setting up an internal TLD
Woodchuck
djv at bedford.net
Wed Oct 18 12:50:51 PDT 2006
On Wed, 18 Oct 2006, Mike Taylor wrote:
> Hello,
>
> I've installed 3.9 on a system connected to a cable modem to act as a firewall. I'm trying to make a TLD for my internal network. The domain I'm trying to use is "localnet.dot".
>
> Below are the files I'm using, but the system keeps using the ISP's DNS servers. Here's the output I get when I use dig:
>
Are you logged in on homebox? or on someotherbox?
> # dig @homebox www.yahoo.com
> ; <<>> DiG 9.3.1 <<>> @homebox www.yahoo.com
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
>
> What am I doing wrong?
I don't think you're running named, i.e. that it is not starting
for some reason. Or it is not forwarding queries for some reason.
See below.
But first, kill named if it is running, then restart it.
Observe any error messages in /var/log/messages. There should
be a message even for a successful start. It should look like
Oct 18 15:17:57 castor named[14107]: starting BIND 9.3.1
Oct 18 15:17:57 castor named[14107]: command channel listening on 127.0.0.1#nnn
Oct 18 15:17:57 castor named[14107]: running
Report your messages.
> -----------------------------------------------------------------
>
> /etc/dhclient.conf
> ----------------
> (added to supplied dhclient.conf)
>
> supersede host-name "homebox";
> supersede domain-name "localnet.dot";
> prepend domain-name-servers 10.10.10.10;
I dunno about dhcp. Maybe this is good.
> /etc/hosts
> -----------
> ::1 localhost.localnet.dot localhost
> 127.0.0.1 localhost.localnet.dot localhost
> 10.10.10.10 homebox.localnet.dot homebox
>
>
> /etc/myname
> ---------------
> homebox.localnet.dot
I guess you're running on homebox?
> /etc/resolv.conf
> ------------------
> search localnet.dot
> nameserver 10.10.10.10
> nameserver <ISP server>
> nameserver <ISP server>
> lookup file bind
This is a point of ambiguity. I would prefer to see your
own nameserver forward queries, rather than slowly falling
over to ISP servers. If you're going to run a nameserver,
why not run one that does something?
I do not know the circumstances under which the secondary
and tertiary servers are tried. I believe it may simply be
*server failure*, not lookup failure. I don't know because I
do not use this feature. I have only a single nameserver in there,
my own. If it fails, I want to know.
> /etc/pf.conf
I sincerely hope there are no problems with pf.
Why not kill pf for the time being, until dns works?
Tear down the internet connection and get dns to work locally.
> --------------
> ext_if="dc0"
> int_if="fxp0"
>
> scrub in
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> anchor "ftp-proxy/*"
> block in
> pass out keep state
>
> pass quick on $int_if
> antispoof quick for { lo $int_if }
>
>
> /var/named/etc/named.conf
> --------------------------------
> (added to supplied named.conf)
I can *guess* which supplied named.conf you used, but could you
just send the whole thing? I do not keep a pristine OpenBSD box
handy for guessing what "supplied" means. (Trust me, I'm not being
nasty. I simply cannot know what patch level you are at, and I
cannot know if the release named.conf is the same as the current
or patch branch ones. While I have defined and brought up a TLD
to prove things for this post, I am not going to go on a CVS hunt
for old files or ones more recent than what I'm running).
Also, errors are sometimes caused by, well, misteaks. You may have
introduced a typographic error unknowingly in named.conf.
> zone "localnet.dot" {
> type master;
> file "master/localnet.dot";
Did you want an "allow-transfer" here? I don't think it matters.
> };
>
> zone "10.10.10.IN-ADDR.ARPA" {
> type master;
> file "master/10.10.10";
> allow-transfer { localhost; };
> };
This much looks OK.
But I'm really worrying whether you have forwarding lines
in the named.conf.
> /var/named/master/10.10.10
> --------------------------------
> $TTL 86400
> @ SOA homebox.localnet.dot. root.homebox.localnet.dot. ( 2 10800 3600 604800 600 )
> NS homebox.localnet.dot.
>
> 1 PTR homebox.localnet.dot.
Should be:
10 PTR homebox.localnet.dot.
Evidently the use of IN is now optional/old-fashioned?
10 IN PTR homebox.localnet.dot.
> /var/named/master/loclnet.dot
> ----------------------------------------
> $TTL 86400
> @ SOA homebox root.homebox ( 2 10800 3600 604800 600 )
Clean this SOA up to use FQDNs. Why tempt fate?
@ SOA homebox.localnet.dot. root.homebox.localnet.dot. (
2 10800 3600 604800 600 )
> NS homebox
FQDN, please
NS homebox.localnet.dot.
>
> localhost A 127.0.0.1
> homebox A 10.10.10.10
> MX 10 homebox
Dave
--
Of a truth, few men desire freedom, the greater part
are content with just masters. -- Sallust
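A small checker, added here as an example and not part of the thread, that parses the poster's two zone files (constructed inline from the quoted text, with the "1 PTR" mistake kept) and reports the two problems Dave points out: relative names in SOA/NS records, which get $ORIGIN appended silently, and a PTR owner that disagrees with the host's A record. The parser is a hypothetical minimal one, not BIND's, and assumes the parenthesised SOA fields sit on a single line.

```python
# Constructed sample input, copied from the quoted zone files in the thread.
FORWARD_ZONE = """$TTL 86400
@ SOA homebox root.homebox ( 2 10800 3600 604800 600 )
  NS homebox
localhost A 127.0.0.1
homebox A 10.10.10.10
  MX 10 homebox
"""
REVERSE_ZONE = """$TTL 86400
@ SOA homebox.localnet.dot. root.homebox.localnet.dot. ( 2 10800 3600 604800 600 )
  NS homebox.localnet.dot.
1 PTR homebox.localnet.dot.
"""

def parse_zone(text, origin):
    """Return (owner_fqdn, rtype, rdata_tokens) triples; minimal zone syntax only."""
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):   # skip blanks and $TTL
            continue
        if not line[0].isspace():                       # leading owner name
            first, _, rest = line.partition(" ")
            owner = origin if first == "@" else (first if first.endswith(".") else f"{first}.{origin}")
            line = rest
        tokens = line.split()
        if tokens[0] == "IN":                           # class is optional
            tokens = tokens[1:]
        records.append((owner, tokens[0], tokens[1:]))
    return records

def relative_name_warnings(records):
    """Names in SOA (MNAME, RNAME) and NS rdata without a trailing dot are relative."""
    return [f"{rtype} {name} is relative (no trailing dot)"
            for _, rtype, rdata in records if rtype in ("SOA", "NS")
            for name in rdata[:2 if rtype == "SOA" else 1] if not name.endswith(".")]

def ptr_mismatches(fwd_records, rev_records, rev_origin):
    """Report PTR owners whose last octet disagrees with the target host's A record."""
    a_by_host = {owner: rdata[0] for owner, rtype, rdata in fwd_records if rtype == "A"}
    problems = []
    for owner, rtype, rdata in rev_records:
        if rtype == "PTR":
            octet = owner[: -len(rev_origin) - 1]       # "1" from "1.10.10.10.in-addr.arpa."
            expected = a_by_host.get(rdata[0], "?").rsplit(".", 1)[-1]
            if octet != expected:
                problems.append(f"PTR owner {octet} but {rdata[0]} has A ending in .{expected}")
    return problems
```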