The state of resolv.conf

Les Mikesell lesmikesell at gmail.com
Wed Sep 17 12:50:25 UTC 2008


Nils Philippsen wrote:
> On Tue, 2008-09-16 at 11:23 -0500, Les Mikesell wrote:
>> For private ranges/domain views, you'd normally either have a local DNS 
>> server configured as primary or secondary for those zones that can 
>> also resolve public addresses, or for roaming vpn users you'd use a 
>> similar central private server that can resolve everything, public or 
>> private while you are connected.  You'll quickly go insane if you try to 
>> mix unrelated private connections (for example, if there really are 
>> different parts of your 10.x.x.x range that don't know about each 
>> other).   If there isn't some 'other' part of your 10.x range, you can 
>> point the whole /8 to a server that knows about the part you use.
> 
> I have a private network which has its own non-public name server. I
> connect to a VPN with "similar" addresses (10.x.y.z) that doesn't know a
> thing about my home network (and neither should it). From my POV, that
> bind still doesn't allow one to properly separate responsibilities here is
> an oversight that needs fixing.

As long as someone coordinates addresses on the private ranges you can 
survive, but the internet wasn't designed to permit duplicate addressing 
so you can't expect this to work in general.   In your scenario I'd have 
a local name server set up with the forward and reverse zones for the 
private local zones, with forwarders set for the private zones on the 
VPN pointed to a DNS server there (or, depending on your relationship, 
configure as secondary for those zones).   Likewise, depending on your 
relationship and whether the VPN is up all the time, you can let the DNS 
server on the VPN forward everything including public addresses to 
simplify the config, or you can use your ISP's servers, or just go to 
the public yourself.

Named can be configured to do what you want, it just is not graceful 
about dynamic changes.  You might have a complaint if you regularly 
switch your vpn connections among different private networks and have to 
switch the forwarders.

-- 
   Les Mikesell
    lesmikesell at gmail.com
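
The setup Les describes, written out as a BIND named.conf; this is an added example for illustration, not configuration posted in the thread. It assumes the home LAN is 10.1.0.0/16 under home.example, the VPN's private range is 10.2.0.0/16 under corp.example, the VPN's resolver is 192.0.2.53 and the ISP's resolver is 203.0.113.1; all of those names, addresses and file names are placeholders.

```conf
// Constructed example; every address, zone name and file name is a placeholder.
// Clients on the LAN point resolv.conf at this server (10.1.0.1) only.

options {
    directory "/var/named";
    // Anything not matched by a zone below is public: hand it to the ISP's
    // resolver, or drop these two lines to recurse from the roots yourself.
    forwarders { 203.0.113.1; };
    forward first;
    // Serve the LAN only; never answer the VPN side or the internet.
    listen-on { 127.0.0.1; 10.1.0.1; };
    allow-query { 127.0.0.1; 10.1.0.0/16; };
    allow-recursion { 127.0.0.1; 10.1.0.0/16; };
};

// Authoritative for the home network: forward and reverse zones.
zone "home.example" {
    type master;
    file "home.example.zone";
};
zone "1.10.in-addr.arpa" {
    type master;
    file "10.1.rev";
};

// The VPN's private zones: send these queries to the VPN's DNS server and
// never fall back to the ISP, which cannot answer them. If the relationship
// allows it, "type slave; masters { 192.0.2.53; };" instead of forwarding
// keeps the zones answerable while the VPN is down.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
zone "2.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

The reverse split only works because the two /16s differ; if both sides used the same part of 10/8 there is no zone boundary to forward on, which is the "can't expect this to work in general" case above. Changing VPNs means editing the forward zones and reloading named, which is the lack of grace with dynamic changes the post refers to.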

More information about the fedora-devel-list mailing list