Date: Tue, 12 Jun 2007 03:55:25 +0100
Content-Type: TEXT/PLAIN
On Mon, 11 Jun 2007, Keith Lofstrom wrote:
> My firewall has an inside "green" interface on eth0, and an outside
> "red" interface on eth1. eth1 is connected to a dynamic address at
> comcast. The firewall also has a bind (named) and dhcpd server on it,
> providing name service and dynamic addresses for the internal green
> network. named is also configured to respond to 127.0.0.1, so in
> theory the firewall itself can get dns service from the named
> running on it. dhcpd and logging need the internal name service.
So far I think I understand what you are doing...
> Perhaps I have nsswitch set up incorrectly. Or something. When
> the green interface eth0 starts, /sbin/dhclient-script puts the
> appropriate information in /etc/resolv.conf. That seems to be the
> only way the firewall internal programs know about the name server.
Now this confuses me. You are running a dhcp server on the host (for your
eth0 -- 'green' network), and also using dhcp to get the address for
eth0?? How can that work? Am I just misunderstanding you?
> /etc/resolv.conf is almost immediately written over when the red
> interface eth1 starts, with the comcast name servers replacing
> (instead of appending to) the eth0 information.
That seems to be the default dhclient/dhclient-script behaviour...
> So the firewall no longer knows about dns for internal machines. I can
> write everything into /etc/hosts, but that is Yet Another File to
> maintain. There must be a better way.
See man dhclient.conf for many options...
> As a temporary hack kludge, I combined the information from both
> name servers into /etc/resolv.conf by hand, then set it to
> chmod 444 and chattr +i . I can still turn the interfaces on and
> off, but dhclient-script leaves /etc/resolv.conf alone. This will
> work until comcast moves their name servers.
>
> Does anyone know of a better way?
I've never done it myself but man dhclient.conf suggests that something
like:
interface "eth1" {
    prepend domain-name-servers 127.0.0.1;
}
will cause 127.0.0.1 to be prepended to the list of DNS servers returned
(from the dhcp request on interface eth1).
Is this sufficient or do you really need to arrange to get a list of
nameservers from both eth0 and eth1?
I can see ways to do that but they all involve some evil hackery.
BTW if your bind is intended to be configured to use the ISP nameservers
as 'forwarders' then something (somewhere) needs to update the named.conf
to list those servers... e.g.
options {
    ...
    forwarders {
        <list of ISP servers here>
    }
    ...
}
etc etc. I don't see anything in the standard dhclient-script which
attempts to do that.
-- Jon
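The "something (somewhere)" Jon refers to can be a dhclient exit hook. The following is an added example, not code from this thread: it uses the hook mechanism documented in man dhclient-script (dhclient-script sources /etc/dhclient-exit-hooks if it exists, with $interface, $reason and $new_domain_name_servers set) to rewrite a BIND include file from the DNS servers the ISP hands out on eth1 and reload named. Assumptions not from the thread: named.conf includes /etc/named.forwarders.conf inside its options { } block, rndc is configured for reloads, and the hook is installed at /etc/dhclient-exit-hooks. Each address is validated before it is written, so a malformed or hostile DHCP reply cannot inject named.conf syntax. Combined with prepend domain-name-servers 127.0.0.1; on eth1, the firewall then resolves via its own named, which forwards to whatever Comcast servers were last handed out, so the chattr +i kludge is no longer needed.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Install as /etc/dhclient-exit-hooks (assumed path; dhclient-script
# sources it after each lease event, see man dhclient-script).

# Return 0 if $1 is a plausible dotted-quad IPv4 address: only digits and
# dots, exactly four fields, each 0..255. Anything else is rejected so a
# bogus "server" string from the lease can't end up inside named.conf.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Render a BIND "forwarders { ...; };" clause from a space-separated list of
# servers (the format dhclient uses for $new_domain_name_servers). Invalid
# entries are silently dropped; an empty list yields "forwarders { };",
# which tells named not to forward at all.
render_forwarders() {
    servers="$1"
    out="forwarders {"
    for s in $servers; do
        is_ipv4 "$s" || continue
        out="$out $s;"
    done
    printf '%s };\n' "$out"
}

# Write the include file atomically (write to a temp name, then rename) and
# ask named to reload. $1 = server list, $2 = destination path; the default
# path is an assumption about how named.conf was set up.
update_forwarders() {
    dest="${2:-/etc/named.forwarders.conf}"
    render_forwarders "$1" > "$dest.tmp" && mv "$dest.tmp" "$dest"
    # Reload is best-effort: a missing or unconfigured rndc must not make
    # dhclient-script fail and leave the interface half-configured.
    command -v rndc >/dev/null 2>&1 && rndc reload >/dev/null 2>&1 || true
}

# Hook body. Only the red (ISP) interface's lease should drive forwarders;
# lease events on the green side carry the firewall's own named anyway.
if [ "${interface:-}" = "eth1" ]; then
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT)
            update_forwarders "${new_domain_name_servers:-}"
            ;;
    esac
fi
```

The hook deliberately leaves /etc/resolv.conf to dhclient-script; with the prepend rule above, 127.0.0.1 stays first in it, so internal names resolve through named and external ones go out via the freshly written forwarders.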