Zone-based DNS forwarders question
phn at icke-reklam.ipsec.nu
phn at icke-reklam.ipsec.nu
Mon Apr 15 19:56:38 UTC 2002
Shawn Barnhart <swb+news at cmenoc.campbell-mithun.com> wrote:
> Am I reading the docs correctly? Is it possible to do zone-based
> forwarding?
Yes, bind-9 and recent bind-8 hast the "forward-zone" capability.
In essence you define a zone:
zone "somewhere.se" {
type forward;
forwarders { whatever;};
.
.
> A business partner with a number of applications we need to access has an
> internal/external DNS setup. The external DNS that our clients ultimately
> query when they make DNS queries returns a real, non-RFC1918 address, but
> the applications can't use these addresses -- traffic goes to them over the
> internet and doesn't reach the hosts the applications are on.
> When clients make a DNS query that gets resolved by the business partner's
> internal DNS, a different non-RFC1918 address gets returned -- this one
> represents the server's "actual" IP address, and traffic flows over our
> defined private link.
> we've kludged a solution to this problem in the office affected by it by
> giving out the business partner's internal DNS as our client's DNS server
> address. A more optimal solution (or a better kludge, depending on your
> perspective) would be using a forwarder zone for the domain(s) that
> dependent applications use.
See the bind-9 documentation, it's welldocumented there :
"http://www.ipsec.nu/dns/bind9/Bv9ARM.ch06.html#zone_statement_grammar"
> Is it possible to do this on a semi-atomic level, though? Can I define a
> zone with some static entries and have the rest be forwarded?
Nope. You could however transfer the zone , massage it with perl to
change contents, and then present it as a master for said zone. Nothing
to recommend but i have seen it done.
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.
Remove "icke-reklam" and it works.
More information about the bind-users
mailing list