per record responses based on originating IP

Nick Tait nick at tait.net.nz
Sat May 14 00:34:36 UTC 2022


On 13/05/22 09:02, Grant Taylor via bind-users wrote:
> On 5/12/22 2:41 PM, Nick Tait via bind-users wrote:
>> This sounds like exactly the sort of use case for Response Policy Zones:
>
> How are you going to have RPZ return different addresses for different 
> clients?  Are you suggesting use different RPZs with different 
> contents for different clients?

Yes, although now that I think through the details it turns out to be 
much messier than I first thought, because there doesn't seem to be a 
way to specify "not" in the RPZ...

Also I should point out that I'm assuming that a PASSTHRU result in one 
RPZ will still result in subsequent RPZs being processed. I haven't 
actually tested this, so it's possible I'm misunderstanding the 
documentation?

Anyway, in the interests of following this all the way through, let's 
assume you had 3 clients and you wanted them to each receive a different 
answer to the query "www.example.com":

Suppose their IP addresses are:

    A = 192.0.2.10
    B = 192.0.2.20
    C = 192.0.2.30

Then, if I'm not mistaken, you could create 3 RPZ zones:

Zone file for "a.rpz.mylocaldomain.com" contains (in addition to SOA, etc):

    ; Don't overwrite the answer for queries received from clients B & C
    32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
    32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.

    ; Change the answer to the question www.example.com
    www.example.com IN A 10.0.0.1

Zone file for "b.rpz.mylocaldomain.com" contains (in addition to SOA, etc):

    ; Don't overwrite the answer for queries received from clients A & C
    32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
    32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.

    ; Change the answer to the question www.example.com
    www.example.com IN A 10.0.0.2

Zone file for "c.rpz.mylocaldomain.com" contains (in addition to SOA, etc):

    ; Don't overwrite the answer for queries received from clients A & B
    32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
    32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.

    ; Change the answer to the question www.example.com
    www.example.com IN A 10.0.0.3

And then configure BIND to use all three RPZs:

    response-policy {
         zone "a.rpz.mylocaldomain.com";
         zone "b.rpz.mylocaldomain.com";
         zone "c.rpz.mylocaldomain.com";
    };

Scalability is obviously a challenge with this particular solution! :-(

So on reflection, there are probably better solutions to the problem 
that you are trying to solve. Although I don't personally have 
experience with it, I wonder if "dnsmasq" might do what you need?

Thanks,

Nick.
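The per-client RPZ scheme above is tedious to write by hand, and the fiddly part is the reversed-octet encoding of the rpz-client-ip trigger names. The script below is an added example, not code from the post or from BIND: it encodes a prefix as an rpz-client-ip owner name and generates one RPZ zone file per client plus the matching response-policy block, using the same three clients and answers as the post. Assumed: the zone suffix "rpz.mylocaldomain.com", placeholder SOA/NS values, and the encoding rules from the RPZ draft (IPv4 "prefixlen.B4.B3.B2.B1"; IPv6 "prefixlen.W8...W1" in hex with the longest run of zero words written as "zz"). It only writes the files; whether a PASSTHRU hit in an earlier zone still lets a later zone rewrite the answer is the open question in the post and is not settled here.

```python
"""Generate per-client BIND RPZ zone files (added example, not the poster's code).

Assumptions: zone names under "rpz.mylocaldomain.com", placeholder SOA/NS
values, and the rpz-client-ip owner-name encoding from the RPZ draft
(draft-vixie-dnsop-dns-rpz): IPv4 "<prefixlen>.B4.B3.B2.B1", IPv6
"<prefixlen>.W8...W1" in hex with the longest run of zero words as "zz".
"""
import ipaddress

# Constructed sample data mirroring the post: client -> source prefix,
# client -> the A record that client should receive for QNAME.
CLIENTS = {"a": "192.0.2.10/32", "b": "192.0.2.20/32", "c": "192.0.2.30/32"}
ANSWERS = {"a": "10.0.0.1", "b": "10.0.0.2", "c": "10.0.0.3"}
QNAME = "www.example.com"
SUFFIX = "rpz.mylocaldomain.com"  # assumed zone suffix


def _ipv6_labels(words):
    """Words are least-significant first; collapse the longest zero run to 'zz'."""
    best_start, best_len, i = -1, 0, 0
    while i < len(words):
        if words[i] == 0:
            j = i
            while j < len(words) and words[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexw = [f"{w:x}" for w in words]
    if best_len < 2:  # as with RFC 5952 "::", do not collapse a single zero word
        return hexw
    return hexw[:best_start] + ["zz"] + hexw[best_start + best_len:]


def client_ip_trigger(prefix):
    """Relative owner name for an rpz-client-ip trigger matching `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        labels = list(reversed(str(net.network_address).split(".")))
    else:
        n = int(net.network_address)
        labels = _ipv6_labels([(n >> (16 * k)) & 0xFFFF for k in range(8)])
    return f"{net.prefixlen}." + ".".join(labels) + ".rpz-client-ip"


def rpz_zone(client, clients=CLIENTS, answers=ANSWERS, qname=QNAME, suffix=SUFFIX):
    """Zone-file text that rewrites `qname` for `client` and PASSTHRUs everyone else."""
    others = sorted(c for c in clients if c != client)
    lines = [
        f"$ORIGIN {client}.{suffix}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300",
        "@ IN NS localhost.",
        "",
        f"; Don't overwrite the answer for queries received from clients {', '.join(others)}",
    ]
    lines += [f"{client_ip_trigger(clients[c])} IN CNAME rpz-passthru." for c in others]
    lines += ["", f"; Change the answer to the question {qname}",
              f"{qname} IN A {answers[client]}"]
    return "\n".join(lines) + "\n"


def response_policy(clients=CLIENTS, suffix=SUFFIX):
    """named.conf response-policy block listing one zone per client."""
    zones = "\n".join(f'     zone "{c}.{suffix}";' for c in sorted(clients))
    return "response-policy {\n" + zones + "\n};\n"


def build_all(clients=CLIENTS, answers=ANSWERS, qname=QNAME, suffix=SUFFIX):
    """Map zone name -> zone text: one zone per client, which is the scaling cost."""
    return {f"{c}.{suffix}": rpz_zone(c, clients, answers, qname, suffix) for c in clients}


if __name__ == "__main__":
    for name, text in build_all().items():
        print(f"--- {name} ---")
        print(text)
    print(response_policy())
```

Adding a fourth client means regenerating every zone, since each existing zone needs a new PASSTHRU line for it; that is the scalability problem the post mentions, made concrete.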