SCIENTIFIC-LINUX-USERS Archives

June 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Keith Lofstrom <[log in to unmask]>
Date: Mon, 11 Jun 2007 18:39:48 -0700

My firewall has an inside "green" interface on eth0, and an outside
"red" interface on eth1.  eth1 is connected to a dynamic address at
comcast.   The firewall also has a bind (named) and dhcpd server on it,
providing name service and dynamic addresses for the internal green
network.    named is also configured to respond to 127.0.0.1, so in
theory the firewall itself can get dns service from the named
running on it.  dhcpd and logging need the internal name service.

Perhaps I have nsswitch set up incorrectly.  Or something.  When 
the green interface eth0 starts, /sbin/dhclient-script puts the
appropriate information in /etc/resolv.conf.  That seems to be the
only way the firewall internal programs know about the name server.
/etc/resolv.conf is almost immediately written over when the red
interface eth1 starts, with the comcast name servers replacing
(instead of appending to) the eth0 information.  So the firewall no
longer knows about dns for internal machines.  I can write everything
into /etc/hosts, but that is Yet Another File to maintain.  There must
be a better way.

As a temporary hack kludge, I combined the information from both
name servers into /etc/resolv.conf by hand, then set it to 
chmod 444 and chattr +i .  I can still turn the interfaces on and
off, but dhclient-script leaves /etc/resolv.conf alone.  This will
work until comcast moves their name servers.  

Does anyone know of a better way?

Keith

-- 
Keith Lofstrom          [log in to unmask]         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
