Hey Jeff, seems I did not understand all of your DNS server setup. I thought your DNS only returned a list of NS for the domains it is authoritative for. Sorry :)

Another possibility :) : Just in case there is a problem with NATted loop-back at monowall (= router). I suppose you have this physical hardware setup (correct me if wrong):

Internet <-> MonoWall <-> 'authoritative only' DNS server ;) / xmail server

Is it this? Does the interface between MonoWall and the DNS/xmail server do NAT?

If NATted servers: What does a dig from the DNS/xmail server to itself using its internal IP address give?

  dig @internal-dns-server-ip-address trikorausa.com +trace

And a dig from the xmail server using the external IP address of the DNS server (so the MonoWall external IP)?

  dig @monowall-external-internet-ip trikorausa.com +trace

Francis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Jeff Buehler
Sent: Thursday, 21 February 2008 17:12
To: [email protected]
Subject: [xmail] Re: FreeBSD problem (similar to NetBSD problem reported earlier?)

I should also clarify, as you mention users, that none of this has anything to do with users on a LAN. This is a hosting server providing web services and email, along with some other functionality. The issue at question is how this particular server sees domains that are external to it. It has no way of knowing about yahoo.com or hotmail.com without a name server that provides recursive lookups, so I have assigned it a name server that does. It just so happens that in the case of this one domain (trikorausa.com) this server provides the authoritative DNS (A records, MX records, etc.). There is no way (that I know about) for me to have it query itself just for domains it knows about, then query external DNS for everything else.

Thanks again,
Jeff

Jeff Buehler wrote:
> Hi Clement -
>
> Perhaps I am using the wrong semantics, or perhaps I am not completely understanding you, or possibly I am doing something wrong (even though I have been doing it this way more or less for about 10 years!). This server provides (what I understand to be) true authoritative name resolution for about 60 domains and ONLY those 60 domains, but provides no recursive lookups nor any caching - no systems on the LAN query it, or any other server I provide locally, for DNS resolution. It is simply queried by external caching DNS servers on the net for name resolution of a small number of domains. I do provide complete zone content for these domains, but not for other domains such as yahoo.com (obviously) which need to be queried elsewhere as no caching is being done.
>
> My understanding is that a DNS server generally should not provide recursive lookups and caching while also providing authoritative resolution of domains for security reasons. This at least is a recommendation made by Dan Bernstein (author of Tiny DNS) and makes sense to me - Bind and MS systems allow it, but it is probably not a good idea.
>
> Am I missing something? Thanks for your input ...
>
> Jeff
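As an added example, not from anyone in this thread, here is a small Python helper that classifies the header of a dig answer so one can confirm the split Jeff describes: the server answers trikorausa.com with the aa flag and offers no recursion (no ra flag, or REFUSED) for anything else. The dig outputs embedded below are constructed, not captured from the servers discussed, and the dig() wrapper assumes dig is installed and reachable hosts.

```python
"""Check that a DNS server is authoritative-only: 'aa' for its own zones,
no recursion ('ra' clear, or REFUSED) for foreign names."""
import re
import subprocess

# Pulls "status: X" and the flag list out of dig's ";; ->>HEADER<<-" block.
HEADER_RE = re.compile(r"status: (\w+).*?flags: ([a-z ]*);", re.S)


def parse_dig_header(text):
    """Return (status, set of flags) from one dig output."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header found")
    return m.group(1), set(m.group(2).split())


def classify(text):
    """Short verdict for one dig response:
    'authoritative' : aa set, ra clear  (expected for the server's own zones)
    'no-recursion'  : neither flag, e.g. REFUSED for a foreign name (expected)
    'open-resolver' : ra set, aa clear  (server recursed for a foreign name)
    'mixed'         : aa and ra both set (authoritative + recursive on one box)
    """
    _status, flags = parse_dig_header(text)
    aa, ra = "aa" in flags, "ra" in flags
    if aa and ra:
        return "mixed"
    if aa:
        return "authoritative"
    if ra:
        return "open-resolver"
    return "no-recursion"


def dig(server, name, qtype="A"):
    """Run dig(1) against a server and return its raw output (needs dig and network)."""
    cmd = ["dig", "@" + server, name, qtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample outputs, abbreviated to the header lines that matter.
AUTH_OWN_ZONE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
AUTH_FOREIGN = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
OPEN_RESOLVER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
"""
```

For a live check, feed classify(dig(server, "trikorausa.com")) and classify(dig(server, "yahoo.com")); the first should be "authoritative" and the second "no-recursion" on a properly split server.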
