Hi Clement - Yes - that is the setup, and the m0n0wall provides NAT to the server's services.

dig @localhost (or serving LAN ip) trikorausa.com +trace produces the same "dig: too many lookups" error as does the dig @external-dns trikorausa.com +trace. Which also seems odd to me, but I have a strange feeling that it is the correct (to be expected) behavior, even if it is undesirable in this case. Or perhaps a recent update to FreeBSD is causing a problem?

Jeff

CLEMENT Francis wrote:
> Hey Jeff
>
> Seems I did not understand all of your DNS server setup.
> I thought your DNS only returned a list of NS for the domains it is
> authoritative for.
> Sorry :)
>
> Another possibility :) :
> Just in case there is a problem with NATted loop-back at the MonoWall router
>
> I suppose you have this physical hardware setup (correct if wrong):
>
> Internet <-> MonoWall <-> 'authoritative only' DNS server ;) / xmail server
>
> Is it this?
>
> Does the interface between MonoWall and the DNS/xmail server do NAT?
>
> If NATted servers:
>
> What does a dig from the DNS/xmail server to itself using its internal ip
> address give?
> dig @internal-dns-server-ip-address trikorausa.com +trace
>
> And a dig from the xmail server using the external ip address of the DNS
> server (so the MonoWall external ip)?
> dig @monowall-external-internet-ip trikorausa.com +trace
>
> Francis
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Jeff Buehler
> Sent: Thursday, 21 February 2008 17:12
> To: [email protected]
> Subject: [xmail] Re: FreeBSD problem (similar to NetBSD problem reported earlier?)
>
> I should also clarify, as you mention users, that none of this has
> anything to do with users on a LAN. This is a hosting server providing
> web services and email, along with some other functionality. The issue
> at question is how this particular server sees domains that are external
> to it. It has no way of knowing about yahoo.com or hotmail.com without
> a name server that provides recursive lookups, so I have assigned it a
> name server that does. It just so happens that in the case of this one
> domain (trikorausa.com) this server provides the authoritative DNS (A
> records, MX records, etc.). There is no way (that I know about) for me
> to have it query itself just for domains it knows about, then query
> external DNS for everything else.
>
> Thanks again,
> Jeff
>
> Jeff Buehler wrote:
>> Hi Clement -
>>
>> Perhaps I am using the wrong semantics, or perhaps I am not completely
>> understanding you, or possibly I am doing something wrong (even though
>> I have been doing it this way more or less for about 10 years!). This
>> server provides (what I understand to be) true authoritative name
>> resolution for about 60 domains and ONLY those 60 domains, but provides
>> no recursive lookups nor any caching - no systems on the LAN query it,
>> or any other server I provide locally, for DNS resolution. It is simply
>> queried by external caching DNS servers on the net for name resolution
>> of a small number of domains. I do provide complete zone content for
>> these domains, but not for other domains such as yahoo.com (obviously)
>> which need to be queried elsewhere as no caching is being done.
>>
>> My understanding is that a DNS server generally should not provide
>> recursive lookups and caching while also providing authoritative
>> resolution of domains for security reasons. This at least is a
>> recommendation made by Dan Bernstein (author of Tiny DNS) and makes
>> sense to me - Bind and MS systems allow it, but it is probably not a
>> good idea.
>>
>> Am I missing something? Thanks for your input ...
>>
>> Jeff
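As an added example (not code from this thread or from xmail), a small stand-alone Python probe that builds a DNS query and decodes the header flags of the reply, which is the quickest way to confirm the role split Jeff describes: his server should answer for trikorausa.com with AA set and RA clear, while the resolver he assigned for yahoo.com answers with RA set. The function names and the sample reply packet are my own constructions; only the wire format is standard.

```python
import socket
import struct

# Added example, not code from the thread: build a DNS query and decode the
# header flags of the reply. An authoritative-only server (Jeff's setup)
# answers for its own zones with AA=1 and RA=0; a recursive resolver sets RA=1.
# Wire format per RFC 1035; the function names here are my own choices.

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Return a DNS query for `name` (qtype 1 = A); RD asks for recursion."""
    flags = 0x0100 if rd else 0x0000                    # RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(packet):
    """Decode the 16-bit flags word of a DNS header into its named bits."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {"id": txid,
            "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF}

def classify(packet):
    """Label a reply by what its flags say about the server's role."""
    f = parse_flags(packet)
    if f["rcode"] == 5:
        return "refused"                 # e.g. recursion denied to this client
    if f["aa"] and not f["ra"]:
        return "authoritative-only"      # hosts the zone, will not recurse
    if f["ra"]:
        return "recursive"               # will chase names it does not host
    return "non-authoritative, no recursion"

def probe(server, name, timeout=3.0):
    """Send one UDP query and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def make_reply(flags, txid=0x1234):
    """Constructed reply header (no records) for offline testing."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# QR=1 AA=1 RD=1 RA=0 RCODE=0 -> 0x8500: what an authoritative-only server returns
SAMPLE_AUTH_ONLY = make_reply(0x8500)
```

Running classify(probe("<lan-ip-of-the-server>", "trikorausa.com")) against the authoritative box and against the assigned resolver shows the two roles side by side; a "refused" from the authoritative box for yahoo.com is the expected, healthy result.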
