On Fri, Jul 12, 2002 at 11:21:43AM -0500, Alex Malinovich wrote:

[name-based access goes to "old" machine]

| I'm figuring that there should be some form of DNS "trickery" that I
| can do to achieve the desired effect, but I'm not sure how to go
| about it.

Yes, it sounds like your problem is completely wrapped up in the name
not pointing to the machine you really want.

| Here's my current setup:
|
| Two domains: the-love-shack.net (registered external domain name) and
| theloveshack.local (internal domain name).

Why not just use the-love-shack.net as the internal domain as well?
Just don't use the same names for both NICs in a system.

| One external IP address.

No problem here, as long as you have the right NAT setup on the
external interface. (and as long as appearing to have only one system
is sufficient for your needs)

| 2 servers, BigBrother (W2K) and Gandalf (Debian).

Ok, so you have the following _base_ DNS RRs (in bind format) :

    ; substitute the actual IP address
    BigBrother.the-love-shack.net.  IN A  192.168.0.1
    Gandalf.the-love-shack.net.     IN A  192.168.0.2

| The only idea that I have is perhaps somehow (don't know how :) putting
| an entry for www.the-love-shack.net into theloveshack.local DNS listing
| and have it point to the internal IP for Gandalf. Just putting in a
| www(.theloveshack.local, which is not what I want) entry is easy enough,
| but how do I put a DNS entry for a "foreign" domain into my local DNS
| domain?

You can only change your own DNS server.

Here's what I've done with my system. I have the host/domain name
"dman.ddts.net". You can check with the ddt project to see how that
works, but I get a single (dynamically updated) A record. I am also
allowed to have MX records. The authoritative name servers are
ns0.ddts.net and ns1.ddts.net.

I set up bind on my own machine, and told it that it is authoritative
for the domain "dman.ddts.net". What that means is that _from my
machine_ (since that's the only one(s) that will ever query my name
server), I will only get answers for the entries I have. I will not
get data from ns[01].ddts.net. Now I can create hosts in my domain,
for use on my own system(s). No one on the outside will be able to
see it, but I can use it for myself.

You can do this too. Just include entries like the above in your DNS
so that you can access each machine directly by name. Also delegate
names like 'www', 'ns', 'jabber' (etc) so that you can direct each
service (via a CNAME) to the right host independent of the other
services. Then on your server, you can even use the internal IP for
everything since you are not the (externally visible) authoritative
name server. Basically what you do is "hijack" the domain, but the
only machines that will notice the hijacking are your own.

Hmm, your machine isn't the authoritative name server for your domain,
is it? If it is, you can still achieve the desired results by using a
"hosts" entry to override DNS as far as that machine is concerned. It
should still work, though, because the internal machines will try
connecting to the public IP, and that will get redirected to the
correct internal machine. (just use SNAT as well as DNAT so that
replies are also properly NATted since both machines are on the same
side of the NATting router)

HTH,
-D

-- 
The lot is cast into the lap, but its every decision is from the Lord.
        Proverbs 16:33
http://dman.ddts.net/~dman/
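The arrangement described above, as an added example that is not part of the original mail: a LAN-only bind zone for the-love-shack.net with one name per service, the named.conf stanza that makes the internal bind authoritative for it, and the DNAT+SNAT hairpin rules for LAN hosts that still connect to the public address. The router's LAN address 192.168.0.254, the LAN interface name eth1 and the public address 203.0.113.10 are assumed placeholders; the two internal addresses are the ones from the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the LAN-only zone
# that an internal bind serves as authoritative for the-love-shack.net,
# plus the iptables hairpin NAT rules. Placeholders (assumed): PUBLIC_IP,
# the router's LAN address and the LAN interface name.
set -e

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder: substitute the real address
LAN_IF="eth1"                            # assumed LAN-side interface of the router
ROUTER_LAN_IP="192.168.0.254"            # assumed LAN address of the router
BIGBROTHER_IP="192.168.0.1"              # W2K box, address from the mail
GANDALF_IP="192.168.0.2"                 # Debian box, address from the mail

# Write the zone file for the internal bind into directory $1 and print its path.
# Only LAN hosts query this server, so the outside world never sees these records.
write_internal_zone() {
    zonefile="$1/db.the-love-shack.net.internal"
    cat > "$zonefile" <<EOF
\$TTL 3600
@           IN SOA    ns.the-love-shack.net. hostmaster.the-love-shack.net. (
                      2002071201 ; serial
                      3600 900 604800 3600 )
@           IN NS     ns.the-love-shack.net.
ns          IN A      $GANDALF_IP
bigbrother  IN A      $BIGBROTHER_IP
gandalf     IN A      $GANDALF_IP
; one name per service, each a CNAME, so a service can move hosts on its own
; (ns above stays an A record: an NS target must not be a CNAME)
www         IN CNAME  gandalf
jabber      IN CNAME  gandalf
EOF
    echo "$zonefile"
}

# Print the named.conf stanza that makes this bind authoritative for the zone.
named_conf_stanza() {
    printf 'zone "the-love-shack.net" {\n    type master;\n    file "%s";\n};\n' \
        "$1/db.the-love-shack.net.internal"
}

# Print (do not apply) the hairpin rules: a LAN host connecting to the public
# address is DNATted to Gandalf, and SNATted to the router so Gandalf's replies
# go back through the router (and get un-NATted) instead of straight to the client.
hairpin_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING  -i $LAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $GANDALF_IP:80
iptables -t nat -A POSTROUTING -o $LAN_IF -s 192.168.0.0/24 -d $GANDALF_IP -p tcp --dport 80 -j SNAT --to-source $ROUTER_LAN_IP
EOF
}
```

Run `write_internal_zone /etc/bind` and `named_conf_stanza /etc/bind` on the internal name server, and feed the output of `hairpin_nat_rules` to the router once the addresses are filled in.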