split DNS for clients through a proxy
Kevin Darcy
kcd at chrysler.com
Thu Jan 17 00:57:05 UTC 2008
Humphrey wrote:
> Mark Andrews wrote:
>
>>> Mark Andrews wrote:
>>>
>>>>> I need to know if there is a way to create a split forwarding DNS server
>>>>> with BIND 9 such that two groups of client machines are being serviced
>>>>> indirectly by two different external DNS servers. The purpose for this
>>>>> is to use the adult content filtering functionality of OpenDNS for
>>>>> machines used by children and another non-filtering DNS for machines
>>>>> used by adults. Yes, I do understand this is easily done using BIND 9
>>>>> views, but that depends on knowing the client machine's IP address. So
>>>>> here comes the wrinkle... All client machines are configured such that
>>>>> their web browsers go through a Privoxy proxy which resides on the same
>>>>> machine as the forwarding DNS service. The result of this is that client
>>>>> machines do not actually make the DNS queries - Privoxy does this for
>>>>> them, which means the forwarding DNS server only ever sees the queries
>>>>> as coming from its own IP address. The question is whether anyone knows
>>>>> of a way of achieving the split-DNS effect in this scenario.
>>>>>
>>>>> H.
>>>>>
>>>> Give the machines different proxies.
>>>>
>
>
>>> Adding a
>>> second machine is something we'd very much like to avoid. Privoxy can
>>> distinguish between clients, so an obvious question to ask is this: Is
>>> there a way to tag a DNS query such that BIND can pick up that
>>> additional information and select a view accordingly?
>>>
>> You can also use TSIGs to select views.
>>
>
> I see where one can assign TSIGs to instances of BIND, but how does one
> cause some specific daemon (e.g. Privoxy) to use a TSIG in its DNS queries?
>
>
1. Define a new virtual interface on the box
2. Run a forwarding instance of named listening only on that interface,
and configured to use TSIG when talking to its forwarder(s) (note: make
sure all other named instances on the box *don't* try to listen on the
same virtual interface)
3. Run Privoxy in a chroot environment, where the chroot'ed
/etc/resolv.conf points to the "special" virtual interface address
- Kevin
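The three steps above written out as BIND configuration. This is an added example of mine, not Kevin's or ISC's configuration, and it assumes the following: the virtual interface carries 127.0.0.2, the box's LAN address is 192.0.2.10 on 192.0.2.0/24, the two upstream resolvers are 192.0.2.53 (filtering) and 192.0.2.54 (non-filtering), the key is called kids-key, and the secret shown is a base64 placeholder to be replaced with a generated one. Both files share the same key definition; the main instance selects its view by that key, so the source address of the query (always the box itself, per Humphrey's description) no longer matters.

```conf
// ---- /etc/named.conf : the MAIN instance (views, selected by TSIG key) ----
// It must NOT listen on the virtual interface address (127.0.0.2), otherwise
// it races the forwarding instance for that socket, as Kevin's note warns.

key "kids-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVIuLi5SRVBMQUNFLU1FLi4u";  // PLACEHOLDER, generate a real secret
};

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.10; };   // assumed LAN address; 127.0.0.2 deliberately absent
    listen-on-v6 { none; };
    recursion yes;
};

// Views are tried in order; a query signed with kids-key matches this one
// regardless of the address it came from, and is sent to the filtering resolver.
view "kids" {
    match-clients { key kids-key; };
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };             // assumed filtering resolver (e.g. the OpenDNS service)
};

// Unsigned queries (the ordinary Privoxy instance and the box itself) land here.
view "adults" {
    match-clients { localhost; 192.0.2.0/24; };   // assumed LAN
    recursion yes;
    forward only;
    forwarders { 192.0.2.54; };             // assumed non-filtering resolver
};

// ---- /etc/named-kids.conf : the FORWARDING instance from step 2 ----
// Started separately, e.g. "named -c /etc/named-kids.conf", with its own
// working directory and pid file so it does not collide with the main instance.

key "kids-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVIuLi5SRVBMQUNFLU1FLi4u";  // same placeholder secret as above
};

options {
    directory "/var/named-kids";
    pid-file "/var/run/named-kids.pid";
    listen-on { 127.0.0.2; };               // the virtual interface from step 1 (assumed address)
    listen-on-v6 { none; };
    recursion yes;
    forward only;
    forwarders { 127.0.0.1; };              // the main instance above
};

// Sign every query sent to the main instance with the shared key; this is
// what makes the main instance choose the "kids" view for this traffic.
server 127.0.0.1 {
    keys { kids-key; };
};
```

Step 3 is then just the chroot'ed Privoxy's /etc/resolv.conf containing the single line `nameserver 127.0.0.2`, while the unchroot'ed Privoxy keeps using 127.0.0.1. One design point worth deciding up front: as written, the filtered path fails open, because a chroot whose resolv.conf is missing or points at 127.0.0.1 silently drops into the unfiltered "adults" view. If that is the wrong failure mode for the deployment, invert the roles (sign the adults' path with the key and make the filtered view the unsigned default) so that a misconfiguration yields filtered answers rather than unfiltered ones.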