Date: Fri, 5 Jan 2001 08:15:35 GMT
From: Cliff Sarginson <cliff@raggedclown.net>
To: Cliff Sarginson <cliff@raggedclown.net>, Nick Slager <nicks@albury.net.au>, Keith Walker <kew@icehouse.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: Using BIND in a local, bogus network. Clarification.
Message-ID: <E14ES2B-000Bp7-00@post.mail.nl.demon.net>
> > Thus spake Keith Walker (kew@icehouse.net):
> > >
> > > In my perfect world, the firewall would have a named running that would be a
> > > domain master for the bogus network, would cache "real" addresses, and just
> > > generally, DTRT.
> > >
> > > I've had *some* success with this, but I cannot get the nameserver to quit
> > > forcing dial-outs, keeping the modem connected almost 24/7.
>
> I have done exactly the same as you, and have exactly the same concerns,
> although my dialouts are not quite so constant. I too am looking for a
> way to perfect this...
>
> > > Ok, so:
> > >
> > > 1) How come the named program keeps dialing out?
>
> My prime candidate for this is my MTA. This runs on the firewall
> but passes all mail straight to another PC acting as a mailhost.
> If the mailhost is not running the mail sits in the queue and
> gets flushed when the mailhost comes online (done by use of
> deferred SMTP delivery in Postfix and a little shell script).
> However when the mail is flushed a call is made to my ISP, and I
> assume to the DNS there - even though all the DNS information mail
> should require it can get from my name server. I intend when I get
> some time at the weekend to sniff the traffic and see exactly what
> it wishes to find out. In particular if I disable the modem then after
> a minute or so (presumably when the DNS lookup times out), the MTA
> happily delivers my mail to the mailhost!
>
> I too am getting concerned about phone calls; my work around is to
> use scripts to control when PPP is running or not.
>
> I have noted that when I boot the firewall it usually makes a call as
> well, in this case I am wondering if it is named itself that is initiating
> it.
>
> > > 2) How can I prevent this?
>
> And here is the problem. You can prevent it by blocking in your firewall
> rules access to the DNS port. That works. However you may as well not
> use DOD anymore if you do it, since anything you do that requires an IP
> address that you don't have in your cache will stimulate a call !

-- A call which will be ignored.. sorry about replying to my own post.. wanted to clarify it.

> > > 3) Are nameservers designed to run only on full time systems?
>
> Well, on the Internet they are. But what we are doing is running
> it on a local network, so I don't see that it should be a problem.
> The "dnswalk" program bitches about my setup that I don't have a slave
> DNS configured .. but for the rest it is happy enough.
>
> > > 4) Is there a better way of doing this?
> >
> > You might want to look into userland PPP's filters to stop the auto dial
> > on DNS lookups. Have a look at the examples in /usr/share/examples/ppp.
>
> See the Catch 22 above.
>
> This must be solvable !
>
> Cliff

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
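An added illustration (not posted by anyone in this thread) of the userland PPP dial filter suggested above, which is the usual way out of the Catch 22: DNS packets are stopped from triggering a dial while every other packet can still bring the link up. The `isp` label, the device, the phone number and the addresses are placeholders, and the rule syntax follows ppp(8) as the editor understands it; check it against the sample files in /usr/share/examples/ppp on your own system.

```conf
# /etc/ppp/ppp.conf (added illustration; the "isp" label, device, number
# and addresses below are placeholders, not anyone's real configuration)
isp:
 set device /dev/cuaa1
 set speed 115200
 set phone PLACEHOLDER_ISP_NUMBER
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR

 # dial filter: decides which outbound packets are allowed to bring
 # the link up. Rules 0 and 1 deny DNS (udp/53) in both directions;
 # rule 0 is needed because a named that queries from port 53 (the
 # BIND 8 default) sends with src port 53. A cache miss in the local
 # named is therefore dropped instead of placing a call. Rule 2 still
 # lets everything else dial, which a plain firewall block on port 53
 # cannot give you.
 set filter dial 0 deny udp src eq 53
 set filter dial 1 deny udp dst eq 53
 set filter dial 2 permit 0 0

 # alive filter: decides which packets reset the idle timer. The same
 # rules stop stray lookups from keeping the modem connected once the
 # link is otherwise idle.
 set filter alive 0 deny udp src eq 53
 set filter alive 1 deny udp dst eq 53
 set filter alive 2 permit 0 0

 set timeout 120
```

As the thread notes, the dropped lookup simply fails until something else has dialled the link, so the local named should be the cache and master for the bogus zones and the filter only covers what it cannot answer.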