FC28.
I'm running a DNS server (unbound) on a VOIP server. It's crucial that I can always resolve addresses, even if it's slower. Now DNS1 is set to 127.0.0.1, peerdns no. Giving:
    cat /etc/resolv.conf
    # Generated by dnssec-trigger-script
    nameserver 127.0.0.1
What I want is:
    nameserver 127.0.0.1
    nameserver <whatever dhcp gives>
Any help appreciated.
sean
On 12/8/18 8:23 AM, sean darcy wrote:
> I'm running a DNS server (unbound) on a VOIP server. It's crucial that I can always resolve addresses, even if it's slower. Now DNS1 is set to 127.0.0.1, peerdns no. Giving:

How does the local DNS do the resolving? Why is it slower?

> What I want is:
>
>     nameserver 127.0.0.1
>     nameserver <whatever dhcp gives>

This will not work the way you are expecting. Resolving will always go to the first one unless it doesn't respond. In that case it will go to the second one, but that will be slow because every request has to time out on the first one before that.
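A worked example, added here and not code posted by anyone on the list: a small POSIX shell script that keeps 127.0.0.1 first in resolv.conf but shortens the per-server timeout the glibc stub resolver uses, and that moves the DHCP-provided servers in front of the local one when a probe shows unbound is not answering. The DHCP addresses, the probe command and the three-nameserver limit are assumptions, noted in the comments.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone on the list).
# It builds a resolv.conf that keeps the local unbound first but caps how long
# each lookup waits on it before the glibc stub resolver tries the next
# nameserver, and it reorders the list when the local resolver is not answering
# so that a down unbound does not cost a timeout on every query.
#
# Assumptions: glibc stub resolver semantics (nameservers are tried in order,
# "options timeout:N" caps the per-server wait, glibc reads at most three
# nameserver lines). The fallback addresses below are constructed placeholders
# standing in for whatever DHCP hands out.

# Print the ordered nameserver list. $1 = local resolver, $2 = space-separated
# fallbacks, remaining args = a probe command that exits 0 when the local
# resolver answers. If the probe fails, the fallbacks move to the front.
order_nameservers() {
    primary=$1
    fallbacks=$2
    shift 2
    if "$@" >/dev/null 2>&1; then
        echo "$primary $fallbacks"
    else
        echo "$fallbacks $primary"
    fi
}

# Emit resolv.conf content for an ordered, space-separated server list ($1)
# with a per-server timeout in seconds ($2, default 2 instead of glibc's 5).
build_resolv_conf() {
    servers=$1
    timeout=${2:-2}
    count=0
    echo "# generated by build_resolv_conf (added example)"
    echo "options timeout:$timeout"
    # $servers is deliberately unquoted so the shell splits it into words.
    for ns in $servers; do
        # glibc only consults the first three nameserver lines.
        [ "$count" -ge 3 ] && break
        echo "nameserver $ns"
        count=$((count + 1))
    done
}

# Demonstration: DHCP-provided servers are constructed placeholders; the probe
# assumes dig is installed (if it is not, the probe fails and the fallbacks
# are simply listed first). Output goes to stdout, not to /etc/resolv.conf.
DHCP_SERVERS="192.0.2.53 192.0.2.54"
ORDER=$(order_nameservers 127.0.0.1 "$DHCP_SERVERS" \
        dig @127.0.0.1 +time=2 +tries=1 localhost A)
build_resolv_conf "$ORDER" 2
```

Run it from a hook that fires when the network comes up, or from a timer; it prints the file so you can see what it would write before redirecting it to /etc/resolv.conf. With a live second server, a dead first server costs one timeout per lookup, which is what `timeout:2` bounds; reordering on a failed probe removes even that cost while unbound is down.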
On 12/8/18 5:53 PM, Samuel Sieb wrote:
> On 12/8/18 8:23 AM, sean darcy wrote:
>> I'm running a DNS server (unbound) on a VOIP server. It's crucial that I can always resolve addresses, even if it's slower. Now DNS1 is set to 127.0.0.1, peerdns no. Giving:
>
> How does the local DNS do the resolving? Why is it slower?
>
>> What I want is:
>>
>>     nameserver 127.0.0.1
>>     nameserver <whatever dhcp gives>
>
> This will not work the way you are expecting. Resolving will always go to the first one unless it doesn't respond. In that case it will go to the second one, but that will be slow because every request has to time out on the first one before that.
My local server - unbound - works great. Never a problem, almost. Sometimes there's a problem on reboot, and unbound doesn't start. For that very rare event, I'd like a backup - even if it's very slow. The VOIP server - asterisk - will shut down if it can't resolve ip addresses within 4 or 5 minutes. And then I have a real problem.
I'd like to avoid a single point of failure, even if unlikely.
sean
On 09Dec2018 18:33, sean darcy seandarcy2@gmail.com wrote:
> My local server - unbound - works great. Never a problem, almost. Sometimes there's a problem on reboot, and unbound doesn't start.
Do you know why this is? I run unbound on my Mac, but I start it by hand post boot (just don't ask).
How is unbound started? If it's a script (like /etc/rc.local) you could fall back to bind, eg:
    unbound || bind
so that if unbound fails its setup (hopefully before it forks off) you can run ISC bind instead.
But it might be more profitable to identify what it is unhappy about when it doesn't start.
Cheers, Cameron Simpson cs@cskk.id.au
On 12/9/18 10:19 PM, Cameron Simpson wrote:
> On 09Dec2018 18:33, sean darcy seandarcy2@gmail.com wrote:
>> My local server - unbound - works great. Never a problem, almost. Sometimes there's a problem on reboot, and unbound doesn't start.
>
> Do you know why this is? I run unbound on my Mac, but I start it by hand post boot (just don't ask).
>
> How is unbound started? If it's a script (like /etc/rc.local) you could fall back to bind, eg:
>
>     unbound || bind
>
> so that if unbound fails its setup (hopefully before it forks off) you can run ISC bind instead.
>
> But it might be more profitable to identify what it is unhappy about when it doesn't start.
>
> Cheers, Cameron Simpson cs@cskk.id.au
I agree. And I've done that. I think I've solved the root cause. But...
I still have a single point of failure. A backup would be very handy.
sean
Allegedly, on or about 10 December 2018, sean darcy sent:
> I still have a single point of failure. A backup would be very handy.
Within a small network, it's usual to run two DNS servers on two different machines. On the WWW, it's usual to run more.
You really haven't provided enough information about your situation for people to advise you constructively.
Allegedly, on or about 8 December 2018, sean darcy sent:
> I'm running a DNS server (unbound) on a VOIP server. It's crucial that I can always resolve addresses, even if it's slower. Now DNS1 is set to 127.0.0.1, peerdns no. Giving:
What makes you think it'll be slower?
I run a local DNS server, and it resolves my LAN addresses as well as internet addresses. It does that by going out to the root servers, like a normal DNS server does, completely ignoring my ISP's DNS servers. It does a good job, better than using my ISP's.
Sure, your own DNS server won't have a pre-cached result for things that you request. But your ISP mayn't have them, too. They'll only cache things already requested by you or other customers. And only the addresses that external hosts allow to be cached (so many things are deliberately uncacheable, these days). The time delay of you getting them is minuscule (especially compared with the much longer time other things, like browsers and mail clients, actually take to make connections and interact with the WWW). Quite often an ISP's DNS servers are overloaded and slow (my ISPs have always been slower than my own DNS servers).
About the only downside I see to ignoring ISP DNS servers, is when you have to resolve the ISP's own addresses. It *can* be that they offer their clients different addresses for the same things that the outside world can connect to. e.g. If your ISP was example.com, then using their mailserver at mail.example.com *might* have a different IP within their network than outside of it. Though I've not experienced this.
You can put ISP DNS server addresses into your DNS server configuration, for it to forward unknown requests to. But if your ISP's DNS server addresses change, you have to update them.
I have experienced two really annoying problems with ISP's DNS servers:
Firstly, there's been failing ones that are overloaded, badly configured, compromised, whatever.
Secondly there's been interfering ones, that either censor the internet, or intercept attempts to connect to wrong addresses with unhelpful "perhaps you wanted this" correction, or even advertising pages (instead of giving the proper "address doesn't exist" error warning).
I'd run a local DNS server, ignore the ISPs, and have it resolve LAN and all WWW addresses for you.
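As an added example (not from the thread and not unbound's own code), a shell script that renders the unbound.conf fragment the setup Tim describes implies: recursive resolution from the roots with DNSSEC validation by default, and the ISP's servers as optional forwarders that unbound falls back past when they fail. The ISP addresses are constructed placeholders, and the trust-anchor path is the one the Fedora package uses, assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not unbound project code): renders an
# unbound.conf fragment that resolves recursively from the roots by default,
# with the ISP's servers as optional forwarders that unbound can fall back
# past if they misbehave, and validates it with unbound-checkconf when that
# tool is installed.
#
# Assumptions: unbound.conf syntax for "forward-zone:" with "forward-first:",
# and "server:" options as documented in unbound.conf(5). The ISP addresses
# are constructed placeholders; the trust-anchor path is assumed.

# Emit the forward-zone stanza. $1 = space-separated forwarder addresses;
# an empty list emits nothing, leaving unbound fully recursive.
render_forward_zone() {
    forwarders=$1
    [ -n "$forwarders" ] || return 0
    echo "forward-zone:"
    echo "    name: \".\""
    for addr in $forwarders; do
        echo "    forward-addr: $addr"
    done
    # forward-first: if the forwarders fail (SERVFAIL, timeout), unbound falls
    # back to its own recursion instead of giving up on the query.
    echo "    forward-first: yes"
}

# Emit the server section. $1 = "yes" or "no" for DNSSEC validation.
render_server_section() {
    validate=${1:-yes}
    echo "server:"
    echo "    interface: 127.0.0.1"
    echo "    access-control: 127.0.0.0/8 allow"
    if [ "$validate" = yes ]; then
        # Validation needs a trust anchor; this path is the Fedora package's
        # default, assumed here.
        echo "    auto-trust-anchor-file: \"/var/lib/unbound/root.key\""
    fi
    # Refresh popular records before they expire, so a slow upstream rarely
    # stalls a lookup that has been answered before.
    echo "    prefetch: yes"
}

# Demonstration: write the fragment to a temporary file, check it if
# unbound-checkconf is available, and show it. ISP addresses are placeholders.
ISP_SERVERS="198.51.100.1 198.51.100.2"
tmp=$(mktemp)
{
    render_server_section yes
    render_forward_zone "$ISP_SERVERS"
} > "$tmp"
if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$tmp" || echo "unbound-checkconf reported a problem"
fi
cat "$tmp"
rm -f "$tmp"
```

Pass an empty forwarder list to `render_forward_zone` to get the fully recursive setup Tim prefers; the forward-zone stanza only appears when there are ISP servers to hand to unbound, and `forward-first` keeps a failing or interfering ISP resolver from taking the local one down with it.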
On 12/9/18 12:23 AM, sean darcy wrote:
> FC28.
> I'm running a DNS server (unbound) on a VOIP server. It's crucial that I can always resolve addresses, even if it's slower. Now DNS1 is set to 127.0.0.1, peerdns no. Giving:
>
>     cat /etc/resolv.conf
>     # Generated by dnssec-trigger-script
>     nameserver 127.0.0.1
>
> What I want is:
>
>     nameserver 127.0.0.1
>     nameserver <whatever dhcp gives>
>
> Any help appreciated.
It seems, from the above, that you don't have a requirement for using a DNSSEC capable DNS server. I say that since you're willing to accept "whatever dhcp gives".
If that is true, then why not stop running dnssec-trigger and use the NetworkManager interface to manually assign multiple nameservers?
Allegedly, on or about 8 December 2018, sean darcy sent:
> What I want is:
>
>     nameserver 127.0.0.1
>     nameserver <whatever dhcp gives>
Is the DHCP server configurable by you? If so, then enter the list of DNS servers that you want clients to use into the DHCP server, and let it configure your clients.
On 12/11/18 3:10 PM, Tim via users wrote:
> Allegedly, on or about 8 December 2018, sean darcy sent:
>> What I want is:
>>
>>     nameserver 127.0.0.1
>>     nameserver <whatever dhcp gives>
>
> Is the DHCP server configurable by you? If so, then enter the list of DNS servers that you want clients to use into the DHCP server, and let it configure your clients.
I think you missed one important line in the original post.
    # Generated by dnssec-trigger-script

dnssec-triggerd overrides what is provided by the DHCP server.
I have no experience running dnssec-triggerd, but I would think it has some configuration allowing one to specify additional nameservers. And, it seems to me, dnssec is a concern to the OP so I wonder why run dnssec-trigger at all.