On Thu, 24 Nov 2005 01:16:41 -0500
Dan Shoop <email@hidden> wrote:
Many things will fail without _*name resolution*_. If you have bad
DNS then names are resolved improperly and things break. If you
either choose not to use names, not to use DNS namespaces, or to
resolve names differently this is all perfectly acceptable too.
It's not that you /must/ have DNS, it's just if you /do/ have DNS
it /must/ be right.
DNS is just *a* way to resolve names.
You may find this hard to believe but DNS is a very recent
protocol, and the Internet ran fine for eons without it. You might
not remember it, but to me it's still a relative newcomer, like
HTTP.
Uh, DNS was used on ARPAnet starting in 1983-4.
Introduced, though not widely used during those years. yp was far,
far more prevalent. Heck, SunOS didn't even understand DNS for some
time afterwards.
And regardless, NAT is a level 2/3 mapping and cares not one bit
about DNS. It doesn't use it, need it or care about it. Not one
bit. It's all IP addresses, no names are involved to protect the
guilty. It says some IP address gets remapped to some other IP
address, nothing more. NAPT says that some IP-address:port gets
mapped to some other IP-address:port, still no names there either.
NAT does not need DNS. Period.
Correct. You're the only person in this discussion who has
brought up this argument. You said most people shouldn't be running
their own DNS, and I suggested that if the OP was NATing, he should
run his own internally to resolve the private addresses, as that's
*generally* easier than trying to get an ISP to resolve
host.domain.com to two different IPs depending on where the request
is coming from. You chose to read what I said as me asserting that
NAT somehow requires DNS. Well, it doesn't and we both know that.
At 11:10 AM -0600 11/22/05, Brendan O'Toole wrote:
In most cases people don't need to or shouldn't be running their DNS locally.
Except anyone running NAT who needs resolution of internal
addresses, which the OP is...
Implies DNS is required. It's not.
Either you implied incorrectly that DNS was required for NAT, or that
DNS was required for resolution of internal addresses, which is also
untrue. Take your pick.
Assuming the internal DNS server has a private IP and isn't
multi-homed, there's no need for any border hacking OR extra BIND
configuration.
While it can't be queried, it can poison other servers if it can
access them through a gateway.
Can we agree that best practice for DNS resolution for a site using
NAT/PAT and private IPs is to have public IPs resolved by an
upstream ISP's DNS server and private IPs resolved by an internal,
not routed, DNS server that will forward queries for hosts outside
the private space to external DNS?
No.
While a practice, I don't consider it optimal as it requires multiple
name servers for the same zone. Why not simply use views on the
external server, and optionally have a caching server locally that
does nothing else?
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
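The "views on the external server" approach Dan suggests, shown as an added example that is not part of the thread or of any poster's own configuration: a single BIND 9 named.conf fragment that answers the same zone with private addresses for inside clients and public addresses for everyone else, and that refuses recursion to the outside world. The zone name example.com, the addresses 192.168.1.0/24 and 203.0.113.10, and the zone file names are placeholders.

```conf
// Added example: BIND 9 split-horizon ("views") configuration.
// example.com, 192.168.1.0/24 and 203.0.113.10 are placeholder values.

acl "internal" { 192.168.1.0/24; 127.0.0.1; };

// Views are tried in order and the first match-clients hit wins,
// so the internal view must come before the catch-all external one.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                    // inside hosts may use this server as their resolver
    allow-recursion { "internal"; };  // but nobody else may
    zone "example.com" {
        type master;
        file "example.com.internal";
        // zone file contents (placeholder):
        //   host  IN  A  192.168.1.10
    };
};

view "external" {
    match-clients { any; };
    recursion no;                     // authoritative answers only for the Internet
    allow-query { any; };
    zone "example.com" {
        type master;
        file "example.com.external";
        // zone file contents (placeholder):
        //   host  IN  A  203.0.113.10
    };
};
```

With this layout there is one authoritative server for the zone rather than two copies of it to keep in sync. The recursion settings are what address the caveat raised earlier in the thread: a server that will recurse for anyone reachable through the gateway is exactly the kind that can have its cache poisoned, so recursion is confined to the internal ACL and the external view serves only what it is authoritative for. If a separate caching-only resolver is run inside, the same allow-recursion and allow-query restrictions apply to it.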
Macos-x-server mailing list (email@hidden)