Re: NetReg: Selective DNS Forwarding As a Method to Allow Self-Help From Quarantine Networks--BIND Configuration

From: Robert Lowe (Robert.H.Lowe@lawrence.edu)
Date: Wed Jul 14 2004 - 15:01:51 CDT


Jeff A. Earickson wrote:

> Hi,
> I've tried various permutations like:
>
> view "selfhelp"
> {
> match-clients { 137.146.214.50; 127.0.0.1; };
> zone "msft.com" ....
> };
>
> view "bogus"
> {
> match-clients {any};
> zone "." ....
> };
>
> with "bogus" first and last, different match-clients entries, etc, etc.
> All I got from any of these was a list of the single letter root servers,
> which is worse off than getting back the IP of the netreg box.
>
> I don't have a complete file to show because I've tried so many different
> things. It is a test box, so I don't have to be careful...
>
> The msft.com zone never seems to get exercised.

First off, get rid of the views. You just don't need them. Next, what
do you have in the zone statement for msft.com?

zone "msft.com" {
     type forward;
     forwarders { a.b.c.d; };
     forward only;
};

where a.b.c.d is your real nameserver
???

If that doesn't work, then try adding:

msft.com NS your.netreg.box.edu.

to your root file (incrementing the SOA serial number, of course, and
reloading). Note, NS records require *names* not IP addresses.
This delegates the msft.com zone to your bogus nameserver. I wouldn't
think that this should be necessary, but try it as a last resort.

I'm still thinking that running your own update server may be the
best bet, since for real security you have to run all of these
outbound connections through a proxy that doesn't allow any other
connections. Not blocking outbound connections from unregistered
IP addresses is not an option for me.

-Robert

> On Wed, 14 Jul 2004, Robert Lowe wrote:
>
>> Jeff A. Earickson wrote:
>>
>>> Hi,
>>> I too am jumping on this bandwagon -- unfortunately the wagon refuses
>>> to go where I want. My netreg system with the fake DNS setup
>>> (137.146.214.50)
>>> has the following in its boot file, after the options declarations:
>>>
>>> zone "msft.com"
>>> {
>>> type forward;
>>> forwarders { 137.146.210.51; };
>>> };
>>>
>>> #---the root of this domain is our bogus netreg info
>>> zone "." {
>>> type master;
>>> file "primary/fake-root-for-netreg";
>>> };
>>>
>>> Where 137.146.210.51 is our real DNS secondary/forwarder. When I do
>>>
>>> dig @137.146.214.50 www.colby.edu or
>>> dig @137.146.214.50 www.msft.com
>>>
>>> I get back the answer "137.146.214.50" for both. The forwarding for
>>> msft.com doesn't happen. I too only want three DNS boxes in my picture:
>>> (a) my real primary, (b) my real secondary/forwarder 137.146.210.51, (c)
>>> my netreg box with the fake DNS stub plus selected zones like msft.com.
>>>
>>> I've tried views but that didn't help either. Any ideas?
>>
>>
>> Have you set up different views on the NetReg box??? Client requests
>> will fall into whichever view matches first. Can you show us the
>> full named.conf on 137.146.214.50?

**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************
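The configuration Robert describes, written out as one complete named.conf plus the fake root zone file. This is an added example, not a file posted by anyone in the thread: it uses the addresses from the thread (137.146.214.50 for the NetReg box, 137.146.210.51 for the real forwarder), and the hostname netreg.example.edu and the 137.146.214.0/24 quarantine prefix are assumptions. There are no views; the forward zone for msft.com is matched ahead of the catch-all root zone because BIND picks the most specific zone enclosing the query name, and "forward only" stops named from falling back to the bogus root when the forwarder does not answer.

```conf
// /etc/named.conf on the NetReg box (137.146.214.50) -- added example, not from the thread
options {
    directory "/var/named";
    recursion yes;                              // needed for forward zones to work
    allow-recursion { 137.146.214.0/24; 127.0.0.1; };  // assumed quarantine prefix
    allow-query     { 137.146.214.0/24; 127.0.0.1; };
};

// Selected zones that quarantined clients may reach: hand these to the real resolver.
// "forward only": never answer from the fake root if 137.146.210.51 is unreachable.
zone "msft.com" {
    type forward;
    forward only;
    forwarders { 137.146.210.51; };
};

// Everything else resolves to the NetReg box itself.
zone "." {
    type master;
    file "primary/fake-root-for-netreg";
};
```

The zone file the root statement points at, with a wildcard that answers every otherwise-unmatched name with the NetReg address (the serial must be bumped and the zone reloaded whenever this file changes, as Robert notes for the NS-delegation fallback):

```conf
; /var/named/primary/fake-root-for-netreg -- added example, not from the thread
$TTL 60
.                    IN  SOA  netreg.example.edu. hostmaster.example.edu. (
                              2004071401 ; serial
                              3600       ; refresh
                              900        ; retry
                              604800     ; expire
                              60 )       ; negative-cache TTL
.                    IN  NS   netreg.example.edu.
netreg.example.edu.  IN  A    137.146.214.50
*                    IN  A    137.146.214.50
```

To check the result from a quarantined host, `dig @137.146.214.50 www.colby.edu` should return 137.146.214.50 (the wildcard), while `dig @137.146.214.50 www.msft.com` should return the real address obtained via 137.146.210.51; if the second query also returns 137.146.214.50, confirm that 137.146.210.51 permits recursive queries from the NetReg box, since a refused forward under "forward only" yields SERVFAIL rather than a fake-root answer. Keep the short TTL: clients cache the wildcard answer, and a long TTL would leave them pointed at the NetReg box after they register.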

This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:46 CDT