bind as "reverse-proxy"

Erich Eckner bind at eckner.net
Wed Feb 26 17:04:47 UTC 2020



On Wed, 26 Feb 2020, Matus UHLAR - fantomas wrote:

> On 26.02.20 15:28, Erich Eckner wrote:
>> is it possible to set up a zone in bind similar to an http(s) reverse proxy:
>
> No. DNS is very far from proxying.
>
>> 1. The server appears authoritative to clients (the consulted server is 
>> indeed authoritative).
>> 
>> 2. Each request is passed on to the other server (or served from cache), 
>> but the information is *not* obtained by zone transfers (because the other 
>> server does not have/allow this).
>
> For records that are managed locally, BIND is authoritative.
> For records that are stored elsewhere, BIND is NOT authoritative.
>
> So, either you have an authoritative server, or you have not.
>
> What is the point of your request?

The point is that I have two authoritative DNS servers running on the
same machine which I would like to "merge". The problem there is that one
of them runs some special software which does not "speak too much DNS"
(it is not broken as far as I can tell, but it is also not as versatile to
configure as bind is).

A is a normal bind installation and B is the "custom-made" DNS server.
Unfortunately, B does not allow zone transfers and (though it allows
forwarding queries for "foreign" domains to a separate name server (A) in
principle) it does not forward AXFR/IXFR, which breaks slave duplication of
A's master zone. So I cannot place B in front (which I would like to avoid
anyway, as bind is waaayyy more mature than B). So my question was
whether I could place A in front of B - which currently works, except
that my server now looks non-authoritative to clients.

But maybe my whole train of thought is backwards: The problem I'm
currently experiencing is that the nameserver setup for B's subdomain
(i.eckner.net) looks all right when querying A (or the nameserver of the
parent domain) directly, but not if I traverse from the root zone.

Maybe I forgot to set up some cross-reference, and A not appearing
authoritative is not a problem for name resolution?

@Tony: dnsdist looks interesting. At first glance, it looks like it can
do what I need: send queries to different servers depending on the queried
domain. I'll take a closer look at it.

regards,
Erich
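As an added check that is not part of the thread: the delegation test behind the "works when queried directly, but not from the root" symptom. It parses dig(1) output and compares the NS set the parent hands out for i.eckner.net with the child's apex NS set, and confirms the child answers with the aa flag; a front-end that merely forwards the zone answers with aa clear, which is the non-authoritative appearance described above. The server names and the embedded dig output are constructed, and run_dig() is a hypothetical helper for live queries.

```python
# Checks the hand-off from a parent zone to a subzone (i.eckner.net from the thread;
# server names are constructed): parent NS set == child apex NS set, and aa set.
import re
import subprocess

FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
NS_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)", re.M)

def parse_dig(text):
    """(aa set?, {owner: {NS targets}}) from dig(1) text; NS RRs from any section."""
    m = FLAGS_RE.search(text)
    aa = bool(m) and "aa" in m.group(1).split()
    owners = {}
    for owner, target in NS_RR_RE.findall(text):
        owners.setdefault(owner.lower(), set()).add(target.lower())
    return aa, owners

def check_delegation(zone, parent_answer, child_answer):
    """Problems in the delegation of `zone`; an empty list means it is consistent."""
    zone = zone.lower().rstrip(".") + "."
    parent_ns = parse_dig(parent_answer)[1].get(zone, set())
    child_aa, child_owners = parse_dig(child_answer)
    child_ns = child_owners.get(zone, set())
    problems = []
    if not parent_ns:
        problems.append(f"parent hands out no NS records for {zone}: not delegated")
    if not child_aa:  # the thread's symptom: a forwarding front-end answers with aa clear
        problems.append(f"child server is not authoritative for {zone} (aa flag clear)")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS sets differ: parent only {sorted(parent_ns - child_ns)},"
                        f" child only {sorted(child_ns - parent_ns)}")
    return problems
def run_dig(server, name, rtype="NS"):
    """Live query with +norecurse, so the reply is the server's own data or referral."""
    return subprocess.run(["dig", "+norecurse", f"@{server}", name, rtype],
                          capture_output=True, text=True, check=True).stdout

# Constructed dig output: the parent's referral (NS in AUTHORITY; aa clear is normal
# there), then the child's answer as forwarded and as served authoritatively.
PARENT_REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
i.eckner.net.   3600  IN  NS  ns1.i.eckner.net.
i.eckner.net.   3600  IN  NS  ns2.i.eckner.net.
"""
CHILD_FORWARDED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
i.eckner.net.   3600  IN  NS  ns1.i.eckner.net.
"""
CHILD_AUTHORITATIVE = (CHILD_FORWARDED.replace("qr rd ra", "qr aa rd")
                       + "i.eckner.net.   3600  IN  NS  ns2.i.eckner.net.\n")
```

For a live check, feed `run_dig(parent_server, "i.eckner.net")` and `run_dig(child_server, "i.eckner.net")` to `check_delegation`.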
