Subject: Re: IPMon dns problem.
To: None <tech-net@NetBSD.org, netbsd-users@NetBSD.org>
From: Rob Quinn <rquinn@sec.sprint.net>
List: netbsd-users
Date: 09/29/2003 17:01:38
>> Add your DNS servers to /etc/hosts, and make sure nsswitch.conf is
>> configured to use files before DNS
> [...] it just seemed kludgy - is hardcoding dns server names standard
> practice?
For ipf under Solaris, the default rc2.d/S65ipfboot adds 53/udp rules for each
host in /etc/resolv.conf, before loading ipf.conf. Part of the script:
block_default_workaround() {
        # Flush every rule, then build only what name resolution needs
        # before ipf.conf is loaded.
        ipf -F a
        echo "constructing minimal name resolution rules..."
        # Second field of every /etc/resolv.conf line mentioning "nameserver".
        NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null | \
            nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
        if [ -z "$NAMESERVERS" ] ; then
                return
        fi
        for NS in $NAMESERVERS ; do
                # Interface the kernel would route this nameserver through.
                IF_TO_NS=`/usr/sbin/route -n get $NS 2>/dev/null | \
                    nawk '$1 == "interface:" { print $NF ; exit }' \
                    2>/dev/null`
                if [ -z "$IF_TO_NS" ] ; then
                        continue
                fi
                # Our own address on that interface: line 2 of Solaris
                # ifconfig output is "inet <addr> netmask ...".
                IP_TO_NS=`ifconfig $IF_TO_NS 2>/dev/null | \
                    nawk 'NR == "2" { print $2 ; exit }' 2>/dev/null`
                if [ -z "$IP_TO_NS" ] ; then
                        continue
                fi
                # Stateful pass rule for UDP/53 from our address to this
                # nameserver only; the reply comes back through the state entry.
                echo "pass out quick on $IF_TO_NS proto udp from $IP_TO_NS to $NS port = 53 keep state" | \
                    ipf -f -
        done
}
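The same workaround written for a NetBSD host, as an added example rather than anything from Rob's message or the Solaris ipfboot script. The function names (nameservers, iface_for, addr_for, ns_rule, ns_rules, load_ns_rules, demo) and the sample resolv.conf are mine; it assumes, as the Solaris script does, that "route -n get" prints an "interface:" line, but it finds the local address by keying on ifconfig's "inet" keyword instead of assuming it sits on line 2 (on NetBSD that line is usually "address:" or "media:"). It also only honours lines whose first word is "nameserver", so a commented-out entry does not get a rule. The demo runs the rule generation over a constructed resolv.conf with the route and ifconfig lookups stubbed out, so it can be exercised on a box without ipf; only load_ns_rules touches ipf.

```shell
#!/bin/sh
# Build minimal UDP/53 pass rules for each nameserver before ipf.conf loads.
# Added example (not the Solaris S65ipfboot script); all names are mine.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# nameservers FILE: addresses from lines whose first word is "nameserver".
# A regex match like /nameserver/ would also pick up commented-out entries.
nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1" 2>/dev/null
}

# iface_for ADDR: interface the kernel would route ADDR through
# (assumes "route -n get" prints an "interface: name" line, as on NetBSD/Solaris).
iface_for() {
    /sbin/route -n get "$1" 2>/dev/null | awk '$1 == "interface:" { print $NF; exit }'
}

# addr_for IFACE: first IPv4 address on IFACE, taken from the "inet" line
# wherever it appears rather than assuming it is line 2 of the output.
addr_for() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# ns_rule IFACE SRC NS: one stateful rule, bound to our address, the
# interface and this nameserver only; the reply comes back via the state entry.
ns_rule() {
    printf 'pass out quick on %s proto udp from %s to %s port = 53 keep state\n' "$1" "$2" "$3"
}

# ns_rules FILE: one rule per nameserver that has a route and a usable
# source address. Anything else is skipped, never turned into a broken rule.
ns_rules() {
    nameservers "$1" | while read -r ns; do
        ifc=$(iface_for "$ns")
        [ -n "$ifc" ] || continue
        src=$(addr_for "$ifc")
        [ -n "$src" ] || continue
        ns_rule "$ifc" "$src" "$ns"
    done
}

# load_ns_rules: flush and load, mirroring what ipfboot does before ipf.conf.
load_ns_rules() {
    ipf -F a
    ns_rules "$RESOLV_CONF" | ipf -f -
}

# demo: run ns_rules over a constructed resolv.conf with stubbed lookups.
demo() {
    tmp=$(mktemp) || return 1
    # Constructed sample: comment, a commented-out nameserver, search line,
    # three real nameserver entries.
    printf '%s\n' '# constructed sample resolv.conf' \
        '# nameserver 10.9.9.9' 'search example.net' \
        'nameserver 192.0.2.53' 'nameserver 198.51.100.1' \
        'nameserver 203.0.113.9' > "$tmp"
    (
        # Stubs standing in for route/ifconfig (subshell, so they do not leak):
        # the second nameserver has no route, the third's interface has no address.
        iface_for() { case "$1" in 192.0.2.53) echo wm0 ;; 203.0.113.9) echo sk0 ;; esac; }
        addr_for()  { case "$1" in wm0) echo 192.0.2.10 ;; esac; }
        ns_rules "$tmp"
    )
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as "sh script.sh demo" to see the one rule the constructed sample yields (only 192.0.2.53 has both a route and a local address); the real load goes through load_ns_rules, which is the only function that calls ipf.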