
Re: Migrating services from W2K box to Debian box



On Fri, Jul 12, 2002 at 11:21:43AM -0500, Alex Malinovich wrote:

[name-based access goes to "old" machine]

| I'm figuring that there should be some form of DNS "trickery" that I
| can do to achieve the desired effect, but I'm not sure how to go
| about it.

Yes, it sounds like your problem is completely wrapped up in the name
not pointing to the machine you really want.

| Here's my current setup:
| 
| Two domains: the-love-shack.net (registered external domain name) and
| theloveshack.local (internal domain name).

Why not just use the-love-shack.net as the internal domain as well?
Just don't use the same names for both NICs in a system.

| One external IP address.

No problem here, as long as you have the right NAT setup on the
external interface.  (and as long as appearing to have only one system 
is sufficient for your needs)

| 2 servers, BigBrother (W2K) and Gandalf (Debian).

Ok, so you have the following _base_ DNS RRs (in bind format):

; substitute the actual IP address
BigBrother.the-love-shack.net.  IN  A  192.168.0.1
Gandalf.the-love-shack.net.     IN  A  192.168.0.2

| The only idea that I have is perhaps somehow (don't know how :) putting
| an entry for www.the-love-shack.net into theloveshack.local DNS listing
| and have it point to the internal IP for Gandalf. Just putting in a
| www(.theloveshack.local, which is not what I want) entry is easy enough,
| but how do I put a DNS entry for a "foreign" domain into my local DNS
| domain?

You can only change your own DNS server.

Here's what I've done with my system.  I have the host/domain name
"dman.ddts.net".  You can check with the ddt project to see how that
works, but I get a single (dynamically updated) A record.  I am also
allowed to have MX records.  The authoritative name servers are
ns0.ddts.net and ns1.ddts.net.

I set up bind in my own machine, and told it that it is authoritative
for the domain "dman.ddts.net".  What that means is that _from my
machine_ (since that's the only one(s) that will ever query my name
server), I will only get answers for the entries I have.  I will not
get data from ns[01].ddts.net.

Now I can create hosts in my domain, for use on my own system(s).  No
one in the outside will be able to see it, but I can use it for
myself.

You can do this too.  Just include entries like the above in your DNS
so that you can access each machine directly by name.  Also delegate
names like 'www', 'ns', 'jabber' (etc) so that you can direct each
service (via a CNAME) to the right host independent of the other
services.  Then on your server, you can even use the internal IP for
everything since you are not the (externally visible) authoritative
name server.

Basically what you do is "hijack" the domain, but the only machines
that will notice the hijacking are your own.

Hmm, your machine isn't the authoritative name server for your domain,
is it?

If it is, you can still achieve the desired results by using a "hosts"
entry to override DNS as far as that machine is concerned.  It should
still work, though, because the internal machines will try connecting
to the public IP, and that will get redirected to the correct internal
machine.  (just use SNAT as well as DNAT so that replies are also
properly NATted since both machines are on the same side of the
NATting router)

HTH,
-D

-- 
 
The lot is cast into the lap,
but its every decision is from the Lord.
        Proverbs 16:33
 
http://dman.ddts.net/~dman/
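As an added example (not part of the original mail), this Python script builds the internal-only zone the reply describes, with an A record per host and a CNAME per service, then lints it for the mistakes bind will not warn about (names missing the trailing dot, which get $ORIGIN silently appended, and dangling or conflicting CNAMEs) and resolves a name the way an internal client would. The host names come from the thread; the 192.168.0.x addresses and the SOA/NS values are constructed, and the parser only understands the four-field `owner IN TYPE rdata` line form that the script itself emits.

```python
ORIGIN = "the-love-shack.net."
HOSTS = {"bigbrother": "192.168.0.1", "gandalf": "192.168.0.2"}  # constructed internal IPs
SERVICES = {"www": "gandalf", "jabber": "bigbrother"}            # service name -> host

def build_zone(origin=ORIGIN, hosts=HOSTS, services=SERVICES):
    """Zone text in bind format; every name is written fully qualified."""
    lines = [f"$ORIGIN {origin}", "$TTL 3600",
             f"@ IN SOA gandalf.{origin} hostmaster.{origin} (1 3600 900 604800 300)",
             f"@ IN NS gandalf.{origin}"]
    lines += [f"{h}.{origin} IN A {ip}" for h, ip in hosts.items()]
    lines += [f"{s}.{origin} IN CNAME {h}.{origin}" for s, h in services.items()]
    return "\n".join(lines) + "\n"

def parse_zone(text):
    """Collect A and CNAME records keyed by owner name, exactly as written."""
    a, cname = {}, {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()           # strip comments, tokenize
        if len(parts) < 4 or parts[0].startswith("$") or parts[2] not in ("A", "CNAME"):
            continue                                   # only 'owner IN TYPE rdata' lines
        (a if parts[2] == "A" else cname)[parts[0].lower()] = parts[3].lower()
    return a, cname

def lint_zone(text):
    """Return a list of problems; an empty list means the zone is consistent."""
    a, cname = parse_zone(text)
    problems = []
    for name in set(a) | set(cname) | set(cname.values()):
        if not name.endswith("."):                     # bind would silently append $ORIGIN
            problems.append(f"{name}: not fully qualified (missing trailing dot)")
    for owner, target in cname.items():
        if owner in a:                                 # RFC 1034: a CNAME must stand alone
            problems.append(f"{owner}: CNAME coexists with an A record")
        if target not in a and target not in cname:    # dangling alias
            problems.append(f"{owner}: CNAME target {target} has no record in zone")
    return problems

def resolve(text, name, max_hops=8):
    """Follow CNAMEs the way an internal client would; return the IP or None."""
    a, cname = parse_zone(text)
    name = name.lower()
    for _ in range(max_hops):
        if name in a:
            return a[name]
        name = cname.get(name)
        if name is None:
            return None
    return None                                        # CNAME loop or chain too long
```

Run `lint_zone(build_zone())` before loading the file into bind; an empty result means every alias lands on a host record and no name will be rewritten by $ORIGIN.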


