Date:      Tue, 4 Jan 2000 09:34:56 -0800 (PST)
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Dan Langille <dan@freebsddiary.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: two copies of bind or two name servers?
Message-ID:  <Pine.BSF.4.21.0001040929180.227-100000@fw.wintelcom.net>
In-Reply-To: <200001041035.XAA56537@ducky.nz.freebsd.org>

On Tue, 4 Jan 2000, Dan Langille wrote:

> At present, I'm running all of my zones on a single instance of bind.  But 
> I don't like that.  I have internal zones which I don't want the outside 
> world to know about.  I have restricted access by using allow-transfer 
> and allow-query but I want more separation.
> 
> I tried running two instances of bind on the same box by using the listen-
> on option.  When I start the first instance of bind I get:
> 
> named[56043]: listening on [192.168.1.1].53 (ed0)
> named[56043]: Forwarding source address is [0.0.0.0].53
> 
> The second one gives:
> 
> named[56046]: ctl_server: bind: Address already in use
> named[56046]: listening on [192.168.0.20].53 (ed1)
> named[56046]: opensocket_f: bind([0.0.0.0].53): Address already in use
> 
> I don't understand why it is trying to listen on 0.0.0.0.  Any clues?
> 
> I'm now beginning to think that a better solution is to have two name 
> servers.  One servicing external requests, the other servicing internal 
> requests.  The external one would be non-recursive.  The internal one 
> would be recursive.  Does that make sense?

The new bind is a royal pain in the behind to get this type of configuration
set up on, here's how I do it:

options {
        directory "/etc/namedb/foo";
        pid-file "/var/run/named.foo.pid";
        listen-on { 10.0.0.5; };
        query-source address 10.0.0.5;
        transfer-source 10.0.0.5;
        check-names master warn;
};

controls {
        unix "/var/run/ndc-foo" perm 0600 owner 0 group 0;
};

make sure to substitute all instances of 'foo' and the IP with
the interface/name you'll be running your other copy of bind on.
particularly in the 'controls' section.

yes it was hard to find and yes it brought down my name service a
few times before I got it right.  (don't forget to have a little
scripty to swap back and forth from your new to old config in case
something goes wrong).

I'm pretty sure the reason why the second instance is failing to
come up is the conflict for the 'ndc' listen port.

good luck,
-Alfred
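Added example, not part of the thread: Alfred's fragment carried through to the split Dan asks about, as two BIND 8-style named.conf files (one per instance) that give each daemon its own listen address, outbound source address, pid-file and ndc control socket so nothing binds 0.0.0.0:53 or the shared control channel. Addresses (192.0.2.x public, 192.168.0.x internal), paths and the zone name are constructed placeholders.

```conf
// Added example (not from the thread). Two separate config files, one
// per named instance. All addresses, paths and zone names are placeholders.

// ---- /etc/namedb/external/named.conf : answers the outside world only ----
options {
        directory "/etc/namedb/external";
        pid-file "/var/run/named.external.pid";
        listen-on { 192.0.2.10; };           // public interface only
        query-source address 192.0.2.10;     // outbound queries pinned here, not 0.0.0.0
        transfer-source 192.0.2.10;
        recursion no;                        // authoritative only, never resolves for others
        allow-query { any; };
        allow-transfer { 192.0.2.11; };      // secondary server only
        check-names master warn;
};

controls {
        unix "/var/run/ndc-external" perm 0600 owner 0 group 0;   // per-instance ndc socket
};

zone "example.com" {
        type master;
        file "example.com.external";         // public view: no internal hosts in here
};

// ---- /etc/namedb/internal/named.conf : recursive resolver for the LAN ----
options {
        directory "/etc/namedb/internal";
        pid-file "/var/run/named.internal.pid";
        listen-on { 192.168.0.20; };         // internal interface only
        query-source address 192.168.0.20;
        transfer-source 192.168.0.20;
        recursion yes;                       // resolves on behalf of LAN clients
        allow-query { 192.168.0.0/16; 127.0.0.1; };
        allow-transfer { none; };            // internal zone data never leaves the box
        check-names master warn;
};

controls {
        unix "/var/run/ndc-internal" perm 0600 owner 0 group 0;
};

zone "example.com" {
        type master;
        file "example.com.internal";         // internal view with the private hosts
};
```

Each daemon is then started with its own file (`named -c /etc/namedb/external/named.conf`, likewise for internal) and driven through its own socket (`ndc -c /var/run/ndc-external reload`); the distinct `controls` sockets are what avoid the `ctl_server: bind: Address already in use` error from the second instance.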