Force failed DNS lookup to search my local domain?
Mark_Andrews at isc.org
Fri Jan 24 23:14:56 UTC 2003
>
> > Firstly it is clients that decide whether to search or not. You
> > obviously did lookups under different conditions.
> >
> > Secondly it is usually a BAD idea to have a wildcard in a search
> > list. It tends to have unexpected consequences.
> >
> > Mark
>
> Thank you, Mark, for your response. I have done a ton of reading on
> this subject since my initial post. I *thought* I knew what was going
> on before, but clearly I did not. I now realize that you are (of
> course) correct, the suffix domain must be supplied by the client.
> However, whether it is a bad idea or not, I would still like to force
> failed lookups to my local domain, even if the client does not supply
> a suffix domain. Please allow me to explain my reasoning, maybe it is
> flawed to begin with and I am pursuing the wrong solution.
>
> I want to redirect web browsers on my local network to my own caching
> squid proxy. This presents no problems unless someone sits down with
> their browser already configured to use a proxy server which is not
> resolvable globally, i.e. proxy.somenetwork.net:8080, which resolves
> to something like 172.16.0.1 at this person's office, but doesn't
> resolve to anything otherwise. I don't want them to have to change
> their browser settings to use my local network. Instead, I would like
> DNS to attempt to look up proxy.somenetwork.net, and if it fails, look
> up myproxy.mydomain.net.mintypickle.homelinux.net, which can then be
> reached because of my evil wildcard entry. Once the browser thinks it
> can reach the proxy server of its choice, the requests are happily
> forwarded to my proxy server by iptables, and everything works
> splendidly.
>
> Using DHCP, I can easily supply this search suffix to the clients, and
> everything works as I intended. However, some clients using my
> network have static IPs that they can't (or won't) change. In these
> cases, I am creating routes and interface aliases on the fly so that
> they may still use my private network regardless of their network
> settings, but I have no control over the search domain that they
> supply. Is there a way to automatically append this search domain?
>
> I know that this is not the nameserver's job, and that it is also
> viewed as a bad idea by most people, but this is a totally private
> nameserver, intended to perform a very specific function, and it will
> not hurt anyone else if I do something that might induce insecure or
> unpredictable behavior. Older versions of bind apparently used to
> allow you to specify a default domain via the named.boot file. Is
> there some way to emulate this behavior in bind9?
>
Throw this in the bad idea file.
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
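To make concrete what Mark means by "it is clients that decide whether to search" and by "unexpected consequences", here is an added example (not code from this thread, and not from BIND) that simulates a stub resolver's search list against a toy zone containing the wildcard the original poster describes. The search-order logic follows the ndots rule documented in resolv.conf(5); the zone contents, the 192.0.2.0/24 documentation addresses and the www.example.com / www.exmaple.com names are constructed for the example, while the domain names otherwise come from the thread.

```python
"""Simulate a stub resolver search list hitting a wildcard zone (added example).

Rule being modelled (resolv.conf(5), glibc-style):
  - a name ending in "." is absolute and is never suffixed;
  - a name with fewer than `ndots` dots is tried with each search suffix
    first, then as an absolute name;
  - a name with `ndots` or more dots is tried absolute first, then suffixed.
The zone below is constructed; addresses are RFC 5737 documentation space.
"""

# Constructed zone: one real record plus the "evil wildcard entry"
# *.mintypickle.homelinux.net from the thread, which answers for every
# otherwise-nonexistent name under that suffix.
ZONE = {
    "www.example.com.": "192.0.2.80",   # constructed stand-in for a global name
}
WILDCARD_SUFFIX = ".mintypickle.homelinux.net."
WILDCARD_ADDR = "192.0.2.10"            # constructed: where the squid box lives

# The search suffix the poster hands out via DHCP (from the thread).
SEARCH = ["mydomain.net.mintypickle.homelinux.net"]


def candidates(name, search, ndots=1):
    """Return the fully-qualified names a stub resolver would query, in order."""
    if name.endswith("."):
        return [name]                       # absolute: search list not consulted
    absolute = name + "."
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed        # "proxy.somenetwork.net" goes here
    return suffixed + [absolute]            # single labels like "intranet"


def lookup(fqdn):
    """Answer one query against the constructed zone; None means NXDOMAIN.

    Simplification: any non-existent name under the wildcard suffix gets the
    wildcard address (real wildcard matching has more corner cases).
    """
    if fqdn in ZONE:
        return ZONE[fqdn]
    if fqdn.endswith(WILDCARD_SUFFIX):
        return WILDCARD_ADDR
    return None


def resolve(name, search, ndots=1):
    """Walk the candidates like a stub resolver; return (fqdn, addr) or None."""
    for fqdn in candidates(name, search, ndots):
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None


def demo():
    """Show the intended effect next to the side effects of the wildcard."""
    return {
        # What the poster wants: an unresolvable proxy name lands on the wildcard.
        "proxy": resolve("proxy.somenetwork.net", SEARCH),
        # A globally valid name still resolves normally (absolute tried first).
        "real": resolve("www.example.com", SEARCH),
        # The unexpected consequence: a typo no longer fails, it also lands on
        # the wildcard, so every bogus name on the network "exists" now.
        "typo": resolve("www.exmaple.com", SEARCH),
        # A client with no search list (static config) is unaffected: the
        # nameserver never gets a chance to append anything.
        "no_search": resolve("proxy.somenetwork.net", []),
        # A trailing dot defeats the trick entirely.
        "absolute": resolve("proxy.somenetwork.net.", SEARCH),
    }


if __name__ == "__main__":
    for label, answer in demo().items():
        print(f"{label:10s} -> {answer}")
```

The "no_search" case is the one the poster asks about: with an empty search list the resolver sends only "proxy.somenetwork.net." and stops at NXDOMAIN, which is why no named.conf option can reproduce the old named.boot default-domain behaviour. The "typo" case is the consequence Mark warns about: once a wildcard sits under a search suffix, NXDOMAIN effectively disappears for every client using that suffix.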