looking for opinions

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 11 23:34:51 UTC 2000


named needs to talk to root servers, even if it is configured in forward-only mode
(it will try to talk to the root servers _through_ the forwarders in that
configuration). It needs this because it needs good nameserver data for the root
domain. The "hints" in the hints file aren't a substitute for the actual root
NS data, they're just used to *get* the real root NS data.

Perhaps what you should do is run named with a special "disconnected" configuration
when you are not connected. The "disconnected" configuration would have no
forwarders and an internal root zone, so named would never try to contact any other
nameservers with that configuration. When you connect to the Internet, restart
named with the normal, "connected" configuration.

You may not want to use a forwarder at all, if you have full Internet access when
you are connected. If the forwarder has information relevant to your query at the
time you ask it, then yes, you'll probably get the answer faster. But if the
forwarder *doesn't* have enough information to answer your question immediately, it
has to go out and fetch all or part of the answer, then return it to you. This is
likely to be even slower than just getting the answer yourself. There are a lot of
variables involved here, so I would experiment to see if forwarding is gaining you
any performance benefits. If you don't have full Internet connectivity, then
forwarding may be your only option of course.

The /etc/resolv.conf on the Linux firewall should probably be set to point to your
internal nameserver, so that the firewall can resolve both internal and external
names.

Is there some particular reason why you don't just run BIND on the Linux
firewall? You could use ACLs to prevent external clients from querying your
internal domain...


- Kevin

Marco Welti wrote:

> Hi all
>
> I'm relatively new to networking stuff, so I'd like to hear some opinions
> on my setup....
>
> I have the following hardware
> 1 Linux box configured as dialup router/firewall (analog modem)
> 1 NT 4 server running BIND8 (2.2P5)
> 5 Windows clients
>
> Internet connection is done via dialup
> all win-hosts have their dns entry set to the nt-server
>
> I'd actually have liked to have a Linux server as well as an NT, but this was not
> my decision and I couldn't change it :-(
>
> The NT box is running BIND8 (I couldn't get ms-dns working with forwarders)
> as master for my internal domain. For external resolution I configured BIND to
> use a forwarder (pointing to the ns of my ISP).
>
> Questions: I had to remove the zone "." from named.conf to avoid occasional
> dialups (tcpdump showed lots of queries to the root servers originating
> from BIND). I assume BIND checked if the root servers are available....
> Is there another option to avoid these dialups? Would the option forward-only do
> the same trick? What is the actual reason for these lookups?
>
> Because I use a dialup connection, it takes quite some time until
> the connection is established. Now if I do a lookup and the connection first
> needs to be established, BIND returns with an error that the forwarder is down.
> To solve this, I added the ns of my ISP a second time to the forwarder list.
> Is this the only method? Can't I set a timeout for forwarders?
>
> On the linux box I'm running diald for dialup on demand. I did set some filters
> (udp.dest=udp.netbios-ns etc) in diald.conf to avoid dialup on netbios packets.
> Further I use the standard SUSE ipchains packet firewall. Would it be a good
> idea also to filter netbios packets with ipchains?
>
> Due to the fact that all win-clients point to the nt-box as nameserver and only
> the nt-server is doing lookups for external names, one could also set ipchains to
> allow only the nt-box doing dns-lookups...
>
> And last but not least, should the entry in /etc/resolv.conf point to my
> internal nameserver or to the nameserver of my ISP or to none of them?
>
> thanks for reading through all this... I'm looking forward to hearing your opinion...
>
> regards
> Marco
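The "disconnected" configuration Kevin describes above (no forwarders, an internal root zone), written out as an added illustration that is not part of the original thread: a named.conf in BIND 8 syntax plus the root zone file it references. The file paths, the internal domain name example.internal, the serial and the address 192.168.1.2 are assumed placeholders.

```conf
// ---- file: /etc/named.conf-disconnected (constructed example) ----
options {
    directory "/var/named";
    // No "forwarders" statement here: while offline there is nothing
    // to forward to, and a forwarders list would trigger the dialup.
};

// Locally mastered root zone: because named is authoritative for ".",
// it never needs to fetch the real root NS set, so it never dials out.
zone "." {
    type master;
    file "db.root-internal";
};

// The internal domain, unchanged from the "connected" configuration.
zone "example.internal" {
    type master;
    file "db.example.internal";
};

// ---- file: /var/named/db.root-internal (constructed example) ----
// $TTL 86400
// @   IN SOA ns.example.internal. hostmaster.example.internal. (
//             2000101101 ; serial (placeholder)
//             3600       ; refresh
//             900        ; retry
//             604800     ; expire
//             86400 )    ; negative-cache TTL
//     IN NS  ns.example.internal.
//
// ; Delegate the internal domain to this same server, with glue,
// ; so every name ends either here or in NXDOMAIN without dialling.
// example.internal.     IN NS ns.example.internal.
// ns.example.internal.  IN A  192.168.1.2
```

The zone-file section is shown commented so the block stays one file; copy it into db.root-internal without the leading "// ". Any name outside example.internal gets an authoritative NXDOMAIN from the local root, which is what keeps the modem idle; switch back to the normal configuration (real hints, forwarders) when the link is up.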
