Date: Sat, 19 Apr 2003 15:39:13 -0700
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: freebsd-net@freebsd.org
Subject: Re: BIND-8/9 interface bug? Or is it FreeBSD?
Message-ID: <20030419223913.GA51072@parodius.com>
In-Reply-To: <1050791079.007237.719.nullmailer@cicuta.babolo.ru>
References: <20030419064801.GA11635@parodius.com> <1050791079.007237.719.nullmailer@cicuta.babolo.ru>

I hadn't considered jails -- I can't believe I forgot about them. An
excellent idea. For now, I've moved both of my nameservers over to
relying entirely on the public IP network for transmission of
everything, and as expected, it works great. I might have to try the
jail method for the private network! Thanks. :-)

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |

On Sun, Apr 20, 2003 at 02:24:38AM +0400, "."@babolo.ru wrote:
> > The secondary is configured literally identical to the
> > primary, except that the IPs have changed and _all_ of
> > the zones are type slave.
> >
> > I see the exact same problem on the secondary (again,
> > outgoing traffic on the public interface with an IP of
> > the private), except that the src & dst IPs apply to
> > the private IP on the secondary and the WAN IP of the
> > primary, respectively. Sorry if that's confusing. :-)
> >
> > Thank you for your below example -- I didn't consider that
> > BIND would do something that ""silly"" (note quotes), but
> > now it makes sense.
> >
> > I believe removing the query-source option could in fact
> > solve the problem, but there is a specific reason for its
> > existence -- we rely on the MAPS RBL+ service for SBL lookups,
> > which are DNS based. Permission to the RBL+ service is based
> > on the IP doing the query. Since the nameserver IPs are
> > IP aliases, if I do not specify this, the queries come from
> > the first IP in the list shown in ifconfig -a.
> >
> > If there's a workaround for this, I'd love to hear it. :-)
> I use different named in different jails for
> public and private zones.
> Each pair on one host.
> Jail guarantees that only the dedicated IP will be used.
>
> possible transfers are:
>
> host1                host2
> priv named  <--->  priv named
>     ^                  ^
>     |                  |
>     V                  V
> pub named   <--->  pub named
>
> public named knows nothing about private zones
> private named is used by clients and
> forwards queries to its public partner
> on the same host for non-private zones
> and has all private zones as master or slave
>
> PS
> http://free.babolo.ru/ports/jailup/
> to easily establish jailed services
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
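The split-named layout sketched in the quoted reply, written out as a pair of named.conf fragments. This is an added illustration, not configuration posted by either participant: the jail names, zone names, file paths and addresses (203.0.113.x for the public side, 10.0.1.x for the private side) are all constructed placeholders. The point it shows is that, with each named confined to a jail that owns exactly one address, no query-source option is needed: outgoing queries from the public named leave from the public address that the external RBL service authorises, and the private named never sources packets from a private address on the public interface.

```conf
// ---- host1, jail "dns-priv", jail address 10.0.1.10 (constructed) ----
// Private-facing named: clients on the private network talk to this one.
// It is master/slave for the private zones and forwards everything
// else to the public named in the sibling jail on the same host.
options {
    directory "/etc/namedb";
    listen-on { 10.0.1.10; };
    // No query-source here: inside the jail the only usable source
    // address is 10.0.1.10, so the kernel picks it automatically.
    allow-query { 10.0.0.0/8; };
    recursion yes;
    forward only;
    forwarders { 203.0.113.10; };      // public named on this host
};

zone "corp.example" {
    type master;
    file "master/corp.example";
    allow-transfer { 10.0.1.20; };     // private named on host2 (slave)
    also-notify { 10.0.1.20; };
};

// ---- host1, jail "dns-pub", jail address 203.0.113.10 (constructed) ----
// Public-facing named: knows nothing about the private zones. Its own
// recursive lookups (including the DNS-based RBL queries) are sourced
// from 203.0.113.10 because that is the jail's only address.
options {
    directory "/etc/namedb";
    listen-on { 203.0.113.10; };
    recursion yes;
    allow-recursion { 10.0.1.10; 127.0.0.1; };   // only the private named
    allow-query { any; };
};

zone "." {
    type hint;
    file "named.root";
};

zone "example.com" {
    type master;
    file "master/example.com";
    allow-transfer { 203.0.113.20; };  // public named on host2 (slave)
    also-notify { 203.0.113.20; };
};
```

host2 mirrors this with the zones declared as type slave and the masters pointing back at 10.0.1.10 and 203.0.113.10 respectively, so private-zone transfers stay on the private network and public-zone transfers stay on the public one. Restricting allow-recursion on the public named to the private named's address keeps it from becoming an open resolver while still serving the forwarded queries.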