per record responses based on originating IP
Nick Tait
nick at tait.net.nz
Sat May 14 00:34:36 UTC 2022
On 13/05/22 09:02, Grant Taylor via bind-users wrote:
> On 5/12/22 2:41 PM, Nick Tait via bind-users wrote:
>> This sounds like exactly the sort of use case for Response Policy Zones:
>
> How are you going to have RPZ return different addresses for different
> clients? Are you suggesting use different RPZs with different
> contents for different clients?
Yes, although now that I think through the details it turns out to be
much messier than I first thought, because there doesn't seem to be a
way to specify "not" in the RPZ...
Also I should point out that I'm assuming that a PASSTHRU result in one
RPZ will still result in subsequent RPZs being processed. I haven't
actually tested this, so it's possible I'm misunderstanding the
documentation?
Anyway, in the interests of following this all the way through, let's
assume you had 3 clients and you wanted them to each receive a different
answer to the query "www.example.com":
Suppose their IP addresses are:
A = 192.0.2.10
B = 192.0.2.20
C = 192.0.2.30
Then, if I'm not mistaken, you could create 3 RPZ zones:
Zone file for "a.rpz.mylocaldomain.com" contains (in addition to SOA, etc):
; Don't overwrite the answer for queries received from clients B & C
32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
; Change the answer to the question www.example.com
www.example.com IN A 10.0.0.1
Zone file for "b.rpz.mylocaldomain.com" contains (in addition to SOA, etc):
; Don't overwrite the answer for queries received from clients A & C
32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
; Change the answer to the question www.example.com
www.example.com IN A 10.0.0.2
Zone file for "c.rpz.mylocaldomain.com" contains (in addition to SOA, etc):
; Don't overwrite the answer for queries received from clients A & B
32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
; Change the answer to the question www.example.com
www.example.com IN A 10.0.0.3
And then configure BIND to use all three RPZs:
response-policy {
    zone "a.rpz.mylocaldomain.com";
    zone "b.rpz.mylocaldomain.com";
    zone "c.rpz.mylocaldomain.com";
};
Scalability is obviously a challenge with this particular solution! :-(
So on reflection, there are probably better solutions to the problem
that you are trying to solve. Although I don't personally have
experience with it, I wonder if "dnsmasq" might do what you need?
Thanks,
Nick.
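As an added example (written for this archive page, not part of Nick's mail or of BIND), the following Python model replays the three-zone RPZ chain above for a query from each client. It compares the two processing assumptions at stake: BIND's documented rule that zones are consulted in the listed order and the first zone holding a matching rule decides (so a PASSTHRU hit ends the walk), and the "PASSTHRU, then keep consulting later zones" reading the mail relies on. Client IPs, zone names and answers are the ones from the mail; the evaluation logic is an illustration of RPZ semantics, not BIND's code.

```python
# Added example: a small model of the per-client RPZ chain from the mail.
from typing import Dict, List, Optional, Tuple

# Values taken from the mail: client letter -> source IP, and the answer each should get
CLIENTS: Dict[str, str] = {"A": "192.0.2.10", "B": "192.0.2.20", "C": "192.0.2.30"}
ANSWERS: Dict[str, str] = {"A": "10.0.0.1", "B": "10.0.0.2", "C": "10.0.0.3"}


def client_ip_trigger(ip: str) -> str:
    """RPZ client-IP trigger owner: <prefixlen>.<reversed octets>.rpz-client-ip"""
    return "32." + ".".join(reversed(ip.split("."))) + ".rpz-client-ip"


def build_zone(owner: str) -> List[Tuple[str, str, str]]:
    """Records of one per-client zone: passthru for every other client, then the rewrite."""
    recs = [(client_ip_trigger(ip), "CNAME", "rpz-passthru.")
            for c, ip in CLIENTS.items() if c != owner]
    recs.append(("www.example.com", "A", ANSWERS[owner]))
    return recs


# Same order as the response-policy {} block in the mail
ZONES = [(f"{c.lower()}.rpz.mylocaldomain.com", build_zone(c)) for c in CLIENTS]


def resolve(client_ip: str, qname: str, first_match_wins: bool = True) -> Tuple[str, Optional[str]]:
    """Return (rewritten A record or 'PASSTHRU', name of the zone that decided).

    first_match_wins=True follows the BIND ARM: the first listed zone with a matching
    rule decides, so a PASSTHRU hit stops the walk. False models the alternative
    reading in the mail (PASSTHRU, then continue with the next zone).
    Within a zone, client-IP triggers are checked before QNAME triggers.
    """
    trigger = client_ip_trigger(client_ip)
    for zone_name, records in ZONES:
        by_owner = {(owner, rtype): rdata for owner, rtype, rdata in records}
        if by_owner.get((trigger, "CNAME")) == "rpz-passthru.":
            if first_match_wins:
                return "PASSTHRU", zone_name
            continue
        if (qname, "A") in by_owner:
            return by_owner[(qname, "A")], zone_name
    return "PASSTHRU", None


def outcomes(first_match_wins: bool = True) -> Dict[str, str]:
    """Answer each client receives for www.example.com under the chosen model."""
    return {c: resolve(ip, "www.example.com", first_match_wins)[0] for c, ip in CLIENTS.items()}


if __name__ == "__main__":
    print("first listed zone wins:", outcomes(True))
    print("passthru then continue:", outcomes(False))
```

Under the first-listed-zone-wins model only client A ever sees a rewrite, because the PASSTHRU entries in "a.rpz.mylocaldomain.com" shield B and C from the later zones; only under the "continue" reading do all three clients get their intended answers.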