
Primary DNS server, NAT, and sendmail configuration problems.


Steve Fabac
Jul 17, 2000
Some preliminaries out of the way: Yes, I studied the configuration
information on aplawrence.com. Yes, I checked the examples in
/etc/named.d and modified them as appears appropriate for the local
system. No, the name registered to company.com is not pointing to the
single IP address assigned by the ISP for company.com (a prior
registration for company.com hosted by a different ISP is still in
effect until the ADSL line is "up" and we make the change).

I have previously set up another client with the same ISP, ADSL router
and SCO 5.0.5 but did not set up DNS. On that system I merely set up
the /etc/resolv.conf file and pointed to the ISP's DNS server. I set
all the Windows 95 machines to point to the ISP's DNS server and set the
default route to the ADSL router's LAN IP. In that case, the ADSL line
was working at the time and I did not have to try to set up DNS. For
that company, I set up Netscape Communicator 4.7 on all the Windows
machines and pointed the incoming and outgoing mail to the UNIX box.
Everything works peachy on that system. However, I don't have ppp dial
in networking configured and so don't have experience that translates
to the current problem.

The problem:

On a network where the local machines are on a 192.168.x.x private
network and an ADSL router is providing NAT so that the only public
IP address is defined by the ISP's DNS server, can I set up a primary
DNS server for the local network? And have this primary server also be
responsible for defining the company.com public IP address and propagate
the DNS record up to the root servers? Or must I rely on the ISP's DNS
server to resolve queries for company.com?

If I set up a primary server, it must resolve the dial-up ppp links
whereby the company's outbound sales staff will connect to the UNIX box
and demo the company's products from client locations (all local calls,
no need to do it over the internet). It would then be natural that the
sales people will want to access the e-mail from the UNIX box over the
dialup ppp connection.

I have read the manuals and modified the /etc/named.d/ named.local,
named.rev, and named.hosts using the IP addresses and local machine
names so that Termlite can connect from the Windows 95 machines to the
UNIX box without the 2 minute delay common when DNS is mis-configured.

The ADSL router has been installed and configured but the line to the
provider is not yet working as the local telco reports "bad pair" and
the installation is in "engineering."

Prior to setting up DNS, I was using /etc/hosts without DNS and company
mail was handled by a Windows machine using a dialup ISP account.

In anticipation of getting the ADSL line up and working, I have created
a Primary DNS server (as secondary, caching only, and forwarding, are
not available until the line is working) and tried to configure MS
Outlook on the Windows PC to send and receive e-mail through the UNIX
server.

I have two problems: Outlook connects to the UNIX box ok and copies
messages in the /usr/spool/mail/user_name files to the pc without
problem but can't send e-mail from any of the Win 95 boxes to anywhere
because it gets an error message "forwarding not allowed."

The forwarding message is being generated by sendmail as I configured
the SCO 5.0.5 default sendmail.cf file to enable the mail forwarding
restrictions in /usr/spool/mail/antispam/README.spam to prevent the
SCO box from being a forwarder for anonymous Internet users.

With DNS configured as a primary server, the Outlook clients on the
Windows 95 boxes send mail in the form of "j...@company.com" and the
primary DNS server on the UNIX box can't resolve company.com. It
can resolve j...@mail.company.com, but of course, we want the e-mail
address to be us...@company.com and hide the machine name.

Once the ADSL line is up, I can kill DNS on the UNIX box and rely on
the ISP's DNS server to resolve company.com for sendmail.

For the time being, I would like to get Outlook working and moving
mail between Windows 95 PCs on the local network and from ppp dial-in
machines.

If anyone can help with examples of working configuration files that
allow a primary DNS server to service a private network, resolve
PPP dialup machines and satisfy MS Outlook/sendmail, the information
contributed may be suitable for a "how to" to be contributed to the
newsgroup FAQ.

TIA


Steve Fabac
S.M. Fabac & Associates
816/765-1670

Stuart J. Browne
Jul 18, 2000
quick 'n nasty.. put 'company.com' on the line in /etc/hosts for the unix
server.. possibly put "company.com. IN A <unix host ip>" in the name
server config..

take your pick. they should both do the same.

NOTE: The "." on the end of company.com. for the name server means it's a
root-address. If you left it as 'company.com IN A ..', it would then
try to do "company.com.company.com." which, err, well it's wrong.

bkxie
--
Yes! I am a pixie!


"Steve Fabac" <smf...@worldnet.att.net> wrote in message
news:39737C7F...@worldnet.att.net...

Steve Fabac
Jul 18, 2000
Stuart J. Browne wrote:
>
> quick 'n nasty.. put 'company.com' on the line in /etc/hosts for the unix
> server.. possibly put "company.com. IN A <unix host ip>" in the name
> server config..
>
> take your pick. they should both do the same.
>
> NOTE: The "." on the end of company.com. for the name server means it's a
> root-address. If you left it as 'company.com IN A ..', it would then
> try to do "company.com.company.com." which, err, well it's wrong.
>
> bkxie
> --
> Yes! I am a pixie!
>

This is my original, unmodified /etc/hosts as was working prior to
setting up primary DNS.

cat /etc/hosts
# @(#)hosts,v 6.1 1993/08/21 02:17:48 stevea Exp - STREAMware TCP/IP source
# SCCS IDENTIFICATION
127.0.0.1 localhost
192.168.10.1 tf064 tf064
192.168.10.2 winpc1 winpc1
192.168.10.3 winpc2 winpc2
192.168.10.4 winpc3 winpc3
192.168.10.5 winpc5 winpc5
192.168.10.6 winpc4 winpc4
192.168.10.7 winpc6 winpc6
192.168.10.8 winpc7 winpc7
192.168.10.9 winpc8 winpc8
192.168.10.10 delpc1 delpc1
192.168.10.250 netopia netopia
192.168.20.1 ppphost
192.168.20.2 pppclient angie


# nslookup
Default Server: tf064.company.com
Address: 192.168.10.1

> company.com
Server: tf064.company.com
Address: 192.168.10.1

Name: tf064.company.com
Address: 192.168.10.1
Aliases: company.com, mail.company.com

> pppclient
Server: tf064.company.com
Address: 192.168.10.1

Name: pppclient.company.com
Address: 192.168.20.2

> ppphost
Server: tf064.company.com
Address: 192.168.10.1

Name: ppphost.company.com
Address: 192.168.20.1

> ls company.com
[tf064.company.com]
ns_initparse: Message too long
*** Can't list domain company.com: Unspecified error

> exit


# cat named.local
;
; @(#) named.local 68.2 98/01/14
;
;
; Don't forget to increment the serial number in named.soa
;

$INCLUDE named.soa
1 IN PTR localhost.
1.10 IN PTR tf064.company.com
2.10 IN PTR winpc1.company.com
3.10 IN PTR winpc2.company.com
4.10 IN PTR winpc3.company.com
6.10 IN PTR winpc4.company.com
5.10 IN PTR winpc5.company.com
7.10 IN PTR winpc6.company.com
8.10 IN PTR winpc7.company.com
9.10 IN PTR winpc8.company.com
1.20 IN PTR ppphost.company.com
2.20 IN PTR pppclient.company.com
10.10 IN PTR delpc1.company.com
250.10 IN PTR netopia.company.com

# cat named.hosts
;
; @(#) named.hosts 68.2 98/01/14
;
;
; Don't forget to increment the serial number in named.soa
;

$INCLUDE named.soa

localhost IN A 127.0.0.1
IN MX 50 tf064.company.com.
tf064 IN A 192.168.10.1
mail IN CNAME tf064
mailhost IN CNAME tf064

This is the last change I made to named.hosts. It produces the nslookup
result where company.com resolves as shown. However, now the nslookup ls
command fails with the message "ns_initparse: Message too long
*** Can't list domain company.com: Unspecified error":

company.com. IN CNAME mail.company.com.

winpc1 IN A 192.168.10.2
winpc2 IN A 192.168.10.3
winpc3 IN A 192.168.10.4
winpc4 IN A 192.168.10.6
winpc5 IN A 192.168.10.5
winpc6 IN A 192.168.10.7
winpc7 IN A 192.168.10.8
winpc8 IN A 192.168.10.9
delpc1 IN A 192.168.10.10
netopia IN A 192.168.10.250
ppphost IN A 192.168.20.1
pppclient IN A 192.168.20.2
company.com. IN MX 0 mail.company.com.


# cat named.rev
;
; @(#) named.rev 68.2 98/01/14
;
; Don't forget to increment the serial number in named.soa
;

$INCLUDE named.soa

1 IN PTR tf064.company.com.
1 IN PTR mail.company.com.
2 IN PTR winpc1.company.com.
3 IN PTR winpc2.company.com.
4 IN PTR winpc3.company.com.
5 IN PTR winpc5.company.com.
6 IN PTR winpc4.company.com.
7 IN PTR winpc6.company.com.
8 IN PTR winpc7.company.com.
9 IN PTR winpc8.company.com.
10 IN PTR delpc1.company.com.
20.1 IN PTR ppphost.company.com.
20.2 IN PTR pppclient.company.com.
250 IN PTR netopia.company.com.

This is before the CNAME line was added above:

# nslookup
Default Server: tf064.company.com
Address: 0.0.0.0

> tf064.company.com
Server: tf064.company.com
Address: 0.0.0.0

Name: tf064.company.com
Address: 192.168.10.1

> mail.company.com
Server: tf064.company.com
Address: 0.0.0.0

Name: tf064.company.com
Address: 192.168.10.1
Aliases: mail.company.com

> company.com
Server: tf064.company.com
Address: 0.0.0.0

*** tf064.company.com can't find company.com: Non-existent host/domain

> ppphost
Server: tf064.company.com
Address: 0.0.0.0

Name: ppphost.company.com
Address: 192.168.20.1

> pppclient
Server: tf064.company.com
Address: 0.0.0.0

Name: pppclient.company.com
Address: 192.168.20.2

> ls company.com
[tf064.company.com]
$ORIGIN company.com.
@ 1D IN SOA tf064 root.company.com (
2132646216 ; serial
3H ; refresh
30M ; retry
5w6d16h ; expiry
1D ) ; minimum

1D IN NS tf064
1D IN MX 0 mail
ppphost 1D IN A 192.168.20.1
winpc5 1D IN A 192.168.10.5
winpc6 1D IN A 192.168.10.7
winpc7 1D IN A 192.168.10.8
winpc8 1D IN A 192.168.10.9
tf064 1D IN A 192.168.10.1
mailhost 1D IN CNAME tf064
netopia 1D IN A 192.168.10.250
localhost 1D IN MX 50 tf064
1D IN A 127.0.0.1
mail 1D IN CNAME tf064
pppclient 1D IN A 192.168.20.2
winpc1 1D IN A 192.168.10.2
winpc2 1D IN A 192.168.10.3
delpc1 1D IN A 192.168.10.10
winpc3 1D IN A 192.168.10.4
winpc4 1D IN A 192.168.10.6
@ 1D IN SOA tf064 root.company.com (
2132646216 ; serial
3H ; refresh
30M ; retry
5w6d16h ; expiry
1D ) ; minimum

> exit
#

The modifications to named.hosts above seem to have allowed
DNS to resolve company.com but now the ls function is not working.

What do I need to clean up in the named.xxx files to preserve the
resolution of company.com and restore the nslookup ls function?
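As an added example (not from the thread), a small Python zone-file lint run over the named.hosts posted above: it applies the trailing-dot rule Stuart described, shows where the owner-less "IN MX 50" line actually ends up (the ls listing confirms it attached to localhost), and flags the CNAME for company.com. that now shares the apex with the SOA, NS and MX records, a combination RFC 1034 forbids. The SOA and NS lines are reconstructed from the ls listing because named.soa itself was not posted.

```python
from collections import defaultdict

ORIGIN = "company.com."
TYPES = {"A", "CNAME", "MX", "NS", "PTR", "SOA", "TXT"}
NAME_IN_RDATA = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1}  # where a host name sits

# Apex records named.soa contributes, reconstructed from the posted
# "ls company.com" listing (the file itself was not posted).
NAMED_SOA = """\
@ IN SOA tf064 root.company.com ( 2132646216 3H 30M 5w6d16h 1D )
  IN NS tf064
"""

# The posted named.hosts, trimmed, with $INCLUDE dropped and the CNAME
# line that was added before "ls" started failing put back in place.
NAMED_HOSTS = """\
localhost IN A 127.0.0.1
IN MX 50 tf064.company.com.
tf064 IN A 192.168.10.1
mail IN CNAME tf064
mailhost IN CNAME tf064
company.com. IN CNAME mail.company.com.
ppphost IN A 192.168.20.1
pppclient IN A 192.168.20.2
company.com. IN MX 0 mail.company.com.
"""

def qualify(name, origin=ORIGIN):
    """BIND's rule: a name without a trailing dot gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (owner, type, rdata, owner_inherited) tuples, names qualified."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        # No owner field (leading blank, or the line starts with the class
        # or a type): the record silently attaches to the previous owner.
        inherited = raw[0].isspace() or tokens[0] == "IN" or tokens[0] in TYPES
        if not inherited:
            owner = qualify(tokens.pop(0), origin)
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in NAME_IN_RDATA:
            i = NAME_IN_RDATA[rtype]
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, rtype, rdata, inherited))
    return records

def lint(records):
    """Report inherited owners and CNAMEs that share a name with other data."""
    findings, types_by_owner = [], defaultdict(set)
    for owner, rtype, rdata, inherited in records:
        types_by_owner[owner].add(rtype)
        if inherited:
            findings.append(f"info: '{rtype} {' '.join(rdata)}' has no owner; attaches to {owner}")
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append(f"error: {owner} has a CNAME beside {others} (RFC 1034 3.6.2)")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_zone(NAMED_SOA + NAMED_HOSTS)):
        print(finding)
    # Stuart's point: 'company.com IN A' without the dot is re-qualified.
    print("company.com IN A ... is really", qualify("company.com"))
```

The same lint applied to named.rev would also catch the two PTR records that share owner 1 (tf064 and mail), which is legal but usually unintended.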

Tony Earnshaw
Jul 18, 2000
Steve Fabac wrote:

> If anyone can help with examples of working configuration files that
> allow a primary DNS server to service a private network, resolve
> PPP dialup machines and satisfy MS Outlook/sendmail, the information
> contributed may be suitable for a "how to" to be contributed to the
> newsgroup FAQ.

You've already had an extremely long and comprehensive reply. All I'm
going to do is to tell you what works for us, using a registered domain
and ethernet / frame relay router connection:

BIND 8.2.2 patch 5, SCO OpenServer 5.0.5 with tls709 for NAT, just about
NOTHING in /etc/hosts. /etc/resolv.conf refers back to our server as
nameserver. hostresorder bind, local.

1: frame relay <-> frame relay/ethernet router <-> \
SCO Openserver 5.0.5 with NAT <-> private network

The frame relay router and the external NIC of the SCO server have
public IP addresses in the same class C block, the internal NIC has
private addresses in a class C block. netmasks are appropriate to the IP
numbers and size of the block.

2: the nameserver on the SCO server/router is configured in zones. The
primary (external NIC) zone, for which the nameserver has Internet
authority (available from your ISP), is company.com. The internal zone
(private network) is localhosts.company.com. Both zones have different
SOA files, master zone files and in-addr.arpa zone files.

In fact, your nameserver can be authoritative for as many zones
(domains) as you wish, but each authority will have to be cleared/agreed
with your ISP before it can become such (not the private network, of
course).

3: Dial-in PPP connections are to the internal network and get their IP
numbers from a dhcp server (on the SCO server).

Tony Earnshaw

Steve Fabac
Jul 18, 2000
Tony Earnshaw wrote:
>
> Steve Fabac wrote:
>
> > If anyone can help with examples of working configuration files that
> > allow a primary DNS server to service a private network, resolve
> > PPP dialup machines and satisfy MS Outlook/sendmail, the information
> > contributed may be suitable for a "how to" to be contributed to the
> > newsgroup FAQ.
>
> You've already had an extremely long and comprehensive reply. All I'm
> going to do is to tell you what works for us, using a registered domain
> and ethernet / frame relay router connection:

I've checked the reply Tony, and, it's from >me< replying to Stuart
Browne. That reply contains information from my last stab at
configuring DNS. It resolves company.com but Outlook is still not
happy, and nslookup "ls company.com" fails with an error message.


>
> BIND 8.2.2 patch 5, SCO OpenServer 5.0.5 with tls709 for NAT, just about
> NOTHING in /etc/hosts. /etc/resolv.conf refers back to our server as
> nameserver. hostresorder bind, local.
>
> 1: frame relay <-> frame relay/ethernet router <-> \
> SCO Openserver 5.0.5 with NAT <-> private network
>
> The frame relay router and the external NIC of the SCO server have
> public IP addresses in the same class C block, the internal NIC has
> private addresses in a class C block. netmasks are appropriate to the IP
> numbers and size of the block.
>
> 2: the nameserver on the SCO server/router is configured in zones. the
> primary (external NIC) zone, for which the nameserver has Internet
> authority (available from your ISP) is company.com. The internal zone
> (private network) is localhosts.company.com. Both zones have different
> SOA files, master zone files and in-addr.arpa zone files.

Good information but still doesn't help me duplicate your configuration.
I read what you posted as "I make a good chocolate cake and you can
too."
Without posting your recipe, I can spend weeks trying all combinations
of ingredients until I hit it lucky.

Please, please take a minute and post an abbreviated (and edited for
privacy) copy of your DNS files so that I can try to understand how
such a configuration can be accomplished.

And Tony, please don't take offense at the above. I am just exasperated
at trying to get this stuff to play nice together.

>
> In fact, your nameserver can be authoritative for as many zones
> (domains) as you wish, but each authority will have to be cleared/agreed
> with your ISP before it can become such (not the private network, of
> course)..
>
> 3: Dial-in PPP connections are to the internal network and get their IP
> numbers from a dhcp server (on the SCO server).

Is that SCO ppp or Morningstar ppp? I have never had to configure more
than one modem per site for a PPP connection and so have always just
assigned the IP address manually. Normally, I use ppphost for the
server end of the connection and pppclient for the Win95 computer.

In my last attempt to set up the client's system, nslookup resolves
pppclient and ppphost to the correct IP. If I try to ping
mail.company.com from the Windows box, it can't find the host. If I
ping ppphost then ping works and SCO Termlite can be set to connect
to ppphost.

Steve Fabac

>
> Tony Earnshaw

Tony Earnshaw
Jul 19, 2000, to Steve Fabac
Steve Fabac wrote:

> Good information but still doesn't help me duplicate your configuration.
> I read what you posted as "I make a good chocolate cake and you can
> too."

Eeee. I can't bake chocolate cakes. My Norwegian girl friend _loves_
baking chocolate cakes, but I don't like cakes of any kind. Now, steak
and kidney pies, sausage rolls, - drool :-)

> Without posting your recipe, I can spend weeks trying all combinations
> of ingredients until I hit it lucky.

> Please, please take a minute and post an abbreviated (and edited for
> privacy) copy of your DNS files so that I can try to understand how
> such a configuration can be accomplished.

I'll not post them, but send you a tarball separately with the contents
of the complete /var/named directory of a domain name server that I had
running at my last firm.

Don't forget that the named.conf only works with BIND version 8, not
version 4.

None of the domains served exist any more, but as an example you might
find it useful :-) I've always used /var/named as nameserver directory,
since Novell's UnixWare days. Our /etc/named.conf is a symlink to
/var/named/named.conf.

> And Tony, please don't take offense at the above. I am just exasperated
> at trying to get this stuff to play nice together.

Course I don't take offence.

> > 3: Dial-in PPP connections are to the internal network and get their IP
> > numbers from a dhcp server (on the SCO server).

> Is that SCO ppp or Morningstar ppp? I have never had to configure more
> than one modem per site for PPP connection and so have always just
> assigned the IP address manually. Normally, I use ppphost for the
> server end of the connection and pppclient for the Win95 computer.

Sorry, I've used Shiva LanRovers for multiple dial-in points and
AccessPorts for single/double dial-in. I've used MorningStar PPP for
OpenServer dial-out to ISPs; in the latter case the PPP configuration
was always used as an Internet connection. I've never used MorningStar
for dial-in points, and I've never used SCO PPP at all.

> In my last attempt to set up the client's system, nslookup resolves
> pppclient and ppphost to the correct IP. If I try to ping
> mail.company.com from the Windows box, it can't find the host.

> If I
> ping ppphost then ping works and SCO Termlite can be set to connect
> to ppphost.

This should be resolved once you get the nameserver working properly. By
the way, take note of every single dot ('.') in the zone files! Every
single one!!! Without any of them your name server will not work. Also,
be sure to configure your in-addr.arpa files correctly and give each
zone table a name server.

Tony Earnshaw

Bill Vermillion
Jul 19, 2000
In article <3974DFBD...@worldnet.att.net>,

Steve Fabac <smf...@worldnet.att.net> wrote:
>Tony Earnshaw wrote:

>> Steve Fabac wrote:

>> > If anyone can help with examples of working configuration files
>> > that allow a primary DNS server to service a private network,
>> > resolve PPP dialup machines and satisfy MS Outlook/sendmail,
>> > the information contributed may be suitable for a "how to" to
>> > be contributed to the newsgroup FAQ.

>> You've already had an extremely long and comprehensive reply.
>> All I'm going to do is to tell you what works for us, using a
>> registered domain and ethernet / frame relay router connection:

>I've checked the reply Tony, and, it's from >me< replying to Stuart
>Browne. That reply contains information from my last stab at
>configuring DNS. It resolves company.com but Outlook is still not
>happy, and nslookup "ls company.com" fails with an error message.

Running 8.2.2-P5-NOESW on FreeBSD and trying just a plain ls
xxx.xxx, I will see error messages in the log files for domains
for which I am not designated master/slave.

Does your named.conf designate your DNS as master for
'company.com', or are you running a caching-only DNS? I will also
get this error if I am a secondary for a site and the secondary
files are not transferred and stored on my DNS server. The
transfers do take place to the nameserver, as a SIGINT will
dump the named_dump.db file and those secondaries are indeed in
memory.

So check to make sure that you have 'type master' in the named.conf
entry for company.com. If you do, check to see what exact error
messages you are getting in the message logs when you get
the above error message.

>Please, please take a minute and post an abbreviated (and edited for
>privacy) copy of your DNS files so that I can try to understand how
>such a configuration can be accomplished.

I'll make a counter offer. Since I'm assuming your files are small,
tar up the directory, compress it and encode it and ship it to me by
mail. The current DNS I'm maintaining comes up to about a 350K tar
file, and at the past place with lots of addresses and domains, the
directory was a 1.2MB gzipped tar file. I can't say I'm an expert
but I can usually make it work.

Have you searched the net for 'nslint'? You'll need to compile it,
but I've found it's an invaluable tool for maintaining DNS once you
get above a couple of domain names.

>And Tony, please don't take offense at the above. I am just exasperated
>at trying to get this stuff to play nice together.

I can empathize with that. I found that a combination of the SCO
style and that in the 'cricket' book [DNS/BIND - O'Reilly], works
best. Then I've thrown my own naming convention in on top of that
- and for me it's easier.

Bill
--
Bill Vermillion bv @ wjv.com

Steve Fabac
Jul 28, 2000
Tony Earnshaw wrote:
>
> Steve Fabac wrote:
>
> > Good information but still doesn't help me duplicate your configuration.
> > I read what you posted as "I make a good chocolate cake and you can
> > too."
>
> Eeee. I can't bake chocolate cakes. My Norwegian girl friend _loves_
> baking chocolate cakes, but I don't like cakes of any kind. Now, steak
> and kidney pies, sausage rolls, - drool :-)
>
> > Without posting your recipe, I can spend weeks trying all combinations
> > of ingredients until I hit it lucky.
>
> > Please, please take a minute and post an abbreviated (and edited for
> > privacy) copy of your DNS files so that I can try to understand how
> > such a configuration can be accomplished.
>
> I'll not post them, but send you a tarball separately with the contents
> of the complete /var/named directory of a domain name server that I had
> running at my last firm.
>
Snip

> Tony Earnshaw

Tony,

Thanks for sending me your tarball. I have not had time to analyze
it and try to apply its configuration to my client's system.

Since my last post, the IDSL line was brought on-line and
I have removed the named.conf file in /etc and killed named.
I have installed the /etc/resolv.conf that points to the ISP's
DNS server and have had the ISP hosting the client's web site
update their DNS records so that company.com points to the
public IP address of the IDSL router.

Browsing the internet works ok and e-mail to some sites works,
but e-mail to att.net and swbell.net fails.

The odd thing is that if I telnet to port 25 on the mail host
for swbell (returned by dig MX swbell.net) I can interactively
enter HELO, MAIL FROM:, and RCPT TO: using the account names
on company.com and my mail address at swbell.net and the mail
is accepted and delivered to target address. If I try "telnet
swbell.net 25" I get connected to a web server and not the mail
host(s) machine.

If I use mail -s "testing" smf...@swbell.net, the message
hangs up in /usr/spool/mqueue and is returned to me as undeliverable.

As I pointed out in my first posting, I have two clients on the same
ISP with IDSL connections. Both are running SCO 5.0.5 Enterprise and
both are set up the same way (/etc/resolv.conf, sendmail.cf, etc.
modified with the appropriate company information).

One client can send mail without problems to att.net and swbell.net.
The other client (company.com) can not.

The only difference between the two sites is that the bad site was set up
with a primary DNS server (now disabled) while the IDSL line was
inoperable. The other company's sendmail.cf and resolv.conf were set up
after the IDSL line was working and DNS was never attempted on their
system.

I am pulling my hair over this one. It looks like sendmail at the
"bad" site is not correctly getting the MX record for swbell.net
or att.net. Sending e-mail addressed to smf...@mta1.rcsntx.swbell.net
works from the "bad" site, but smf...@swbell.net does not.

Any suggestions?

Steve Fabac
Jul 29, 2000
Steve Fabac wrote:
>
> Tony Earnshaw wrote:
> >
> > Steve Fabac wrote:
> >
> > > Good information but still doesn't help me duplicate your configuration.

Snip

Found it!!!!

This system was set up with the "service.switch" modification in
SCO TA107669, created on 07 April 1997, last updated on 18 January 2000.

This modification was applied to the system some months back to try
to resolve the apparent problem with SCO 5.0.5 with 3Com 3C905 NIC
and Digi MPI 3.0.

When I began working on this client to reconfigure the system for
internet mail, I edited the sendmail.cf file and changed the line
OI-DNSRCH back to just OI. I then removed the lines in sendmail.cf
that refer to /etc/service.switch.

BUT I DID NOT remove /etc/service.switch. Even without the line in
sendmail.cf that referred to /etc/service.switch, SCO's version 8.8.8
will still find the /etc/service.switch file and then it failed
to resolve the MX records for att.net and swbell.net.

I hope this post helps someone else fighting the same problem.

Steve Fabac
S.M. Fabac & Associates

816/765-1670
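To show why the symptom in the two posts above looks the way it does (a manual SMTP session to the MX host works, "telnet swbell.net 25" lands on a web server, and mail to user@swbell.net bounces), here is an added Python model, not sendmail's code and not from the thread, of the decision a service.switch "hosts" entry drives: MX records are consulted only when dns is among the hosts methods, otherwise the mailer falls back to a plain address lookup of the domain. The contents of the leftover /etc/service.switch, the MX set and the TEST-NET addresses are constructed assumptions; only the host name mta1.rcsntx.swbell.net comes from the post.

```python
# Constructed stand-ins for what the resolver and /etc/hosts would return.
# TEST-NET addresses; the MX set and IPs are not swbell.net's real data.
DNS = {
    "swbell.net.": {"A": ["192.0.2.80"],   # the web server "telnet swbell.net 25" hit
                    "MX": [(10, "mta1.rcsntx.swbell.net."),
                           (20, "mta2.rcsntx.swbell.net.")]},
    "mta1.rcsntx.swbell.net.": {"A": ["192.0.2.25"]},
    "mta2.rcsntx.swbell.net.": {"A": ["192.0.2.26"]},
}
ETC_HOSTS = {"tf064": "192.168.10.1"}   # local hosts file snapshot (constructed)

def parse_service_switch(text):
    """Parse 'hosts dns files'-style lines from /etc/service.switch."""
    switch = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            switch[fields[0]] = fields[1:]
    return switch

def lookup_a(name, methods):
    """gethostbyname-style address lookup, trying the methods in switch order."""
    fqdn = name if name.endswith(".") else name + "."
    for method in methods:
        if method == "dns" and DNS.get(fqdn, {}).get("A"):
            return DNS[fqdn]["A"][0]
        if method == "files" and name in ETC_HOSTS:
            return ETC_HOSTS[name]
    return None

def mail_host(domain, switch):
    """Where mail for user@domain is handed off: (host, ip, reason) or None."""
    methods = switch.get("hosts", ["dns", "files"])
    fqdn = domain if domain.endswith(".") else domain + "."
    # MX records are consulted only when 'dns' is among the hosts methods;
    # otherwise the mailer falls back to a plain address lookup of the domain.
    if "dns" in methods:
        for pref, target in sorted(DNS.get(fqdn, {}).get("MX", [])):
            ip = lookup_a(target, methods)
            if ip:
                return target, ip, f"MX {pref}"
    ip = lookup_a(domain, methods)
    return (fqdn, ip, "A record, no usable MX") if ip else None

if __name__ == "__main__":
    # Second line: assumed content of the leftover file (not shown in the post).
    for text in ("hosts dns files\n", "hosts files\n"):
        switch = parse_service_switch(text)
        print(repr(text.strip()), "->",
              mail_host("swbell.net", switch) or "host unknown, queued")
```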
