example.com.    CNAME    srvMail.example.com.
 
The other interesting side would be reverse DNS lookups. Only one record would 
be returned, and most likely would be the original A record. A nice example of 
this is doing a basic ping -a www.yahoo.com which you get back that it is 
resolving www-real.wa1.b.yahoo.com.

  


RE: DNS Question

2009-10-23 Thread Len Conrad
 All true, and I did not do a very good job of explaining it. My issue 
 was that we have requests to use a CNAME for the domain record. Such as 
 this.
 
 example.com CNAME otherdomain.com
 www.example.com CNAME otherdomain.com
 
 I was taught this was not good form
 
 worse, it's illegal.


how is this illegal?

CNAME rule: 

a node with a CNAME cannot contain any other records. 

for the node domain.tld:

domain.tld. soa ...
domain.tld. ns ...
domain.tld. cname otherdomain.tld.

this node has a CNAME and other data, so it's illegal, no matter what you 
want to do, or what makes sense to you, or what is convenient for you.

Len




Re: DNS Question

2009-10-23 Thread Chuck Swiger

Hi--

On Oct 23, 2009, at 9:18 AM, Sean Cavanaugh wrote:

worse, it's illegal.


how is this illegal? if you are hosting your domain on a hosting  
service, this makes sense to me. Granted it's bad form and should  
have an A record to the host for the main domain record, but if I  
had control over otherdomain.com and not example.com and had to  
change the IP address, example.com would be dead until I was able  
to reach the owner of that domain and have them change their DNS info.


You aren't supposed to use CNAMES for anything found in other RR's; in  
particular, you should always use an A record with the hostnames used  
for nameservers (ie, have an NS record), because you are supposed to  
be using the canonical name rather than an alias.


See:

http://docstore.mik.ua/orelly/networking/sendmail/ch21_03.htm#SML2-CH-21-SECT-3-2

You might also find a discussion of webserver redirects and the like  
interesting:


  http://www.aitechsolutions.net/cname-serveralias-redirection.html

Regards,
--
-Chuck

PS: It's odd where google pulls up references to fairly canonical  
docs, sometimes.  I'm not sure I even recognize ua, and I suspect I  
deal with two-letter ISO 3166 country names more than most folks do.   
Maybe Ukraine?  :-)



RE: DNS Question

2009-10-23 Thread Sean Cavanaugh

 how is this illegal?
 
 CNAME rule: 
 
 a node with a CNAME cannot contain any other records. 
 
 for the node domain.tld:
 
 domain.tld. soa ...
 domain.tld. ns ...
 domain.tld. cname otherdomain.tld.
 
 this node has a CNAME and other data, so it's illegal, no matter what you 
 want to do, or what makes sense to you, or what is convenient for you.
 


 

 

ah yes, forgot about that. you are correct on that line. 

-Sean


Re: DNS Question

2009-10-23 Thread Matthew Seaman

Chuck Swiger wrote:

Hi--

On Oct 23, 2009, at 9:18 AM, Sean Cavanaugh wrote:

worse, it's illegal.


how is this illegal? if you are hosting your domain on a hosting 
service, this makes sense to me. Granted it's bad form and should have 
an A record to the host for the main domain record, but if I had 
control over otherdomain.com and not example.com and had to change 
the IP address, example.com would be dead until I was able to reach 
the owner of that domain and have them change their DNS info.


You aren't supposed to use CNAMES for anything found in other RR's; in 
particular, you should always use an A record with the hostnames used 
for nameservers (ie, have an NS record), because you are supposed to be 
using the canonical name rather than an alias.


Errr?  You mean the rule that NS and MX and SRV rdata must include an A record
rather than a CNAME?  That's true, but what does that have to do with web
serving? 


The illegality mentioned further upthread is that you can't use a CNAME at a 
zone apex because of the 'CNAME and other data rule'[*] -- as there's always 
got to be SOA and NS records at the zone apex, if you want a web page at 
'example.com' you'd have to provide an A or AAAA record for it.  Unless you're 
Verisign and have control over the nameservers for .com, this is almost 
certainly illegal:

example.com. IN CNAME www.example.com.

On the other hand:

www.example.com. IN CNAME example.com.

is generally fine.


PS: It's odd where google pulls up references to fairly canonical
docs, sometimes.  I'm not sure I even recognize ua, and I suspect I
deal with two-letter ISO 3166 country names more than most folks do.
Maybe Ukraine?  :-)


Of course it's Ukraine.  .uk was already taken, even though the two letter
iso-code for this country is officially .gb.  We're in an exclusive club of
two nations that generally don't use their official iso-code in the DNS.  No
prizes for guessing which the other one is.

Cheers,

Matthew

[*] Little known factoid, but there are two legal exceptions to the 'CNAME
and other data' rule.  You can have RRSIG or NSEC records at the same label
as CNAME -- see RFC 4035.  Obscure DNS trivia for 100, Alex...

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW





Re: DNS Question

2009-10-23 Thread Chuck Swiger

On Oct 23, 2009, at 10:31 AM, Matthew Seaman wrote:
You aren't supposed to use CNAMES for anything found in other RR's;  
in particular, you should always use an A record with the hostnames  
used for nameservers (ie, have an NS record), because you are  
supposed to be using the canonical name rather than an alias.


Errr?  You mean the rule that NS and MX and SRV rdata must include an A record  
rather than a CNAME?  That's true, but what does that have to do with web  
serving?


Consider the case of redirects involving cnames; you end up with a lot  
of extra DNS traffic.


The illegality mentioned further upthread is that you can't use a  
CNAME at a zone apex because of the 'CNAME and other data rule'[*]  
-- as there's always got to be SOA and NS records at the zone apex,  
if you want a web page at 'example.com' you'd have to provide an A  
or AAAA record for it.  Unless you're Verisign and have control over  
the nameservers for .com, this is almost certainly illegal:


example.com. IN CNAME www.example.com.

On the other hand:

www.example.com. IN CNAME example.com.

is generally fine.


It's generally fine, sure, but almost never ideal.  You don't save  
traffic by using CNAMEs instead of A records.



PS: It's odd where google pulls up references to fairly canonical
docs, sometimes.  I'm not sure I even recognize ua, and I suspect I
deal with two-letter ISO 3166 country names more than most folks do.
Maybe Ukraine?  :-)


Of course it's Ukraine.  .uk was already taken, even though the two  
letter iso-code for this country is officially .gb.  We're in an exclusive  
club of two nations that generally don't use their official iso-code in the  
DNS.  No prizes for guessing which the other one is.


Shucks, how can you pull in Jeopardy references and then deny giving  
out prizes?  Well, my guess would be ie, although people who speak  
Finnish and call their home Suomi might find fi odd, also



Cheers,

Matthew

[*] Little known factoid, but there are two legal exceptions to the  
'CNAME and other data' rule.  You can have RRSIG or NSEC records at the  
same label as CNAME -- see RFC 4035.  Obscure DNS trivia for 100, Alex...


Regards,
--
-Chuck



Re: DNS Question

2009-10-23 Thread xSAPPYx
Also, MX needs to resolve to an A, not a CNAME. If you are using mail
on all these domains, use A records.

On Fri, Oct 23, 2009 at 10:19 AM, Sean Cavanaugh
millenia2...@hotmail.com wrote:

 how is this illegal?

 CNAME rule:

 a node with a CNAME cannot contain any other records.

 for the node domain.tld:

 domain.tld. soa ...
 domain.tld. ns ...
 domain.tld. cname otherdomain.tld.

 this node has a CNAME and other data, so it's illegal, no matter what you 
 want to do, or what makes sense to you, or what is convenient for you.







 ah yes, forgot about that. you are correct on that line.



 -Sean
                                          


Re: DNS Question

2009-10-23 Thread RW
On Fri, 23 Oct 2009 10:33:07 -0700
xSAPPYx xsap...@gmail.com wrote:

 Also, MX needs to resolve to an A, not a CNAME. If you are using mail
 on all these domains, use A records.


You can use the domains for mail provided that they share MX
servers: if example.com has a CNAME pointing to example.net then mail
to example.com will use the MX servers for example.net.

What you shouldn't do is mix the CNAME with separate MX records
because it creates an ambiguity.
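The rules argued over in this thread (Len's "CNAME and other data" rule together with Matthew's RFC 4035 footnote, the point that NS and MX rdata must not name an alias, and Sean's two-CNAME loop) checked by a small zone lint. This is an added example, not code from anyone in the thread; it assumes the zone has already been parsed into (owner, type, rdata) tuples, and the sample zone, including its 192.0.2.x addresses and the placeholder RRSIG rdata, is constructed.

```python
# Added example, not code from anyone in the thread: a lint for a zone held
# in memory as (owner, type, rdata) tuples.  It checks the CNAME rules the
# thread discusses:
#   1. "CNAME and other data": a name with a CNAME may hold no other records,
#      except RRSIG and NSEC (RFC 4035).  The apex always carries SOA and NS,
#      so a CNAME at the apex always violates this.
#   2. NS and MX rdata must name an address record owner, not an alias.
#   3. A CNAME chain must terminate; two CNAMEs pointing at each other loop.
# Names are treated as fully qualified and compared case-insensitively.
from collections import defaultdict

CNAME_COEXIST_OK = {"RRSIG", "NSEC"}   # RFC 4035 exceptions


class CnameLoop(ValueError):
    def __init__(self, chain):
        super().__init__("CNAME loop: " + " -> ".join(chain))
        self.members = set(chain)


def index_zone(records):
    """Group records as {owner: {type: [rdata, ...]}} with names lower-cased."""
    idx = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        idx[owner.lower()][rtype.upper()].append(rdata.lower())
    return idx


def check_cname_other_data(idx):
    """Rule 1: report owners where a CNAME sits beside non-DNSSEC data."""
    problems = []
    for owner, rrsets in idx.items():
        if "CNAME" not in rrsets:
            continue
        others = set(rrsets) - {"CNAME"} - CNAME_COEXIST_OK
        if others:
            problems.append(f"{owner}: CNAME coexists with {sorted(others)}")
    return problems


def check_ns_mx_targets(idx):
    """Rule 2: NS and MX rdata must point at a name that is not a CNAME."""
    problems = []
    for owner, rrsets in idx.items():
        for rtype in ("NS", "MX"):
            for rdata in rrsets.get(rtype, []):
                target = rdata.split()[-1]       # MX rdata is "<pref> <host>"
                if "CNAME" in idx.get(target, {}):
                    problems.append(f"{owner}: {rtype} target {target} is a CNAME")
    return problems


def follow_cname(idx, name, max_hops=8):
    """Resolve an alias to its canonical name; return (canonical, chain)."""
    chain, cur = [], name.lower()
    while "CNAME" in idx.get(cur, {}):
        if cur in chain:
            raise CnameLoop(chain + [cur])
        if len(chain) >= max_hops:
            raise ValueError(f"CNAME chain from {name} longer than {max_hops}")
        chain.append(cur)
        cur = idx[cur]["CNAME"][0]
    return cur, chain


def check_cname_loops(idx):
    """Rule 3: report each loop once, from the first owner that enters it."""
    problems, in_loop = [], set()
    for owner, rrsets in idx.items():
        if "CNAME" not in rrsets or owner in in_loop:
            continue
        try:
            follow_cname(idx, owner)
        except ValueError as err:             # CnameLoop or over-long chain
            in_loop.update(getattr(err, "members", ()))
            problems.append(str(err))
    return problems


def lint_zone(records):
    idx = index_zone(records)
    return {"cname_and_other_data": check_cname_other_data(idx),
            "ns_mx_targets": check_ns_mx_targets(idx),
            "cname_loops": check_cname_loops(idx)}


# Constructed sample zone built from the records discussed in the thread.
ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", "otherdomain.com."),      # the apex CNAME Len called illegal
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("www.example.com.", "CNAME", "example.com."),        # fine on its own
    ("mail.example.com.", "CNAME", "srvMail.example.com."),
    ("srvMail.example.com.", "A", "192.0.2.25"),
    ("example.net.", "MX", "10 mail.example.com."),       # MX pointing at an alias
    ("www.site1.com.", "CNAME", "www.host1.com."),        # Sean's loop
    ("www.host1.com.", "CNAME", "www.site1.com."),
    ("signed.example.com.", "CNAME", "www.example.com."),
    ("signed.example.com.", "RRSIG", "CNAME 8 3 300 (placeholder rdata)"),  # allowed by RFC 4035
]

if __name__ == "__main__":
    for rule, found in lint_zone(ZONE).items():
        print(rule, found or "ok")
```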


DNS Question

2008-03-05 Thread 国徽
Hello,

I am building the DNS server, but I can't find the script 
/etc/namedb/make-localhost used in the document, so I can't go on now. Please 
tell me how to find the script. Thank you very much!


Best Regards!

FreeBSD Lover: Erik




Re: DNS Question

2008-03-05 Thread Matthew Seaman

国徽 wrote:
 Hello,
 
 I am building the DNS server, but I can't find the script
 /etc/namedb/make-localhost used in the document, so I can't go on
 now. Please tell me how to find the script. Thank you very much! 
 

Unfortunately the documentation is a bit out of date.  You no longer need
to run 'make-localhost' -- there are pre-built zone files for localhost, and
for 1.0.0.127.in-addr.arpa and the equivalent inverse domain for IPv6-ish
::1 that come with the system and which you can just use without further ado.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK


Re: DNS Question

2008-03-05 Thread David Alanis

Hi Erik:

I don't recall the how-to explaining the usage of this script. I too  
just recently set up a DNS server for a couple of domains. My  
recommendation is to familiarize yourself with the Administrator's  
Reference Manual (ARM) on BIND's website:


http://www.isc.org/index.pl?/sw/bind/arm93/

I found it more valuable than just following someone else's simple steps!

David Alanis

Quoting 国徽 [EMAIL PROTECTED]:


Hello,

I am building the DNS server, but I can't find the script   
/etc/namedb/make-localhost used in the document, so I can't go on   
now. Please tell me how to find the script. Thank you very much!



Best Regards!

Freebsd Lover:Erik




Re: dynamic dns question

2007-06-26 Thread Norbert Papke
On June 25, 2007, gahn wrote:
 hi all:

 could anyone here recommend a software package for
 dynamic dns?

 thanks

I've used http://www.no-ip.com/ for a few years with good success.  There is a 
free version if you're not picky about your domain name.  There is a client 
in the ports (dns/noip).  DD-WRT routers (and possibly others) support it 
directly.

Cheers.


dynamic dns question

2007-06-25 Thread gahn
hi all:

could anyone here recommend a software package for
dynamic dns?

thanks


   



Re: dynamic dns question

2007-06-25 Thread Manolis Kiagias
gahn wrote:
 hi all:

 could anyone here recommend a software package for
 dynamic dns?

 thanks
   
/usr/ports/dns/ddclient

I am using it with no problems on all my Linux/BSD machines.


dns question

2005-01-20 Thread Jeff MacDonald
Not really a FreeBSD question specifically.

My company uses ns.foo.com and ns1.foo.com for primary/secondary DNS; about 200
domains rely on these.

We want a new physical machine, in a different location, with a
different IP to be our secondary DNS. Let's call it www.jerky.com, IP =
244.233.222.211 (imaginary).

Can I just make ns1.foo.com point to the new IP address, and update
the registrar with the new IP for ns1.foo.com, and here's the kicker:

_ NOT have to worry about changing the secondary DNS info for all 200
other domains _

Thanks folks, I hope I wrote my scenario clearly enough.

Jeff.

-- 
Jeff MacDonald
http://www.halifaxbudolife.ca


Re: dns question

2005-01-20 Thread Dick Davies
* Jeff MacDonald [EMAIL PROTECTED] [0157 12:57]:
 Not really a FreeBSD question specifically.
 
 My company uses ns.foo.com and ns1.foo.com for primary/secondary DNS; about 200
 domains rely on these.
 
 We want a new physical machine, in a different location, with a
 different IP to be our secondary DNS. Let's call it www.jerky.com, IP =
 244.233.222.211 (imaginary).
 
 Can I just make ns1.foo.com point to the new IP address, and update
 the registrar with the new IP for ns1.foo.com, and here's the kicker:
 
 _ NOT have to worry about changing the secondary DNS info for all 200
 other domains _

Is the second NS server listed in the domain by hostname?
If so, you'll be alright.
 

-- 
'When you have to kill a man it costs nothing to be polite.'
-- Winston Churchill, On formal declarations of war
Rasputin :: Jack of All Trades - Master of Nuns


Re: dns question

2005-01-20 Thread Jeff MacDonald
I think it depends upon the registrar. Of the 200 domains, they are
probably registered across 2 or 3 registrars.

Some ask for just the host name, while others ask for both hostname and IP.

Jeff.


On Thu, 20 Jan 2005 13:14:01 +, Dick Davies
[EMAIL PROTECTED] wrote:
 * Jeff MacDonald [EMAIL PROTECTED] [0157 12:57]:
  Not really a FreeBSD question specifically.
 
  My company uses ns.foo.com and ns1.foo.com for primary/secondary DNS; about 200
  domains rely on these.
 
  We want a new physical machine, in a different location, with a
  different IP to be our secondary DNS. Let's call it www.jerky.com, IP =
  244.233.222.211 (imaginary).
 
  Can I just make ns1.foo.com point to the new IP address, and update
  the registrar with the new IP for ns1.foo.com, and here's the kicker:
 
  _ NOT have to worry about changing the secondary DNS info for all 200
  other domains _
 
 Is the second NS server listed in the domain by hostname?
 If so, you'll be alright.
 
 
 --
 'When you have to kill a man it costs nothing to be polite.'
 -- Winston Churchill, On formal declarations of war
 Rasputin :: Jack of All Trades - Master of Nuns
 


-- 
Jeff MacDonald
http://www.halifaxbudolife.ca


NAT/DNS question/recommendation?

2005-01-19 Thread Tom Huppi

I have a FreeBSD 5.3 workstation connected to the net via user-ppp
with a dynamic IP.  I have user-ppp doing both NAT and simple
firewall.

I have a headless server box, also 5.3, set up as a NAT client.
I run it only when I need the horsepower since it's loud and sucks
power.

My problem is that the NAT client acts funny.  It makes the
gateway/workstation box dial up when I attempt to automount from
it for example.  Also I've had troubles with ssh delays.  I'm
pretty sure that what is happening is that it wants to use DNS to
resolve names sometime even though all that it needs _should_ be
in the /etc/hosts file (and nsswitch.conf lists files first.)

On the NAT client, I have my defaultrouter set to the NAT server's
IP (in the 172.16 range.)  Also I have my ISP's dns server in
/etc/resolv.conf.  I can't seem to make things work well any other
way.

Can someone recommend a better setup to avoid my problems, or
suggest that I should _not_ be having these problems with this
setup and that something else in my setup must be wrong?

A long, long time ago, I set up a caching-only DNS server on a
gateway box 'for the fun of it.' If there is not a simpler
solution, I'll do it again (though the fun has worn off), but I
thought I'd ask here first.

BTW, I have done some research on this, but really didn't find
that many specific details about NAT client
configuration...possibly I just didn't look hard enough.

Thanks,

 - Tom




Re: NAT/DNS question/recommendation?

2005-01-19 Thread Erik Norgaard
Tom Huppi wrote:
 I have a FreeBSD 5.3 workstation connected to the net via user-ppp
 with a dynamic IP.  I have user-ppp doing both NAT and simple
 firewall.
 
 I have a headless server box, also 5.3, set up as a NAT client.
 I run it only when I need the horsepower since it's loud and sucks
 power.
 
 My problem is that the NAT client acts funny.  It makes the
 gateway/workstation box dial up when I attempt to automount from
 it for example.  Also I've had troubles with ssh delays.  I'm
 pretty sure that what is happening is that it wants to use DNS to
 resolve names sometime even though all that it needs _should_ be
 in the /etc/hosts file (and nsswitch.conf lists files first.)
 
 On the NAT client, I have my defaultrouter set to the NAT server's
 IP (in the 172.16 range.)  Also I have my ISP's dns server in
 /etc/resolv.conf.  I can't seem to make things work well any other
 way.
 
 Can someone recommend a better setup to avoid my problems, or
 suggest that I should _not_ be having these problems with this
 setup and that something else in my setup must be wrong?
 
 A long, long time ago, I set up a caching-only DNS server on a
 gateway box 'for the fun of it.' If there is not a simpler
 solution, I'll do it again (though the fun has worn off), but I
 thought I'd ask here first.
 
 BTW, I have done some research on this, but really didn't find
 that many specific details about NAT client
 configuration...possibly I just didn't look hard enough.

Maybe you are searching for the wrong keywords. I simply haven't heard 
of anyone speak of a NAT client or NAT server before.

Secondly, you haven't told us anything about how things are set up: Are 
you using ipfw, ipf or pf? What are your NAT rules? What are your filter 
rules?

You are trying to automount what? nfs, smbfs?
ssh delays? Did you try to type in the IP to see if it was faster?
I think I get the picture of your network but sometimes it helps a lot 
if you sketch the network with an ASCII diagram, add IPs etc.

Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: NAT/DNS question/recommendation?

2005-01-19 Thread Tom Huppi



On Wed, 19 Jan 2005, Erik Norgaard wrote:

 Tom Huppi wrote:
  I have a FreeBSD 5.3 workstation connected to the net via user-ppp
  with a dynamic IP.  I have user-ppp doing both NAT and simple
  firewall.
 
  I have a headless server box, also 5.3, set up as a NAT client.
  I run it only when I need the horsepower since it's loud and sucks
  power.
 
  My problem is that the NAT client acts funny.  It makes the
  gateway/workstation box dial up when I attempt to automount from
  it for example.  Also I've had troubles with ssh delays.  I'm
  pretty sure that what is happening is that it wants to use DNS to
  resolve names sometime even though all that it needs _should_ be
  in the /etc/hosts file (and nsswitch.conf lists files first.)
 
  On the NAT client, I have my defaultrouter set to the NAT server's
  IP (in the 172.16 range.)  Also I have my ISP's dns server in
  /etc/resolv.conf.  I can't seem to make things work well any other
  way.
 
  Can someone recommend a better setup to avoid my problems, or
  suggest that I should _not_ be having these problems with this
  setup and that something else in my setup must be wrong?
 
  A long, long time ago, I set up a caching-only DNS server on a
  gateway box 'for the fun of it.' If there is not a simpler
  solution, I'll do it again (though the fun has worn off), but I
  thought I'd ask here first.
 
  BTW, I have done some research on this, but really didn't find
  that many specific details about NAT client
  configuration...possibly I just didn't look hard enough.

 Maybe you are searching for the wrong keywords. I simply haven't heard
 of anyone speak of a NAT client or NAT Server before.

I mean one runs NAT, and the other uses it.  I've searched various
things and have run into subtle references which seem related to
my problem (like 'gethostbyname' isn't even supposed to consult
/etc/hosts), but nothing specific.

 Secondly you haven't told us anything about how things are setup: Are
 you using ipfw, ipf or pf? What are your nat-rules? what are your filter
 rules?

I think I did mention that the firewall and NAT are as implemented
in user-PPP.  I could post my rule-set, but it would take a good
bit of space.  Clearly DNS requests from 'the-machine-using-NAT-
but-not-running-it' are dialbound-accept (either that, or
user-ppp's firewall is broken.)  That is not to say I know these
rules are correct, and in fact I had played around with this
aspect of the rules earlier to try to avoid spurious dials
associated with a windows 'machine-using-NAT', but unless there is
a known mechanism associated with the rules which would cause the
unhappiness I'm experiencing, it seems a waste of space.

BTW, it does seem that when the user-ppp daemon is shut down
completely, these delays _don't_ exist, and the problem is
similarly non-noticeable when the connection is actually
established (in spite of the fact that, obviously, my local
hostnames are not known to the global internet.)

If someone knows, for instance, that DNS requests from
'the-machine-not-running-NAT-but-using-it' will quickly and
silently give up _or_ revert to files upon hitting a
dialbound-blocked rule, I can certainly make it so.  Obviously I
don't want to block DNS requests from the
'machine-not-running-NAT'.

 You are trying to automount what? nfs, smbfs?

NFS.  (unix - unix)

 ssh delays? did you try to type in the ip to see if it was faster?

Yup.  No change.  I should have mentioned that for sure.

 I think I get the picture of your network but sometimes it helps a lot
 if you sketch the network with an ASCII diagram, add IPs etc.

 - 172...20
 ip-by-ppp  |  - 172...8
   || |
 net - gw - srvr
  |  | |
info,   u-ppp, dfrtr:isp's dns server
porn,   w/fw   /etc/hosts: 8  srvr.made-up-dom srvr
trash,  w/nat. ...20  gw.made-up-dom gw
etc.defrt set  /e/nsswitch.conf: files dns
 by uppp.
no ipv6ipv6 (and 4)

I just realized that I am setting 'defaultdomain' in the server's
/etc/rc.conf in spite of the fact that I'm not currently running
NIS in my local network.  I'll try getting rid of that to see if
it helps.

BTW, here's the salient part of a tcpdump on the tun0 interface
when I ssh from 'gw' to 'srvr':

 10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
 10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
63948 NXDomain 0/1/0 (119)

So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
to a DNS server.  That's what I thought.  Question is, 'how to
make it stop?'

Here's my /etc/hosts:
---
::1 localhost localhost.huppih.com
127.0.0.1   localhost localhost.huppih.com

172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama
-
and I have tried various permutations of this on both machines
(specifically, the additional 'name.dom.com.' entry which seems to
exist on a CD installation 

Re: NAT/DNS question/recommendation?

2005-01-19 Thread Erik Norgaard
Tom Huppi wrote:
 I mean one runs NAT, and the other uses it.  I've searched various
 things and have run into subtle references which seem related to
 my problem (like 'gethostbyname' isn't even supposed to consult
 /etc/hosts), but nothing specific.

Yeah, I sort of guessed that, I was thinking that if you were googling 
then you should probably search for freebsd gateway ppp nat. The 
common lingo is that your NAT-server is a gateway/firewall and the 
NAT-client is a host.

 I think I did mention that the firewall and NAT are as implemented
 in user-PPP.  I could post my rule-set, but it would take a good
 bit of space.  Clearly DNS requests from 'the-machine-using-NAT-
 but-not-running-it' are dialbound-accept (either that, or
 user-ppp's firewall is broken.)  That is not to say I know these
 rules are correct, and in fact I had played around with this
 aspect of the rules earlier to try to avoid spurious dials
 associated with a windows 'machine-using-NAT', but unless there is
 a known mechanism associated with the rules which would cause the
 unhappiness I'm experiencing, it seems a waste of space.

OK, let me say first that since I have a permanent connection I haven't 
messed much with ppp, but this doesn't seem to be your problem. The 
solutions I have heard of use a setup where the pppd (what-ya-call-it) 
will call up the isp and start the firewall/nat. But fundamentally the 
firewall/nat is independent of the modem connection.

So, what do you use for firewall/nat? ipfw/ipf/pf? I think I can help 
you with ipf, if you use something else then I'm sure someone can help 
you once they know they have the knowledge you need.

While your filter rules might be long, the nat rules should be quite 
simple, and typically it's nat that causes problems, so please post that.

 ssh delays? did you try to type in the ip to see if it was faster?
 
 Yup.  No change.  I should have mentioned that for sure.

This is really important because this suggests that there is no problem 
with your resolv.conf or other named configuration files.

 I think I get the picture of your network but sometimes it helps a lot
 if you sketch the network with an ASCII diagram, add IPs etc.
 
  - 172...20
  ip-by-ppp  |  - 172...8
    || |
  net - gw - srvr
   |  | |
 info,   u-ppp, dfrtr:isp's dns server
 porn,   w/fw   /etc/hosts: 8  srvr.made-up-dom srvr
 trash,  w/nat. ...20  gw.made-up-dom gw
 etc.defrt set  /e/nsswitch.conf: files dns
  by uppp.
 no ipv6ipv6 (and 4)

Ah, I see, dfrtr is default router? It shouldn't be the isp but the 
internal ip of your gw. Otherwise you might get some strange behaviour 
(which you seem to have).

 I just realized that I am setting 'defaultdomain' in the server's
 /etc/rc.conf in spite of the fact that I'm not currently running
 NIS in my local network.  I'll try getting rid of that to see if
 it helps.

Note that nis domain and dns domain is _not_ the same. Setting your 
default domain in rc.conf sets the nis default domain, and has 
absolutely nothing to do with dns.

 BTW, here's the salient part of a tcpdump on the tun0 interface
 when I ssh from 'gw' to 'srvr':
 
  10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
 63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
  10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
 63948 NXDomain 0/1/0 (119)

Ok, sorry, I'm used to snort output, but good idea, try sniffing and dumping 
so you can see what happens in slow motion.

 So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
 to a DNS server.  That's what I thought.  Question is, 'how to
 make it stop?'
 
 Here's my /etc/hosts:
 ---
 ::1 localhost localhost.huppih.com
 127.0.0.1   localhost localhost.huppih.com
 172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama

Typo or copy/paste error? One ip per line. In the above 172.16.0.20 
becomes an alias for 172.16.0.8 (if it makes sense at all).

 Just knowing that someone has a similar setup and it works would
 be of significant help since it would tell me if there even is a
 solution.  Else, and also very good would be to know that it's an
 intractable problem with the tools I use.

I think that when you get to that point it's time to start clean and be 
systematic. Remove anything that might blur the picture, unneeded 
services and stuff.

Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
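Erik's point about one address per line, shown by emulating how the 'files' source reads /etc/hosts. This is an added example, not code from anyone in the thread; it parses a constructed copy of the hosts file quoted above and a corrected version of it, reusing the huppih.com names and 172.16.0.x addresses from the thread.

```python
# Added example, not code from anyone in the thread.  It reads /etc/hosts the
# way the 'files' source does: the first field is the address and every later
# field is a name for it.  A line carrying a second address therefore turns
# that address into a "hostname" of the first one, so a reverse lookup of it
# misses in files and the resolver falls through to 'dns', which is the PTR
# query that shows up in the tcpdump above.
import ipaddress

# Constructed copy of the hosts file quoted in the thread (two hosts on one line).
HOSTS_BROKEN = """\
::1 localhost localhost.huppih.com
127.0.0.1   localhost localhost.huppih.com

172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama
"""

# The same data with one address per line, as Erik recommends.
HOSTS_FIXED = """\
::1 localhost localhost.huppih.com
127.0.0.1   localhost localhost.huppih.com
172.16.0.8  gila.huppih.com gila
172.16.0.20 agama.huppih.com agama
"""


def is_address(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return (entries, warnings); entries is a list of (address, [names])."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if not is_address(fields[0]):
            warnings.append(f"line {lineno}: first field {fields[0]!r} is not an address")
            continue
        names = fields[1:]
        stray = [f for f in names if is_address(f)]
        if stray:
            warnings.append(f"line {lineno}: address(es) {stray} sit in the name columns "
                            "and will be treated as hostnames; use one address per line")
        entries.append((ipaddress.ip_address(fields[0]), names))
    return entries, warnings


def reverse_lookup(entries, address):
    """What 'files' answers for address -> name; None means fall through to 'dns'."""
    wanted = ipaddress.ip_address(address)
    for addr, names in entries:
        if addr == wanted:
            return names[0]
    return None


def forward_lookup(entries, name):
    """What 'files' answers for name -> address; None means fall through to 'dns'."""
    for addr, names in entries:
        if name.lower() in (n.lower() for n in names):
            return str(addr)
    return None


if __name__ == "__main__":
    for label, text in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        entries, warnings = parse_hosts(text)
        print(label, warnings, reverse_lookup(entries, "172.16.0.20"),
              forward_lookup(entries, "agama"))
```

With the broken file, 'agama' answers with gila's address and the reverse lookup of 172.16.0.20 misses, so the resolver moves on to the ISP's nameserver.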


Re: NAT/DNS question/recommendation?

2005-01-19 Thread Tom Huppi

On Wed, 19 Jan 2005, Erik Norgaard wrote:

Tom Huppi wrote:

snip

 So, what do you use for firewall/nat? ipfw/ipf/pf? I think I can
 help you with ipf, if you use something else then I'm sure
 someone can help you once they know they have the knowledge you
 need.

user-ppp has its own firewall implementation which is separate
from the above three mentioned.  That's what I'm using.  I'd have
to use it anyway to get dial-bound rules, and its other
capabilities are sufficient for my basic needs:
...
# And outgoing icmp
 set filter out 14 permit 0 0 icmp
...
# And the remote host can ping the local gateway (only)
 set filter in  10 permit 0/0  MYADDR icmp src eq 8
...
that sort of thing.


 While your filter rules might be long, the nat rules should be quite
 simple, and typically it's nat that causes problems, so please post that.

You're right.  They are extremely simple:

 nat enable yes  (in ppp.conf)

There is also an 'enable dns' entry which I may play around with
some more.  In fact, I'll have to if I...see last para...


 ssh delays? did you try to type in the ip to see if it was faster?
 
  Yup.  No change.  I should have mentioned that for sure.

 This is really important because this suggests that there is no problem
 with your resolv.conf or other named configuration files.

I'm not using named...yet


 I think I get the picture of your network but sometimes it helps a lot
 if you sketch the network with an ascii diagram, add ip's etc.
 
 
                        - 172...20
       ip-by-ppp        |          - 172...8
           |            |          |
     net ------------- gw ------- srvr
      |                 |            |
    info,             u-ppp,       dfrtr: isp's dns server
    porn,             w/fw         /etc/hosts: 8     srvr.made-up-dom srvr
    trash,            w/nat.                   ...20 gw.made-up-dom gw
    etc.              defrt set    /e/nsswitch.conf: files dns
                      by uppp.
    no ipv6                        ipv6 (and 4)

 Ah, I see, dfrtr is default router? It shouldn't be the isp but the
 internal ip of your gw. Otherwise you might get some strange behaviour
 (which you seem to have).

Typo in the diagram. 'srvr's defaultrouter is ...20, and its
resolv.conf specifies my ISP's nameserver.  My now long gone
text was more accurate.


  I just realized that I am setting 'defaultdomain' in the server's
  /etc/rc.conf in spite of the fact that I'm not currently running
  NIS in my local network.  I'll try getting rid of that to see if
  it helps.

 Note that nis domain and dns domain is _not_ the same. Setting your
 default domain in rc.conf sets the nis default domain, and has
 absolutely nothing to do with dns.

Yes and possibly no.  I believe that it can have an influence on
how the system tries to resolve hostnames (since Sun wanted like
hell for people to use NIS for this purpose decades ago before
security was a consideration...), but I doubt that it's the
problem here.  In fact, I can now say that it isn't.
(nsswitch.conf man on some systems mentions this...dunno if the
capability even exists on xBSD systems.)


  BTW, here's the salient part of a tcpdump on the tun0 interface
  when I ssh from 'gw' to 'srvr':
 
   10:32:36.698042 IP gila.62914  king.dialoregon.net.domain:
  63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
   10:32:36.990638 IP king.dialoregon.net.domain  gila.62914:
  63948 NXDomain 0/1/0 (119)

 Ok, sorry, I'm used to snort output, but good idea, try sniff and dump
 so you can see what happens in slow.

What happens is, 'gila' (aka 'srvr') tries to do a reverse dns
lookup and hangs until it times out or until it gets back a reply.
'non-existent domain' in this case.  The funny thing is that once
it gets even _this_ response it happily proceeds.  I don't know
what it _would_ be unhappy about...it makes the whole test seem
rather pointless in addition to being frustrating from my
standpoint.

The interesting thing is, as I mentioned, when PPP is completely
shut down the 'srvr' doesn't seem to even try this reverse DNS
lookup silliness (or else maybe it just fails miserably and
silently right away.)  That makes me think that maybe there is
some method of inducing PPP to lie to its clients (for lack of a
better term) about its status when it is active but not on-line.


  So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
  to a DNS server.  That's what I thought.  Question is, 'how to
  make it stop?'

 
  Here's my /etc/hosts:
  ---
  ::1 localhost localhost.huppih.com
  127.0.0.1   localhost localhost.huppih.com
 
  172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama

 Typo or copy/paste error? One ip per line. In the above 172.16.0.20
 becomes an alias for 172.16.0.8 (if it makes sense at all).

Yup, another typo...this time from re-formatting paragraphs.


  Just knowing that someone has a similar setup and it works would
  be of significant help since it would tell me if there even is a
  solution.  Else, and also very good would be to know that it's an
  intractable problem with the tools I use.

 I think 

A reverse DNS question

2004-02-05 Thread stan
Can I use dig, or some tool to query an upstream DNS machine to find out
what range it is authoritative for in _reverse_ DNS?

-- 
They that would give up essential liberty for temporary safety deserve
neither liberty nor safety.
-- Benjamin Franklin


Re: A reverse DNS question

2004-02-05 Thread Ceri Davies
On Thu, Feb 05, 2004 at 10:22:19AM -0500, stan wrote:
 Can I use dig, or some tool to query an upstream DNS machine to find out
 what range it is authoritative for in _reverse_ DNS?

If you can do it for a normal zone, yes.
(hint: there's not really any such thing as reverse DNS).

Ceri

-- 




dns question

2003-11-23 Thread RYAN vAN GINNEKEN
I have DNS working perfectly on one system. I copied the files over to
another system and made the necessary domain changes, but when bind is
invoked I cannot ping remote hosts.

#ping google.ca
ping: cannot resolve google.ca: No address associated with name
When I do an nslookup I get this; it does not matter if the lookup is
internal or external. I have been stumped for a week now, can someone please
help.
#nslookup v21001
Server:  v21.highcoup.ca
Address:  142.59.20.186

Name:    v21001
Served by:
- L.ROOT-SERVERS.NET
- M.ROOT-SERVERS.NET
- A.ROOT-SERVERS.NET
- B.ROOT-SERVERS.NET
- C.ROOT-SERVERS.NET
- D.ROOT-SERVERS.NET
- E.ROOT-SERVERS.NET
- F.ROOT-SERVERS.NET
- G.ROOT-SERVERS.NET
- H.ROOT-SERVERS.NET



DNS question...

2003-08-19 Thread Xpression
Hi list, I'm getting a problem with my DNS. I'm running 4.7 + named, the
config files are theoretically fine, but when I try to get access from
outside (of the network) to my ftp site, no records are returned; when I try
with the real IP, everything's fine. Any suggestion...???



Re: DNS question...

2003-08-19 Thread Supote Leelasupphakorn
Hi, 

Have you tried the host command?

  host your_server_name

Maybe DNS takes a couple of days for propagation.
If this is the case, try again in the next 2-3 days.

Cheers,
 --- Xpression [EMAIL PROTECTED] wrote:
 Hi list, I'm getting a problem with my DNS. I'm running 4.7 + named, the
 config files are theoretically fine, but when I try to get access from
 outside (of the network) to my ftp site, no records are returned; when I try
 with the real IP, everything's fine. Any suggestion...???




DNS question...

2003-06-05 Thread Xpression
Hi list:

I want to change my DNS server/service. I'm still using named and almost
understand it well enough, so I want to know if anyone has knowledge of any
other DNS server that can be installed to serve DNS requests...thanks...



Re: DNS question...

2003-06-05 Thread Jez Hancock
On Wed, Jun 04, 2003 at 12:29:29PM -0400, Xpression wrote:
 Hi list:
 
 I want to change my DNS server/service. I'm still using named and almost
 understand it well enough, so I want to know if anyone has knowledge of any
 other DNS server that can be installed to serve DNS requests...thanks...
djbdns is highly recommended - very easy to set up if you already
understand the concept of zone files with named (although the syntax of
djbdns 'data' files is different).

djbdns is nice in that it separates the various tasks that named does
into distinct modules - one for udp auth nameserver queries (tinydns), another for
tcp (axfrdns), another for caching name server (dnscache).

The best place to read is here:
http://cr.yp.to/djbdns.html

note that djbdns is in the ports under /usr/ports/net/djbdns iirc.

Best Regards,
Jez


DNS question

2003-02-01 Thread aSe
I've got a dns running on a freebsd computer at my company. I'm new to the concept of 
DNS and how it all works.

My question is:

When a person does a dns lookup to the server and it's not already cached, how does it
find out the correct name server to use to find the ip?

Thanks!



To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: DNS question

2003-02-01 Thread Bill Moran
[please wrap your lines at 72 characters or so]

aSe wrote:


 When a person does a dns lookup to the server and it's not already cached,
 how does it find out the correct name server to use to find the ip?

FreeBSD comes with a list of root DNS servers.  These are master servers
maintained by many different sources that have information on the top level
domains.
From this list, the DNS can figure out which root server to contact for .com
or .net or .whatever.  That server then directs your server to the specific
DNS server that has the information you are asking for.

This is oversimplified.  If you have forwarders configured, then the forwarders
check their cache first, before consulting the root servers.
But the basic method is described there.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com


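An added, self-contained sketch of the delegation walk Bill describes (not code from the list or from BIND): root hints, then the TLD server, then the server holding the zone, with a cache consulted first. The server names and addresses are made up and everything runs in memory.

```python
# Constructed, offline stand-in for the delegation chain described above.
# Each fake server maps the zones it knows to either an A answer or a
# referral naming the servers one level down. Real resolvers walk the same
# chain over the network, starting from the root hints file.
ROOT_HINTS = ["a.root-servers.net"]

SERVERS = {
    "a.root-servers.net": {"com.": ("REFERRAL", ["a.gtld-servers.net"])},
    "a.gtld-servers.net": {"example.com.": ("REFERRAL", ["ns1.example.com"])},
    "ns1.example.com": {
        "www.example.com.": ("A", "192.0.2.10"),
        "ftp.example.com.": ("A", "192.0.2.11"),
    },
}

def _closest_entry(zone_table, qname):
    """Return the entry for the longest suffix of qname this server knows."""
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone_table:
            return zone_table[suffix]
    return None

def resolve(qname, cache, hints=ROOT_HINTS, max_hops=10):
    """Iteratively resolve qname. Returns (address_or_None, servers_asked).
    A cache hit short-circuits the walk, which is why a caching server or
    forwarder saves repeated trips to the roots."""
    if qname in cache:
        return cache[qname], ["cache"]
    path, servers = [], list(hints)
    for _ in range(max_hops):         # bound the walk against referral loops
        server = servers[0]
        path.append(server)
        entry = _closest_entry(SERVERS.get(server, {}), qname)
        if entry is None:             # nobody on this branch knows the name
            return None, path
        kind, data = entry
        if kind == "A":
            cache[qname] = data
            return data, path
        servers = data                # REFERRAL: follow the delegation down
    return None, path
```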



Re: DNS question

2003-02-01 Thread Len Conrad


When a person does a dns lookup to the server and it's not already cached, 
how does it find out the correct name server to use to find the ip?

The DNS navigates the DNS namespace until it finds a positive or negative 
answer, or until the DNSs that should have the answer fail to respond.

Len




RE: DNS question

2003-02-01 Thread Len Conrad


Ahh okay, I understand that. Someone once told me the information is
already downloaded in a list, so the server doesn't have to contact
root all the time to get ns information. Is this not true anymore?


bind9 has the root-servers hints zone in its binary, but will use an 
external hints zone if listed in named.conf.

Len

