Great Circle Associates Firewalls
(February 1993)
 


Subject: Re: e-mail behind a firewall
From: Brent Chapman <brent@GreatCircle.COM>
Date: Tue, 16 Feb 93 15:01:07 -0800
To: Tony Luck <aegl@ossi.com>
Cc: Firewalls@GreatCircle.COM
In-reply-to: Your message of Thu, 28 Jan 93 17:24:29 PST

# We've almost got our internet connection ... but the question of how to
# make e-mail work is puzzling some of us.
# 
# We are using filters in a router to block undesirable packets from reaching
# our local net from the big bad world.  Most of our systems are Sun4's of
# various vintages mostly running SunOS 4.1.2.
# 
# My question is on how to set up DNS.  Currently we don't care if the outside
# world can see our local hostnames ... in fact some parts of the company seem
# to think that it is a neat idea for their workstation name to appear on e-mail
# headers ... this means that we have to support incoming mail with addresses
# like:
# 	<user@machine.our.domain>
# 
# If we ran separate name servers for internal and external consumption, we
# could support this by advertising MX records on the internet for all local
# machines pointing them at our two mail servers ... while internally the
# MX records for each host would point at themselves.
# 
# But, we don't think that we want separate name servers.  So currently we are
# planning on advertising 3 MX records for each host.  The highest priority
# will point to itself, the next two point to each of the mail gateways.  Thus
# from inside the firewall, people will choose the first MX record and deliver
# directly.  From outside, machines will first try direct delivery and get
# bounced by the filter in the router with ICMP_UNREACHABLE ... and so they
# should fall back to one of the other MX records and deliver to one of our
# gateways.
# 
# Is this an OK plan?  Will it even work!?  Should we really go for different
# internal and external name servers? Has anyone ever ``fixed'' named to give
# different answers depending on who is asking the questions?
# 
# -Tony Luck <aegl@ossi.com>

Did you ever get an answer to this?  Basically, yes, it will work.  I've
got a couple of sites that are set up that way.  The biggest thing you
have to be careful of is that some versions of Sendmail (particularly
on Suns, unless you've installed Sun patch 100377) are buggy, and
don't reliably recognize themselves in a list of MX records for an
internal host.  If you're running such a broken Sendmail on your
gateway, and the internal host happens to be down, the gateway will
happily try the next host in the list, which is itself.  What it
_should_ do is notice that the next-best-host is itself, and simply
hold on to the message.  What it _will_ do is open an SMTP connection
to itself, which trips the "I refuse to talk to myself" or "hostname
configuration error" trap (depending on which version of Sendmail you
have), and bounces the message.

Setting up multiple DNS servers is not difficult.  You set up the
gateway machine to have a DNS server that only knows what you want the
outside world to know.  You set up another DNS server on an internal
machine that knows about all your hosts and forwards non-local queries
to the gateway DNS server (via a "forwarders" line in the
/etc/named.boot file).  You rig all DNS clients (via their
/etc/resolv.conf files), PARTICULARLY including those on the gateway
host, to talk to the internal server.  If a client (even on the
gateway) asks a question about an internal machine, it gets the answer
from the internal server.  If a client (internal or gateway) asks
about an external machine, the internal server forwards the query to
the gateway server, then forwards the response back to the client.  If
somebody out on the Internet asks something, however, they can only
get back what the gateway server knows (which isn't much).


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
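
Added here as an illustration, not code from the original thread: a small Python model of RFC 974 MX selection that shows why Tony's three-MX plan works for a sender outside the router filter, and how the Sendmail self-recognition bug Brent describes turns a down internal host into a bounce instead of a queued message. All hostnames and preference values are constructed placeholders.

```python
# Added example (not from the original thread): a small model of RFC 974 MX
# selection, used to show why the three-MX plan works from outside and why
# the Sendmail bug Brent mentions turns a down internal host into a bounce.
# All hostnames and preference values below are constructed placeholders.

MX_RECORDS = {
    "ws1.our.domain": [
        (10, "ws1.our.domain"),  # highest priority: the host itself
        (20, "gw1.our.domain"),  # then the two mail gateways
        (30, "gw2.our.domain"),
    ],
}


def delivery_candidates(domain, my_names, mx=MX_RECORDS, self_check=True):
    """Ordered list of MX hosts an MTA should try for `domain`.

    RFC 974: sort by preference; if the MTA finds itself among the MX
    hosts, drop itself and every record of equal or worse preference.
    An empty list means "we are the best MX: deliver locally".
    self_check=False mimics the buggy Sendmail: it keeps itself in the list.
    """
    records = sorted(mx.get(domain, []))
    if not records:
        return [domain]  # no MX at all: use the host's own address record
    if self_check:
        own = [pref for pref, host in records if host in my_names]
        if own:
            records = [(p, h) for p, h in records if p < min(own)]
    return [host for _, host in records]


def attempt_delivery(domain, my_names, reachable, self_check=True):
    """Simulate one delivery attempt from an MTA whose names are `my_names`.

    reachable: hosts this MTA can open SMTP to right now (from outside the
    router filter the internal hosts are missing; a down host is missing too).
    Returns ("local", None), ("deliver", host), ("queue", None) when the only
    better hosts are unreachable, or ("bounce", host) when the buggy MTA ends
    up connecting to itself ("I refuse to talk to myself").
    """
    candidates = delivery_candidates(domain, my_names, self_check=self_check)
    if not candidates:
        return ("local", None)
    for host in candidates:
        if host in my_names:
            return ("bounce", host)
        if host in reachable:
            return ("deliver", host)
    return ("queue", None)
```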

