I believe this is completely OT, but I want to be positive. I have a fully up to date CentOS 5.2 box. During the past week, when surfing with Firefox (and today, while testing with Konqueror), frequently, especially when DNS is slow, I am seeing references to opendns.com. At times, I end up on opendns.com web pages, instead of at the web site I'm trying to get to. My ISP, the phone company, claims this is not coming from their end and that they are not using opendns.com. I was told they have two (2) DNS servers. I haven't changed anything in my IPCop Firewall/Router box and my belief is that this is coming from my ISP or upstream from there. If using opendns.com is something new in CentOS 5.2, please let me know. TIA.
On Tue, Jul 08, 2008, Lanny Marcus wrote:
I believe this is completely OT, but I want to be positive. I have a fully up to date CentOS 5.2 box. During the past week, when surfing with Firefox (and today, while testing with Konqueror), frequently, especially when DNS is slow, I am seeing references to opendns.com. At times, I end up on opendns.com web pages, instead of at the web site I'm trying to get to. My ISP, the phone company, claims this is not coming from their end and that they are not using opendns.com. I was told they have two (2) DNS servers. I haven't changed anything in my IPCop Firewall/Router box and my belief is that this is coming from my ISP or upstream from there. If using opendns.com is something new in CentOS 5.2, please let me know. TIA.
I would suggest that you set up your own caching dns server, and don't depend on your ISP's.
We use dnscache from djbdns, avoiding BIND (Buggy Internet Name Daemon).
Bill
On 7/8/08, Bill Campbell centos@celestial.com wrote:
On Tue, Jul 08, 2008, Lanny Marcus wrote:
I believe this is completely OT, but I want to be positive. I have a fully up to date CentOS 5.2 box. During the past week, when surfing with Firefox (and today, while testing with Konqueror), frequently, especially when DNS is slow, I am seeing references to opendns.com. At times, I end up on opendns.com web pages, instead of at the web site I'm trying to get to. My ISP, the phone company, claims this is not coming from their end and that they are not using opendns.com. I was told they have two (2) DNS servers. I haven't changed anything in my IPCop Firewall/Router box and my belief is that this is coming from my ISP or upstream from there. If using opendns.com is something new in CentOS 5.2, please let me know. TIA.
I would suggest that you set up your own caching dns server, and don't depend on your ISP's.
We use dnscache from djbdns, avoiding BIND (Buggy Internet Name Daemon).
Interesting idea! I will read the IPCop documentation, to see if I can do that on my IPCop box. If not, I'm interested in SME Server, if that will do the job. What I don't like about SME Server is that their documentation isn't available for download. I like to have local documentation on my hard drive. My strong belief is that this is coming from my ISP, but they claim I'm the only one with this problem. I can't imagine that it would be coming from the OS and nothing has changed in my IPCop box. ISP's like to claim that problems are on the users end, rather than on their end. Once or twice, I've pointed out a problem to a previous ISP, been told there was no problem, and then later, they tell me that yes, they had a problem.... The phone company is the best ISP I have had, so far, and they seem to be "pro active" and usually they fix problems, without me calling them, which I truly appreciate and respect.
Lanny Marcus wrote:
Interesting idea! I will read the IPCop documentation, to see if I can do that on my IPCop box. If not, I'm interested in SME Server, if that will do the job. What I don't like about SME Server is that their documentation isn't available for download. I like to have local documentation on my hard drive. My strong belief is that this is coming from my ISP, but they claim I'm the only one with this problem. I can't imagine that it would be coming from the OS and nothing has changed in my IPCop box. ISP's like to claim that problems are on the users end, rather than on their end. Once or twice, I've pointed out a problem to a previous ISP, been told there was no problem, and then later, they tell me that yes, they had a problem.... The phone company is the best ISP I have had, so far, and they seem to be "pro active" and usually they fix problems, without me calling them, which I truly appreciate and respect.
As for the SME documentation, you can select to view as one page [the option is at the bottom of the page when you browse to the specific documentation].
eg. http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Book...
Then, you can print it to PDF if you want.
-Ross-
On Tue, Jul 8, 2008 at 8:00 PM, Ross Cavanagh ross-cavanagh@bm-sms.co.jp wrote:
Lanny Marcus wrote:
Interesting idea! I will read the IPCop documentation, to see if I can do that on my IPCop box. If not, I'm interested in SME Server, if that will do the job. What I don't like about SME Server is that their documentation isn't available for download. I like to have local documentation on my hard drive. My strong belief is that this is coming from my ISP,
<snip>
As for the SME documentation, you can select to view as one page [the option is at the bottom of the page when you browse to the specific documentation].
eg. http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Book...
Then, you can print it to PDF if you want.
Ross: I tried that, once before and it didn't work. I just tried it, again, after reading your post. Not only did Firefox 3.0 (which I got in an update today) crash, but I crashed out of GNOME, back to the login screen where you select which Desktop to use. I will send this reply and try it again. If I can get the SME Server documentation in one .pdf document on my hard drive, I'm quite interested in SME Server. Thanks. Lanny
On 7/8/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On Tue, Jul 8, 2008 at 8:00 PM, Ross Cavanagh ross-cavanagh@bm-sms.co.jp wrote:
<snip>
As for the SME documentation, you can select to view as one page [the option is at the bottom of the page when you browse to the specific documentation].
eg. http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Book...
Then, you can print it to PDF if you want.
Ross: I tried that, once before and it didn't work. I just tried it, again, after reading your post. Not only did Firefox 3.0 (which I got in an update today) crash, but I crashed out of GNOME, back to the login screen where you select which Desktop to use. I will send this reply and try it again. If I can get the SME Server documentation in one .pdf document on my hard drive, I'm quite interested in SME Server. Thanks. Lanny
This is unrelated to the opendns.com thread that I began. There is something wrong with GNOME and Firefox. At this time, I am using KDE and Konqueror. I can view the SME Server document Ross has the link for, without any problem, and without my browser and desktop crashing. I haven't found the place where you view the entire document as one page yet, but this is huge improvement, after having Firefox 3.0 and GNOME crash, while trying to view the document.
On Tue, Jul 8, 2008 at 7:56 PM, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/8/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On Tue, Jul 8, 2008 at 8:00 PM, Ross Cavanagh ross-cavanagh@bm-sms.co.jp wrote:
<snip>
>>>
>> As for the SME documentation, you can select to view as one page [the
>> option is at the bottom of the page when you browse to the specific
>> documentation].
>>
>> eg.
>> http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Booklet
>>
>> Then, you can print it to PDF if you want.
>
>
> Ross: I tried that, once before and it didn't work. I just tried it, again,
> after reading your post. Not only did Firefox 3.0 (which I got in an update
> today) crash, but I crashed out of GNOME, back to the login screen where you
> select which Desktop to use. I will send this reply and try it again. If I
> can get the SME Server documentation in one .pdf document on my hard drive,
> I'm quite interested in SME Server. Thanks. Lanny
This is unrelated to the opendns.com thread that I began. There is something wrong with GNOME and Firefox. At this time, I am using KDE and Konqueror. I can view the SME Server document Ross has the link for, without any problem, and without my browser and desktop crashing. I haven't found the place where you view the entire document as one page yet, but this is huge improvement, after having Firefox 3.0 and GNOME crash, while trying to view the document.
I can't replicate a crash. EG the infamous, it works for me. I think there is something up with your system/network.
On 7/8/08, Stephen John Smoogen smooge@gmail.com wrote:
On Tue, Jul 8, 2008 at 7:56 PM, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/8/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On Tue, Jul 8, 2008 at 8:00 PM, Ross Cavanagh ross-cavanagh@bm-sms.co.jp wrote:
<snip>
>>>
>> As for the SME documentation, you can select to view as one page [the
>> option is at the bottom of the page when you browse to the specific
>> documentation].
>>
>> eg.
>> http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Booklet
>>
>> Then, you can print it to PDF if you want.
Cool. Thanks! I got it OK, using Konqueror on KDE. The .pdf file is on my hard drive. <snip>
I can't replicate a crash. EG the infamous, it works for me. I think there is something up with your system/network.
Stephen: I will go back to GNOME and Firefox now and try it again. It was pretty ugly and I tried it twice. There were no error messages, like I sometimes get in GNOME, when closing Firefox and Evolution and I get an error message that Evolution Calendar (which I do not use) has crashed and then Bug Buddy cannot report, because it needs a newer version of GNOME. Lanny
On Tue, July 8, 2008 10:03 pm, Stephen John Smoogen wrote:
On Tue, Jul 8, 2008 at 7:56 PM, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/8/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On Tue, Jul 8, 2008 at 8:00 PM, Ross Cavanagh ross-cavanagh@bm-sms.co.jp wrote:
<snip>
>>>
>> As for the SME documentation, you can select to view as one page
>> [the option is at the bottom of the page when you browse to the
>> specific documentation].
>>
>> eg.
>> http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Booklet
>>
>> Then, you can print it to PDF if you want.
>
>
> Ross: I tried that, once before and it didn't work. I just tried it,
> again, after reading your post. Not only did Firefox 3.0 (which I got
> in an update today) crash, but I crashed out of GNOME, back to the
> login screen where you select which Desktop to use. I will send this
> reply and try it again. If I can get the SME Server documentation in
> one .pdf document on my hard drive, I'm quite interested in SME
> Server. Thanks. Lanny
This is unrelated to the opendns.com thread that I began. There is something wrong with GNOME and Firefox. At this time, I am using KDE and Konqueror. I can view the SME Server document Ross has the link for, without any problem, and without my browser and desktop crashing. I haven't found the place where you view the entire document as one page yet, but this is huge improvement, after having Firefox 3.0 and GNOME crash, while trying to view the document.
I can't replicate a crash. EG the infamous, it works for me. I think there is something up with your system/network.
I can replicate it every time I try with Firefox under CentOS 5, but it works fine with Konqueror. An EeePC and a laptop running Ubuntu don't have any problems accessing this page with Firefox.
On Tue, July 8, 2008 9:56 pm, Lanny Marcus wrote:
On 7/8/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On Tue, Jul 8, 2008 at 8:00 PM, Ross Cavanagh ross-cavanagh@bm-sms.co.jp wrote:
<snip>
>>>
>> As for the SME documentation, you can select to view as one page [the
>> option is at the bottom of the page when you browse to the
>> specific documentation].
>>
>> eg.
>> http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Booklet
>>
>> Then, you can print it to PDF if you want.
>
>
> Ross: I tried that, once before and it didn't work. I just tried it,
> again, after reading your post. Not only did Firefox 3.0 (which I got
> in an update today) crash, but I crashed out of GNOME, back to the
> login screen where you select which Desktop to use. I will send this
> reply and try it again. If I can get the SME Server documentation in
> one .pdf document on my hard drive, I'm quite interested in SME Server.
> Thanks. Lanny
This is unrelated to the opendns.com thread that I began. There is something wrong with GNOME and Firefox. At this time, I am using KDE and Konqueror. I can view the SME Server document Ross has the link for, without any problem, and without my browser and desktop crashing. I haven't found the place where you view the entire document as one page yet, but this is huge improvement, after having Firefox 3.0 and GNOME crash, while trying to view the document.
The same happens on my machine with Firefox under KDE. After the crash, in /var/log/messages I see the following:
Jul 8 21:45:50 xxxx gconfd (root-12641): Received signal 15, shutting down cleanly
Jul 8 21:45:50 xxxx gconfd (root-12641): Exiting
I have experienced this several months ago on a different CentOS 5 machine, but only when I tried to access documentation on the SME Server web site (contribs.org).
On 7/8/08, Marko A. Jennings markobiz@bluegargoyle.com wrote: <snip>
Konqueror. I can view the SME Server document Ross has the link for, without any problem, and without my browser and desktop crashing. I haven't found the place where you view the entire document as one page yet, but this is huge improvement, after having Firefox 3.0 and GNOME crash, while trying to view the document.
The same happens on my machine with Firefox under KDE. After the crash, in /var/log/messages I see the following:
Jul 8 21:45:50 xxxx gconfd (root-12641): Received signal 15, shutting down cleanly
Jul 8 21:45:50 xxxx gconfd (root-12641): Exiting
I have experienced this several months ago on a different CentOS 5 machine, but only when I tried to access documentation on the SME Server web site (contribs.org).
Marko: Thank you. I am now going to log out of KDE and go back to GNOME (which I use about 99% of the time) and try it again, with Firefox 3.0. If it crashes again, I will check /var/log/messages Lanny
Why not use the dig command to query your ISP DNS system to see if they forward requests to opendns? By the way, OpenDNS is a great way to help prevent phishing attacks.
Lastly, you should use this opp to create an opendns signon, this will give you control over your dns request options. You could block any domain via dns quickly.
On 7/8/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/8/08, Bill Campbell centos@celestial.com wrote:
On Tue, Jul 08, 2008, Lanny Marcus wrote:
I believe this is completely OT, but I want to be positive. I have a fully up to date CentOS 5.2 box. During the past week, when surfing with Firefox (and today, while testing with Konqueror), frequently, especially when DNS is slow, I am seeing references to opendns.com. At times, I end up on opendns.com web pages, instead of at the web site I'm trying to get to. My ISP, the phone company, claims this is not coming from their end and that they are not using opendns.com. I was told they have two (2) DNS servers. I haven't changed anything in my IPCop Firewall/Router box and my belief is that this is coming from my ISP or upstream from there. If using opendns.com is something new in CentOS 5.2, please let me know. TIA.
I would suggest that you set up your own caching dns server, and don't depend on your ISP's.
We use dnscache from djbdns, avoiding BIND (Buggy Internet Name Daemon).
Interesting idea! I will read the IPCop documentation, to see if I can do that on my IPCop box. If not, I'm interested in SME Server, if that will do the job. What I don't like about SME Server is that their documentation isn't available for download. I like to have local documentation on my hard drive. My strong belief is that this is coming from my ISP, but they claim I'm the only one with this problem. I can't imagine that it would be coming from the OS and nothing has changed in my IPCop box. ISP's like to claim that problems are on the users end, rather than on their end. Once or twice, I've pointed out a problem to a previous ISP, been told there was no problem, and then later, they tell me that yes, they had a problem.... The phone company is the best ISP I have had, so far, and they seem to be "pro active" and usually they fix problems, without me calling them, which I truly appreciate and respect.
On 7/10/08, Rob Townley rob.townley@gmail.com wrote:
Why not use the dig command to query your ISP DNS system to see if they forward requests to opendns? By the way, OpenDNS is a great way to help prevent phishing attacks.
Rob: What other parameters or arguments I should add onto the dig command, to see if they use opendns.com ? I don't see opendns.com in the below, but probably that is not the correct dig command.
[lanny@dell2400 ~]$ dig emcali.net

; <<>> DiG 9.3.4-P1 <<>> emcali.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41909
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;emcali.net. IN A

;; ANSWER SECTION:
emcali.net. 3600 IN A 66.45.254.245
emcali.net. 3600 IN A 66.45.254.244

;; AUTHORITY SECTION:
emcali.net. 172800 IN NS ns3.hostingchange.net.
emcali.net. 172800 IN NS ns2.hostingchange.net.
emcali.net. 172800 IN NS ns1.hostingchange.net.

;; Query time: 1100 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu Jul 10 15:46:18 2008
;; MSG SIZE rcvd: 128

[lanny@dell2400 ~]$
Lastly, you should use this opp to create an opendns signon, this will give you control over your dns request options. You could block any domain via dns quickly.
I will look at the opendns.com web site. I just cannot imagine that the Firefox browser is ending up at opendns.com (intermittently) on its own. It must be coming from the DNS we are using. Thanks much! Lanny
on 7-10-2008 1:55 PM Lanny Marcus spake the following:
On 7/10/08, Rob Townley rob.townley-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
Why not use the dig command to query your ISP DNS system to see if they forward requests to opendns? By the way, OpenDNS is a great way to help prevent phishing attacks.
Rob: What other parameters or arguments I should add onto the dig command, to see if they use opendns.com ? I don't see opendns.com in the below, but probably that is not the correct dig command.
[lanny@dell2400 ~]$ dig emcali.net

; <<>> DiG 9.3.4-P1 <<>> emcali.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41909
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;emcali.net. IN A

;; ANSWER SECTION:
emcali.net. 3600 IN A 66.45.254.245
emcali.net. 3600 IN A 66.45.254.244

;; AUTHORITY SECTION:
emcali.net. 172800 IN NS ns3.hostingchange.net.
emcali.net. 172800 IN NS ns2.hostingchange.net.
emcali.net. 172800 IN NS ns1.hostingchange.net.

;; Query time: 1100 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu Jul 10 15:46:18 2008
;; MSG SIZE rcvd: 128

[lanny@dell2400 ~]$
Lastly, you should use this opp to create an opendns signon, this will give you control over your dns request options. You could block any domain via dns quickly.
I will look at the opendns.com web site. I just cannot imagine that the Firefox browser is ending up at opendns.com (intermittently) on its own. It must be coming from the DNS we are using. Thanks much! Lanny
Try dig +trace emcali.net It should show all servers "your" query goes through.
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
Try dig +trace emcali.net It should show all servers "your" query goes through.
Scott: Please note that I added ".co" (for Colombia) emcali.net.co Is this showing which DNS Servers my DNS requests use, or, which DNS Servers serve their web site? Also note that when I tried "dig +trace" or "dig trace" I got very abbreviated answers. Probably I don't have the syntax correct. Question: Is there another command I can use, to another web site (irs.gov or something) that shows which DNS Servers I am using, to get to that web site? My wife is complaining, again, as I write this, so getting our own Caching DNS Server, ASAP, has become a priority. When Colombian women are mad... :-) TIA, Lanny
P.S. The first time I tried to send this email, I ended up at opendns.com instead of getting a response from Gmail.
[lanny@dell2400 ~]$ dig emcali.net.co

; <<>> DiG 9.3.4-P1 <<>> emcali.net.co
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24430
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;emcali.net.co. IN A

;; ANSWER SECTION:
emcali.net.co. 10800 IN A 200.29.96.38

;; AUTHORITY SECTION:
emcali.net.co. 10800 IN NS dns1.emcali.net.co.
emcali.net.co. 10800 IN NS dns2.emcali.net.co.
emcali.net.co. 10800 IN NS dns3.emcali.net.co.

;; ADDITIONAL SECTION:
dns1.emcali.net.co. 10800 IN A 200.29.96.22
dns2.emcali.net.co. 10800 IN A 200.29.96.27
dns3.emcali.net.co. 10800 IN A 200.29.104.22

;; Query time: 314 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu Jul 10 16:12:53 2008
;; MSG SIZE rcvd: 152

[lanny@dell2400 ~]$
[lanny@dell2400 ~]$ dig trace emcali.net.co
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30304
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;trace. IN A

;; Query time: 2 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu Jul 10 16:20:28 2008
;; MSG SIZE rcvd: 23

; <<>> DiG 9.3.4-P1 <<>> trace emcali.net.co
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24706
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;emcali.net.co. IN A

;; ANSWER SECTION:
emcali.net.co. 10346 IN A 200.29.96.38

;; Query time: 1 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu Jul 10 16:20:28 2008
;; MSG SIZE rcvd: 47

[lanny@dell2400 ~]$
[lanny@dell2400 ~]$ dig +trace emcali.net.co

; <<>> DiG 9.3.4-P1 <<>> +trace emcali.net.co
;; global options: printcmd
. 0 IN A 192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 3 ms

[lanny@dell2400 ~]$
on 7-10-2008 2:32 PM Lanny Marcus spake the following:
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
> Try dig +trace emcali.net
> It should show all servers "your" query goes through.
Scott: Please note that I added ".co" (for Colombia) emcali.net.co Is this showing which DNS Servers my DNS requests use, or, which DNS Servers serve their web site? Also note that when I tried "dig +trace" or "dig trace" I got very abbreviated answers. Probably I don't have the syntax correct. Question: Is there another command I can use, to another web site (irs.gov or something) that shows which DNS Servers I am using, to get to that web site? My wife is complaining, again, as I write this, so getting our own Caching DNS Server, ASAP, has become a priority. When Colombian women are mad... :-) TIA, Lanny
When you set up your connection to your provider, do you have a static address or dynamic? If static, you had to set your next step resolver in the config. If you are dynamic, you get what your provider sends with the dhcp request. Since you said you have an ipcop box for your router you should be able to ssh into it and run setup and change your nameserver setting to 127.0.0.1 and your ipcop should be a caching nameserver. If you have another address there it will query to that server.
I just tried it from one of my ipcop boxes and got a query all the way to the root servers;
dig +trace gmail.com

; <<>> DiG 9.3.4-P1 <<>> +trace gmail.com
;; global options: printcmd
. 353305 IN NS E.ROOT-SERVERS.NET.
. 353305 IN NS F.ROOT-SERVERS.NET.
. 353305 IN NS G.ROOT-SERVERS.NET.
. 353305 IN NS H.ROOT-SERVERS.NET.
. 353305 IN NS I.ROOT-SERVERS.NET.
. 353305 IN NS J.ROOT-SERVERS.NET.
. 353305 IN NS K.ROOT-SERVERS.NET.
. 353305 IN NS L.ROOT-SERVERS.NET.
. 353305 IN NS M.ROOT-SERVERS.NET.
. 353305 IN NS A.ROOT-SERVERS.NET.
. 353305 IN NS B.ROOT-SERVERS.NET.
. 353305 IN NS C.ROOT-SERVERS.NET.
. 353305 IN NS D.ROOT-SERVERS.NET.
;; Received 376 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
;; Received 499 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 23 ms

gmail.com. 172800 IN NS ns1.google.com.
gmail.com. 172800 IN NS ns2.google.com.
gmail.com. 172800 IN NS ns3.google.com.
gmail.com. 172800 IN NS ns4.google.com.
;; Received 170 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 22 ms

gmail.com. 60 IN A 209.85.171.83
gmail.com. 60 IN A 64.233.171.83
gmail.com. 60 IN A 64.233.161.83
gmail.com. 345600 IN NS ns1.google.com.
gmail.com. 345600 IN NS ns2.google.com.
gmail.com. 345600 IN NS ns3.google.com.
gmail.com. 345600 IN NS ns4.google.com.
;; Received 218 bytes from 216.239.32.10#53(ns1.google.com) in 44 ms
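Added example, not part of any poster's message: `dig +trace` first asks the locally configured resolver for the root zone's NS records, so the first hop of its output shows whether that resolver answers like an ordinary caching server. The shell function below classifies that first hop and also recognises dig's timeout message; the sample inputs are abridged from `dig +trace` outputs posted in this thread, and the function and sample names are made up for the example.

```shell
#!/bin/sh
# Added example: classify the first hop of `dig +trace` output read on stdin.
# Prints one of:
#   ok <server>      first hop returned only NS records for the root zone
#   bogus <server>   first hop answered the root query with something else
#   unreachable      dig reported that no server could be reached
#   unknown          no first hop found in the input
check_trace_first_hop() {
    awk '
        /no servers could be reached/ { print "unreachable"; done = 1; exit }
        # Root-zone records look like: ". <ttl> IN <type> <rdata>"
        $1 == "." && $3 == "IN" { if ($4 == "NS") ns++; else other++ }
        # The first ";; Received ... from <ip>#53(...)" line ends the first hop.
        /^;; Received / {
            server = "?"
            for (i = 1; i < NF; i++) if ($i == "from") server = $(i + 1)
            sub("#.*", "", server)      # keep the address, drop "#53(...)"
            if (ns > 0 && other == 0) print "ok", server
            else print "bogus", server
            done = 1
            exit
        }
        END { if (!done) print "unknown" }
    '
}

# Sample 1: first hop as posted from the desktop behind the IPCop box.
sample_thread_desktop() {
cat <<'EOF'
; <<>> DiG 9.3.4-P1 <<>> +trace emcali.net.co
;; global options: printcmd
. 0 IN A 192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 3 ms
EOF
}

# Sample 2: trace posted from a working caching resolver (abridged to a
# few records per hop; later hops are ignored by the check).
sample_caching_resolver() {
cat <<'EOF'
; <<>> DiG 9.3.4-P1 <<>> +trace gmail.com
;; global options: printcmd
. 353305 IN NS E.ROOT-SERVERS.NET.
. 353305 IN NS F.ROOT-SERVERS.NET.
. 353305 IN NS A.ROOT-SERVERS.NET.
;; Received 376 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com. 172800 IN NS G.GTLD-SERVERS.NET.
;; Received 499 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 23 ms
EOF
}

# Sample 3: the form dig prints when the trace gets no reply at all.
sample_timeout() {
cat <<'EOF'
; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
EOF
}

# Run the check over each embedded sample.
for s in sample_thread_desktop sample_caching_resolver sample_timeout; do
    printf '%s: %s\n' "$s" "$($s | check_trace_first_hop)"
done
```

On a live system the same function can be fed directly with `dig +trace example.com | check_trace_first_hop`.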
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
When you set up your connection to your provider, do you have a static address or dynamic?
We get a dynamic IP address when we connect to ADSL.
If static, you had to set your next step resolver in the config. If you are dynamic, you get what your provider sends with the dhcp request. Since you said you have an ipcop box for your router you should be able to ssh into it and run setup and change your nameserver setting to 127.0.0.1 and your ipcop should be a caching nameserver. If you have another address there it will query to that server.
I will try to SSH into the ipcop box. I've never tried to SSH into it. I've always looked at it via the web interface.
I just tried it from one of my ipcop boxes and got a query all the way to the root servers;
dig +trace gmail.com
I tried dig +trace from my Desktop and it didn't work. Probably because I'm behind the Firewall. If I can SSH into the ipcop box I will try dig +trace from there.
If I can get the above to work, I suspect I may also need to change something in the configuration for the ADSL modem for DNS. Sounds like a quick and easy way to do this!
I have my notes from when I installed IPCop on that box, last September. The ADSL modem IP is 192.168.1.1 and the Red NIC IP is 192.168.1.2 and the Green NIC IP is 192.168.10.1 and in the DHCP Server Configuration Menu the Primary DNS is 192.168.10.1
Thanks much!
On Thu, 2008-07-10 at 19:31 -0500, Lanny Marcus wrote:
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote:
<snip> ><snip>
I will try to SSH into the ipcop box. I've never tried to SSH into it. I've always looked at it via the web interface.
Be aware that port 222, not 22, is used for slightly increased resistance to attacks.
I just tried it from one of my ipcop boxes and got a query all the way to the root servers;
dig +trace gmail.com
I tried dig +trace from my Desktop and it didn't work. Probably because I'm behind the Firewall. If I can SSH into the ipcop box I will try dig +trace from there.
IPCop is based on 2.4 kernel, IIRC. I don't know if it has dig. Try using nslookup (see the man page for details - I don't remember them all).
<snip>
HTH
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
When you set up your connection to your provider, do you have a static address or dynamic?
Dynamic IP
If static, you had to set your next step resolver in the config. If you are dynamic, you get what your provider sends with the dhcp request. Since you said you have an ipcop box for your router you should be able to ssh into it and run setup and change your nameserver setting to 127.0.0.1 and your ipcop should be a caching nameserver. If you have another address there it will query to that server.
I never tried to SSH into the IPCop box before. I've always connected to it via the web interface. I tried to SSH into it, but apparently I have that Blocked, in the IPCop configuration settings.
[root@dell2400 ~]# ssh ipcop.homelan
ssh: connect to host ipcop.homelan port 22: Connection refused
[root@dell2400 ~]#
Obviously, I need to change that, so I can run Setup from a terminal window, run the dig + trace command as you did from one of your IPCop boxes, etc. I just turned on SSH access in IPCop. It says it uses Port 222 which is non standard for SSH....
I am looking at it from the web interface. Under DHCP, for the Green Interface, for Primary DNS, it shows 192.168.10.1 If I change that to 127.0.0.1 I'm done? Other than possibly needing to change a configuration setting in the ADSL Modem, regarding DNS? Thanks much!
On 7/10/08, Lanny Marcus lmmailinglists@gmail.com wrote: <snip>
your ipcop should be a caching nameserver. If you have another address there it will query to that server.
Obviously, I need to change that, so I can run Setup from a terminal window, run the dig + trace command as you did from one of your IPCop boxes, etc. I just turned on SSH access in IPCop. It says it uses Port 222 which is non standard for SSH....
Still not able to SSH into the IPCop box. Something wrong in the syntax I tried or SSH didn't get turned on in the IPCop box, via the web interface, as I thought? The sshd is running in my Desktop box.
[root@dell2400 ~]# ssh ipcop.homelan:222
ssh: ipcop.homelan:222: Name or service not known
[root@dell2400 ~]#
On 7/10/08, Ian Blackwell ian@ikel.id.au wrote:
Lanny Marcus wrote:
[root@dell2400 ~]# ssh ipcop.homelan:222
ssh: ipcop.homelan:222: Name or service not known
[root@dell2400 ~]#
Try:-
ssh -p 222 ipcop.homelan
Bingo! Ian, I was able to get into the IPCop box. :-) Thank you, for giving me the correct syntax! Lanny
On Thu, 2008-07-10 at 20:07 -0500, Lanny Marcus wrote:
On 7/10/08, Lanny Marcus lmmailinglists@gmail.com wrote:
<snip> >><snip>
Still not able to SSH into the IPCop box. Something wrong in the syntax I tried or SSH didn't get turned on in the IPCop box, via the web interface, as I thought? The sshd is running in my Desktop box.
Sshd is for incoming connections. You need to enable it on IPCop (using web interface is easiest). I also suggest using ssh keys instead of password *if* you want increased security. Paranoia level is the determining factor.
You should not need to fron the trace (dig or nslookup from the IPCop box.
[wild-bill@centos501 ~]$ dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
. 376531 IN NS E.ROOT-SERVERS.NET.
. 376531 IN NS D.ROOT-SERVERS.NET.
. 376531 IN NS M.ROOT-SERVERS.NET.
. 376531 IN NS B.ROOT-SERVERS.NET.
. 376531 IN NS F.ROOT-SERVERS.NET.
. 376531 IN NS K.ROOT-SERVERS.NET.
. 376531 IN NS A.ROOT-SERVERS.NET.
. 376531 IN NS L.ROOT-SERVERS.NET.
. 376531 IN NS I.ROOT-SERVERS.NET.
. 376531 IN NS H.ROOT-SERVERS.NET.
. 376531 IN NS C.ROOT-SERVERS.NET.
. 376531 IN NS J.ROOT-SERVERS.NET.
. 376531 IN NS G.ROOT-SERVERS.NET.
;; Received 504 bytes from 192.168.2.20#53(192.168.2.20) in 28 ms

com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
<snip>
[root@dell2400 ~]# ssh ipcop.homelan:222
ssh: ipcop.homelan:222: Name or service not known
[root@dell2400 ~]#
I've not used it for awhile, but I think you need to look at the man page. ISTR that user@host is somewhere in there. Unsure though.
<snip sig stuff>
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote: <snip>
Sshd is for incoming connections. You need to enable it on IPCop (using web interface is easiest). I also suggest using ssh keys instead of password *if* you want increased security. Paranoia level is the determining factor.
Paranoia level has me wanting to: (a) Be able to dig +trace and verify that opendns.com is not in the loop; Preferably from both my Desktop and from the ipcop box (b) Be using Authoritative DNS servers at all times, as dnscache does. (c) Avoid DNS Cache poisoning, if possible. :-)
http://en.wikipedia.org/wiki/DNS_cache_poisoning
You should not need to fron the trace (dig or nslookup from the IPCop box.
I cannot dig +trace from my Desktop, as me or as root and I also cannot dig +trace from the ipcop box as of this time.
[wild-bill@centos501 ~]$ dig +trace smtp-server.triad.rr.com
; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
<snip results of Bill's dig +trace from his Desktop>
Here's what happens when I try that from my Desktop:
[lanny@dell2400 ~]$ dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]$ su -
Password:
[root@dell2400 ~]# dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@dell2400 ~]#
<snip> Here's what happened, when I tried dig +trace from the ipcop box: After SSH into ipcop.homelan I can dig gmail.com but I cannot dig +trace gmail.com as Scott Silva did on his IPCop box.
root@ipcop:~ # dig +trace gmail.com

; <<>> DiG 9.4.0 <<>> +trace gmail.com
;; global options: printcmd
;; connection timed out; no servers could be reached
root@ipcop:~ # dig gmail.com

; <<>> DiG 9.4.0 <<>> gmail.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26895
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;gmail.com. IN A

;; ANSWER SECTION:
gmail.com. 55 IN A 209.85.171.83
gmail.com. 55 IN A 64.233.171.83
gmail.com. 55 IN A 64.233.161.83

;; AUTHORITY SECTION:
gmail.com. 311436 IN NS ns1.google.com.
gmail.com. 311436 IN NS ns3.google.com.
gmail.com. 311436 IN NS ns2.google.com.
gmail.com. 311436 IN NS ns4.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 345468 IN A 216.239.38.10
ns1.google.com. 345285 IN A 216.239.32.10
ns2.google.com. 345383 IN A 216.239.34.10
ns3.google.com. 341939 IN A 216.239.36.10

;; Query time: 166 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 11 06:18:17 2008
;; MSG SIZE rcvd: 218
I need to get out of here now. Later, I will try this on our backup IPCop box. I want to be able to ssh into the IPCop box, and make the change Scott Silva suggested for the DNS Server, rather than using the IPCop web interface / GUI, because I know that it is common for GUI's not to work as advertised. If I screw up the backup IPCop box, I can continue using the one we are now using and we will still be online until I get this working the way I want it to. :-)
I have the Firewall running in my Desktop, which possibly is a factor here.
I greatly appreciate the time and help of everyone in this mailing list!
On Fri, 2008-07-11 at 06:49 -0500, Lanny Marcus wrote:
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote:
<snip> ><snip>
I cannot dig +trace from my Desktop, as me or as root and I also cannot dig +trace from the ipcop box as of this time.
Must be either firewall on your desktop or IPCop has some blocked resources. Try to dig something from your desktop that is on your local lan. Your IPCop box(es) should make good targets *if* nothing blocks the needed responses.
If you can get dig +trace to any other box on the lan, with trace information shown, that means your desktop should be fine.
If not, inconclusive I guess.
I would use the web interface to the IPCop box and see what has been enabled/disabled. Unless the IPCop box has been really "buttoned down tight", this should work as it does here. Caveat: IIRC, you don't have the caching DNS running on the IPCop box? Maybe that has some effect? I can't figure how, since when you try from the IPCop box it works. That means the remote DNS server allows this action and IPCop should normally just do a "pass through" of these packets.
Hmm... opined the grizzled old veteran. I guess we should ask the version of IPCop here - they are not all created equally. Mine is the 1.4.18 (IIRC), latest and greatest. Which reminds me - project has not had an upgrade for a long time now. I wonder if it died?
[wild-bill@centos501 ~]$ dig +trace smtp-server.triad.rr.com
; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
<snip results of Bill's dig +trace from his Desktop>
Here's what happens when I try that from my Desktop:
[lanny@dell2400 ~]$ dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
Try specifying the DNS server on the end of the line (IIRC - maybe check the man page to see).
[lanny@dell2400 ~]$ su -
Password:
[root@dell2400 ~]# dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@dell2400 ~]#
<snip> Here's what happened, when I tried dig +trace from the ipcop box: After SSH into ipcop.homelan I can dig gmail.com but I cannot dig +trace gmail.com as Scott Silva did on his IPCop box.
Works OK here. So there's certainly something different there.
root@ipcop:~ # dig +trace gmail.com

; <<>> DiG 9.4.0 <<>> +trace gmail.com
;; global options: printcmd
;; connection timed out; no servers could be reached
root@ipcop:~ # dig gmail.com
<snip>
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote: <snip>
I cannot dig +trace from my Desktop, as me or as root and I also cannot dig +trace from the ipcop box as of this time.
Must be either firewall on your desktop or IPCop has some blocked resources. Try to dig something from your desktop that is on your local lan. Your IPCop box(es) should make good targets *if* nothing blocks the needed responses.
If you can get dig +trace to any other box on the lan, with trace information shown, that means your desktop should be fine.
My wife is using her Desktop box (compaq1300) on MS Windows at this time. I can dig but I cannot dig + trace to her box:
[lanny@dell2400 ~]$ dig compaq1300.homelan

; <<>> DiG 9.3.4-P1 <<>> compaq1300.homelan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45929
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;compaq1300.homelan. IN A

;; ANSWER SECTION:
compaq1300.homelan. 0 IN A 192.168.10.56

;; Query time: 19 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Jul 11 15:52:34 2008
;; MSG SIZE rcvd: 52

[lanny@dell2400 ~]$
[lanny@dell2400 ~]$ dig +trace compaq1300.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace compaq1300.homelan
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]
If not, inconclusive I guess.
I am going to Disable the Firewall in my Desktop box and see if I can dig +trace with it off.
I would use the web interface to the IPCop box and see what has been enabled/disabled. Unless the IPCop box has been really "buttoned down tight", this should work as it does here.
I believe it is pretty much "out of the box". Possibly the only setting I changed was not to respond to ping on the Red interface.
Caveat: IIRC, you don't have the caching DNS running on the IPCop box? Maybe that has some effect? I can't figure how, since when you try from the IPCop box it works.
No Bill. Very early this morning, when I was able to SSH into the IPCop box, I was *not* able to dig +trace from it, with the results Scott Silva showed to gmail.com Caching DNS in the IPCop box is not running at this time. I will try that on our Backup IPCop box, when my demanding users (wife and 7 year old daughter) are not online.
That means the remote DNS server allows this action and IPCop should normally just do a "pass through" of these packets.
Hmm... opined the grizzled old veteran. I guess we should ask the version of IPCop here - they are not all created equally. Mine is the 1.4.18 (IIRC), latest and greatest. Which reminds me - project has not had an upgrade for a long time now. I wonder if it died?
My IPCop installation shows that no Updates are available for it. "Available updates: All updates installed"
Linux ipcop.homelan 2.4.34 #1 Mon Jul 16 23:11:03 GMT 2007 i586 pentium-mmx i386 GNU/Linux
<snip>
Try specifying the DNS server on the end of the line (IIRC - maybe check the man page to see).
I will read up on dig and dig +trace
Works OK here. So there's certainly something different there.
I will try it without the Firewall enabled in the Desktop, but I am wondering if my ISP is blocking use of the dig +trace command. I doubt that, but they may be blocking something? However, the fact that I am unable to dig +trace to my wife's box indicates the problem probably is with the Firewall in my Desktop, or something else within our home LAN.
Thank you, very much, for your time and help! Lanny
On 7/11/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote:
<snip>
>> I cannot dig +trace from my Desktop, as me or as root and I also
>> cannot dig +trace from the ipcop box as of this time.
>
> Must be either firewall on your desktop or IPCop has some blocked
> resources. Try to dig something from your desktop that is on your local
> lan. Your IPCop box(es) should make good targets *if* nothing blocks the
> needed responses.
>
> If you can get dig +trace to any other box on the lan, with trace
> information shown, that means your desktop should be fine.
I disabled the Firewall in my Desktop. I can dig to my daughter's box, but I cannot dig +trace to it. Same results as with the Firewall in my Desktop enabled. I have SELinux running in Permissive Mode in my box and am not receiving Warnings, so I do not believe that is causing the problem. I will look at the web interface for the IPCop box, to see if I can find something I think might cause this problem.
[lanny@dell2400 ~]$ dig dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> dell1602.homelan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28804
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dell1602.homelan. IN A

;; ANSWER SECTION:
dell1602.homelan. 0 IN A 192.168.10.57

;; Query time: 2 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Jul 11 16:35:11 2008
;; MSG SIZE rcvd: 50

[lanny@dell2400 ~]$ dig +trace dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace dell1602.homelan
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]$ dig dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> dell1602.homelan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55631
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dell1602.homelan. IN A

;; ANSWER SECTION:
dell1602.homelan. 0 IN A 192.168.10.57

;; Query time: 2 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Jul 11 16:36:38 2008
;; MSG SIZE rcvd: 50

[lanny@dell2400 ~]$ dig +trace dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace dell1602.homelan
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]$
I then Disabled the Firewall on my daughter's box:
[lanny@dell2400 ~]$ dig +trace dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace dell1602.homelan
;; global options: printcmd
. 0 IN A 192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 2 ms

[lanny@dell2400 ~]$
That is the FIRST time I have been able to use the dig +trace successfully! :-)
The Firewall is off in my Desktop and also in my Daughter's Desktop.
[lanny@dell2400 ~]$ dig +trace gmail.com

; <<>> DiG 9.3.4-P1 <<>> +trace gmail.com
;; global options: printcmd
. 0 IN A 192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 2 ms

[lanny@dell2400 ~]$
The dig +trace to gmail.com does not look at all correct to me, but I only know about 1% of what I would like to know about Linux or Networking.
Probably that is caused by settings in the IPCop box?
On Fri, 2008-07-11 at 17:12 -0500, Lanny Marcus wrote:
On 7/11/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote:
<snip>
>> I cannot dig +trace from my Desktop, as me or as root and I also
>> cannot dig +trace from the ipcop box as of this time.
>
> Must be either firewall on your desktop or IPCop has some blocked
> resources. Try to dig something from your desktop that is on your local
> lan. Your IPCop box(es) should make good targets *if* nothing blocks the
> needed responses.
>
> If you can get dig +trace to any other box on the lan, with trace
> information shown, that means your desktop should be fine.
I disabled the Firewall in my Desktop. I can dig to my daughter's box, but I cannot dig +trace to it. Same results as with the Firewall in my Desktop enabled.
After reading your other post, I see why. With no DNS server (caching or otherwise), your routing is strictly via routing tables and /etc/hosts. So no trace is possible because no DNS server is involved. When you have some kind of DNS going on, your *first* attempt to do a look-up (presuming /etc/hosts on your machine does not contain the host - address resolution is then required to get the IP address) may give you something.
I have SELinux running in Permissive Mode in my box and am not receiving Warnings, so I do not believe that is causing the problem. I
Selinux would not be involved in this I think.
will look at the web interface for the IPCop box, to see if I can find something I think might cause this problem.
See above. W/o a DNS function, with hosts defined in /etc/hosts, +trace should not give anything. Dig needs some kind of DNS server to be found to get the results we are looking for. For doing a dig *outside* your local lan, it will/should go to the servers specified when the IPCop boots and gets dynamic IP from your ISP or gets fixed IP and you have coded the servers in /etc/resolv.conf. E.g. my workstation has this (populated when IPCop assigns the IP - do not modify by hand if your IPCop is dispatching dynamic IPs).
$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search HomeGroanNetworking
nameserver 192.168.2.20
Note that IPCop is the ...20 address and has the DNS caching active and also has the dhcpd daemon running to assign IPs to my local network.
<snip>
WAIT! You *do* have DNS cache running I think. Check the lines below that say "server::
<*cluebat for me/you/us*>
Knowing this, you can't test on the local lan using +trace because there are no other servers. One hop and back to you.
</*cluebat for me/you/us*>
[lanny@dell2400 ~]$ dig dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> dell1602.homelan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28804
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dell1602.homelan. IN A

;; ANSWER SECTION:
dell1602.homelan. 0 IN A 192.168.10.57

;; Query time: 2 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Jul 11 16:35:11 2008
;; MSG SIZE rcvd: 50

[lanny@dell2400 ~]$ dig +trace dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace dell1602.homelan
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]$ dig dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> dell1602.homelan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55631
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dell1602.homelan. IN A

;; ANSWER SECTION:
dell1602.homelan. 0 IN A 192.168.10.57

;; Query time: 2 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Jul 11 16:36:38 2008
;; MSG SIZE rcvd: 50

[lanny@dell2400 ~]$ dig +trace dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace dell1602.homelan
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]$
I then Disabled the Firewall on my daughter's box:
[lanny@dell2400 ~]$ dig +trace dell1602.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace dell1602.homelan
;; global options: printcmd
. 0 IN A 192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 2 ms

[lanny@dell2400 ~]$
That is the FIRST time I have been able to use the dig +trace successfully! :-)
The Firewall is off in my Desktop and also in my Daughter's Desktop.
[lanny@dell2400 ~]$ dig +trace gmail.com

; <<>> DiG 9.3.4-P1 <<>> +trace gmail.com
;; global options: printcmd
. 0 IN A 192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 2 ms

[lanny@dell2400 ~]$
The dig +trace to gmail.com does not look at all correct to me, but I only know about 1% of what I would like to know about Linux or Networking.
Try the smtp-server.triad.rr.com or pop-server.triad.rr.com and see if it looks at all like the sample I sent earlier.
Regardless, that's progress.
Probably that is caused by settings in the IPCop box?
I couldn't say at the moment. But keep this in mind. The exact results you get may not approach too closely samples you've been provided. Different targets will have different gateway involved. Those may have different levels of caches, there may be distributed servers, etc.
<snip sig stuff>
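Added example, not part of the original thread: a small Python parser for dig +trace output that tells apart the three results posted above (a referral starting from the root NS set, a single reply from the LAN resolver, and a timeout) and lists any record under a watched domain such as opendns.com. The sample captures are copied from the messages above (the working one is an excerpt); the function names and status labels are this example's own.

```python
import ipaddress
import re

# Captures quoted in the thread: Bill's working trace (excerpt, also cut short
# in the thread), Lanny's single reply from 192.168.10.1, and Lanny's timeout.
WORKING = """\
; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options:  printcmd
.   376531  IN  NS  E.ROOT-SERVERS.NET.
.   376531  IN  NS  D.ROOT-SERVERS.NET.
.   376531  IN  NS  M.ROOT-SERVERS.NET.
;; Received 504 bytes from 192.168.2.20#53(192.168.2.20) in 28 ms

com.    172800  IN  NS  F.GTLD-SERVERS.NET.
com.    172800  IN  NS  H.GTLD-SERVERS.NET.
"""
ONE_HOP = """\
; <<>> DiG 9.3.4-P1 <<>> +trace gmail.com
;; global options:  printcmd
.   0   IN  A   192.168.1.1
;; Received 33 bytes from 192.168.10.1#53(192.168.10.1) in 2 ms
"""
TIMEOUT = """\
; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from ([^#\s]+)#\d+")


def parse_trace(text):
    """Return (hops, timed_out); a hop is {'server': ip or None, 'records': [...]}."""
    hops, pending, timed_out = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if "connection timed out" in line:
            timed_out = True
        got = RECEIVED.match(line)
        if got:  # "Received" closes the hop and names the server that answered
            hops.append({"server": got.group(1), "records": pending})
            pending = []
        elif line and not line.startswith(";"):
            rec = RECORD.match(line)
            if rec:
                owner, ttl, rtype, rdata = rec.groups()
                pending.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    if pending:  # capture was cut before its "Received" line
        hops.append({"server": None, "records": pending})
    return hops, timed_out


def _is_private(value):
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def _under(name, domain):
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def assess(text, watch=("opendns.com",)):
    """Classify a trace and list records that involve a watched domain."""
    hops, timed_out = parse_trace(text)
    result = {"status": "empty", "servers": [], "private_answers": [], "watched": []}
    if not hops:
        if timed_out:
            result["status"] = "no-resolver-reply"
        return result
    result["servers"] = [h["server"] for h in hops if h["server"]]
    # dig +trace starts by asking the configured resolver for the root NS set.
    root_ns = [r for r in hops[0]["records"] if r[0] == "." and r[2] == "NS"]
    result["status"] = "root-referral-ok" if root_ns else "no-root-referral"
    for hop in hops:
        for owner, _ttl, rtype, rdata in hop["records"]:
            if rtype in ("A", "AAAA") and _is_private(rdata):
                result["private_answers"].append((owner, rdata, hop["server"]))
            if any(_under(owner, d) or _under(rdata, d) for d in watch):
                result["watched"].append((owner, rtype, rdata))
    return result


if __name__ == "__main__":
    for label, capture in (("working", WORKING), ("one-hop", ONE_HOP), ("timeout", TIMEOUT)):
        print(label, assess(capture))
```

A no-root-referral status means the resolver named in /etc/resolv.conf did not return the root NS set to dig's first query, so the trace never left the LAN and says nothing yet about which upstream servers are in the path.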
On Fri, 2008-07-11 at 16:15 -0500, Lanny Marcus wrote:
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote:
<snip> >><snip>
My wife is using her Desktop box (compaq1300) on MS Windows at this time. I can dig but I cannot dig + trace to her box:
That makes sense. I was thinking that you would have the backup (new) IPCop going with DNS caching going (and, naturally, local hosts defined, local domain defined, ...). Sorry for the confusion.
Unless some unit is a DNS server, or caching server on the local lan, that would be a wasted effort.
[lanny@dell2400 ~]$ dig compaq1300.homelan

; <<>> DiG 9.3.4-P1 <<>> compaq1300.homelan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45929
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;compaq1300.homelan. IN A

;; ANSWER SECTION:
compaq1300.homelan. 0 IN A 192.168.10.56

;; Query time: 19 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Jul 11 15:52:34 2008
;; MSG SIZE rcvd: 52

[lanny@dell2400 ~]$
[lanny@dell2400 ~]$ dig +trace compaq1300.homelan

; <<>> DiG 9.3.4-P1 <<>> +trace compaq1300.homelan
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]
If not, inconclusive I guess.
<snip>
I would use the web interface to the IPCop box and see what has been enabled/disabled. Unless the IPCop box has been really "buttoned down tight", this should work as it does here.
I believe it is pretty much "out of the box". Possibly the only setting I changed was not to respond to ping on the Red interface.
Caveat: IIRC, you don't have the caching DNS running on the IPCop box? Maybe that has some effect? I can't figure how, since when you try from the IPCop box it works.
No Bill. Very early this morning, when I was able to SSH into the IPCop box, I was *not* able to dig +trace from it, with the results Scott Silva showed to gmail.com Caching DNS in the IPCop box is not running at this time. I will try that on our Backup IPCop box, when my demanding users (wife and 7 year old daughter) are not online.
That means the remote DNS server allows this action and IPCop should normally just do a "pass through" of these packets.
Hmm... opined the grizzled old veteran. I guess we should ask the version of IPCop here - they are not all created equally. Mine is the 1.4.18 (IIRC), latest and greatest. Which reminds me - project has not had an upgrade for a long time now. I wonder if it died?
My IPCop installation shows that no Updates are available for it. "Available updates: All updates installed"
He-he! A misleading message if there ever was one! IPCop expects that you have downloaded an update image. Later you can install it. There is no yum-like facility going on there (from a paranoid security POV that would be a big NO-NO).
You have to check your version (should appear in the installed updates section), go to the website and see if there is something new. The 1.4.18 was latest last I looked.
Linux ipcop.homelan 2.4.34 #1 Mon Jul 16 23:11:03 GMT 2007 i586 pentium-mmx i386 GNU/Linux
That doesn't show the IPCop software version. From the web interface, IIRC you can find out the version on one of its screens.
<snip>
<snip>
Thank you, very much, for your time and help! Lanny
NP!
<snip sig stuff>
On Fri, 2008-07-11 at 18:16 -0400, William L. Maltby wrote:
<snip>
He-he! A misleading message if there ever was one! IPCop expects that you have downloaded an update image. Later you can install it. There is no yum-like facility going on there (from a paranoid security POV that would be a big NO-NO).
You have to check your version (should appear in the installed updates section), go to the website and see if there is something new. The 1.4.18 was latest last I looked.
Linux ipcop.homelan 2.4.34 #1 Mon Jul 16 23:11:03 GMT 2007 i586 pentium-mmx i386 GNU/Linux
That doesn't show the IPCop software version. From the web interface, IIRC you can find out the version on one of its screens.
I've attached a partial snapshot of what you should see in your browser when you got into IPCop. System->updates.
<snip>
On Fri, Jul 11, 2008 at 5:48 PM, William L. Maltby CentOS4Bill@triad.rr.com wrote:
<snip>
You have to check your version (should appear in the installed updates section), go to the website and see if there is something new. The 1.4.18 was latest last I looked.
Looks like I'm up to date and that the last update to IPCop was installed twice... Attaching screenshot of my IPCop box. Screenshot.png
In some other replies you sent to me, I understand that you thought I already had DNS Caching running on the IPCop box. It isn't set up that way, however, looking at System Status in the IPCop web interface, it shows "DNS proxy server" RUNNING
So, maybe I just need to change the configuration settings in the IPCop box and in the ADSL Modem and if it works as planned, I will have my Caching DNS Server up and running. I will try that, when the VIP users are not online and I can use the other IPCop box to play with. I do not want to "LBD" (Learn By Destroying) on the IPCop box that is working for us now. If I screw up the other one (probably that won't happen), I can work with it when I have the time and maybe put SME Server or the CentOS 4.4 Server CD on it.
The other thing is, someone who replied suggested that I get an account on opendns.com and use opendns.com and I may look into that, and use opendns.com for DNS, until I can work with the other IPCop box and try the caching DNS Server. I need to find his reply and reply to him.
Late yesterday afternoon, I had a long phone conversation with someone in Support at our ISP. I have been in touch with a Supervisor there for the past 10 days since this thing with opendns.com began and she had him call me. I got into the web interface for the ADSL modem and changed the configuration, so he could log into it, remotely. He found a problem, which their men working in our subdivision found, a few weeks ago, where our signal has a problem, they think 2 cables are touching. The cables for our 2 phone lines (long cables, about 100 (?) meters long, running along the street) are underground and they mentioned running them above ground. However, that has nothing to do with our slow DNS, no DNS, or getting to opendns.com problem. I saw where the Primary and Secondary DNS Servers are in the configuration for the ADSL modem and if I get an account on opendns.com maybe I will use their DNS Servers, temporarily. :-
Lanny Marcus wrote:
[240kB png]
DON'T EVER DO THAT AGAIN.
You just sent out ~1GB of data.
As of now (as that already happened last week), the maximum message size for this list is 50kB.
So people: Trim your mails >:)
Ralph
On 7/12/08, Ralph Angenendt ra+centos@br-online.de wrote:
Lanny Marcus wrote:
[240kB png]
DON'T EVER DO THAT AGAIN.
You just sent out ~1GB of data.
As of now (as that already happened last week), the maximum message size for this list is 50kB.
So people: Trim your mails >:)
To: Ralph and everyone on the list: I apologize, sincerely. Bill sent a .png attachment of the screen in his IPCop box and I sent mine back. Please forgive me. I will not send an attachment like that to the list again. Lanny
On Sat, 2008-07-12 at 17:23 -0500, Lanny Marcus wrote:
On 7/12/08, Ralph Angenendt ra+centos@br-online.de wrote:
Lanny Marcus wrote:
[240kB png]
DON'T EVER DO THAT AGAIN.
You just sent out ~1GB of data.
As of now (as that already happened last week), the maximum message size for this list is 50kB.
So people: Trim your mails >:)
To: Ralph and everyone on the list: I apologize, sincerely. Bill sent a .png attachment of the screen in his IPCop box and I sent mine back. Please forgive me. I will not send an attachment like that to the list again. Lanny
FYI: When you have a large thing to post publicly there are sites such as http://pastebin.com/ and others. Googling will get you some.
<snip>
On 7/13/08, William L. Maltby CentOS4Bill@triad.rr.com wrote:
again. Lanny
FYI: When you have a large thing to post publicly there are sites such as http://pastebin.com/ and others. Googling will get you some. Bill
Bill: You'd attached your file, Friday night. I attached mine, when I replied. That was a *bad* thing to do and if I need to post something public in the future, I will try to remember pastebin. Lanny
I've attached a partial snapshot of what you should see in your browser when you got into IPCop. System->updates. IPCopSnap.png
On Sun, 2008-07-13 at 11:57 -0500, Lanny Marcus wrote:
On 7/13/08, William L. Maltby CentOS4Bill@triad.rr.com wrote:
again. Lanny
FYI: When you have a large thing to post publicly there are sites such as http://pastebin.com/ and others. Googling will get you some. Bill
Bill: You'd attached your file, Friday night. I attached mine, when I replied. That was a *bad* thing to do and if I need to post something public in the future, I will try to remember pastebin. Lanny
It wasn't a bad thing to do. IMO the bad thing to do was for someone to "rebuke" you in such a "short" manner when you had made the list aware of your "noobiness". But that's really irrelevant and I'm not in the habit of telling others how to behave. Their mommies raised them, not me. Their personal problems are theirs and will not become mine.
Having said that, I sense an emotional current underlying your reply, so I'll offer the below. If I read incorrectly I apologize in advance for the below.
First, *I* had no problem with your post and was not aware that you would post back with a snapshot, regardless of size. So don't take umbrage at my suggestion. It was in good spirit and posted so that you wouldn't have to hear posts from Ralph et al in the future, but could still make large attachments available to the community as the need arises.
Second, my post of the attachment has nothing to do with the response from the list. Mine was much smaller (appx. 100K, which I checked first). Generally the list has not expressed problems in the past with smaller attachments and it never occurred to me that a problem would result or I would have warned you. Being a *long* time user of various net-centric resources, I already knew to check my size first and that is why I sent only a partial snapshot of the whole screen.
Typically users, like myself, forget that other newer users need to be advised of such things. *shrug* I will say that my style often varies from theirs when I feel the need to help a newer user "learn the ropes".
I have more I could say, but I'll just end it with this. Chalk it up to learning curve, let the emotional aspects of the *apparent* rebuke slide and "sailor on". No harm done unless you let it eat at you. Remember there are "brusque" personalities generally associated with lists such as this.
Keep the emotional responses reserved for those who matter - the VIPs - not the folks on lists such as this.
I've attached a partial snapshot of what you should see in your browser when you got into IPCop. System->updates. IPCopSnap.png
<snip sig stuff>
William L. Maltby wrote:
It wasn't a bad thing to do. IMO the bad thing to do was for someone to "rebuke" you in such a "short" manner when you had made the list aware of your "noobiness".
Had I seen your attachment first (which somehow got around me), you would have gotten "the notice". That has nothing to do with "noobiness" or not, just with common sense: One does not send large mails/files to thousands of users. At least not via public mailing lists.
And yes, I was astonished that the list even allowed mails that large.
Ralph
On Sun, 2008-07-13 at 21:41 +0200, Ralph Angenendt wrote:
William L. Maltby wrote:
It wasn't a bad thing to do. IMO the bad thing to do was for someone to "rebuke" you in such a "short" manner when you had made the list aware of your "noobiness".
Had I seen your attachment first (which somehow got around me), you would have gotten "the notice". That has nothing to do with "noobiness" or not, just with common sense: One does not send large mails/files to thousands of users. At least not via public mailing lists.
"Common sense" is almost always derived from the experience of those who have it. Some things a plumber would consider common sense would be beyond the ken of you and me, I imagine.
Same here in the virtual world. In fact, probably worse. A plumber has a relatively smaller knowledge base to digest. And a relatively smaller selection of sources for that knowledge.
So I take the approach that unless someone is an obvious repeat offender, or just doesn't care, I cut them some slack and approach them as I would like to be approached if I was new to the venue.
But that's just me. I don't expect others to adhere to my standards.
And yes, I was astonished that the list even allowed mails that large.
<*chuckle*> "That large"? I'd *almost* bet I'd seen regular posts in some of our longer threads (mostly careening OT severely) that were larger just because folks are too damn lazy to snip.
Q: since you have seen me on here for a long time and know that I am generally observant of the courtesies, would you have "shouted" at me in the same way?
Your answer should provide insight to future hapless victims of your wrath. :-)
Ralph
<snip sig stuff>
William L. Maltby wrote:
Q: since you have seen me on here for a long time and know that I am generally observant of the courtesies, would you have "shouted" at me in the same way?
Yes, sure.
Your answer should provide insight to future hapless victims of your wrath. :-)
Ah, wrath would have been removal from the list without notice >:)
Ralph
Robert - elists wrote:
As of now (as that already happened last week), the maximum message size for this list is 50kB.
So people: Trim your mails >:)
Ralph
Will the server notify us if we exceed that threshold ?
Yes. You'll get an error mail.
Ralph
on 7-10-2008 5:52 PM Lanny Marcus spake the following:
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
> When you set up your connection to your provider, do you have a static
> address
> or dynamic?
Dynamic IP
If static, you had to set your next step resolver in the config. If you are dynamic, you get what your provider sends with the dhcp request. Since you said you have an ipcop box for your router you should be able to ssh into it and run setup and change your nameserver setting to 127.0.0.1 and your ipcop should be a caching nameserver. If you have another address there it will query to that server.
I never tried to SSH into the IPCop box before. I've always connected to it via the web interface. I tried to SSH into it, but apparently I have that Blocked, in the IPCop configuration settings.
[root@dell2400 ~]# ssh ipcop.homelan
ssh: connect to host ipcop.homelan port 22: Connection refused
[root@dell2400 ~]#
Obviously, I need to change that, so I can run Setup from a terminal window, run the dig + trace command as you did from one of your IPCop boxes, etc. I just turned on SSH access in IPCop. It says it uses Port 222 which is non standard for SSH....
I am looking at it from the web interface. Under DHCP, for the Green Interface, for Primary DNS, it shows 192.168.10.1 If I change that to 127.0.0.1 I'm done? Other than possibly needing to change a configuration setting in the ADSL Modem, regarding DNS? Thanks much!
No !!! Don't change it there. That is the IP address sent to your dhcp clients for them to use for dns. If you set that to 127.0.0.1, no one will find anything. You need to run setup either from a terminal window on the ipcop box or by ssh. About halfway down is "Networking" which you select, and in that menu is "Dns and Gateway Settings".
You would set the primary dns to 127.0.0.1 and if you want set the secondary dns to what your primary dns was set at. You might have to play with the options to have dhcp assigned red and still be able to set your nameserver settings. The ipcop boxes I have are all on static ip's, on either T1's or business class DSL, so the settings are a little different.
Whatever you do, write down the original settings of anything you change so you can restore it if it horribly breaks.
On 7/11/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
I am looking at it from the web interface. Under DHCP, for the Green Interface, for Primary DNS, it shows 192.168.10.1 If I change that to 127.0.0.1 I'm done? Other than possibly needing to change a configuration setting in the ADSL Modem, regarding DNS? Thanks much!
No !!! Don't change it there. That is the IP address sent to your dhcp clients for them to use for dns. If you set that to 127.0.0.1, no one will find anything. You need to run setup either from a terminal window on the ipcop box or by ssh. About halfway down is "Networking" which you select, and in that menu is "Dns and Gateway Settings".
You would set the primary dns to 127.0.0.1 and if you want set the secondary dns to what your primary dns was set at. You might have to play with the options to have dhcp assigned red and still be able to set your nameserver settings. The ipcop boxes I have are all on static ip's, on either T1's or business class DSL, so the settings are a little different.
Scott: Thank you, for the above explanation! I was able to SSH into the IPCop box on Port 222, very early this morning (with the syntax correct, that was easy) and I saw the Setup menu.
Whatever you do, write down the original settings of anything you change so you can restore it if it horribly breaks.
Amen. I will write down the original settings, before I change them. In a tiny way, the IPCop box is a "Production" Server in our house. I have two (2) very demanding users: a wife and a 7 year old daughter and I don't want them mad.... :-) Something like not wanting your boss at work mad at you....
I am going to be working on this, when they are not using their Desktop boxes and I am going to do this on our Backup IPCop box, which actually has much better HW than the one we normally use for IPCop. If I can't get this to work on IPCop, that is the one I will install SME Server or the CentOS 4.4 Server CD on. It sounds like this is going to work on IPCop, which will be much easier and much faster for me to get up and running properly.
Question: Awhile ago, I got into the configuration settings for our ZTE ADSL Modem. For the change to me having my own Caching DNS Server, in the settings for the ADSL modem at this time, using the DNS servers at our ISP: Primary DNS Server 200.29.104.22 Secondary DNS Server 200.29.96.22
When I think I am ready to test the change I make to IPCop setting(s), should I set those to 0.0.0.0 so I can use my own DNS Server? Or, leave those spaces blank? Or, leave them as they are now? Thank you, very much, for your time and help, which are greatly appreciated! Lanny
on 7-11-2008 1:48 PM Lanny Marcus spake the following:
On 7/11/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
>> I am looking at it from the web interface. Under DHCP, for the Green Interface, for Primary DNS, it shows 192.168.10.1 If I change that to 127.0.0.1 I'm done? Other than possibly needing to change a configuration setting in the ADSL Modem, regarding DNS? Thanks much!
> No !!! Don't change it there. That is the IP address sent to your dhcp clients for them to use for dns. If you set that to 127.0.0.1, no one will find anything.
> You need to run setup either from a terminal window on the ipcop box or by ssh. About halfway down is "Networking" which you select, and in that menu is "Dns and Gateway Settings".
>
> You would set the primary dns to 127.0.0.1 and if you want set the secondary dns to what your primary dns was set at. You might have to play with the options to have dhcp assigned red and still be able to set your nameserver settings.
> The ipcop boxes I have are all on static ip's, on either T1's or business class DSL, so the settings are a little different.
Scott: Thank you, for the above explanation! I was able to SSH into the IPCop box on Port 222, very early this morning (with the syntax correct, that was easy) and I saw the Setup menu.
Whatever you do, write down the original settings of anything you change so you can restore it if it horribly breaks.
Amen. I will write down the original settings, before I change them. In a tiny way, the IPCop box is a "Production" Server in our house. I have two (2) very demanding users: a wife and a 7 year old daughter and I don't want them mad.... :-) Something like not wanting your boss at work mad at you....
I am going to be working on this, when they are not using their Desktop boxes and I am going to do this on our Backup IPCop box, which actually has much better HW than the one we normally use for IPCop. If I can't get this to work on IPCop, that is the one I will install SME Server or the CentOS 4.4 Server CD on. It sounds like this is going to work on IPCop, which will be much easier and much faster for me to get up and running properly.
Question: Awhile ago, I got into the configuration settings for our ZTE ADSL Modem. For the change to me having my own Caching DNS Server, in the settings for the ADSL modem at this time, using the DNS servers at our ISP: Primary DNS Server 200.29.104.22 Secondary DNS Server 200.29.96.22
When I think I am ready to test the change I make to IPCop setting(s), should I set those to 0.0.0.0 so I can use my own DNS Server? Or, leave those spaces blank? Or, leave them as they are now? Thank you, very much, for your time and help, which are greatly appreciated! Lanny
It looks as if your ADSL modem is in NAT mode, so it is acting like a very simple router already. What settings does it actually have?
I think you can leave those settings alone, as they only will be used if you point DNS settings at the modems ip address. If you set your IPcop box at 127.0.0.1 it should seek out to the root servers by itself.
As I posted earlier, you will have to poke around in the ipcop setup menu to get dhcp and custom DNS settings both working.
I just played with one of my test vmware ipcop images and set it to dhcp on our internal network (which should simulate your natted connection through your adsl modem) for the red interface and I was able to dig +trace google.com with proper answers. So it is possible to get it working unless your ISP blocks DNS queries to anywhere else but their own servers.
Scott Silva wrote:
You would set the primary dns to 127.0.0.1 and if you want set the secondary dns to what your primary dns was set at. You might have to play with the options to have dhcp assigned red and still be able to set your nameserver settings. The ipcop boxes I have are all on static ip's, on either T1's or business class DSL, so the settings are a little different.
For what it is worth, my IPCop box has the DNS values supplied by my ISP entered here instead of 127.0.0.1. My dig +trace tests are all running fine.
Scott: Thank you, for the above explanation! I was able to SSH into the IPCop box on Port 222, very early this morning (with the syntax correct, that was easy) and I saw the Setup menu.
Whatever you do, write down the original settings of anything you change so you can restore it if it horribly breaks.
You can also create a backup using the web-interface. The backup will be saved on your local machine and you can restore it from there if needed.
Amen. I will write down the original settings, before I change them. In a tiny way, the IPCop box is a "Production" Server in our house. I have two (2) very demanding users: a wife and a 7 year old daughter and I don't want them mad.... :-) Something like not wanting your boss at work mad at you....
I am going to be working on this, when they are not using their Desktop boxes and I am going to do this on our Backup IPCop box, which actually has much better HW than the one we normally use for IPCop. If I can't get this to work on IPCop, that is the one I will install SME Server or the CentOS 4.4 Server CD on. It sounds like this is going to work on IPCop, which will be much easier and much faster for me to get up and running properly.
Question: Awhile ago, I got into the configuration settings for our ZTE ADSL Modem. For the change to me having my own Caching DNS Server, in the settings for the ADSL modem at this time, using the DNS servers at our ISP: Primary DNS Server 200.29.104.22 Secondary DNS Server 200.29.96.22
These are the numbers I would enter into the IPCop setup screen for DNS and Gateway. My gateway value is the IP address of my ADSL modem.
Ian
On Sat, 2008-07-12 at 09:05 +0930, Ian Blackwell wrote:
Scott Silva wrote:
<snip>
Question: Awhile ago, I got into the configuration settings for our ZTE ADSL Modem. For the change to me having my own Caching DNS Server, in the settings for the ADSL modem at this time, using the DNS servers at our ISP: Primary DNS Server 200.29.104.22 Secondary DNS Server 200.29.96.22
These are the numbers I would enter into the IPCop setup screen for DNS and Gateway. My gateway value is the IP address of my ADSL modem.
Unless your IPCop box is assigned a dynamic IP address? In that case, IIUC the DHCP server from the ISP/modem setup will provide the primary and secondary servers. I know they can be overridden if you massage the files though. But then if the ISP reassigns the servers' IP addresses you'll have to massage again - after the angst of it not working and you having to figure out that's what happened.
Ian
<snip sig stuff>
On 7/11/08, William L. Maltby CentOS4Bill@triad.rr.com wrote: <snip>
Unless your IPCop box is assigned a dynamic IP address?
No. It has a Static IP address.
In that case, IIUC the DHCP server from the ISP/modem setup will provide the primary and secondary servers. I know they can be overridden if you massage the files though. But then if the ISP reassigns the servers' IP addresses you'll have to massage again - after the angst of it not working and you having to figure out that's what happened.
On 7/11/08, Ian Blackwell ian@ikel.id.au wrote:
Scott Silva wrote:
You would set the primary dns to 127.0.0.1 and if you want set the secondary dns to what your primary dns was set at. You might have to play with the options to have dhcp assigned red and still be able to set your nameserver settings. The ipcop boxes I have are all on static ip's, on either T1's or business class DSL, so the settings are a little different.
For what it is worth, my IPCop box has the DNS values supplied by my ISP entered here instead of 127.0.0.1. My dig +trace tests are all running fine.
You entered them there and you can dig +trace from there. That's interesting. I would like to discontinue using the DNS Servers at my ISP, because: (a) frequently slow (b) sometimes no DNS (c) the recent problem where I get to opendns.com
You can also create a backup using the web-interface. The backup will be saved on your local machine and you can restore it from there if needed.
Thank you for reminding me about that! The IPCop box I am using now, I backed up on 23 February. The Backup IPCop box, which I am going to use to test this, will need to be updated and then I will backup, before I try these changes.
<snip>
For the change to me having my own Caching DNS Server, in the settings for the ADSL modem at this time, using the DNS servers at our ISP: Primary DNS Server 200.29.104.22 Secondary DNS Server 200.29.96.22
These are the numbers I would enter into the IPCop setup screen for DNS and Gateway. My gateway value is the IP address of my ADSL modem.
Ian: Thank you for the information! Lanny
Lanny Marcus wrote:
You entered them there and you can dig +trace from there. That's interesting. I would like to discontinue using the DNS Servers at my ISP, because: (a) frequently slow (b) sometimes no DNS (c) the recent problem where I get to opendns.com
Generally your ISP's DNS should be quickest because they are closest. If you're not happy with them, google for "public DNS" and you'll find a plethora of publicly accessible DNS systems.
You can also create a backup using the web-interface. The backup will be saved on your local machine and you can restore it from there if needed.
Thank you for reminding me about that! The IPCop box I am using now, I backed up on 23 February. The Backup IPCop box, which I am going to use to test this, will need to be updated and then I will backup, before I try these changes.
Don't forget to save the backup to your local system in case your IPCop box gets totally hosed. You can then rebuild the IPCop system and restore the backup from your desktop.
<snip>
Ian: Thank you for the information! Lanny
You're welcome.
Ian
On 7/12/08, Ian Blackwell ian@ikel.id.au wrote:
Lanny Marcus wrote:
You entered them there and you can dig +trace from there. That's interesting. I would like to discontinue using the DNS Servers at my ISP, because: (a) frequently slow (b) sometimes no DNS (c) the recent problem where I get to opendns.com
Generally your ISP's DNS should be quickest because they are closest. If you're not happy with them, google for "public DNS" and you'll find a plethora of publicly accessible DNS systems.
We have been having problems with the DNS Servers at our ISP (the phone company) for some time. Frequently, slow DNS or no DNS. I didn't call them, until about 10 days ago, after I tried to get to a secure server at irs.gov and I got a warning from Firefox, that the SSL certificate belonged to opendns.com
I am going to look at opendns.com first for "public DNS".
You can also create a backup using the web-interface. The backup will be saved on your local machine and you can restore it from there if needed.
I will update the Backup IPCop box, and then backup, before I start playing with the settings.
Don't forget to save the backup to your local system in case your IPCop box gets totally hosed. You can then rebuild the IPCop system and restore the backup from your desktop.
I will backup to floppy (it's an old box with a floppy drive) and also to my Desktop.
<snip>
Hopefully, this will be a very quick and simple change and be up and running.
Good morning to you! It is 647 Saturday night here in Colombia.
On 7/11/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
Question: Awhile ago, I got into the configuration settings for our ZTE ADSL Modem. For the change to me having my own Caching DNS Server, in the settings for the ADSL modem at this time, using the DNS servers at our ISP: Primary DNS Server 200.29.104.22 Secondary DNS Server 200.29.96.22
When I think I am ready to test the change I make to IPCop setting(s), should I set those to 0.0.0.0 so I can use my own DNS Server? Or, leave those spaces blank? Or, leave them as they are now? Thank you, very much, for your time and help, which are greatly appreciated!
It looks as if your ADSL modem is in NAT mode, so it is acting like a very simple router already. What settings does it actually have?
Scott: Which settings in the ADSL Modem are you interested in? There are quite a few settings available in the web interface. If you tell me which settings are of interest, I'll get them for you.
ADSL Port Enable
Downstream Line Rate 2047
Upstream Line Rate 507
LAN IP Address 192.168.1.1
Default Gateway 190.1.216.1
Primary DNS Server 200.29.104.22
Secondary DNS Server 200.29.96.22
ADSL line status
Current adsl line status is as the below.
Line Mode ADSL2+
Line State Show Time
Line Up Time Duration 00:05:28:31
System Up Time 00:05:28:39
Line Downstream Rate 2047
Line Upstream Rate 507
Latency Type Fast
Line Coding Trellis On
Noise Margin 31.6
Line Attenuation 19.5
Output power 22.0
Attainable Line Rate 17628
Line Up Count 1
Status No Defect
If you note any problems in the quality of the line, the phone company people were working in our subdivision a few weeks ago and they detected a problem, with a long cable we have, underground, about 100 (?) meters in the street to their box. Apparently, 2 cables are touching. They mentioned running a new cable in the air, instead of underground. I was surprised that they found this problem, because at the same time, on speedtest.net I got a Download speed of 1780 from a server in Orlando and our contract with our ISP is for 550, so I was happy with the speed they were providing to us.
I think you can leave those settings alone, as they only will be used if you point DNS settings at the modems ip address. If you set your IPcop box at 127.0.0.1 it should seek out to the root servers by itself.
Cool. It sounds like all I need to do is change the one setting in the IPCop box and if all goes well, my Caching DNS Server is up and running. I will try it, ASAP, on our backup IPCop box. If I get up *early* Sunday morning, I will try it then.
As I posted earlier, you will have to poke around in the ipcop setup menu to get dhcp and custom DNS settings both working.
That's why I want to do it on the backup IPCop box. If it stops working, my VIP users can continue using the IPCop box that works and I don't have irate users. :-) The IPCop box is our "Production" server. :-)
I just played with one of my test vmware ipcop images and set it to dhcp on our internal network (which should simulate your natted connection through your adsl modem) for the red interface and I was able to dig +trace google.com with proper answers. So it is possible to get it working unless your ISP blocks DNS queries to anywhere else but their own servers.
Hoping they are not blocking those DNS queries or any other traffic.
I just SSH'd into the IPCop box:
root@ipcop:~ # dig gmail.com
; <<>> DiG 9.4.0 <<>> gmail.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29247
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 11
;; QUESTION SECTION:
;gmail.com. IN A
;; ANSWER SECTION:
gmail.com. 27 IN A 64.233.161.83
gmail.com. 27 IN A 209.85.171.83
gmail.com. 27 IN A 64.233.171.83
;; AUTHORITY SECTION:
com. 152960 IN NS a.gtld-servers.net.
com. 152960 IN NS f.gtld-servers.net.
com. 152960 IN NS m.gtld-servers.net.
com. 152960 IN NS b.gtld-servers.net.
com. 152960 IN NS j.gtld-servers.net.
com. 152960 IN NS g.gtld-servers.net.
com. 152960 IN NS l.gtld-servers.net.
com. 152960 IN NS i.gtld-servers.net.
com. 152960 IN NS c.gtld-servers.net.
com. 152960 IN NS e.gtld-servers.net.
com. 152960 IN NS k.gtld-servers.net.
com. 152960 IN NS h.gtld-servers.net.
com. 152960 IN NS d.gtld-servers.net.
;; ADDITIONAL SECTION:
j.gtld-servers.net. 172736 IN A 192.48.79.30
b.gtld-servers.net. 172737 IN A 192.33.14.30
b.gtld-servers.net. 172737 IN AAAA 2001:503:231d::2:30
i.gtld-servers.net. 172737 IN A 192.43.172.30
l.gtld-servers.net. 172736 IN A 192.41.162.30
d.gtld-servers.net. 172736 IN A 192.31.80.30
c.gtld-servers.net. 172791 IN A 192.26.92.30
g.gtld-servers.net. 172736 IN A 192.42.93.30
h.gtld-servers.net. 172737 IN A 192.54.112.30
k.gtld-servers.net. 172736 IN A 192.52.178.30
a.gtld-servers.net. 172736 IN A 192.5.6.30
;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 12 17:52:10 2008
;; MSG SIZE rcvd: 487
root@ipcop:~ #
root@ipcop:~ # dig +trace gmail.com
; <<>> DiG 9.4.0 <<>> +trace gmail.com
;; global options: printcmd
;; connection timed out; no servers could be reached
root@ipcop:~ #
Possibly after I have the DNS Caching working, dig +trace will work.
Thanks much! Lanny
On 7/11/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
I just played with one of my test vmware ipcop images and set it to dhcp on our internal network (which should simulate your natted connection through your adsl modem) for the red interface and I was able to dig +trace google.com with proper answers. So it is possible to get it working unless your ISP blocks DNS queries to anywhere else but their own servers.
Scott: There are probably one or two configuration settings that I do not have correct at this time. That is why I am testing this on our Backup IPCop box.
You got this to work, so it will work for me, if & when I get the configuration settings correct. Question: Do I need to put something in the hosts file? At the moment, I cannot use that IPCop box to surf, because there is no name resolution. TIA! Lanny
on 7-13-2008 10:06 AM Lanny Marcus spake the following:
On 7/11/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
> I just played with one of my test vmware ipcop images and set it to dhcp on our internal network (which should simulate your natted connection through your adsl modem) for the red interface and I was able to dig +trace google.com with proper answers. So it is possible to get it working unless your ISP blocks DNS queries to anywhere else but their own servers.
Scott: There are probably one or two configuration settings that I do not have correct at this time. That is why I am testing this on our Backup IPCop box.
You got this to work, so it will work for me, if & when I get the configuration settings correct. Question: Do I need to put something in the hosts file? At the moment, I cannot use that IPCop box to surf, because there is no name resolution. TIA! Lanny
The hosts file "should" only require the basics like the FQDN of the ipcop box mapped to its green address and 127.0.0.1 mapped to localhost.localdomain.
I'll poke at a virtual ipcop box again this afternoon. My boss is out of town for the week, so my load has doubled.
on 7-13-2008 10:06 AM Lanny Marcus spake the following:
On 7/11/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
> I just played with one of my test vmware ipcop images and set it to dhcp on our internal network (which should simulate your natted connection through your adsl modem) for the red interface and I was able to dig +trace google.com with proper answers. So it is possible to get it working unless your ISP blocks DNS queries to anywhere else but their own servers.
Scott: There are probably one or two configuration settings that I do not have correct at this time. That is why I am testing this on our Backup IPCop box.
You got this to work, so it will work for me, if & when I get the configuration settings correct. Question: Do I need to put something in the hosts file? At the moment, I cannot use that IPCop box to surf, because there is no name resolution. TIA! Lanny
Just played with the vmware box again. It won't resolve to itself, so forget putting the localhost address in the dns servers box. The other box I played with had a secondary address as a fallback and that is why it was working.
I think for the dig +trace to work for you you need a box that will do full recursion as your upstream DNS server. I had mine pointed to our caching resolver and I saw the queries log there.
I would forget about setting nameservers in your adsl modem as I doubt it has a very large cache so it will expire entries quickly. If you point your ipcop's dns entries to opendns or another free resolver you should be good to go.
On Mon, Jul 14, 2008 at 12:19 PM, Scott Silva ssilva@sgvwater.com wrote:
I just played with one of my test vmware ipcop images and set it to dhcp on our internal network (which should simulate your natted connection through your adsl modem) for the red interface and I was able to dig +trace google.com with proper answers. So it is possible to get it working unless your ISP blocks DNS queries to anywhere else but their own servers.
<snip>
Just played with the vmware box again. It won't resolve to itself, so forget putting the localhost address in the dns servers box. The other box I played with had a secondary address as a fallback and that is why it was working.
I think for the dig +trace to work for you you need a box that will do full recursion as your upstream DNS server. I had mine pointed to our caching resolver and I saw the queries log there.
I would forget about setting nameservers in your adsl modem as I doubt it has a very large cache so it will expire entries quickly. If you point your ipcop's dns entries to opendns or another free resolver you should be good to go.
I have it working, with one glitch (cannot get to the IPCop web interface from my Desktop) in the Backup IPCop box. Yesterday, I installed a different HD, ran Diagnostics on that, ran Memtest 86 and then did a clean install of IPCop 1.4.16 from the CD I made last year. Last night, with some difficulty, I was able to connect to the IPCop box with the web browser, change the settings for SSH in it, but I could not browse. There was no resolution. This morning, I noticed when it booted there was a message, "Bad Default Gateway". Previously, "Default Gateway" was blank. In the IPCop box, where it has "DNS & Gateway" settings, I have the 2 IP addresses to access the opendns.com DNS service (they have DNS servers in 4 U.S. cities and in London as I recall) and after I changed "Default Gateway" to 192.168.1.1 (the ADSL modem) I was online. :-)
Not sure why I am not able to get to it via the web browser on my Desktop. Also, last night, when I was able to access the IPCop box with the web browser, I noticed that it is on IPCop v.1.4.16, but it said that there are no updates available. I know there are two (2) updates available, to bring it up to 1.4.18.
So, with your help and the help of others, all greatly appreciated, I have a Caching DNS Server working on my IPCop box and I have also discontinued using the problematic DNS Servers at my ISP. :-) Thanks much, to everyone who provided ideas and guidance!
It's running Headless now and I think the HW in that box is OK, with the probable exception of the Floppy Drive. Once I can get to it via the web browser, I can backup to my Desktop. dig +trace does not work the same for me as it does for you, per your explanation.
root@ipcop500:~ # dig +trace gmail.com
; <<>> DiG 9.4.0 <<>> +trace gmail.com
;; global options: printcmd
;; Received 17 bytes from 127.0.0.1#53(127.0.0.1) in 118 ms
root@ipcop500:~ #
root@ipcop500:~ # dig gmail.com
; <<>> DiG 9.4.0 <<>> gmail.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27531
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;gmail.com. IN A
;; ANSWER SECTION:
gmail.com. 30 IN A 209.85.171.83
gmail.com. 30 IN A 64.233.171.83
gmail.com. 30 IN A 64.233.161.83
;; Query time: 170 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 15 07:34:22 2008
;; MSG SIZE rcvd: 75
root@ipcop500:~ #
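Added example, not part of the original message and not code from IPCop or dig: dig +trace begins by asking the configured resolver for the root NS set, and a 17-byte reply is exactly a DNS header plus the echoed question for "." with no records, so the trace has no root servers to start from. The sketch below builds and parses such replies; the query id, flags, NS TTL and the a.root-servers.net. target are constructed sample values, while the gmail.com addresses, TTL and sizes 17 and 75 are the ones shown in the output above.

```python
import socket
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Domain name -> DNS wire format (length-prefixed labels, 0x00 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(qname, qtype, rdatas, ttl=30, flags=0x8180, qid=0x1234):
    """Build a reply: 12-byte header, echoed question, one answer per rdata.

    flags, qid and ttl defaults are constructed values for this example.
    """
    question = encode_name(qname) + struct.pack("!2H", qtype, CLASS_IN)
    # Owner name: the root is a single zero byte; any other name is written as
    # a compression pointer to offset 12, where the question name starts.
    owner = b"\x00" if qname == "." else b"\xc0\x0c"
    answers = b""
    for rdata in rdatas:
        fixed = struct.pack("!2HIH", qtype, CLASS_IN, ttl, len(rdata))
        answers += owner + fixed + rdata
    header = struct.pack("!6H", qid, flags, 1, len(rdatas), 0, 0)
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (resume if resume is not None else off)


def parse_reply(msg):
    """Parse header, question and answer sections of a DNS reply."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, ns_targets, addresses = 12, [], [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            ns_targets.append(read_name(msg, off)[0])
        elif rtype == TYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"size": len(msg), "rcode": flags & 0xF, "questions": questions,
            "answer_count": an, "ns_targets": ns_targets, "addresses": addresses}


def trace_can_start(root_ns_reply):
    """True if a reply to the '. NS' query names at least one root server."""
    return bool(parse_reply(root_ns_reply)["ns_targets"])


# Constructed sample messages.
EMPTY_ROOT_NS = build_reply(".", TYPE_NS, [])  # what a 17-byte reply looks like
ROOT_NS = build_reply(".", TYPE_NS, [encode_name("a.root-servers.net.")])
GMAIL_A = build_reply("gmail.com.", TYPE_A, [socket.inet_aton(ip) for ip in
                      ("209.85.171.83", "64.233.171.83", "64.233.161.83")])

if __name__ == "__main__":
    for label, msg in (("empty . NS", EMPTY_ROOT_NS), ("root NS", ROOT_NS),
                       ("gmail.com A", GMAIL_A)):
        print(label, len(msg), "bytes", parse_reply(msg))
    print("trace can start from empty reply:", trace_can_start(EMPTY_ROOT_NS))
```
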
On Tue, 2008-07-15 at 07:41 -0500, Lanny Marcus wrote:
<snip>
I have it working, with one glitch (cannot get to the IPCop web interface from my Desktop) in the Backup IPCop box.
Did you remember to use the alternate port? E.g on my local net
https://homegroanfirewall:445/cgi-bin/index.cgi
I think the cgi... stuff is not needed, but that's where I bookmarked at for fast access.
<snip>
William L. Maltby wrote:
On Tue, 2008-07-15 at 07:41 -0500, Lanny Marcus wrote:
<snip>
I have it working, with one glitch (cannot get to the IPCop web interface from my Desktop) in the Backup IPCop box.
Did you remember to use the alternate port? E.g on my local net
https://homegroanfirewall:445/cgi-bin/index.cgi
I think the cgi... stuff is not needed, but that's where I bookmarked at for fast access.
Also, on most ipcop setups, port 81 redirects to the ssh port as well:
http://<name>:81/
On Tue, Jul 15, 2008 at 8:24 AM, Johnny Hughes johnny@centos.org wrote:
William L. Maltby wrote:
On Tue, 2008-07-15 at 07:41 -0500, Lanny Marcus wrote:
I have it working, with one glitch (cannot get to the IPCop web interface from my Desktop) in the Backup IPCop box.
Did you remember to use the alternate port? E.g on my local net
https://homegroanfirewall:445/cgi-bin/index.cgi
I think the cgi... stuff is not needed, but that's where I bookmarked at for fast access.
Also, on most ipcop setups, port 81 redirects to the ssh port as well:
http://<name>:81/
Thanks Johnny.. I just got into it, on Port 445 and am connected to the web interface now.
Question: Did you find that X crashed, in RHEL 5.2, on that SME Server documentation page, as it does in CentOS 5.2? Lanny
On Tue, Jul 15, 2008 at 8:49 AM, Lanny Marcus lmmailinglists@gmail.com wrote:
I have it working, with one glitch (cannot get to the IPCop web interface from my Desktop) in the Backup IPCop box.
It's working fine now! :-) I have the 2 updates installed and I backed it up to my Desktop. Trying to backup to a different floppy disk at this time. The floppy drive is probably sick. Otherwise, it is up and running! :-)
I will make the changes to our other (older) IPCop box, in a day or two. Running memtest86 on that one now.
On Tue, Jul 15, 2008 at 8:08 AM, William L. Maltby CentOS4Bill@triad.rr.com wrote:
On Tue, 2008-07-15 at 07:41 -0500, Lanny Marcus wrote:
<snip>
I have it working, with one glitch (cannot get to the IPCop web interface from my Desktop) in the Backup IPCop box.
Did you remember to use the alternate port? E.g on my local net
https://homegroanfirewall:445/cgi-bin/index.cgi
I think the cgi... stuff is not needed, but that's where I bookmarked at for fast access.
Yes, I have been using it with Port 445 and couldn't get into it. But, after reading your post, I tried it again and I am connected to the new IPCop box. :-) It may be an intermittent problem.
On Fri, Jul 11, 2008 at 12:36 PM, Scott Silva ssilva@sgvwater.com wrote:
<snip>
> On 7/10/08, Scott Silva <ssilva@sgvwater.com> wrote:
No !!! Don't change it there. That is the IP address sent to your dhcp clients for them to use for dns. If you set that to 127.0.0.1, no one will find anything. You need to run setup either from a terminal window on the ipcop box or by ssh. About halfway down is "Networking" which you select, and in that menu is "Dns and Gateway Settings".
You would set the primary dns to 127.0.0.1 and if you want set the secondary dns to what your primary dns was set at. You might have to play with the options to have dhcp assigned red and still be able to set your nameserver settings. The ipcop boxes I have are all on static ip's, on either T1's or business class DSL, so the settings are a little different.
Whatever you do, write down the original settings of anything you change so you can restore it if it horribly breaks.
Progress this morning! On our backup IPCop box (the one with much better HW) I updated IPCop and the Snort definitions and backed up that IPCop box to the HD on my Desktop. Then, I had a problem, when I tried to SSH into it. I got an Error, because the /root/.ssh/Known Hosts has the RSA Key for the IPCop box we normally use. I made a backup of that file and put the RSA Key for the Backup IPCop box there and then I was able to SSH into it. I put 127.0.0.1 for the Primary DNS and also for the Secondary DNS and tried to surf the web. No go.
Playing with the IPCop options you suggested might be something I need to do. In DHCP Server configuration, the Primary DNS was set to 192.168.10.1 I tried changing that to 127.0.0.1 but I had the same problem. When I tried to ping one of my web sites by the domain name, it came back ping: unknown host
I am up and running on our normal IPCop box again. Last night, I changed the DNS Settings in the ADSL Modem, from using the DNS Servers at our local ISP, to those of opendns.com and that probably will help a lot, until I can get IPCop configured properly for the Caching DNS Server.
Lanny Marcus wrote:
I am up and running on our normal IPCop box again. Last night, I changed the DNS Settings in the ADSL Modem, from using the DNS Servers at our local ISP, to those of opendns.com http://opendns.com and that probably will help a lot, until I can get IPCop configured properly for the Caching DNS Server.
My understanding is that IPCop provides a Caching DNS *Proxy*, not a Caching Name Server. Being a proxy means it forwards any queries that it can't answer from its own cache to full DNS Servers (caching or not). Once it knows the answer it will cache it locally and return that answer to local users without contacting the DNS server again - as long as it is valid to do so based on the cache time set for that particular domain. For example, my domain's cache time is short because my server lives on a dynamic IP address, but google's cache time is long because their servers are on static IP addresses and caching for a long time is safe for the DNS client to do (no need to query often because the servers aren't moving).
If your ADSL modem can act as a DNS server, then you can point IPCop to that for DNS, but you can't point IPCop to itself (127.0.0.1) because it is only a proxy - not a full DNS server. In my view, for DNS your IPCop box should be directed to:- 1) your ISP's DNS servers; or 2) public DNS servers; or 3) your ADSL modem which is using either of the above.
As I've already mentioned in other replies on this topic, my IPCop server uses my ISP for DNS requests. This means my ADSL modem is bypassed for DNS queries, but I'm not even sure if it could respond to DNS queries. Even if it could, since the IPCop is a caching proxy, it will keep the query results as long as it is entitled to before re-querying the real DNS server again. Using the ADSL modem won't help here because it can't cache any longer than the IPCop box can, so it will have to query the real DNS server in this situation. My view is you might as well make the IPCop do that in one step - why involve the modem?
Regards,
Ian
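Added example (not part of the original thread, and not IPCop's code): a toy Python model of the caching-proxy behaviour described in the message above, showing answers served from cache until the record's cache time expires and the failure when a forwarder's only upstream is itself. The class names, sample hostnames, addresses and TTL values are constructed for illustration.

```python
"""Toy model of a caching DNS proxy (forwarder). Constructed example, not IPCop code."""


class ResolutionLoop(Exception):
    """Raised when a cache miss is forwarded back to the proxy that is asking."""


class FakeClock:
    """Manually set clock so TTL expiry can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class CachingDnsProxy:
    def __init__(self, upstream, clock):
        self.upstream = upstream      # callable: name -> (address, ttl_seconds)
        self.clock = clock
        self.cache = {}               # name -> (address, expiry time)
        self.in_flight = set()        # names currently being forwarded upstream
        self.upstream_queries = 0

    def resolve(self, name):
        """Return (address, source), where source is 'cache' or 'upstream'."""
        name = name.rstrip(".").lower()
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0], "cache"          # still valid: no upstream traffic
        if name in self.in_flight:
            raise ResolutionLoop(name)        # our own query came back to us
        self.in_flight.add(name)
        try:
            self.upstream_queries += 1
            address, ttl = self.upstream(name)
        finally:
            self.in_flight.discard(name)
        self.cache[name] = (address, now + ttl)
        return address, "upstream"


# Constructed upstream data: name -> (address, TTL in seconds).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_ZONE = {
    "dynamic-host.example": ("192.0.2.10", 60),       # short cache time
    "static-site.example": ("198.51.100.20", 86400),  # long cache time
}


def sample_upstream(name):
    return SAMPLE_ZONE[name]


def demo():
    """Replay a few lookups at chosen times; return (timeline, upstream query count)."""
    clock = FakeClock()
    proxy = CachingDnsProxy(sample_upstream, clock)
    timeline = []
    for t, name in [(0, "static-site.example"), (0, "dynamic-host.example"),
                    (30, "dynamic-host.example"), (90, "dynamic-host.example"),
                    (3600, "static-site.example")]:
        clock.now = t
        timeline.append((t, name, proxy.resolve(name)[1]))
    return timeline, proxy.upstream_queries


def self_pointing_proxy_fails():
    """A forwarder whose only upstream is itself cannot answer a cache miss."""
    proxy = CachingDnsProxy(upstream=None, clock=FakeClock())
    proxy.upstream = proxy.resolve            # the "127.0.0.1 as upstream" case
    try:
        proxy.resolve("static-site.example")
    except ResolutionLoop:
        return True
    return False


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
    print("self-pointing proxy fails:", self_pointing_proxy_fails())
```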
On Sun, Jul 13, 2008 at 6:11 PM, Ian Blackwell ian@ikel.id.au wrote:
Lanny Marcus wrote: I am up and running on our normal IPCop box again. Last night, I changed the DNS Settings in the ADSL Modem, from using the DNS Servers at our local ISP, to those of opendns.com and that probably will help a lot, until I can get IPCop configured properly for the Caching DNS Server.
My understanding is that IPCop provides a Caching DNS Proxy, not a Caching Name Server.
You may be correct about that. Scott Silva tried this using IPCop on a VM and it did work for him. I googled for: IPCop+Caching+DNS and these are the first responses I got:
- 5. Services Menu: As well as caching DNS information from the Internet, the DNS proxy on IPCop allows you to manually enter hosts whose address you want to maintain locally. ... www.ipcop.org/1.4.0/en/admin/html/services.html
- IPCop History :: IPCop.org :: The bad packets stop here! Digital Alpha (preliminary) - yes, IPCop runs on Alpha systems as well as Intel ... Caching DNS; TCP/UDP Port Forwarding; External Service Access Control ... www.ipcop.org/index.php?module=pnWikka&tag=IPCopHistory
- IPCop: An Overview: IPCop is a cut-down Linux distribution that is intended to operate as a ... Caching DNS; TCP/UDP port forwarding; Intrusion detection system (Snort) ... www.securityfocus.com/infocus/1556
- [Technic] IPCOP: Now, if you use Morenet's DNS system.. consider changing your DHCP to pass out the IPCOP's caching DNS server instead(but set ipcop itself to use morenet's ... lists.more.net/archives/technic/2005-July/009873.html
- 'Re: [IPCop-devel] Regarding local (green) DNS and global (red ...: I flushed >the local DNS cache and restarted IPCop before testing in each mode. I got >identical results in all modes - the DNS lookup would be sucessfully ... marc.info/?l=ipcop-devel&m=105698912708708&w=2
- z o r g . o r g - IPCop Firewall Review: IPCop offers an IPChains based firewall with DHCP server, caching DNS, the Squid web proxy, Snort intrusion detection system, port forwarding, ... www.zorg.org/linux/ipcop.php
Being a proxy means it forwards any queries that it can't answer from its own cache to full DNS Servers (caching or not). Once it knows the answer it will cache it locally and return that answer to local users without contacting the DNS server again - as long as it is valid to do so based on the cache time set for that particular domain. For example, my domain's cache time is short because my server lives on a dynamic IP address, but google's cache time is long because their servers are on static IP addresses and caching for a long time is safe for the DNS client to do (no need to query often because the servers aren't moving).
If your ADSL modem can act as a DNS server,
I don't think so, but I will log onto it and see if I can find anything about it being able to do that.
then you can point IPCop to that for DNS, but you can't point IPCop to itself (127.0.0.1) because it is only a proxy - not a full DNS server. In my view, for DNS your IPCop box should be directed to:-
- your ISP's DNS servers; or
We stopped using the DNS Servers at my ISP last night. I switched the settings in the ADSL Modem to use the DNS at opendns.com and that will eliminate the DNS problems we had, when using the DNS Servers at our ISP.
- public DNS servers; or
Now using opendns.com as I mentioned above.
- your ADSL modem which is using either of the above.
On this URL: https://www.opendns.com/start?device=ipcop they have the below information:
Enable OpenDNS: Unix/Linux IPCop firewall
Get Started > Change DNS on your server > Instructions Overview
1. Log in as root and run setup.
2. Select the Networking option and select OK.
3. In Network configuration menu, select DNS and Gateway settings and select OK.
4. In the DNS and Gateway settings screen, enter the OpenDNS nameserver addresses. Leave the Gateway value alone. Select OK.
5. Back on the Network Configuration menu, select Done.
6. Watch the Pushing Network down... message.
7. Watch the Pulling Network up... message.
8. At the Selection menu, press Quit to exit the setup program.
They have information for bind, dnscache and IPCop. I think my next attempt will be to follow the above instructions and see if I then have DNS!
As I've already mentioned in other replies on this topic, my IPCop server uses my ISP for DNS requests. This means my ADSL modem is bypassed for DNS queries, but I'm not even sure if it could respond to DNS queries. Even if it could, since the IPCop is a caching proxy, it will keep the query results as long as it is entitled to before re-querying the real DNS server again. Using the ADSL modem won't help here because it can't cache any longer than the IPCop box can, so it will have to query the real DNS server in this situation. My view is you might as well make the IPCop do that in one step - why involve the modem?
Thanks again. I am probably very close to getting this working on that IPCop box.
On Sun, Jul 13, 2008 at 6:11 PM, Ian Blackwell ian@ikel.id.au wrote: <snip>
My understanding is that IPCop provides a Caching DNS Proxy, not a Caching Name Server. Being a proxy means it forwards any queries that it can't answer from its own cache to full DNS Servers (caching or not).
I suspect you are correct, that it is a DNS Proxy and not a DNS Server. I googled site:ipcop.org caching+DNS+server and I see things that refer to DNS Server and also things that refer to DNS Proxy.
In the IPCop Administrative Manual, it says, "As well as Caching DNS information from the Internet, the DNS proxy on IPCop........."
As I wrote a few minutes ago, the next time I hook up that IPCop box, I will follow the instructions on opendns.com and see what happens.
On Sun, Jul 13, 2008 at 6:11 PM, Ian Blackwell ian@ikel.id.au wrote: <snip>
If your ADSL modem can act as a DNS server, then you can point IPCop to that for DNS, but you can't point IPCop to itself (127.0.0.1) because it is only a proxy - not a full DNS server. In my view, for DNS your IPCop box should be directed to:-
- your ISP's DNS servers; or
- public DNS servers; or
- your ADSL modem which is using either of the above.
As I've already mentioned in other replies on this topic, my IPCop server uses my ISP for DNS requests. This means my ADSL modem is bypassed for DNS queries, but I'm not even sure if it could respond to DNS queries.
Ian: This is from the web interface of our ZTE ADSL Modem:
DNS Server Configuration
If Enable Automatic Assigned DNS checkbox is selected, this router will accept the first received DNS assignment from the PPPoA, PPPoE or MER/DHCP enabled PVC(s) during the connection establishment. If the checkbox is not selected, enter the primary and optional secondary DNS server IP addresses. Click "Apply" to save it. NOTE: If changing from unselected Automatic Assigned DNS to selected Automatic Assigned DNS, you must reboot the router to get the automatic assigned DNS addresses.
Enable Automatic Assigned DNS
Primary DNS server:
Last night, I put the IP addresses for the 2 DNS Servers at opendns.com there.
Question: The next time I connect our Backup IPCop box, should I put the 2 IP addresses for opendns.com there, or, the IP of our ADSL Modem? Which will be faster? If I understand, you have the IP addresses in your IPCop box and that bypasses your ADSL Modem. TIA, Lanny
Lanny Marcus wrote:
Question: The next time I connect our Backup IPCop box, should I put the 2 IP addresses for opendns.com there, or, the IP of our ADSL Modem? Which will be faster? If I understand, you have the IP addresses in your IPCop box and that bypasses your ADSL Modem. TIA, Lanny
My advice is to forget DNS on the modem because it won't be more up-to-date than the cache on the IPCop server, so it won't serve any useful function. Set the IPCop box to use the IP addresses provided by opendns.com. It will cache DNS query results and contact the opendns servers when it needs to refresh expired data or get new data not already in the IPCop cache. The modem can't help in this scenario, so leave it alone and bypass it by telling IPCop to go directly to opendns for DNS queries.
Cheers,
Ian
On Sun, Jul 13, 2008 at 8:24 PM, Ian Blackwell ian@ikel.id.au wrote:
Lanny Marcus wrote:
Question: The next time I connect our Backup IPCop box, should I put the 2 IP addresses for opendns.com there, or, the IP of our ADSL Modem? Which will be faster? If I understand, you have the IP addresses in your IPCop box and that bypasses your ADSL Modem. TIA, Lanny
My advice is to forget DNS on the modem because it won't be more up-to-date than the cache on the IPCop server, so it won't serve any useful function. Set the IPCop box to use the IP addresses provided by opendns.com. It will cache DNS query results and contact the opendns servers when it needs to refresh expired data or get new data not already in the IPCop cache. The modem can't help in this scenario, so leave it alone and bypass it by telling IPCop to go directly to opendns for DNS queries.
That is what I thought, from reading what you'd written previously, but I wanted to confirm that with you. I will try that, on our Backup IPCop box, when the other users are not online. Thanks!
On 7/10/08, Rob Townley rob.townley@gmail.com wrote:
why not use the dig command to query your isp dns system to see if they forward requests to opendns. By the way, OpenDNS is a great way to help prevent phishing attacks.
Lastly, you should use this opp to create an opendns signon, this will give you control over your dns request options. You could block any domain via dns quickly.
Rob, I will go to opendns.com and see what I need to do, to use their DNS Servers for web browsing, etc., temporarily, until I get Caching DNS up and running. If my ISP is using them upstream, for their DNS Service, it would be very easy for me to change the settings in my ADSL modem, from the 2 DNS Servers at my ISP, to servers at opendns.com and eliminate the delay at my local ISP. I'd never heard of opendns.com until I tried to connect to a secure server at irs.gov about 10 days ago and got an SSL warning from Firefox, that the cert belonged to opendns.com Another idea. Thanks! Lanny
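Added example (not part of the original thread): one way to check a resolver for the behaviour reported above, where failed lookups land on a guide page instead of returning an error. It looks up random names that should not exist, records any addresses that come back, and flags real hostnames whose answer is one of those landing addresses. The function names, the sample zone and the sample resolvers are constructed; `system_lookup` uses the standard library's `socket.getaddrinfo` for running it against the live resolver.

```python
"""Check a resolver for NXDOMAIN rewriting. Constructed example, not from the thread."""
import secrets
import socket


def system_lookup(name):
    """IPv4 addresses from the system resolver; empty set when the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_probe_names(count=3, suffix="com"):
    """Random names that are practically certain not to be registered.

    The trailing dot makes each name absolute, so search domains from
    resolv.conf are not appended to it.
    """
    return [f"{secrets.token_hex(12)}.{suffix}." for _ in range(count)]


def audit_resolver(lookup, hostnames, probes=None):
    """Report whether `lookup` answers for nonexistent names, and which of
    `hostnames` currently resolve to one of those landing addresses."""
    probes = probes if probes is not None else random_probe_names()
    landing = set()
    for probe in probes:
        landing |= set(lookup(probe))     # a clean resolver returns nothing here
    suspect = sorted(h for h in hostnames if set(lookup(h)) & landing)
    return {
        "rewrites_nxdomain": bool(landing),
        "landing_addresses": sorted(landing),
        "suspect_hosts": suspect,
    }


# --- Constructed sample resolvers so the check can be run offline -----------
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_ZONE = {"www.example.org": "192.0.2.80", "secure.example.org": "192.0.2.81"}


def make_sample_resolver(zone, landing=None, failing=()):
    """Model of a resolver. With `landing` set, every lookup that fails
    (unknown name, or a name listed in `failing`) gets the landing address."""
    def lookup(name):
        name = name.rstrip(".").lower()
        if name in zone and name not in failing:
            return {zone[name]}
        return {landing} if landing else set()
    return lookup


CLEAN = make_sample_resolver(SAMPLE_ZONE)
REWRITING = make_sample_resolver(SAMPLE_ZONE, landing="203.0.113.53",
                                 failing={"secure.example.org"})

if __name__ == "__main__":
    hosts = ["www.example.org", "secure.example.org"]
    print("clean    :", audit_resolver(CLEAN, hosts))
    print("rewriting:", audit_resolver(REWRITING, hosts))
    # Against the live system resolver (needs network access):
    # print(audit_resolver(system_lookup, ["www.centos.org"]))
```

A host listed under `suspect_hosts` is one where an HTTPS connection would reach the landing server, so the certificate presented will not match the site name.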
On 7/10/08, Rob Townley rob.townley@gmail.com wrote: <snip>
Lastly, you should use this opp to create an opendns signon, this will give you control over your dns request options. You could block any domain via dns quickly.
Rob: I just changed the DNS settings in the ADSL Modem to use the DNS servers at opendns.com and not the DNS servers at our ISP in Cali. The opendns.com servers will probably work a lot better. I still want to get DNS Caching locally and with luck, possibly I will have that running tomorrow. This should speed up our surfing, a lot. Lanny
On 7/12/08, Lanny Marcus lmmailinglists@gmail.com wrote:
On 7/10/08, Rob Townley rob.townley@gmail.com wrote:
<snip>
Lastly, you should use this opp to create an opendns signon, this will give you control over your dns request options. You could block any domain via dns quickly.
Rob: I just changed the DNS settings in the ADSL Modem to use the DNS servers at opendns.com and not the DNS servers at our ISP in Cali. The opendns.com servers will probably work a lot better. I still want to get DNS Caching locally and with luck, possibly I will have that running tomorrow. This should speed up our surfing, a lot. Lanny
Either our ISP (EMCALI) is using opendns.com intentionally, or, their DNS servers have been corrupted. Probably, they are using it intentionally and their Customer Support is not aware of that. In the past 10 days, frequently, I ended up at the Open DNS Guide, when DNS wasn't resolving.
Make life easier for you and your users. OpenDNS Guide
The OpenDNS Guide is the page your users see when they go to a website that doesn't exist or isn't resolving. We provide search results and offer suggestions to help your users get back on their way. This includes the use of our industry-leading domain spellchecking service to save them time and make them more productive.
2008/7/9 Lanny Marcus lmmailinglists@gmail.com:
I believe this is completely OT, but I want to be positive. I have a fully up to date CentOS 5.2 box. During the past week, when surfing with Firefox (and today, while testing with Konqueror), frequently, especially when DNS is slow, I am seeing references to opendns.com At times, I end up on opendns.com web pages, instead of at the web site I'm trying to get to. My ISP, the phone company, claims this is not coming from their end and that they are not using opendns.com. I was told they have two (2) DNS servers. I haven't changed anything in my IPCop Firewall/Router box and my belief is that this is coming from my ISP or upstream from there. . If using opendns.com is something new in CentOS 5.2, please let me know. TIA.
Could it be that some server you connect to uses opendns' servers for their own DNS service? Which web sites are you trying to surf to when you reach OpenDNS?
--Amos
On Wed, Jul 9, 2008 at 4:03 AM, Amos Shapira amos.shapira@gmail.com wrote:
2008/7/9 Lanny Marcus lmmailinglists@gmail.com:
I believe this is completely OT, but I want to be positive. I have a fully up to date CentOS 5.2 box. During the past week, when surfing with Firefox (and today, while testing with Konqueror), frequently, especially when DNS is slow, I am seeing references to opendns.com At times, I end up on opendns.com web pages, instead of at the web site I'm trying to get to. My ISP, the phone company, claims this is not coming from their end and that they are not using opendns.com. I was told they have two (2) DNS servers. I haven't changed anything in my IPCop Firewall/Router box and my belief is that this is coming from my ISP or upstream from there. . If using opendns.com is something new in CentOS 5.2, please let me know. TIA.
Could it be that some server you connect to uses opendns' servers for their own DNS service? Which web sites are you trying to surf to when you reach OpenDNS?
Amos: This is an intermittent problem and I believe it began one week ago. The first time it happened, I was trying to connect to a Secure (https) web site at irs.gov and I got a warning message from Firefox that the SSL certificate belonged to opendns.com which was very troubling.... That is the first time I called my ISP about opendns.com I have also seen references to opendns.com while trying to connect to other web sites. I suspect that my ISP (the phone company) is using opendns.com but the Supervisor in support that I spoke with does not think that is true. Of course, she is not the Network person in charge of their 2 DNS servers, so she may be unaware of what happens upstream.
Since then, when the DNS is slow, I have seen references to opendns.com at the lower left hand corner of Firefox, where it shows what sites it is trying to connect to, transferring from, etc. For example, yesterday, in that area, I saw "guide.opendns.com Waiting for reply"
I am beginning to look into the idea of having my own Caching DNS Server, as was suggested in this thread last night. I took a *very* quick look at IPCop (which is my current Firewall/Router box) and I think it has provisions for Dynamic DNS built in, but not Caching DNS. I also took a very quick look at the SME Server documentation, which I was able to get last night after I switched to KDE and I think it also has provisions for Dynamic DNS but not DNS Caching. When I have more time available, I will read more about dnscache part of djbdns, which was suggested earlier in this thread, as an option to BIND. Lanny
Pfsense could do the job also, if you install tinyDNS and increase the cache limit which is 1Mb by default to perhaps 100mb. I'm giving a try right now because my ISP here in mexico city is so damn slow to resolve domains outside the america continent.
cheers.
On 7/9/08, Victor Padro vpadro@gmail.com wrote:
Pfsense could do the job also, if you install tinyDNS and increase the cache limit which is 1Mb by default to perhaps 100mb. I'm giving a try right now because my ISP here in mexico city is so damn slow to resolve domains outside the america continent.
Hola Victor: Gracias. I will add Pfsense and tinyDNS to the list of things I need to read up on. Having my own Caching DNS Server, in my Firewall/Router box, is probably the best way to eliminate these problems. If I can do that on CentOS that would be great, and I'm sure that just about anything can be done on CentOS, but I am going to look into doing it with my IPCop box or on SME Server, first, which would probably be much easier for me to get up and running properly. I have a backup IPCop box, that I probably can do this on. It has a P3 500MHz CPU and 384 MB of RAM. I don't think CentOS 5.2 will run on that, but maybe CentOS 4.6 will run OK on it. Until WiMax or TelMex become available in our rural subdivision (in Colombia) at this time, ADSL is our best option for connectivity, but probably it would be nice, only to use them for connectivity and not for DNS. Lanny
Hi there again... I just found this on my quest of DNS caching... http://isc.sans.org/diary.html?storyid=4687
Lanny: I think you can install CentOS 3.x, 4.x, and remotely perhaps CentOS 5.0 on a P3 like yours, I have a couple of Dells P3 running CentOS 3.9 server edition and CentOS 5.0 (not connected to the outside world though) which serves web sites locally and it's been working without a hassle.
Telmex here is not very bad service...it's awful. :) But Internet via cablemodem it's worse...
On 7/10/08, Victor Padro vpadro@gmail.com wrote:
Hi there again... I just found this on my quest of DNS caching... http://isc.sans.org/diary.html?storyid=4687
Victor: I read that page and I sent the URL to the Supervisor in Support at our ISP, hoping she will pass it along, to whoever is in charge of their DNS Servers.
Lanny: I think you can install CentOS 3.x, 4.x, and remotely perhaps CentOS 5.0 on a P3 like yours, I have a couple of Dells P3 running CentOS 3.9 server edition and CentOS 5.0 (not connected to the outside world though) which serves web sites locally and it's been working without a hassle.
I'm a Desktop user and Linux newbie. If I could use CentOS (which can do almost anything, if one knows how to do it), to replace our IPCop box, all I need it to do is: (a) Router, between the ADSL Modem and our Network Switch) (b) Masquerading, so we can share the Internet connection (we get a Dynamic IP address from our ISP) and (c) Caching DNS Server, so we can discontinue using the DNS Servers at our ISP. If I knew how to configure that, properly, in CentOS 3.x or 4.x, that would be my preferred choice. But, if it is much easier to add a Caching DNS Server to my IPCop box, or add a Caching DNS Server to SME Server (based on CentOS), or, some other OS, that would be better for me, a novice, to get up and running.
If I can get this running properly, I will add it to my resume! :-)
Telmex here is not very bad service...it's awful. :)
A man who works in my daughters school switched to TelMex (in Cali) a few months ago. He got a package, for TV, phone, and Internet, and it is saving him $. I think he was happy with it, at that time.
But Internet via cablemodem it's worse...
We had Cable Modem Service, in Cali, for about 4 years, before we built our new house. I remember 2 or 3 times, we were without Cable TV and Internet, or without Internet, for about 2 weeks, each time. Our current ISP, the major Cali phone company, with ADSL, is probably the best ISP we have ever had, with the exception of this DNS problem. My wife is in here now and she is *complaining* about the SLOW DNS and I told her I am going to ask on this mailing list, for the easiest thing I can implement, so we have our own Caching DNS Server and only use the ISP for connectivity. We live in a rural subdivision and I don't think there are enough people living here yet to make it profitable for them to install Cable TV here. Maybe in the future, or when TelMex comes to our town. TelMex has lots of $ and they can do it, if they want to do it.
Awhile ago, I tried to connect to another Secure (SSL, https://) Server and I ended up again, with a warning, that the SSL Certificate belonged to opendns.com. The first time that happened, last week, it was at irs.gov; this time it was somewhere else.
I think I saw a reference, in a thread yesterday, about not having a package with "caching" in its name, if one also has BIND installed. I am going to try to locate that thread and find out about that package. Possibly it can do what I need to do.
Thanks much! Lanny
On 7/10/08, Lanny Marcus lmmailinglists@gmail.com wrote: <snip>
I think I saw a reference, in a thread yesterday, about not having a package with "caching" in its name, if one also has BIND installed. I am going to try to locate that thread and find out about that package. Possibly it can do what I need to do.
OK. I found it. Tru wrote this, in a thread yesterday:
If you have the caching-nameserver package, it's the expected behaviour: /etc/named.conf is "owned" and labelled as "config file" for caching-nameserver.
The regular bind/bind-chroot don't provide named.conf. You should not install the caching-nameserver package if you are indeed providing DNS services with bind...
I'm wondering if caching-nameserver will do the Caching DNS for me, if I use CentOS 3.x or 4.x. Also need the box to do Routing and Masquerading. Would that be done by IPTables? Or, if I should use dnscache, which is apparently much more secure than BIND, or something else, that is easier for a newbie to get configured properly. TIA! Lanny
on 7-10-2008 2:04 PM Lanny Marcus spake the following:
On 7/10/08, Lanny Marcus lmmailinglists-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
<snip>
I think I saw a reference, in a thread yesterday, about not having a package with "caching" in its name, if one also has BIND installed. I am going to try to locate that thread and find out about that package. Possibly it can do what I need to do.
OK. I found it. Tru wrote this, in a thread yesterday:
If you have the caching-nameserver package, it's the expected behaviour: /etc/named.conf is "owned" and labelled as "config file" for caching-nameserver.
The regular bind/bind-chroot don't provide named.conf. You should not install the caching-nameserver package if you are indeed providing DNS services with bind...
I'm wondering if caching-nameserver will do the Caching DNS for me, if I use CentOS 3.x or 4.x. Also need the box to do Routing and Masquerading. Would that be done by IPTables? Or, if I should use dnscache, which is apparently much more secure than BIND, or something else, that is easier for a newbie to get configured properly. TIA! Lanny
Bind as a caching nameserver is dead easy to install. Just run "yum install caching-nameserver" and it will pull everything in. Then "chkconfig named on & service named start"
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote: <snip>
Bind as a caching nameserver is dead easy to install. Just run "yum install caching-nameserver" and it will pull everything in. Then "chkconfig named on & service named start"
Scott: Thanks! I just began a text file: "Caching DNS Server" and copied the above into it. Questions: (a) Is caching-nameserver completely standalone or do I need anything else with it? (Sound like yum will install everything it needs) (b) How to configure it? (c) Easier for me to get that configured properly than dnscache from djbdns? (d) If I do a minimal CentOS 3.x or 4.x install, would I do the Routing & Masquerading with IPTables or something else? If I can get this to work, on a CentOS box, that would be great. Lots of questions! Your time and help is much appreciated! Lanny
On Thu, Jul 10, 2008, Lanny Marcus wrote:
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
Bind as a caching nameserver is dead easy to install. Just run "yum install caching-nameserver" and it will pull everything in. Then "chkconfig named on & service named start"
Scott: Thanks! I just began a text file: "Caching DNS Server" and copied the above into it. Questions: (a) Is caching-nameserver completely standalone or do I need anything else with it? (Sound like yum will install everything it needs) (b) How to configure it? (c) Easier for me to get that configured properly than dnscache from djbdns? (d) If I do a minimal CentOS 3.x or 4.x install, would I do the Routing & Masquerading with IPTables or something else? If I can get this to work, on a CentOS box, that would be great. Lots of questions! Your time and help is much appreciated! Lanny
If you configure BIND so it only listens on 127.0.0.1, it should be fairly secure.
Bill
on 7-10-2008 2:50 PM Lanny Marcus spake the following:
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote:
<snip>
Bind as a caching nameserver is dead easy to install. Just run "yum install caching-nameserver" and it will pull everything in. Then "chkconfig named on & service named start"
Scott: Thanks! I just began a text file: "Caching DNS Server" and copied the above into it. Questions: (a) Is caching-nameserver completely standalone or do I need anything else with it? (Sound like yum will install everything it needs) (b) How to configure it? (c) Easier for me to get that configured properly than dnscache from djbdns? (d) If I do a minimal CentOS 3.x or 4.x install, would I do the Routing & Masquerading with IPTables or something else? If I can get this to work, on a CentOS box, that would be great. Lots of questions! Your time and help is much appreciated! Lanny
Do you want to install a complete router using CentOS? Is your ipcop box not adequate for your needs?
On 7/10/08, Scott Silva ssilva@sgvwater.com wrote:
Do you want to install a complete router using CentOS? Is your ipcop box not adequate for your needs?
From what you wrote to me in another reply, ipcop will do the job, as soon as I can get into it and get it configured the way you said. That will be MUCH easier and MUCH faster than me trying to set up a CentOS box to do this.
On Thu, 2008-07-10 at 15:39 -0500, Lanny Marcus wrote:
On 7/10/08, Victor Padro vpadro@gmail.com wrote:
<snip>
I'm a Desktop user and Linux newbie. If I could use CentOS (which can do almost anything, if one knows how to do it), to replace our IPCop box, all I need it to do is: (a) Router, between the ADSL Modem and our Network Switch) (b) Masquerading, so we can share the Internet connection (we get a Dynamic IP address from our ISP) and (c) Caching DNS Server, so we can discontinue using the DNS Servers at our ISP.
MY IPCop does all that. Dead easy to setup and configure. Just read the docs (might have to go to the website and download, I can't recall now).
I've been running it several years. I also have it do my time sync.
If you are a newbie, I would suggest first getting the IPCop fully enabled to do the masquerading, DHCP service, NAT, time service et al. Then if you still want to do a CentOS-based firewall, you'll have a known good, tested and reliable firewall working while you make your mistakes and test.
Another POV: why reinvent the wheel?
If I knew how to configure that, properly, in CentOS 3.x or 4.x, that would be my preferred choice. But, if it is much easier to add a Caching DNS Server to my IPCop box, or add a Caching DNS Server to SME Server (based on CentOS), or, some other OS, that would be better for me, a novice, to get up and running.
If I can get this running properly, I will add it to my resume! :-)
<snip>
IPCOP here. Use it for Masq, dhcp, NAT, time, Transparent Webfiltering via URLFilter plugin (and automatic blacklist downloads) and banned internal MAC addresses (our inside machines) via advancedproxy plugin, and more..... It's on our public access wifi network with a dedicated DSL connection. Been up for 2 years. It's on an old IBM Netvista SFF Celeron 900 with 512M of ram. I'm gonna build one at home, cause my kids are getting to the age.... Dennis
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of William L. Maltby Sent: Thursday, July 10, 2008 3:49 PM To: CentOS mailing list Subject: Re: [CentOS] OT: anything in CentOS 5.2 that uses opendns.com whenbrowsing web?
On Thu, 2008-07-10 at 15:39 -0500, Lanny Marcus wrote:
On 7/10/08, Victor Padro vpadro@gmail.com wrote:
<snip>
I'm a Desktop user and Linux newbie. If I could use CentOS (which can do almost anything, if one knows how to do it), to replace our IPCop box, all I need it to do is: (a) Router (between the ADSL Modem and our Network Switch), (b) Masquerading, so we can share the Internet connection (we get a Dynamic IP address from our ISP) and (c) Caching DNS Server, so we can discontinue using the DNS Servers at our ISP.
MY IPCop does all that. Dead easy to set up and configure. Just read the docs (might have to go to the website and download, I can't recall now).
I've been running it several years. I also have it do my time sync.
If you are a newbie, I would suggest first getting the IPCop fully enabled to do the masquerading, DHCP service, NAT, time service et al. Then if you still want to do a CentOS-based firewall, you'll have a known good, tested and reliable firewall working while you make your mistakes and test.
Another POV: why reinvent the wheel?
If I knew how to configure that, properly, in CentOS 3.x or 4.x, that would be my preferred choice. But, if it is much easier to add a Caching DNS Server to my IPCop box, or add a Caching DNS Server to SME Server (based on CentOS), or, some other OS, that would be better for me, a novice, to get up and running.
If I can get this running properly, I will add it to my resume! :-)
<snip>
-- Bill
On 7/10/08, Dennis McLeod dmcleod@foranyauto.com wrote:
IPCOP here. Use it for Masq, dhcp, NAT, time, Transparent Webfiltering via URLFilter plugin (and automatic blacklist downloads) and banned internal MAC addresses (our inside machines) via advancedproxy plugin, and more..... It's on our public access wifi network with a dedicated DSL connection. Been up for 2 years. It's on an old IBM Netvista SFF Celeron 900 with 512M of ram. I'm gonna build one at home, cause my kids are getting to the age.... Dennis
Great. I have IPCop running on a Pentium 233 MMX box with 64 MB of RAM. It's our oldest box and it does the job for our house. :-)
Lanny Marcus wrote:
On 7/10/08, Dennis McLeod dmcleod@foranyauto.com wrote:
IPCOP here. Use it for Masq, dhcp, NAT, time, Transparent Webfiltering via URLFilter plugin (and automatic blacklist downloads) and banned internal MAC addresses (our inside machines) via advancedproxy plugin, and more..... It's on our public access wifi network with a dedicated DSL connection. Been up for 2 years. It's on an old IBM Netvista SFF Celeron 900 with 512M of ram. I'm gonna build one at home, cause my kids are getting to the age.... Dennis
Great. I have IPCop running on a Pentium 233 MMX box with 64 MB of RAM. It's our oldest box and it does the job for our house. :-)
IPCop here too - since 2004 - with a full Blue, Orange, Green and Red configuration (CentOS in Orange for email/web etc). I too used a really old P200 with about 96Mb RAM. It will work OK on that hardware - as it does on yours - but you just can't get it to do the extra stuff - e.g. CopFilter, Snort, etc. I've just updated to an AMD Athlon XP 1700+ with 512Mb of RAM and I can now run all the cool add-ons I couldn't before.
Ian