On Tue June 23 2009 12:36:19 Victor Duchovni wrote:
> > The clean way is to configure your resolver to look at your own DNS
> > first, before external queries, then do away with transport_maps
> > altogether:
> >
> > example.com. MX 10 primary.mda.your.domain.
> > example.com. MX 20 secondary.mda.your.domain.
> > example.net. MX 10 primary.mda.your.domain.
> > example.net. MX 20 secondary.mda.your.domain.
>
> With BIND at least, it is not possible to place out-of-scope records
> in a zone file. One needs to claim the whole zone, which masks other
> records in the entire tree below that domain.
Indeed. A good tool for this job is dnsmasq(8). I run dnsmasq as the
nameserver for clients, and it uses a recursive-only BIND named(8) as its
backend. This way, it's very simple to override any specific RR name in
the global DNS.

Where I have dnsmasq and Postfix on the same box, resolv.conf points to
dnsmasq on 127.0.0.1, and dnsmasq in turn uses named on an alternate port:

dnsmasq.conf excerpt:

    server=127.0.0.1#1053
    cache-size=0   # no point in dual caching of results

named.conf excerpt:

    options {
        listen-on port 1053 { 127.0.0.1; };
        // other options as desired, mine only sets directory
    };

In my config, both named and dnsmasq run as non-root easily. Of course
dnsmasq requires root to start and bind ports 53 tcp & udp, but it drops
privilege after that.

When I first came up with this scheme I thought it was rather ugly, but I
am now pleased with it. :) dnsmasq is a DHCP server, so it replaces ISC
dhcpd(8) here, and it provides the separation of recursion from
authoritative NS that the BIND gurus recommend.

http://www.thekelleys.org.uk/dnsmasq/doc.html for those who might not
know this piece of software.

> This is not generally a good idea.

In BIND named, I would agree. You *can* make a zone for a specific RR
name, but this tends not to scale as well nor as easily as dnsmasq.

> I recommend using the "localhost"
> zone (or the "invalid" zone) for custom MX records. As in the
> "your.domain" example, but with "localhost" for "your.domain".

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header
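A check for the two-resolver layout described above, added here as an example and not taken from the thread or from dnsmasq/BIND: it sends the same MX query to the dnsmasq front end and to the named backend and reports whether their answers differ, which is what a working local override should look like. It assumes the ports from the posted excerpts (dnsmasq on 127.0.0.1:53, named on 127.0.0.1:1053) and, in the header comment, hypothetical dnsmasq `mx-host=` lines that would carry the overrides; `build_mx_response` is a constructed reply used only so the parser can be exercised offline.

```python
# Added example (not from the thread): query both resolvers on the box
# for a domain's MX records and show whether the dnsmasq front end
# (127.0.0.1:53) answers differently from the recursive-only named behind
# it (127.0.0.1:1053). A difference is the expected sign that a local
# override is active; an identical answer means the override is missing
# or dnsmasq is not the resolver being queried.
#
# Assumed (hypothetical) dnsmasq.conf lines that would produce such a
# difference, using dnsmasq's mx-host= option:
#   mx-host=example.com,primary.mda.your.domain,10
#   mx-host=example.com,secondary.mda.your.domain,20
#   server=127.0.0.1#1053
import random
import socket
import struct
import sys

QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234):
    """Standard query with RD set and one question: <name> MX IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_MX, QCLASS_IN)


def build_mx_response(name, records, qid=0x1234, rcode=0):
    """Constructed response used only for offline self-checks.
    Answer owner names use a compression pointer (0xC00C) to the question
    name at offset 12, so the parser's pointer handling is exercised."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(records), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    for pref, target in records:
        rdata = struct.pack("!H", pref) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 300, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a (possibly compressed) name at <off>; return (name, offset after it)."""
    labels = []
    end = None          # offset just past the name at its original position
    hops = 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:             # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                   # refuse pointer loops in a malformed reply
                raise ValueError("too many compression pointers")
            continue
        off += 1
        if ln == 0:
            if end is None:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_mx(msg):
    """Return sorted (preference, target) pairs from the answer section.
    A non-zero RCODE (e.g. NXDOMAIN) yields an empty list."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            target, _ = read_name(msg, off + 2)
            records.append((pref, target))
        off += rdlen
    return sorted(records)


def query_mx(name, server, port, timeout=2.0):
    """Send one UDP MX query and parse the reply; the transaction ID must match."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, port))
        reply, _ = s.recvfrom(4096)
    if struct.unpack("!H", reply[:2])[0] != qid:
        raise ValueError("reply ID does not match query")
    return parse_mx(reply)


if __name__ == "__main__":
    for domain in sys.argv[1:] or ["example.com"]:
        front = query_mx(domain, "127.0.0.1", 53)    # dnsmasq, with overrides
        back = query_mx(domain, "127.0.0.1", 1053)   # named, global DNS view
        status = "OVERRIDDEN" if front != back else "same as upstream"
        print(f"{domain}: dnsmasq={front} named={back} -> {status}")
```

Run it on the mail host as `python3 mxcheck.py example.com example.net`; a domain that prints "same as upstream" has no override in effect, so Postfix would route it by the public MX records.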