split DNS for clients through a proxy

Kevin Darcy kcd at chrysler.com
Thu Jan 17 00:57:05 UTC 2008


Humphrey wrote:
> Mark Andrews wrote:
>>> Mark Andrews wrote:
>>>>> I need to know if there is a way to create a split forwarding DNS server
>>>>> with BIND 9 such that two groups of client machines are being serviced
>>>>> indirectly by two different external DNS servers. The purpose for this
>>>>> is to use the adult content filtering functionality of OpenDNS for
>>>>> machines used by children and another non-filtering DNS for machines
>>>>> used by adults. Yes, I do understand this is easily done using BIND 9
>>>>> views, but that depends on knowing the client machine's IP address. So
>>>>> here comes the wrinkle... All client machines are configured such that
>>>>> their web browsers go through a Privoxy proxy which resides on the same
>>>>> machine as the forwarding DNS service. The result of this is that client
>>>>> machines do not actually make the DNS queries - Privoxy does this for
>>>>> them, which means the forwarding DNS server only ever sees the queries
>>>>> as coming from its own IP address. The question is whether anyone knows
>>>>> of a way of achieving the split-DNS effect in this scenario.
>>>>>
>>>>> H.
>>>> 	Give the machines different proxies.
>
>>> Adding a second machine is something we'd very much like to avoid. Privoxy can
>>> distinguish between clients, so an obvious question to ask is this: Is
>>> there a way to tag a DNS query such that BIND can pick up that
>>> additional information and select a view accordingly?
>> 	You can also use TSIGs to select views.
>
> I see where one can assign TSIGs to instances of BIND, but how does one
> cause some specific daemon (e.g. Privoxy) to use a TSIG in its DNS queries?
>
1. Define a new virtual interface on the box
2. Run a forwarding instance of named listening only on that interface, 
and configured to use TSIG when talking to its forwarder(s) (note: make 
sure all other named instances on the box *don't* try to listen on the 
same virtual interface)
3. Run Privoxy in a chroot environment, where the chroot'ed 
/etc/resolv.conf points to the "special" virtual interface address

                           - Kevin
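The three steps above, worked out as BIND configuration. This is an added illustration, not Kevin's or ISC's own config; the addresses (127.0.0.2 as the alias/virtual interface, 192.168.1.0/24 as the LAN, 192.0.2.x as the upstream resolvers), file paths and the TSIG secret are all assumed placeholders.

```conf
# --- main resolver: /etc/named.conf (assumed path) ---
key "privoxy-kids" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";   # constructed placeholder; generate a real one
};
options {
    # listen on loopback and the LAN address only; the alias 127.0.0.2 is
    # left free for the Privoxy-facing instance below (addresses assumed)
    listen-on { 127.0.0.1; 192.168.1.1; };
    recursion yes;
};
# views are tried in order: requests signed with the Privoxy instance's key
# match here, regardless of the source address they arrive from
view "kids" {
    match-clients { key privoxy-kids; };
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };   # placeholders for the filtering resolver
};
# everything else (adult machines, unsigned local queries) stays unfiltered
view "adults" {
    match-clients { 192.168.1.0/24; 127.0.0.0/8; };
    forward only;
    forwarders { 192.0.2.20; };               # placeholder for the unfiltered resolver
};

# --- Privoxy-facing instance: /etc/named-kids.conf (assumed path) ---
# started as a second process: named -c /etc/named-kids.conf
key "privoxy-kids" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";   # same secret as above
};
options {
    listen-on { 127.0.0.2; };            # the virtual/alias interface only
    query-source address 127.0.0.2;      # keep its outbound queries off the main instance's address
    pid-file "/var/run/named-kids.pid";  # must differ from the main instance's pid file
    forward only;
    forwarders { 127.0.0.1; };           # the main instance on this box
};
controls { };                            # no rndc channel, so it cannot clash with the main instance
# sign every request sent to the main instance with the TSIG key;
# that signature is what selects the "kids" view above
server 127.0.0.1 {
    keys { privoxy-kids; };
};

# --- inside the Privoxy chroot: <chroot>/etc/resolv.conf ---
# nameserver 127.0.0.2
```

Because selection hinges on the key rather than the source address, the secret in /etc/named-kids.conf must be readable only by that named instance; anything on the box that can read it could sign its own queries into the filtered view, or, conversely, any unsigned local query falls through to the unfiltered view.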