per-zone query-source on recursive resolver
Tony Finch
dot at dotat.at
Mon Oct 28 11:52:42 UTC 2019
Erich Eckner <bind at eckner.net> wrote:
>
> 1. Set a custom query-source (the one of the vpn interface) for that
> second-level domain. (This would also be applied to all subdomains thereof,
> right?)
>
> 2. Overwrite (by rpz?) the name-servers for that domain to the (somehow
> obtained) internal nameservers (they differ from the external ones and have
> addresses which are automatically routed through the vpn anyways).
RPZ rewrites responses as they are going out of your nameserver, so you
can't use RPZ to change the way the nameserver's resolver works (because
the resolver depends on incoming responses not outgoing responses).
There are two ways to do what you want, depending on the DNS servers on
the other end of the VPN:
* If they are recursive, use a forward zone. This applies to all the
subdomains as well, since the recursive server is expected to follow
referrals/delegations itself as necessary.
* If they are authoritative, use a static-stub zone. In this case your
server will follow referrals/delegations from the remote zone, which
will need to make sense wrt your split horizon network topology.
If you need special source addresses as well as special target addresses,
add server clauses for each of the target servers on the other end of the
VPN to specify which query-source address to use for them.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Humber, Thames, Dover: North 3 or 4, veering northeast 4 or 5. Slight or
moderate in Humber, otherwise slight, occasionally smooth. Showers. Good.
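The three configurations described in the reply above (a forward zone for recursive servers across the VPN, a static-stub zone for authoritative ones, and per-server query-source addresses), shown as an added named.conf example that is not part of the original thread. The domain name, the resolver's addresses and the VPN addresses are assumptions for illustration:

```conf
// Added example, not from the original post. All names and addresses
// (corp.example, 203.0.113.10, 10.8.0.0/24, 10.8.0.2) are assumed values.
options {
    directory "/var/named";
    recursion yes;
    // Default source address for all other upstream queries.
    query-source address 203.0.113.10;
};

// Case 1: the servers on the far side of the VPN are recursive resolvers.
// A forward zone covers corp.example and every subdomain below it, because
// the remote recursive server follows any further delegations itself.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.8.0.53; 10.8.0.54; };
};

// Case 2 (alternative to case 1, only one of the two may be active):
// the servers on the far side of the VPN are authoritative. With a
// static-stub zone, this resolver follows delegations from the remote
// zone itself, so those delegations must point at addresses that are
// reachable over the VPN in this split-horizon setup.
// zone "corp.example" {
//     type static-stub;
//     server-addresses { 10.8.0.53; 10.8.0.54; };
// };

// Queries to the servers across the VPN leave from the VPN interface
// address instead of the default query-source above. A server clause
// may name a single address or, as here, a prefix covering all of them.
server 10.8.0.0/24 {
    query-source address 10.8.0.2;
};
```

Run `named-checkconf` on the file before reloading. To confirm the per-server source address is really in effect, resolve a name under the internal domain through the local resolver and watch the VPN interface with a packet capture: the outgoing queries to 10.8.0.53/54 should carry 10.8.0.2 as their source, while queries to any other upstream keep the address from the options block.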