Re: Order of RC Scripts in 3.7 (mailing.openbsd.tech, OpenBSD category)
On 6/22/05, Tobias Weingartner <weingart@tepid.org> wrote:
> On Wednesday, June 22, aoteri@project-404.net wrote:
> > I've run into the issue where I am running named, pf, and dhcpd on the
> > same server. If I enable the few lines in the rc.conf file, pf=YES,
> > dhcpd="-q" and named="", timeouts occur when rebooting. The rc scripts
> > /etc/rc attempt to load pf, and dhcpd before launching named, and
> > therefore any dns lookups that come from /etc/pf.conf or /etc/dhcpd.conf
> > don't resolve.

Looking at /etc/rc on 3.7, I see 'pf' is enabled early (line 16), followed by
'named' (line 258), and then 'dhcpd' (line 510). This appears optimal, IMHO.

If you have issues with failing lookups from 'dhcpd' (due to a race condition
with 'named' starting up in the background?), you might mitigate the issue by
inserting "nslookup 127.0.0.1" after line 509.

I asked a couple of months back about using DNS names in pf.conf. While
deprecated, it is possible. If you absolutely must have DNS names in a
policy, you might want to have empty persistent tables in your pf.conf and
populate the tables from /etc/rc.local.

> And these names, do they need a network to resolve? Do you have this
> network up? Another interface? It seems like you are asking for trouble
> with not hardcoding such things...

While the most reliable and secure approach would be to hardcode the IP
address (directly or in /etc/hosts), sometimes that is not an option, or
would cause more trouble (politically and technically) than it's worth.

Kevin Kadow
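The "empty persistent table in pf.conf, populated from /etc/rc.local" approach described in the post above, as an added example that is not part of the original thread or of OpenBSD's own rc scripts. It assumes a line `table <admin_hosts> persist` in /etc/pf.conf; the table name, the hostnames, the use of host(1) with `-W` as the probe, and the retry count are all assumptions for illustration. The point is that pf loads at boot with no DNS dependency, and the names are only resolved later, after the local named is actually answering, instead of racing it the way a name in pf.conf or dhcpd.conf does.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenBSD): fill a
# persistent pf table from /etc/rc.local once the local named answers,
# so /etc/pf.conf itself never needs to resolve a name at boot.
# Assumes /etc/pf.conf contains:   table <admin_hosts> persist
# TABLE, HOSTS and RESOLVER are illustrative values (assumptions).

TABLE="admin_hosts"
HOSTS="bastion.example.net monitor.example.net"
RESOLVER="127.0.0.1"

# Extract the IPv4 addresses from host(1) output such as
#   "bastion.example.net has address 192.0.2.10"
# One address per line; CNAME, MX and error lines are dropped.
parse_host_output() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Poll until the nameserver answers or $1 attempts are used up.
# $2 is the probe command (defaults to a short-timeout lookup against
# $RESOLVER) so the check can be swapped for testing. 0 = answering.
wait_for_named() {
    tries="$1"; probe="${2:-host -W 1 localhost $RESOLVER}"
    while [ "$tries" -gt 0 ]; do
        if $probe >/dev/null 2>&1; then return 0; fi
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Turn a newline-separated address list into the pfctl command that
# replaces the table's contents. Fails (returns 1) on an empty list so
# a resolver outage leaves the table as it is rather than wiping it.
build_replace_cmd() {
    addrs="$1"
    [ -n "$addrs" ] || return 1
    printf 'pfctl -t %s -T replace %s\n' "$TABLE" \
        "$(printf '%s' "$addrs" | tr '\n' ' ' | sed 's/ *$//')"
}

# Resolve every name in $HOSTS via $RESOLVER and load the table.
# Call this from /etc/rc.local (named has already been started by then).
populate_table() {
    wait_for_named 30 || {
        logger -t rc.local "named not answering; leaving <$TABLE> unchanged"
        return 1
    }
    addrs=""
    for h in $HOSTS; do
        out=$(host -t A "$h" "$RESOLVER" 2>/dev/null) || continue
        addrs="$addrs$(parse_host_output "$out")
"
    done
    cmd=$(build_replace_cmd "$addrs") || {
        logger -t rc.local "no addresses resolved; leaving <$TABLE> unchanged"
        return 1
    }
    eval "$cmd"
}
```

Drop the functions into /etc/rc.local and end the file with `populate_table`. Because the table is declared `persist`, pf loads the rule set at boot with the table empty and the rules referencing it still valid; the rc.local step then fills it in. If named never comes up the script logs and returns without touching the table, which is the failure mode you want for a ruleset that gates access by address.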