By the way, the trace does produce, and always has produced, the correct
name servers (dns1.buehlertech.net and dns2.buehlertech.net); it just
continues to trace after that result.

Jeff

Jeff Buehler wrote:
> Hi Clement -
>
> Yes - that is the setup, and the m0n0wall provides NAT to the servers'
> services.
>
> dig @localhost (or serving LAN ip) trikorausa.com +trace produces the
> same "dig: too many lookups" error as does the dig @external-dns
> trikorausa.com +trace. Which also seems odd to me, but I have a strange
> feeling that it is the correct (to be expected) behavior, even if it is
> undesirable in this case. Or perhaps a recent update to FreeBSD is
> causing a problem?
>
> Jeff
>
> CLEMENT Francis wrote:
>
>> Hey Jeff
>>
>> Seems I did not understand all of your DNS server setup.
>> I thought your DNS only returned a list of NS for the domains it is
>> authoritative for.
>> Sorry :)
>>
>> Another possibility :) :
>> Just in case there is a problem with NATted loop-back at the MonoWall
>> router
>>
>> I suppose you have this physical hardware setup (correct if wrong):
>>
>> Internet <-> MonoWall <-> 'authoritative only' DNS server ;) / XMail
>> server
>>
>> Is it this?
>>
>> Does the interface between MonoWall and the DNS/XMail server do NAT?
>>
>> If NATted servers:
>>
>> What does a dig from the DNS/XMail server to itself using its internal
>> IP address give?
>> dig @internal-dns-server-ip-address trikorausa.com +trace
>>
>> And a dig from the XMail server using the external IP address of the
>> DNS server (so the MonoWall external IP)?
>> dig @monowall-external-internet-ip trikorausa.com +trace
>>
>> Francis
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Jeff Buehler
>> Sent: Thursday 21 February 2008 17:12
>> To: [email protected]
>> Subject: [xmail] Re: FreeBSD problem (similar to NetBSD problem reported
>> earlier?)
>>
>>
>> I should also clarify, as you mention users, that none of this has
>> anything to do with users on a LAN. This is a hosting server providing
>> web services and email, along with some other functionality. The issue
>> at question is how this particular server sees domains that are external
>> to it. It has no way of knowing about yahoo.com or hotmail.com without
>> a name server that provides recursive lookups, so I have assigned it a
>> name server that does. It just so happens that in the case of this one
>> domain (trikorausa.com) this server provides the authoritative DNS (A
>> records, MX records, etc.). There is no way (that I know about) for me
>> to have it query itself just for domains it knows about, then query
>> external DNS for everything else.
>>
>> Thanks again,
>> Jeff
>>
>> Jeff Buehler wrote:
>>
>>> Hi Clement -
>>>
>>> Perhaps I am using the wrong semantics, or perhaps I am not completely
>>> understanding you, or possibly I am doing something wrong (even though
>>> I have been doing it this way more or less for about 10 years!). This
>>> server provides (what I understand to be) true authoritative name
>>> resolution for about 60 domains and ONLY those 60 domains, but provides
>>> no recursive lookups nor any caching - no systems on the LAN query it,
>>> or any other server I provide locally, for DNS resolution. It is simply
>>> queried by external caching DNS servers on the net for name resolution
>>> of a small number of domains. I do provide complete zone content for
>>> these domains, but not for other domains such as yahoo.com (obviously)
>>> which need to be queried elsewhere as no caching is being done.
>>>
>>> My understanding is that a DNS server generally should not provide
>>> recursive lookups and caching while also providing authoritative
>>> resolution of domains for security reasons. This at least is a
>>> recommendation made by Dan Bernstein (author of Tiny DNS) and makes
>>> sense to me - Bind and MS systems allow it, but it is probably not a
>>> good idea.
>>>
>>> Am I missing something? Thanks for your input ...
>>>
>>> Jeff
>>>
>>>
>> -
>> To unsubscribe from this list: send the line "unsubscribe xmail" in
>> the body of a message to [EMAIL PROTECTED]
>> For general help: send the line "help" in the body of a message to
>> [EMAIL PROTECTED]
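Whatever the cause in Jeff's setup, the thread turns on when dig +trace stops and why it can run past a correct NS list. The following is an added illustration, not code from the thread or from dig itself: a constructed model of the iterative walk from the root to an authoritative server, with the lookup cap that yields "too many lookups" when no server along the way ever returns an authoritative answer. All server names, addresses and the cap value are assumptions.

```python
# Added example, not from the mailing-list thread: a constructed model of the
# iterative (dig +trace style) walk from the root down to an authoritative
# server, with the lookup cap that produces "too many lookups" when no server
# ever returns an authoritative answer. Hypothetical names and addresses.

MAX_LOOKUPS = 10  # stand-in for dig's internal limit (value is an assumption)

# Constructed delegation data. Each server answers a query with either an
# authoritative record ("A", address) or a referral ("NS", [next servers]).
SERVERS = {
    "root": {"example.test.": ("NS", ["tld"])},
    "tld": {"example.test.": ("NS", ["ns1.example.test."])},
    # Healthy authoritative server: returns data, so the walk stops here.
    "ns1.example.test.": {"example.test.": ("A", "192.0.2.10")},
    # Misbehaving server: answers with a referral to itself instead of
    # authoritative data, so a tracer keeps following it until the cap.
    "ns-loop.example.test.": {"example.test.": ("NS", ["ns-loop.example.test."])},
}


def trace(qname, start="root", servers=SERVERS, limit=MAX_LOOKUPS):
    """Follow referrals for qname, starting at `start`.

    Returns (status, address, path): status is "answer" when a server gave
    authoritative data, or "too many lookups" when `limit` servers were
    consulted without one. `path` lists the servers asked, in order.
    """
    path = []
    server = start
    while len(path) < limit:
        path.append(server)
        kind, data = servers[server][qname]
        if kind == "A":
            return "answer", data, path
        server = data[0]  # follow one referral target at a time
    return "too many lookups", None, path


if __name__ == "__main__":
    for start in ("root", "ns-loop.example.test."):
        status, addr, path = trace("example.test.", start=start)
        print(f"start={start}: {status} {addr or ''} via {' -> '.join(path)}")
```

When checking a real server, the thing to compare is whether its answer to a query for its own zone carries the authoritative-answer flag or only a referral; the tracer stops on the former and keeps walking on the latter.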
