[sf-lug] user on sf-lug.com (DNS, etc.)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Jun 14 23:51:43 PDT 2007

Well, first of all you might want to write the list with the more
general questions - e.g. if it's not quite specifically related to just
aspects of BALUG on the sf-lug.com. box, no real need to target the
question specifically to me or just those mostly focusing on the BALUG
side of things.

Anyway, on your questions and such, ... "answers"/replies in context,
with references/excerpts (and slightly redacted):

> Date: Sun, 10 Jun 2007 23:05:23 -0700 (PDT)
> From: Alex Kleider <a_kleider at yahoo.com>
> Reply-To: alex at kleider.net
> Subject: Re: [sf-lug] user on sf-lug.com
> To: Michael Paoli <Michael.Paoli at cal.berkeley.edu>

> I just sent you a note at mpaoli at sf-lug.com
> but forgot one more thing I was going to ask:
> can you run more than one DNS server on a single host or do you mean
> one on each of the two hosts: balug and sf-lug?

One can run multiple DNS servers simultaneously on a single host.
They must not conflict/collide on both same IP and port (and
interface) simultaneously, or have conflicts on how they're handling
their files/configurations/control and such, but other than those
and BALUG related DNS on  Both also use rndc on, but they use distinct ports for rndc.  They have their own
configuration files, start/stop scripts, etc.

BIND can also support multiple "views" - but that's something rather
different (in that case a DNS server gives different "views" (answers,
etc.) depending upon the IP from which the query came).

> Or do you mean one server but zone files for each lug?

"We" have chosen to implement much of this in this manner (relatively
independent services) so we can avoid stepping on each others toes (much
less coordination needed for services that are highly independent), and
this also allows us the freedom to run quite different services (e.g.
SF-LUG and BALUG may want to run completely different SMTP servers and


> Return-Path: <akleider at sf-lug.com>
> Date: Sun, 10 Jun 2007 22:59:12 -0700
> From: akleider at sf-lug.localdomain
Uhm, ... that's an "interesting" From: address ... won't work too well.
> To: mpaoli at sf-lug.com
> Subject: questions

> I ran sudo -l and after entering my password I got a list of commands that I
> "may run" but was in fact not able to do so: permission denied!

The commands should work fine.  The part that may be confusing in the
sudo -l output, is that the commands are separated by , (comma) -
however the commands actually end in ,v (comma and v), as they operate
directly on (reading) the RCS files.  E.g. if you see something like:
$ sudo -l
User akleider may run the following commands on this host:
    (root) /bin/cat /some_pathname/some_file,v, yet more commands ...
So, with something like that, you should be able to run:
sudo /bin/cat /some_pathname/some_file,v

> I checked out the IP Addresses:
> HSRP is something new to me-
> is the virtual router/gateway i.e no physical host here?
> while ...250 and ...251 are the routers running HSRP? Are they cisco routers
> or are they linux boxes?
You probably know almost as much about HSRP as I do.  I first bumped
into it some weeks/months ago regarding the sf-lug.com. box & BALUG &
IPs and planning IPs and such.  I dropped in some links on the
documentation that reference more information about HSRP.  From what I
recall from what I quickly skimmed of it, it's a Cisco proprietary
protocol for high availability router failover configuration.  At least
typically (e.g. "our" configuration with such), there's a high
availability IP used for routing, which is provided by exactly one of
the routers at any given time, and there are also two other IPs, used
for the routers to communicate with and monitor each other and
negotiate movement/failover of the routing IP between the two routers.

> Your network is fundamentally different in that all hosts have a public
internet IP address.
> What I've been studying is the situation where I have a private
You've got an RFC 1918 IP - 192.168/16 IPs aren't useable on the
Internet - e.g. they're not routable.  For such IPs to communicate with
the Internet, they have to go through some type of IP address
translation (often also accompanied by port remapping) to talk to the
Internet - e.g. NAT/SNAT, or in the case of LINUX, masquerading.

> local area network (<redacted>) interfacing through a (<redacted>) router.
If I'm not mistaken, that's a consumer grade device which also includes
NAT/SNAT and/or masquerading.

> My ISP gives me an IP address by dhcp so it might (but doesn't seem to) change.
Most typically it can and will change - though that might be a rather to
exceedingly rare occurrence, depending on usage and other factors.  The
IP address you obtain from the ISP is an Internet IP.  If you have more
than one IP device you want to simultaneously have Internet
connectivity with, while only having one Internet IP from your ISP,
that's where NAT/SNAT/masquerading comes in - they effectively let
multiple such devices "share" a single Internet IP address.

Running an Internet DNS server without a fixed IP address will be rather
difficult to infeasible, but by no means impossible.  Given the
relatively static IP requirements of typical BIND configurations for
serving DNS, I certainly wouldn't recommend DNS server on dynamic IP
address as an easy place to start.

> I'm trying to set up ddns with easydns.com.
> I've got dns server running on <redacted>@<redacted> and it seems to be
providing dns services for <redacted> (since <redacted> /etc/resolv.conf has
been completely commented out except for nameserver but when other
computers on the network have /etc/resolv.conf configured to read nameserver
192.168.<redacted> (<redacted>'s fixed IP) things don't work. I can ssh between
computers but I think they are using the hosts file rather than <redacted>s dns

For the DNS server to be useable, it must be reachable from the client.
If it's only running on 127/8 IP(s), it won't be accessible beyond the
server itself (unless you have a highly unusual configuration).  If it's
running on RFC 1918 ("Intranet") IP(s), those will generally only be
reachable from clients that know how to reach those IPs.  From the
Internet, they'll need to know Internet IP(s) to use, and some type of
NAT/SNAT/masquerading will have to handle the go-between between the
Internet IP(s) being used for the DNS server, and actual DNS server host
RFC 1918 IPs used by the DNS server.

> One more question: what distribution of linux is/are being used on balug and
on sf-lug.com?

You've got the access to pretty well answer that one yourself, at least
for the sf-lug.com. box.  I'll offer some hints:
It's also of note that for UNIX, the problem is rather similar,
e.g. uname -a is often not sufficient to identify the operating system
and its version/release.  Many UNIX flavors each have their own unique
commands to get that information.  At least with LINUX, there's the
LSB ... so there should be convergence towards a solution on that.

More information about the sf-lug mailing list