How do I avoid "reply from unexpected source" message

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 9 01:42:29 UTC 2005


Eulogio Robles wrote:

>Our ISP is connecting our caching resolvers and primary/secondary servers
>(separate groups of servers) behind load balancers, using different VIP's
>for caching and primary. All servers are on the same LAN. Using different
>LAN's is not possible.
>
>Our problem is : when a caching resolver queries for a name whose NS is
>listed on the primary/secondary DNS VIP, there is no response, because the
>primary server sends the response back to the querying server, using its
>real IP, and the response is rejected with the error message "reply from
>unexpected source".
>
>One solution is to use forward-only zones, to make all queries for our local
>zone to be directed to the real IP's. But with over 3000 primary local zones,
>it is difficult to manage. Is there any way to make Bind to accept responses
>from certain IP's, even when the query was sent to a different IP?
>
No, but you can spoof the IP addresses associated with your own 
nameserver names by defining a master zone for each of those names, e.g. 
the world may know ns1.example.com as x.x.x.x (the VIP address) but your 
own nameservers could know it as y.y.y.y (because you have a 
"ns1.example.com" master zone with a y.y.y.y A record at its apex) thus 
bypassing the load-balancer and its troublesome NAT'ing behavior. It's a 
bit kludgey, but I haven't come up with anything better yet...

- Kevin
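Kevin's per-nameserver override, written out as an added example rather than configuration taken from the thread. The name ns1.example.com follows his wording; the VIP 192.0.2.10 and the real address 198.51.100.10 stand in for his x.x.x.x and y.y.y.y, and the file path is an assumption.

```bind
// named.conf fragment: goes on EVERY one of your own servers (the caching
// resolvers and the primaries/secondaries), one stanza per nameserver name.
// Because a server is authoritative for "ns1.example.com" itself, it answers
// that name from this zone instead of from the glue it learns for example.com,
// so the real address wins locally while the rest of the world still sees
// the VIP.
zone "ns1.example.com" {
    type master;
    file "/etc/bind/override/ns1.example.com.zone";  // assumed path
    allow-transfer { none; };   // this view of the name is for you only
    notify no;                  // nothing downstream should ever pull it
};

// Repeat the stanza for ns2.example.com and so on, one zone per name.

; ---- /etc/bind/override/ns1.example.com.zone (its own file in practice) ----
$TTL 3600
@   IN SOA  ns1.example.com. hostmaster.example.com. (
            2005080901  ; serial: bump it whenever the real address changes
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300 )       ; negative-cache TTL
    IN NS   ns1.example.com.
    IN A    198.51.100.10   ; the REAL interface address, not the VIP 192.0.2.10
```

After `rndc reload`, `dig @198.51.100.10 ns1.example.com A +norecurse` on each server should come back with the aa flag and the real address; a server that still answers with the VIP is missing the override zone.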
