Date: Fri, 5 Jan 2001 08:11:18 GMT
From: Cliff Sarginson <cliff@raggedclown.net>
To: Nick Slager <nicks@albury.net.au>, Keith Walker <kew@icehouse.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: Using BIND in a local, bogus network
Message-ID: <E14ERy2-0004Ea-00@post.mail.nl.demon.net>
> Thus spake Keith Walker (kew@icehouse.net):
>
> > In my perfect world, the firewall would have a named running that would be a
> > domain master for the bogus network, would cache "real" addresses, and just
> > generally, DTRT.
> >
> > I've had *some* success with this, but I cannot get the nameserver to quit
> > forcing dial-outs, keeping the modem connected almost 24/7.

I have done exactly the same as you, and have exactly the same concerns, although my dialouts are not quite so constant. I too am looking for a way to perfect this...

> > Ok, so:
> >
> > 1) How come the named program keeps dialing out?

My prime candidate for this is my MTA. This runs on the firewall but passes all mail straight to another PC acting as a mailhost. If the mailhost is not running, the mail sits in the queue and gets flushed when the mailhost comes online (done by use of deferred SMTP delivery in Postfix and a little shell script). However, when the mail is flushed a call is made to my ISP, and I assume to the DNS there, even though all the DNS information mail should require it can get from my name server. I intend, when I get some time at the weekend, to sniff the traffic and see exactly what it wishes to find out. In particular, if I disable the modem then after a minute or so (presumably when the DNS lookup times out), the MTA happily delivers my mail to the mailhost!

I too am getting concerned about phone calls; my workaround is to use scripts to control when PPP is running or not. I have noted that when I boot the firewall it usually makes a call as well; in this case I am wondering if it is named itself that is initiating it.

> > 2) How can I prevent this?

And here is the problem. You can prevent it by blocking in your firewall rules access to the DNS port. That works. However, you may as well not use DOD anymore if you do it, since anything you do that requires an IP address that you don't have in your cache will stimulate a call!

> > 3) Are nameservers designed to run only on full time systems?

Well, on the Internet they are. But what we are doing is running it on a local network, so I don't see that it should be a problem. The "dnswalk" program bitches about my setup that I don't have a slave DNS configured... but for the rest it is happy enough.

> > 4) Is there a better way of doing this?
>
> You might want to look into userland PPP's filters to stop the auto dial
> on DNS lookups. Have a look at the examples in /usr/share/examples/ppp.
>

See the Catch 22 above. This must be solvable!

Cliff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
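Added example, not from this thread or from any of its authors: a /etc/ppp/ppp.conf fragment for FreeBSD userland ppp(8) that uses the dial, alive and out filters Nick mentions. The point is that port 53 is denied only in the "dial" filter (so named's recursive lookups and the MTA's resolver never bring the link up by themselves) and in the "alive" filter (so background lookups don't keep the modem connected), while the "out" filter still lets DNS through once some other traffic has dialled. This avoids the Catch 22 of blocking port 53 in the firewall. The device path, phone number, credentials and addresses are placeholders.

```conf
# Added example (not from this thread): ppp(8) configuration fragment.
# Device, phone number, credentials and addresses are placeholders.
default:
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 # Log filter decisions so /var/log/ppp.log shows which packet caused a call.
 set log Phase Chat Connect Carrier LCP IPCP Filter

isp:
 set phone PLACEHOLDER-ISP-NUMBER
 set authname PLACEHOLDER-USER
 set authkey PLACEHOLDER-PASSWORD
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0
 add default HISADDR
 # Drop the link after two idle minutes (idle as defined by the alive filter).
 set timeout 120

 # "dial" filter: which packets are allowed to bring the link up.
 # DNS in either direction must not trigger a call on its own ...
 set filter dial 0 deny udp src eq 53
 set filter dial 1 deny udp dst eq 53
 set filter dial 2 deny tcp src eq 53
 set filter dial 3 deny tcp dst eq 53
 # ... nor ident probes (tcp/113) or NTP (udp/123).
 set filter dial 4 deny tcp dst eq 113
 set filter dial 5 deny udp dst eq 123
 # Anything else (a web fetch, an SMTP session to a remote host) may dial.
 set filter dial 6 permit 0 0

 # "out"/"in" filters: once the link is up, DNS still passes, so named can
 # resolve what it needs without port 53 being blocked in the packet filter.
 set filter out 0 permit 0 0
 set filter in 0 permit 0 0

 # "alive" filter: which packets count as activity and reset the idle timer.
 # Exclude DNS so cache refreshes don't keep the modem connected 24/7.
 set filter alive 0 deny udp src eq 53
 set filter alive 1 deny udp dst eq 53
 set filter alive 2 permit 0 0
```

With `set log ... Filter` enabled, the log entries from the dial filter are the quickest way to answer question 1: the first packet that matches a permit rule is the one that made the call.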