[opensuse] Multiple DNS servers in /etc/resolv.conf
Hi,

I recently (just now) installed and configured the pptp-client, to help hook me up to my workplace's MS VPN server. Unfortunately, I have run into a little bump in the road regarding nameservers and how hosts are looked up.

Take this scenario:

------------------------------
Company setup:
VPN server: vpn.company.com
Internal network (company.net): 10.0.0.0/8
Internal gateway: 10.5.26.2
VPN client IPs: 10.5.26.X
DNS: 10.12.1.2 / 10.12.2.2

My setup:
Local IP (eth0): 10.0.0.2/24
Default GW (router): 10.0.0.1
DNS: 10.0.0.1
Tunnel device: ppp0
------------------------------

I don't want to route my normal internet traffic through the VPN, so I connect to vpn.company.com, and add the network with:

add -net 10.0.0.0 netmask 255.0.0.0 ppp0

So far so good. Connection to both internet and internal company hosts is working.

Now, I want to be able to go to opensuse.org, routed through eth0, using 10.0.0.1 as nameserver. At the same time, I want to be able to go to intranet.company.net, routed through ppp0, using 10.12.1.2 as nameserver.

My guess at this configuration would be:

/etc/resolv.conf:
domain company.net
nameserver 10.0.0.1
nameserver 10.12.1.2

But this results in opensuse.org being looked up, while intranet.company.net fails.

Another guess:

/etc/resolv.conf
domain company.net
nameserver 10.12.1.2
nameserver 10.0.0.1

Which leads to intranet.company.net being looked up, while opensuse.org fails.

How on earth do I get around this, and why does it seem that both nameservers are not queried?

Best Regards
Sylvester Lykkehus
On Tuesday 05 December 2006 14:17, Sylvester Lykkehus wrote:
My guess at this configuration would be: /etc/resolv.conf: domain company.net nameserver 10.0.0.1 nameserver 10.12.1.2 But this results in opensuse.org being looked up, while intranet.company.net fails.
Another guess: /etc/resolv.conf domain company.net nameserver 10.12.1.2 nameserver 10.0.0.1 Which leads to intranet.company.net being looked up, while opensuse.org fails.
How on earth do I get around this, and why does it seem that both nameservers are not queried?
Secondary name servers are ONLY queried if the first one FAILS or is not reachable. It's a misconception that secondaries will be checked if the primary can not come up with an IP for you. -- _____________________________________ John Andersen
John Andersen wrote:
On Tuesday 05 December 2006 14:17, Sylvester Lykkehus wrote:
My guess at this configuration would be: /etc/resolv.conf: domain company.net nameserver 10.0.0.1 nameserver 10.12.1.2 But this results in opensuse.org being looked up, while intranet.company.net fails.
Another guess: /etc/resolv.conf domain company.net nameserver 10.12.1.2 nameserver 10.0.0.1 Which leads to intranet.company.net being looked up, while opensuse.org fails.
How on earth do I get around this, and why does it seem that both nameservers are not queried?
Secondary name servers are ONLY queried if the first one FAILS or is not reachable. It's a misconception that secondaries will be checked if the primary can not come up with an IP for you.
Hi John,

I see, this was what I thought happened, server 1 to fail if it could not look up the IP, therefore trying the next. Thanks for clearing that up.

Is there any way I can get it to query both, or alternatively use my 10.0.0.1 DNS, if it is not a company.net address? I know from that-other-os(tm), it is possible, since it works when using VPN.

Best regards
Sylvester Lykkehus
On Tuesday 05 December 2006 23:33, Sylvester Lykkehus wrote:
Is there any way I can get it to query both, or alternatively use my 10.0.0.1 DNS, if it is not a company.net address? I know from that-other-os(tm), it is possible, since it works when using VPN.
You need to run your own in house DNS server. (Usually BIND). Yast will even help set that up for you. It should have some local resources (ptr records to local network machines), and it should query your ISP for things it does not know. I set one up on SLES, using Yast, and it was pretty easy considering how little I actually know about running BIND. You need to have your dhcp server feed all your in house machines the IP of your in-house dns server (if you use dhcp), or configure all your machines manually to use your in-house DNS server. -- _____________________________________ John Andersen
John Andersen wrote:
On Tuesday 05 December 2006 23:33, Sylvester Lykkehus wrote:
Is there any way I can get it to query both, or alternatively use my 10.0.0.1 DNS, if it is not a company.net address? I know from that-other-os(tm), it is possible, since it works when using VPN.
You need to run your own in house DNS server. (Usually BIND).
Yast will even help set that up for you. It should have some local resources (ptr records to local network machines), and it should query your ISP for things it does not know. I set one up on SLES, using Yast, and it was pretty easy considering how little I actually know about running BIND.
You need to have your dhcp server feed all your in house machines the IP of your in-house dns server (if you use dhcp), or configure all your machines manually to use your in-house DNS server.
I really have to run a DNS server to do this ? I'm not quite sure how that would work out. Besides, the main PC to use VPN is a laptop, and will move across multiple wireless lans, school networks etc., so this is really not an option. /Sylvester
The Wednesday 2006-12-06 at 17:14 +0100, Sylvester Lykkehus wrote: Note: your cryptographic signature is too big, couldn't you use something else (pgp, for instance)?
Besides, the main PC to use VPN is a laptop, and will move across multiple wireless lans, school networks etc., so this is really not an option.
You can use profiles to have a different set of configuration files for each site. Explained in the admin book (pdf or html) in the distro.

-- Cheers, Carlos E. R.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
The Wednesday 2006-12-06 at 09:33 +0100, Sylvester Lykkehus wrote:

I know that this message is old, but I found it today looking inside my spam folder, with two others from you of the same day, because SpamAssassin said (spaces added around the " . " to avoid false detection):

| 4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
| [URIs: company . net]

Which matches the following paragraph:
My guess at this configuration would be: /etc/resolv.conf: domain company . net
-- Cheers, Carlos E.R.
On Wed, Dec 06, 2006 at 12:17:36AM +0100, Sylvester Lykkehus wrote:
How on earth do I get around this, and why does it seem that both nameservers are not queried?

The easiest solution I've found to this problem is to use pdns-recursor, which is available via the build service:

http://repos.opensuse.org/server:/dns/

Add the .repo file corresponding to your distribution to yast or smart and install pdns-recursor.

Edit /etc/resolv.conf to use only one nameserver 127.0.0.1

Use the pdns_recursor --config option to generate a blank config template. Edit the config file as you see fit. You probably won't need to change anything. Add an appropriate line like this:

forward-zones=int.wirex.com=10.30.0.15,suse.cz=10.20.0.2

This says that queries ending in .int.wirex.com go to DNS server at 10.30.0.15, queries ending in .suse.cz go to server 10.20.0.2.

I've been thrilled by my new DNS experience. :)
Seth Arnold wrote:
On Wed, Dec 06, 2006 at 12:17:36AM +0100, Sylvester Lykkehus wrote:
How on earth do I get around this, and why does it seem that both nameservers are not queried?
The easiest solution I've found to this problem is to use pdns-recursor, which is available via the build service:
http://repos.opensuse.org/server:/dns/
Add the .repo file corresponding to your distribution to yast or smart and install pdns-recursor.
Edit /etc/resolv.conf to use only one nameserver 127.0.0.1
Use the pdns_recursor --config option to generate a blank config template. Edit the config file as you see fit. You probably won't need to change anything. Add an appropriate line like this: forward-zones=int.wirex.com=10.30.0.15,suse.cz=10.20.0.2
This says that queries ending in .int.wirex.com go to DNS server at 10.30.0.15, queries ending in .suse.cz go to server 10.20.0.2.
I've been thrilled by my new DNS experience. :)
Hi Seth, Seems very interesting, and sounds exactly like what I was looking for. I will test this out at first opportunity I get, and post the results :-) Best regards Sylvester Lykkehus
Sylvester Lykkehus wrote:
Seth Arnold wrote:
On Wed, Dec 06, 2006 at 12:17:36AM +0100, Sylvester Lykkehus wrote:
How on earth do I get around this, and why does it seem that both nameservers are not queried?
The easiest solution I've found to this problem is to use pdns-recursor, which is available via the build service:
http://repos.opensuse.org/server:/dns/
Add the .repo file corresponding to your distribution to yast or smart and install pdns-recursor.
Edit /etc/resolv.conf to use only one nameserver 127.0.0.1
Use the pdns_recursor --config option to generate a blank config template. Edit the config file as you see fit. You probably won't need to change anything. Add an appropriate line like this: forward-zones=int.wirex.com=10.30.0.15,suse.cz=10.20.0.2
This says that queries ending in .int.wirex.com go to DNS server at 10.30.0.15, queries ending in .suse.cz go to server 10.20.0.2.
I've been thrilled by my new DNS experience. :)
Hi Seth,
Seems very interesting, and sounds exactly like what I was looking for. I will test this out at first opportunity I get, and post the results :-)
Best regards Sylvester Lykkehus
As promised, my results. I followed Seth's instructions, and added

forward-zones=company.net=10.12.1.2

to the /etc/pdns/recursor.conf. Now I am able to look up both intranet hostnames and internet hostnames, and route them through ppp0 and eth0 respectively.

Thanks!
/Sylvester
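The behaviour discussed in this thread, as an added Python model (not code from any poster, glibc or pdns-recursor): a two-nameserver resolv.conf moves on only when a server does not respond, while a forward-zones style rule picks the server per query by label-wise suffix match. The server contents, the addresses 192.0.2.10 and 10.12.5.20 and all function names are constructed for illustration, and the recursor's own resolution of public names is simplified to one default server.

```python
# Toy model added for illustration; not glibc or pdns-recursor source.
TIMEOUT, NXDOMAIN = "timeout", "nxdomain"

# Constructed sample data: the names each server from the thread can answer.
SERVERS = {
    "10.0.0.1": {"opensuse.org": "192.0.2.10"},           # home router (public names)
    "10.12.1.2": {"intranet.company.net": "10.12.5.20"},  # company DNS (internal names)
}

def ask(server, name):
    """One query: an address, NXDOMAIN, or TIMEOUT for an unreachable server."""
    zone = SERVERS.get(server)
    return TIMEOUT if zone is None else zone.get(name, NXDOMAIN)

def stub_resolve(nameservers, name):
    """resolv.conf behaviour as described in the thread: any reply, including a
    negative one, is final; only a non-responding server leads to the next."""
    for server in nameservers:
        reply = ask(server, name)
        if reply != TIMEOUT:
            return server, reply
    return None, TIMEOUT

def parse_forward_zones(value):
    """Parse 'zone=ip,zone=ip' (the single-address form used on this page)."""
    zones = {}
    for item in value.split(","):
        zone, _, ip = item.strip().partition("=")
        zones[zone.lower().rstrip(".")] = ip
    return zones

def pick_server(forward_zones, default, name):
    """Longest matching suffix wins, compared label by label, so
    'notcompany.net' is not treated as part of 'company.net'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in forward_zones:
            return forward_zones[suffix]
    return default

def split_resolve(forward_zones, default, name):
    server = pick_server(forward_zones, default, name)
    return server, ask(server, name)

if __name__ == "__main__":
    zones = parse_forward_zones("company.net=10.12.1.2")
    for name in ("opensuse.org", "intranet.company.net", "notcompany.net"):
        print(name, stub_resolve(["10.0.0.1", "10.12.1.2"], name),
              split_resolve(zones, "10.0.0.1", name))
```

With per-zone forwarding, internal names are sent only to the company server and everything else stays off the tunnel, which also keeps company.net lookups away from whatever resolver the laptop's current network hands out.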
participants (4)
- Carlos E. R.
- John Andersen
- Seth Arnold
- Sylvester Lykkehus