I've got an isolated network for a mix of machines (Windows, embedded who knows what network device, etc.) whose purpose is to run manufacturing equipment. The controllers need to access data files on a file server. Two or three years ago this seemed simple enough: we set up a 24 port switch and went with all static IP addresses. It worked fine until the computers were upgraded, then there was insanity.

So for take 2 I'm working on setting up a small device to manage the isolated network. It's a Linksys NSLU2 running Debian off a small 1 GB flash drive. Right now it's doing almost everything that I could want. I've got dnsmasq doing DHCP and DNS. It's working great except for one thing...

This network is completely isolated, no access to the internet at all, but I'd like to set things up so that any web requests (that aren't on the local LAN) get redirected to a web page on the NSLU2. The web page informs the user that they are connected to the isolated network and shows them their IP. A handy tool for the not totally network savvy guys who are in charge of maintaining the lines.

So I've got the iptables rules set up just fine. www.google.com redirects to the NSLU2, and the 404 page on the NSLU2's web server is set to index.html (yeah, I could have done mod_rewrite or something, but this was easy). This is all working just fine in my VMware test environment.

Then I realized something... the VMware environment has an internet connection with a DNS server that can resolve www.google.com, but in my production environment there will be no DNS server that can resolve www.google.com. So I disabled the internet interface in VMware, and as expected, instead of redirecting to the NSLU2's web server, www.google.com simply times out.

My first thought was to somehow get dnsmasq to return the NSLU2's IP address if it can't resolve a name, but I've only figured out how to get it to always return the NSLU2's IP address. Not ideal, as I do want the local hostnames (client1.lan, client2.lan, clientX.lan, etc.) to resolve properly.

So my next idea is to run two instances of dnsmasq. The first one doing DHCP and DNS and listening to eth0, and the second one doing only DNS, listening only to lo, and returning only the NSLU2's IP address. The dnsmasq on eth0 would fall back to the dnsmasq on lo and I'd get the behavior I want...

It just seems like there should be a simpler way of getting this result, but I'm afraid I've been at this for too long and I'm not seeing the simpler solution, but maybe someone on tclug will see it?

--
Andrew S. Zbikowski | http://andy.zibnet.us
SELECT * FROM users WHERE clue >0;
0 rows returned
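
The two-instance layout described in the message above, written out as dnsmasq configuration. This is an added sketch, not part of the original post. The NSLU2 address 192.168.1.1, the DHCP range, port 5354 and the file names are assumptions chosen for illustration.

```conf
# ---- /etc/dnsmasq.conf : instance 1, serves the LAN on eth0 ----
interface=eth0
bind-interfaces          # bind only to the named interface so instance 2 can coexist

# DHCP for the isolated network (range is a constructed example)
dhcp-range=192.168.1.50,192.168.1.150,12h

# Local names: clientX.lan comes from DHCP leases and /etc/hosts
domain=lan
expand-hosts
local=/lan/              # never forward .lan queries; a mistyped local
                         # name returns NXDOMAIN, not the landing page

# Ignore /etc/resolv.conf; everything that is not .lan is forwarded
# to the catch-all instance on loopback
no-resolv
server=127.0.0.1#5354

# ---- /etc/dnsmasq-catchall.conf : instance 2, loopback only ----
# Start with: dnsmasq --conf-file=/etc/dnsmasq-catchall.conf
port=5354
listen-address=127.0.0.1
bind-interfaces
pid-file=/var/run/dnsmasq-catchall.pid

# No upstream servers and no hosts file: this instance knows nothing
# except the wildcard answer below
no-resolv
no-hosts

# '#' matches any domain, so every query gets the NSLU2's address
# (192.168.1.1 is an assumed value)
address=/#/192.168.1.1
```

Instance 2 sets no `dhcp-range`, so it never answers DHCP. The `local=/lan/` line in instance 1 is what keeps unknown `.lan` names from reaching the wildcard.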