Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] timeout contacting storage daemon on system with multiple interfaces (SOLVED)

2008-06-06 10:04:53
Subject: Re: [Bacula-users] timeout contacting storage daemon on system with multiple interfaces (SOLVED)
From: Josh Fisher <jfisher AT pvct DOT com>
To: Ariano Bertacca <a.bertacca AT vva DOT de>
Date: Fri, 06 Jun 2008 10:04:43 -0400 
Ariano Bertacca wrote:
> Am 05.06.2008 um 16:32 schrieb Josh Fisher:
>
>   
>> Martin Simmons wrote:
>>     
>>>>>>>> On Wed, 04 Jun 2008 14:16:33 -0400, Josh Fisher said:
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>> Why would they be unroutable? If you have two subnets that are not
>> routable between each other, then it wouldn't make sense to have a DNS
>> server with a single view spanning both of those subnets. Either the  
>> DNS
>> server would have separate views for each of the subnets or each  
>> subnet
>> would use a different DNS server. Come to think of it, you are right.
>> The more I consider it, the more I am coming to believe that this is a
>> DNS configuration problem, not a Bacula problem. Name resolution  
>> should
>> not be returning an unroutable address.
>>     
>
> Imagine:
> Two networks: A = 192.168.1.0/24 and B = 10.1.0.0/24
> The Backup Server contains DIR and SD and has two interfaces:  
> 192.168.1.10/24 and 10.1.0.10/24.
> FD has one interface (10.1.0.11/24).
>
> The backup server has a fqdn which is "backup.internal.foo.local".  
> Both systems use the same dns and backup.internal.foo.local has one A  
> record (192.168.1.10).
>
> Now: the FD will get backup.internal.foo.local as SD and tries to  
> connect. The packet may even be routable, but the answer will always  
> come from the wrong ip, because the SD will answer from the nearest  
> interface, which would be 10.1.0.10. This could be fixed, but that's  
> not the point right now.
>
> When i add the second A record to the host backup.internal.foo.local i  
> will get both addresses and the FD might even check both, but imagine  
> other hosts inside the network 192.168.1.0/24 that might not be able  
> to reach 10.1.0.0/24. These will now fetch a second A record and might  
> fail to connect, since they don't know about 10.1.0.0/24.
>   

No. This is why bind 9+ has the View clause. It allows different views 
of the namespace it is serving depending upon whether the connecting 
client matches certain criteria. The match-clients directive in each 
view determines which view the client will see. The example below 
defines a DNS server with 2 views, one for clients connecting from 
192.168.1.0/24 and one for clients connecting from 10.1.0.0/24. When 
clients on the 192.168.1.0/24 network query the DNS server for the name 
backup.internal.foo.local they will receive the answer 192.168.1.10. But 
when clients on the 10.1.0.0/24 network query the DNS server for the 
same name they will receive the answer 10.1.0.10.

I have found this the best way to handle split networks in general. Much 
easier than fiddling with hosts files on clients or working only with IP 
addresses.


# example bind 9.x views for split network
options {
    ...
};
view lan1 {
    match-clients { 192.168.1.0/24; };
    zone "internal.foo.local" {
        type master;
        file "lan1.hosts";
    };
};
view lan2 {
    match-clients { 10.1.0.0/24; };
    zone "internal.foo.local" {
        type master;
        file "lan2.hosts";
    };
};
#eof

# lan 1 hosts
internal.foo.local   IN  SOA  ns1.internal.foo.local. 
hostmaster.internal.foo.local. {
    ...
backup           A     192.168.1.10
lan1-client       A     192.168.1.20
#eof

#lan 2 hosts
internal.foo.local  IN  SOA  ns1.internal.foo.local. 
hostmaster.internal.foo.local. {
    ...
backup           A     10.1.0.10
lan2-client       A     10.1.0.22
#eof


> It gets even worse when you transform 192.168.1.0/24 to a valid and  
> internet routable address and your servername is something like  
> backup.my-domain.com and people from all over the world get your valid  
> address, as well as your private ip, which - in this case - would  
> definitly be unroutable.
>
> I don't think that would be a good idea ;)
>
>
> Kind regards
>
> Ariano Bertacca
> Systemmanagement
>
>
> fon +49 211 7357-834 | fax +49 211 7357-859
>
>   

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] Winbacula installation on Windows 2000 server requires real console, RDP/mstsc doesn't work, Jason A. Kates
Next by Date:  Re: [Bacula-users] Different Friday tapes, Marek Simon
Previous by Thread:  Re: [Bacula-users] timeout contacting storage daemon on system with multiple interfaces (SOLVED), Blake Dunlap
Next by Thread:  Re: [Bacula-users] timeout contacting storage daemon on system with multiple interfaces (SOLVED), Ariano Bertacca
Indexes:  [Date] [Thread] [Top] [All Lists]