From owner-freebsd-net@FreeBSD.ORG Sun Apr 20 02:44:36 2003
Date: Sun, 20 Apr 2003 11:44:31 +0200
From: Paul Schenkeveld
To: Jeremy Chadwick
Cc: freebsd-net@freebsd.org
Subject: Re: BIND-8/9 interface bug? Or is it FreeBSD?
Message-ID: <20030420114431.A74015@psconsult.nl>
References: <20030419064801.GA11635@parodius.com> <1050791079.007237.719.nullmailer@cicuta.babolo.ru> <20030419223913.GA51072@parodius.com>
In-Reply-To: <20030419223913.GA51072@parodius.com>; from freebsd@jdc.parodius.com on Sat, Apr 19, 2003 at 03:39:13PM -0700
List-Id: Networking and TCP/IP with FreeBSD

Hi Jeremy,

On Sat, Apr 19, 2003 at 03:39:13PM -0700, Jeremy Chadwick wrote:
> I hadn't considered jails -- I can't believe I forgot about
> them. An excellent idea.
>
> For now, I've moved both of my nameservers over to relying
> entirely on the public IP network for transmission of
> everything, and as expected, it works great. I might have
> to try the jail method for the private network!

I've had good results running separate named instances for internal and
external zones within jails for two or three years now.

Reading the last few messages in this thread, another possible solution
came to mind. What about adding host routes for the public address to
send all this traffic over your private network? This does not limit
traffic to DNS; in fact all traffic between the two machines will be
over your private link whether the private or the public address is
used.

Example:

                  External subnet, public addresses
---------------+--------------------------------+---------------
               |                                |
               | p.q.r.a                        | p.q.r.b
  +----------------------------+   +----------------------------+
  |                            |   |                            |
  | route add -host \          |   | route add -host \          |
  |   p.q.r.b 10.0.0.y         |   |   p.q.r.a 10.0.0.x         |
  |                            |   |                            |
  |                            |   |                            |
  |                            |   |                            |
  +----------------------------+   +----------------------------+
               | 10.0.0.x                       | 10.0.0.y
               |                                |
               |                                |
---------------+--------------------------------+---------------
                  Internal subnet, private addresses

It might be necessary to adjust your ipfw rules a bit, but I seem to
remember you allow all traffic over your private interface.

Regards,

Paul Schenkeveld, Consultant
PSconsult ICT Services BV
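To see why the two `route add -host` entries in Paul's diagram pull all traffic between the machines onto the private link, here is an added Python example (not from the mail, not FreeBSD code) that simulates the kernel's longest-prefix route selection on both hosts. All addresses and interface names are constructed: the documentation range 192.0.2.0/24 stands in for p.q.r.0/24 (a = 10, b = 20), 10.0.0.1 and 10.0.0.2 for 10.0.0.x and 10.0.0.y, 192.0.2.1 as an assumed default gateway, and fxp0/fxp1 as the external/internal interfaces.

```python
import ipaddress

# Constructed sample values (not from the mail): 192.0.2.0/24 stands in
# for p.q.r.0/24 with a=10 and b=20; x=1 and y=2 on 10.0.0.0/24; fxp0 and
# fxp1 are assumed names for the external and internal interfaces.
HOSTS = {
    "A": {"public": "192.0.2.10", "private": "10.0.0.1"},
    "B": {"public": "192.0.2.20", "private": "10.0.0.2"},
}
EXTERNAL_IF, INTERNAL_IF = "fxp0", "fxp1"
UPSTREAM_GW = "192.0.2.1"  # assumed default gateway on the public subnet


def build_table(peer_public, peer_private, add_host_route):
    """Routing table of one host: the two connected subnets, a default
    route, and optionally the /32 entry that the mail's
    `route add -host <peer_public> <peer_private>` would install."""
    table = [
        (ipaddress.ip_network("192.0.2.0/24"), None, EXTERNAL_IF),
        (ipaddress.ip_network("10.0.0.0/24"), None, INTERNAL_IF),
        (ipaddress.ip_network("0.0.0.0/0"), UPSTREAM_GW, EXTERNAL_IF),
    ]
    if add_host_route:
        table.append((ipaddress.ip_network(peer_public + "/32"),
                      peer_private, INTERNAL_IF))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching entry wins, which
    is why a /32 host route beats the connected /24 for that one address
    while every other public host is still reached over fxp0."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return {"prefix": str(best[0]), "gateway": best[1], "iface": best[2]}


def round_trip(a_has_route, b_has_route):
    """Interface each side uses to reach the other's *public* address.
    Both host routes are needed; with only one, the path is asymmetric:
    one direction crosses the private link, the reply the public one."""
    a_table = build_table(HOSTS["B"]["public"], HOSTS["B"]["private"], a_has_route)
    b_table = build_table(HOSTS["A"]["public"], HOSTS["A"]["private"], b_has_route)
    a_to_b = lookup(a_table, HOSTS["B"]["public"])["iface"]
    b_to_a = lookup(b_table, HOSTS["A"]["public"])["iface"]
    return a_to_b, b_to_a


if __name__ == "__main__":
    table = build_table(HOSTS["B"]["public"], HOSTS["B"]["private"], True)
    for dst in (HOSTS["B"]["public"], "192.0.2.30", "203.0.113.5"):
        print(dst, "->", lookup(table, dst))
    print("both routes present:", round_trip(True, True))
    print("only A has the route:", round_trip(True, False))
```

The point the simulation makes explicit is the one behind Paul's closing remark about ipfw: once the host routes are in place, packets on the internal interface carry the public addresses of the two machines, so any firewall rule that pairs an interface with the address range it expects to see there has to allow that combination, and the route must exist on both hosts or replies take a different path than the requests.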