DNS / Resolver question

Hello,

I have (or had would be more accurate) a pretty simple DNS setup. Basically my workstation’s DNS pointed to my server and then to public DNS servers, so my resolver file looked something like this:

search mydomain.com
nameserver 192.168.nnn.nnn
nameserver 68.87.76.178
nameserver 66.240.48.9

This is necessary because my server makes some DNS addresses accessible only to computers on my LAN – mainly my development websites (e.g.: dev.newwebsite.com).

Now I have a new variable, which is a VPN connection to a client’s LAN, and here I have a problem I am not sure how to solve. That is, I can see my client’s DNS server, or my DNS, but not both. To elaborate, if I set up my resolver file like this:

search clientsdomain.com mydomain.com
nameserver 10.nnn.nnn.nnn (client LAN)
nameserver 192.168.nnn.nnn (my LAN)
nameserver 68.87.76.178 (WAN)
nameserver 66.240.48.9 (WAN)

Then I can see my client’s DNS server (their network is on 10…) just fine, and the Internet. However, I cannot see my internal websites.

And, if I reverse the top entries so it looks like this:

search clientsdomain.com mydomain.com
nameserver 192.168.nnn.nnn (my LAN)
nameserver 10.nnn.nnn.nnn (client LAN)
nameserver 68.87.76.178 (WAN)
nameserver 66.240.48.9 (WAN)

Then I can see my internal websites but not the client’s. So it looks like the first nameserver is tried, fails and then it quits.

Yet, in each case I can resolve public DNS domains. I’m guessing this is because both mine and the client’s DNS servers will forward to the Internet if they can’t find the domain, so my resolver really isn’t ever using anything but the first entry… but that’s just my guess.

The goal of course is to see my internal websites, the client’s internal websites and the Internet.

Is there a simple way to make sure that the resolver does go down through the list if a not found occurs? I am testing this simply by using:

host myinternaldomain.com
host clientsinternaldomain.com
host publicdomain.com

If there is no simple way then I am sure I could control this with BIND which I have no problem setting up as I have already set it up for my server. However, it seems a bit extreme for just a workstation so hopefully someone knows the better solution.

Thanks,
Reg

Reggie wrote:

> Then I can see my internal websites but not the client’s. So it looks
> like the first nameserver is tried, fails and then it quits.

There is a difference between “lookup failed” and “not found”. If a
lookup fails, the next server is tried etc. If a server says “not
found”, that is a valid answer and no more lookups are done.

> Yet, in each case I can resolve public DNS domains. I’m guessing this
> is because both mine and the client’s DNS servers will forward to the
> Internet if they can’t find the domain

Yes, that’s the recursive lookup.

> so my resolver really isn’t ever using anything but the first entry…
> but that’s just my guess.

You’re guessing right.

> Is there a simple way to make sure that the resolver does go down
> through the list if a not found occurs?

Not to my knowledge.

> If there is no simple way then I am sure I could control this with
> BIND which I have no problem setting up as I have already set it up
> for my server.

Set up forwarding zones for the domains you’re interested in.


Per Jessen, Zürich (17.1°C)
http://en.opensuse.org/User:pjessen
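To show what the forwarding-zone setup above looks like in practice, here is an added example of a minimal named.conf for the workstation (not from this thread or from either poster). It assumes a local BIND listening on 127.0.0.1, the placeholder addresses from the original post (nnn stands for the real octets), and that the internal names live under mydomain.com, dev.newwebsite.com and clientsdomain.com:

```conf
// Added example, not part of the thread. Placeholder addresses and
// domain names are taken from the original post; "nnn" must be
// replaced with the real octets.
options {
    // Working directory; path is an assumption, adjust to your distro.
    directory "/var/lib/named";
    recursion yes;
    // Only this workstation should be able to query this instance.
    listen-on { 127.0.0.1; };
    allow-query { 127.0.0.1; };
    // Default for every name not matched by a zone below: the public
    // resolvers from the post.
    forwarders { 68.87.76.178; 66.240.48.9; };
    forward only;
};

// My LAN: names my own server answers for. "forward only" means a
// "not found" from that server is final and is not retried upstream.
zone "mydomain.com" {
    type forward;
    forward only;
    forwarders { 192.168.nnn.nnn; };
};

// The development site example from the post is also served only by
// my server, so it gets its own forward zone.
zone "dev.newwebsite.com" {
    type forward;
    forward only;
    forwarders { 192.168.nnn.nnn; };
};

// The client's LAN, reachable over the VPN.
zone "clientsdomain.com" {
    type forward;
    forward only;
    forwarders { 10.nnn.nnn.nnn; };
};
```

With this in place /etc/resolv.conf needs only `nameserver 127.0.0.1`, and the three `host` tests from the original post each reach the server that actually knows the name instead of stopping at the first one that answers "not found".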

Thanks, that pretty much answers everything.

Actually, the easiest solution is to put the known hosts that I want to find from the VPN network in the /etc/hosts file and then make sure that /etc/nsswitch.conf specifies to check the hosts file before the /etc/resolv.conf file - which is the default behavior anyway.