Force failed DNS lookup to search my local domain?

Mark_Andrews at isc.org
Fri Jan 24 23:14:56 UTC 2003


> 
> > 	Firstly it is clients that decide whether to search or not.  You
> > 	obviously did lookups under different conditions.
> > 
> > 	Secondly it is usually a BAD idea to have a wildcard in a search
> > 	list.  It tends to have unexpected consequences.
> > 
> > 	Mark
> 
> Thank you, Mark, for your response.  I have done a ton of reading on
> this subject since my initial post.  I *thought* I knew what was going
> on before, but clearly I did not.  I now realize that you are (of
> course) correct: the suffix domain must be supplied by the client.
> However, whether it is a bad idea or not, I would still like to force
> failed lookups to my local domain, even if the client does not supply
> a suffix domain.  Please allow me to explain my reasoning, maybe it is
> flawed to begin with and I am pursuing the wrong solution.
> 
> I want to redirect web browsers on my local network to my own caching
> squid proxy.  This presents no problems unless someone sits down with
> their browser already configured to use a proxy server which is not
> resolvable globally, i.e. proxy.somenetwork.net:8080, which resolves
> to something like 172.16.0.1 at this person's office, but doesn't
> resolve to anything otherwise.  I don't want them to have to change
> their browser settings to use my local network.  Instead, I would like
> DNS to attempt to look up proxy.somenetwork.net, and if it fails, look
> up myproxy.mydomain.net.mintypickle.homelinux.net, which can then be
> reached because of my evil wildcard entry.  Once the browser thinks it
> can reach the proxy server of its choice, the requests are happily
> forwarded to my proxy server by iptables, and everything works
> splendidly.
> 
> Using DHCP, I can easily supply this search suffix to the clients, and
> everything works as I intended.  However, some clients using my
> network have static IPs that they can't (or won't) change.  In these
> cases, I am creating routes and interface aliases on the fly so that
> they may still use my private network regardless of their network
> settings, but I have no control over the search domain that they
> supply.  Is there a way to automatically append this search domain?
> 
> I know that this is not the nameserver's job, and that it is also
> viewed as a bad idea by most people, but this is a totally private
> nameserver, intended to perform a very specific function, and it will
> not hurt anyone else if I do something that might induce insecure or
> unpredictable behavior.  Older versions of bind apparently used to
> allow you to specify a default domain via the named.boot file.  Is
> there some way to emulate this behavior in bind9?
> 

	Throw this in the bad idea file.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
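Added illustration, not part of the thread and not BIND code: a small model of how a glibc-style stub resolver applies its client-side search list (resolv.conf `search` and `ndots`), run against a constructed zone containing the wildcard the poster describes. The addresses, the resolv.conf contents and the zone are constructed; the model shows both the intended catch of the unresolvable proxy name and the typo that the wildcard swallows as well, which is the unexpected consequence Mark warns about.

```python
import re

# Constructed resolv.conf, as a DHCP-configured client on the asker's LAN sees it.
RESOLV_CONF = """\
nameserver 192.0.2.53
search mydomain.net.mintypickle.homelinux.net
options ndots:1
"""

# Constructed zone: the real proxy host plus the wildcard the thread calls "evil".
ZONE = {
    "myproxy.mydomain.net.mintypickle.homelinux.net": "192.0.2.10",
    "*.mydomain.net.mintypickle.homelinux.net": "192.0.2.10",
}

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf; the last search/domain line wins."""
    search, ndots = [], 1
    for line in text.splitlines():
        key, _, rest = line.split("#", 1)[0].strip().partition(" ")
        if key in ("search", "domain"):
            search = rest.split()
        elif key == "options":
            for opt in rest.split():
                if m := re.fullmatch(r"ndots:(\d+)", opt):
                    ndots = int(m.group(1))
    return search, ndots

def candidate_names(name, search, ndots):
    """Names a glibc-style stub resolver tries, in order: a trailing dot means
    absolute (no search); fewer than ndots dots means search list first."""
    if name.endswith("."):
        return [name[:-1]]
    qualified = [f"{name}.{s}" for s in search]
    return [name] + qualified if name.count(".") >= ndots else qualified + [name]

def zone_lookup(qname):
    """Exact owner match, else a simplified wildcard match under the same parent."""
    if qname in ZONE:
        return ZONE[qname]
    for owner, rdata in ZONE.items():
        if owner.startswith("*.") and qname.endswith(owner[1:]):
            return rdata
    return None

def resolve(name, resolv_conf=RESOLV_CONF):
    """(name actually answered, address) or None: what the client ends up with."""
    search, ndots = parse_resolv_conf(resolv_conf)
    for cand in candidate_names(name, search, ndots):
        if (addr := zone_lookup(cand)) is not None:
            return cand, addr
    return None
```

`resolve("proxy.somenetwork.net")` lands on the wildcard as intended, but so does `resolve("wwww.example.com")`, while `resolve("proxy.somenetwork.net.")` (absolute name) never consults the search list, which is why only the client, never the server, can change this.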

