Resolving by requester address?

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 12 00:34:06 UTC 2000


The "classical" paradigm of DNS is that it's all one big distributed
database and you should be able to get the same answer to the same question
no matter which nameserver you ask (ignoring for the moment nits like the
fact that not all nameservers provide recursive service, there may be data
propagation delays, etc.). Implementations tend to be built on this
paradigm, and I think it would be quite unusual to find one which allows
you to actually tailor the contents of a response to a particular client or
a client on a particular network -- heresy!

In many limited situations it is sufficient to simply associate multiple
addresses with a name and then *sort* the response depending on the source
of the query: this doesn't break the classical paradigm, it just bends it a
little bit. But when it comes to NAT and RFC 1918 addresses, you really
don't want to be polluting the Internet with private addresses, especially
since most nameservers caching the set will round-robin subsequent answers
they give out, meaning that whenever one of the private addresses is first
in the list, clients will either a) fail, if they're stupidly only looking
at the first entry in the list and they can't connect to it, b) succeed, if
they're smart enough to fail over, but only after wasting time and
resources, or c) connect to the wrong machine (!), if the private address
happens to coincide with an address in use on their *own* intranet. Nasty
stuff.

A less palatable, but more practical solution right now is to run separate
nameserver instances, one "inside" instance and one "outside" instance. The
"same answer anywhere" paradigm is therefore obeyed, just in different,
segregated DNS "universes". If you don't want to run these instances on
separate boxes, you can run them on the same multi-homed box by using
different named.conf files, carefully configuring the listen-to, pid-file,
controls, directory parameters and whatnot so that they don't stomp on each
other. (Note to self: I really ought to write up a mini-HOWTO for this
sometime). This is how we run nameservices on some of our proxy firewalls
(i.e. the ones which provide DNS information externally; the others just
run "private" caching-only nameservers for their own consumption).


- Kevin

Carl wrote:

> I am familiar with the structure of public/private DNS servers
> (split-brain or split-horizon) to cope with DNS and NAT.
>
> I've got a situation where we've got DNS entries that need to be
> resolved internally as a private address but on the Internet as their
> NAT'd public address.
>
> I know that we should be able to set up a public and private DNS server,
> but I was wondering if there is any DNS software out there that can do
> it all on one box.
>
> Basically, I'd like a DNS server that will resolve a name based on the
> IP of the requestor.  So if someone wants to resolve www.webserver.com,
> it will return 192.168.1.10 (private) if the requesting machine is on
> the network 192.168.1.x.  But if the requesting IP is anything else, it
> will return a different, legal address.
>
> Is there anything out there that can do this?  I've looked but can't
> seem to find anything.
>
> Thank you very much!
>
> Carl
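The round-robin failure mode Kevin describes above, modelled as an added example (not code from the original post or from BIND): a caching nameserver is assumed to rotate a mixed public/private A RRset by one entry per answer, and a naive client is assumed to try only the first address. The RRset, the hostname and the client's intranet addresses are constructed sample data; 203.0.113.0/24 is RFC 5737 documentation space standing in for the "legal" public address. `leaked_private_addresses` is the check to run over a zone before it is served externally.

```python
"""Model of what happens when RFC 1918 addresses are mixed into a public RRset."""
import ipaddress
from collections import Counter

# RFC 1918 private address space: these must never be handed out to Internet clients.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the dotted-quad address falls in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def leaked_private_addresses(rrset):
    """The pre-publication check: which addresses in an A RRset would leak
    private space if this RRset were served to the Internet."""
    return [a for a in rrset if is_rfc1918(a)]


def round_robin_answers(rrset, n_queries):
    """Yield the RRset as a caching nameserver that rotates it by one
    position per answer would hand it out over n_queries answers."""
    rrset = list(rrset)
    n = len(rrset)
    for k in range(n_queries):
        shift = k % n
        yield rrset[shift:] + rrset[:shift]


def first_address_client_outcomes(rrset, n_queries, client_intranet):
    """Count outcomes for a client that only ever tries the first address.

    client_intranet: RFC 1918 addresses in use on the *client's* own network
    (assumed known here so the "wrong machine" case can be detected).
    """
    outcomes = Counter()
    for answer in round_robin_answers(rrset, n_queries):
        first = answer[0]
        if not is_rfc1918(first):
            outcomes["connected to public address"] += 1
        elif first in client_intranet:
            outcomes["connected to wrong machine on own intranet"] += 1
        else:
            outcomes["connection failed"] += 1
    return outcomes


# Constructed sample: www.webserver.com published with both its NAT'd public
# address and its private one in a single RRset.
SAMPLE_RRSET = ["203.0.113.10", "192.168.1.10"]
# Constructed sample: the querying site happens to use 192.168.1.10 itself.
SAMPLE_CLIENT_INTRANET = {"192.168.1.1", "192.168.1.10"}

if __name__ == "__main__":
    print("would leak:", leaked_private_addresses(SAMPLE_RRSET))
    print(first_address_client_outcomes(SAMPLE_RRSET, 10, SAMPLE_CLIENT_INTRANET))
    print(first_address_client_outcomes(SAMPLE_RRSET, 10, set()))
```

With two addresses in the set, half of all cached answers lead with the private address, so a first-address-only client either fails or lands on the wrong machine on every other query; with an empty `client_intranet` the same answers simply fail.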

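The two-instance layout Kevin sketches (one "inside" and one "outside" named on the same multi-homed box), written out as an added example; this is not configuration from the original post or from any particular firewall. The file paths, interface addresses (192.168.1.1 internal, 203.0.113.1 external, the latter RFC 5737 documentation space), zone file names and control ports are all assumed for illustration. The syntax follows BIND 8.2/9 named.conf; each instance gets its own directory, pid-file, listen-on address and controls port so the two never stomp on each other, and only the inside instance ever sees the zone file that carries the 192.168.1.10 record.

```conf
// /etc/named-inside.conf (assumed path): answers only on the internal interface
options {
    directory  "/var/named/inside";           // separate working directory
    pid-file   "/var/run/named-inside.pid";   // separate pid file
    listen-on port 53 { 192.168.1.1; };       // internal interface only (assumed address)
    allow-query { 192.168.1.0/24; 127.0.0.1; };
    recursion yes;                            // internal clients may recurse
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; };   // control port for this instance
};
zone "webserver.com" {
    type master;
    file "webserver.com.inside";              // www A 192.168.1.10 lives only here
};

// /etc/named-outside.conf (assumed path): answers only on the external interface
options {
    directory  "/var/named/outside";
    pid-file   "/var/run/named-outside.pid";
    listen-on port 53 { 203.0.113.1; };       // external interface only (assumed address)
    allow-query { any; };
    recursion no;                             // authoritative only; no recursion for the Internet
};
controls {
    inet 127.0.0.1 port 954 allow { 127.0.0.1; };   // different port from the inside instance
};
zone "webserver.com" {
    type master;
    file "webserver.com.outside";             // www A 203.0.113.10, the NAT'd public address
};
```

Each instance is started with its own file, e.g. `named -c /etc/named-inside.conf` and `named -c /etc/named-outside.conf`; the `listen-on` lines are what keeps the two from colliding on port 53, and `recursion no` on the outside instance keeps the externally visible server from being used as an open resolver. (Not in the original thread: BIND 9, released later in 2000, added `view` statements with `match-clients`, which give the per-requester answers Carl asked for inside a single instance; the separate-instance approach above still works and keeps the two zone files physically apart.)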