
I just inherited an intranet where a Mandriva Directory Server 5.0 acts as internal DNS and DHCP server, based on an LDAP server for configuration storage.

The idea is that all intranet hosts get a DNS entry name-ipaddress where the IP address is in a NATted private space 10.0.*.*

Some of those hosts are also declared on a real public DNS (internet :-) ) pointing to our router public IP address; it takes care of some port-forwarding and http-redirections to allow some intranet services to be available from outside the office without a VPN-like or SSH-tunnel access.

The MDS DNS server thus only covers private IP addresses and relies on public DNS servers for the rest.

Now I have a couple of strictly related questions about this setup; I am not used to Mandriva configuration files, and am a bit confused about the correct practice for this 'double' DNS setup:

  1. WHERE can I modify the 'public' nameservers for MDS?

    Is it in /etc/sysconfig/network-scripts/ifcfg-eth0 , DNS1 and DNS2 ? They have changed since.

  2. What's the best practice to have a host first check the MDS DNS, then use the public DNS? Should hosts only use the MDS DNS, and MDS goes to public DNSs to get the missing entries, or...?

edit

Advancing but still the main issue seems the same.

Please note that the server is currently working and most domain names are resolved, but some are not, and likely it was using an old, outdated public DNS.

Following @TiZon's advice I have edited /etc/resolvconf/resolv.conf.d/tail to add the public nameservers.

Now this is what happens. When the main nameserver fails, it does not fall back to the public ones:

dig rueducommerce.com @10.0.0.10

; <<>> DiG 9.5.0-P2 <<>> rueducommerce.com @10.0.0.10
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55845
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rueducommerce.com.             IN      A

;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Thu May 19 15:50:55 2011
;; MSG SIZE  rcvd: 35

Dig (or nslookup, same behaviour) without specifying a server will get the fail code and try the next server in /etc/resolv.conf and correctly return the result.

dig rueducommerce.com

;; Got SERVFAIL reply from 127.0.0.1, trying next server

; <<>> DiG 9.5.0-P2 <<>> rueducommerce.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38942
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rueducommerce.com.             IN      A

;; ANSWER SECTION:
rueducommerce.com.      440     IN      A       178.251.201.141
rueducommerce.com.      440     IN      A       178.251.200.141

;; Query time: 279 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu May 19 15:51:51 2011
;; MSG SIZE  rcvd: 67

but stackoverflow works

dig stackoverflow.com @10.0.0.10

; <<>> DiG 9.5.0-P2 <<>> stackoverflow.com @10.0.0.10
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40964
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;stackoverflow.com.             IN      A

;; ANSWER SECTION:
stackoverflow.com.      1800    IN      A       64.34.119.12

;; AUTHORITY SECTION:
stackoverflow.com.      38      IN      NS      ns3.serverfault.com.
stackoverflow.com.      38      IN      NS      ns2.serverfault.com.
stackoverflow.com.      38      IN      NS      ns1.serverfault.com.

;; Query time: 230 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Thu May 19 16:02:24 2011
;; MSG SIZE  rcvd: 117

What can I debug to understand why stackoverflow is working but rueducommerce is not?

I could add a public DNS as a secondary DNS in the DHCP (how?) and the clients are probably going to behave better (same as this command line), but is that the correct way to solve this problem? To me it sounds like clients could start to get contradictory results from the private and public server.

Is there a way for bind/named to go fetch those results or tell the client where to go fetch them?

Hope the question is clear enough, don't hesitate adding comments should I need to state it more clearly or add details.. thanks!


The DNS settings are stored in /etc/resolv.conf. The server (or other clients that use DHCP and get the same list) will use the first nameserver if available; it will only fall back if the first one doesn't respond (not if it doesn't know it). So you should try to configure the first (private) DNS to relay for the public DNS.

In /etc/resolv.conf the first line should be nameserver 127.0.0.1. Put your public one on the second line: nameserver 8.8.8.8.

If you have resolv.conf.d running (check if the folder /etc/resolvconf/resolv.conf.d exists), in that case, append the public nameserver to /etc/resolvconf/resolv.conf.d/tail

Now test it from another computer in the network:

nslookup serverfault.com 10.0.X.X

(where 10.0.X.X should be the IP the MDS server has)

Bart De Vos
  • thanks @TiZon unluckily MDS uses resolvconf and ldap so the `/etc/resolv.conf` is an auto-generated file... so I'm exactly trying to find out generated from what :-D . Also how to correctly do the relay configuration is exactly what I am trying to figure out :-). – Stefano May 19 '11 at 10:26
  • You probably have `resolv.conf.d` running, in that case, append the public nameserver to `/etc/resolvconf/resolv.conf.d/tail`. – Bart De Vos May 19 '11 at 10:30
  • I think I'm almost there - by the way, you should edit your comment into your answer as that may happen often. Now, I still have a problem on some hostnames. `dig serverfault.com @10.0.0.10` would correctly retrieve the IP address and the authoritative servers, but `dig lobusca.com @10.0.0.10` would return a `** server can't find lobusca.com: SERVFAIL`. Sounds like the old (broken) public dns are still somehow used? It happens with a few other domains too. Maybe I have not restarted/flushed all required services? – Stefano May 19 '11 at 11:06
  • You could try to restart the services. Another question: Is there anything special about the public DNS you are using? Does it work when you try google's DNS (8.8.8.8) ? – Bart De Vos May 19 '11 at 11:38
  • I am actually using that google dns already as one of the 2 public dns. edited my question for some more info... still not clear to me how exactly the 'private' dns server and the dns client behave when an entry is not found... – Stefano May 19 '11 at 14:00
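Added example, not code from the question or the answer: a small model of the stub-resolver walk through /etc/resolv.conf that explains the two dig runs above. A SERVFAIL from 10.0.0.10 makes the client move on to 8.8.8.8, but a NOERROR or NXDOMAIN from 10.0.0.10 is final, which is why a private server that merely answers "no such name" would never be retried at the public one. Server addresses and the canned replies are constructed from the dig output in the question; `canned_send` stands in for a real UDP send, and treating REFUSED and timeouts like SERVFAIL is an assumption about the client, not something the page states.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Minimal recursive (RD=1) A query for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_header(resp):
    """Return (rcode name, answer count) from a DNS response header."""
    _, flags, _, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)), an

def resolve_with_fallback(name, servers, send):
    """Walk `servers` in resolv.conf order like a stub resolver: move on only when a
    server gives no usable reply; NOERROR or NXDOMAIN from any server is final."""
    query, attempts = build_query(name), []
    for server in servers:
        resp = send(server, query)
        rcode, an = ("TIMEOUT", 0) if resp is None else parse_header(resp)
        attempts.append((server, rcode))
        if rcode in ("NOERROR", "NXDOMAIN"):
            return server, rcode, an, attempts
    return None, "UNRESOLVED", 0, attempts

def fake_answer(query, rcode, ips):
    """Construct a reply to `query` (constructed sample, not captured traffic)."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 440, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + query[12:] + rrs

# Constructed table mirroring the question's dig output (SERVFAIL from 10.0.0.10
# for rueducommerce.com, answered by 8.8.8.8) plus an NXDOMAIN case for contrast.
CANNED = {("10.0.0.10", "rueducommerce.com"): (2, []),
          ("8.8.8.8", "rueducommerce.com"): (0, ["178.251.201.141", "178.251.200.141"]),
          ("10.0.0.10", "stackoverflow.com"): (0, ["64.34.119.12"]),
          ("10.0.0.10", "nosuch.example"): (3, [])}

def canned_send(server, query):
    """Stand-in for a UDP send: look the query up in the constructed table."""
    for (srv, name), (rcode, ips) in CANNED.items():
        if srv == server and build_query(name) == query:
            return fake_answer(query, rcode, ips)
    return None  # no entry: behaves like a server that never answers
```

Running `resolve_with_fallback("rueducommerce.com", ["10.0.0.10", "8.8.8.8"], canned_send)` returns the 8.8.8.8 answer with the attempt list showing the SERVFAIL first, while the NXDOMAIN case stops at 10.0.0.10.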