[OpenAFS] Re: Question about DNS Names

Andrew Deason adeason@sinenomine.net
Mon, 15 Feb 2010 10:41:39 -0600


On Sun, 14 Feb 2010 17:17:08 +0100
Jörg Herzinger <joerg.herzinger@global2000.at> wrote:

> I am planning a small OpenAFS setup for an environmental care
> organization and I got some small questions about DNS names that
> should be used.

DNS doesn't much matter to AFS; it just deals with IP addresses. DNS is
generally just used for input and output to/from administrative commands
for convenience. (Not counting AFSDB/SRV records, since that's not what
you're talking about)

> Everything is behind a NAT Firewall and we got a local DNS Server
> that isn't caching. So I got my local ip 192.168.x.y with my local DNS
> name "afs" and the global ip "a.b.c.d" and "afs.mydomain.com". The
> local DNS has a custom suffix which I am planning to change to
> mydomain.at some time in the future but one step at a time.
> My question would be if it is possible to use the local DNS names for
> my AFS server and still connect from outside my firewall? What would
> be the correct CellServDB and NetInfo settings or do I need a NetInfo
> at all if I just use local IPs and DNS Names?

You can sort of do this, though it's probably a lot easier if you just
use the global IP everywhere. If you configure the fileserver to
advertise both the internal and external addresses, all of the clients
will try to contact the fileserver both via 192.168.x.y and a.b.c.d.
That means that even clients from outside the NAT may try to contact
192.168.x.y, which could be a security issue in the worst case, since
192.168.x.y could be a different machine for clients outside your NAT.

It would be nice if we had the ability to provide a split-horizon VLDB,
so you could advertise the address a.b.c.d to clients outside the NAT,
and 192.168.x.y to those inside. But OpenAFS doesn't really currently
have the functionality to do that (it's on the wishlist as I recall),
though it could in theory be possible to hack something together to do
that.

If you just make everything use a.b.c.d for fileserver access, it can
simplify things. In order to get the fileserver to advertise the a.b.c.d
address, you need to use a NetInfo file with the contents

f a.b.c.d

and if you also want to advertise the 192.168.x.y address, put that in
there too, on its own line (without the 'f').

For the ptserver/vlserver processes, if you only have one server, it's
fairly simple; just point the CellServDB entry at the global a.b.c.d
address. Of course, for any of this to work, you need to forward the
correct ports from a.b.c.d to the fileserver/dbserver inside the NAT.

> P.S.: Please give support for the Nokia N900. That would be the most
> awesome thing to think of. :D

Doesn't this exist? I thought Derrick and Jason got this working some
time ago.

-- 
Andrew Deason
adeason@sinenomine.net
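A small check for the hazard Andrew describes, added here as an example and not part of the thread or of OpenAFS itself: it models the NetInfo rules given in the reply (an `f` line is advertised unconditionally, any other line only if it matches a local interface; that reading of NetInfo semantics is an assumption) and flags a file that would advertise an RFC 1918 address alongside a public one. The addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample NetInfo files, modelled on the advice in the reply above.
NETINFO_BOTH = "f 203.0.113.10\n192.168.1.20\n"  # global address forced, private if local
NETINFO_GLOBAL_ONLY = "f 203.0.113.10\n"

# RFC 1918 ranges, checked explicitly rather than via is_private so that
# documentation addresses like 203.0.113.0/24 count as "outside the NAT".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_netinfo(text):
    """Return (address, forced) pairs. Assumed NetInfo semantics: a leading 'f'
    forces the address to be advertised even if it is not on a local interface;
    other lines are only used when they match a local interface."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        forced = line[0] in "fF" and line[1:2].isspace()
        if forced:
            line = line[1:].strip()
        entries.append((ipaddress.ip_address(line), forced))
    return entries

def advertised_addresses(netinfo_text, local_ifaces):
    """Addresses the fileserver would register in the VLDB, given NetInfo and
    the addresses actually configured on its interfaces."""
    local = {ipaddress.ip_address(a) for a in local_ifaces}
    chosen = {a for a, forced in parse_netinfo(netinfo_text) if forced or a in local}
    return sorted(chosen, key=lambda a: (a.version, int(a)))

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def mixed_scope_warning(advertised):
    """The hazard the reply describes: a private address advertised next to a
    public one is also tried by clients outside the NAT, where it may belong
    to an unrelated machine. Returns a warning string, or None if clean."""
    private = [str(a) for a in advertised if is_rfc1918(a)]
    public = [str(a) for a in advertised if not is_rfc1918(a)]
    if private and public:
        return (f"private {', '.join(private)} advertised alongside public "
                f"{', '.join(public)}: external clients will also try the private address")
    return None

if __name__ == "__main__":
    for name, text in (("both", NETINFO_BOTH), ("global-only", NETINFO_GLOBAL_ONLY)):
        adv = advertised_addresses(text, ["192.168.1.20"])
        print(name, [str(a) for a in adv], mixed_scope_warning(adv))
```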