Lookup answer depends on query source

Kevin Darcy kcd at chrysler.com
Tue Oct 14 05:27:25 UTC 2008 

Mr. Chow Wing Siu wrote:
> Dear all,
>
> I wanna setup as follows:
>
> Use-case ONE)
> Query source for xxxx.com from:		Lookup IP answer:	
> *.hk					111.111.111.111
> *.cn					111.111.111.112
> *.uk					111.111.111.113
>   
Use-case one is going to be very difficult and unreliable, since not all 
client addresses have reverse-resolution, and, even if they do, it might 
map back to a gTLD (e.g. .com) rather than a ccTLD. What do you do if 
the query-source maps back to a .com name?

Also, BIND has no provision for basing view matches on the 
reverse-lookup of the client's address. This is a potentially dangerous 
thing to do, since if you let arbitrary clients trigger your nameserver 
to perform reverse lookups, you're creating the  possibility of DoS or 
DoS-amplification attacks. At the very least, you might be introducing 
an unacceptable amount of delay into the name-resolution process, since 
the reverse namespace is, notoriously, even less well-maintained than 
the regular "forward" (name-to-address) namespace, and often subject to 
long lookup delays due to broken/stale delegations, etc.
> Use-case TWO)
> Query source for xxxx.com from:		Lookup IP answer:	
> 222.111.111.111 (from country A)	111.111.111.111
> 226.111.111.111 (from country A)	111.111.111.111
> 228.123.111.111 (from country A)	111.111.111.111
> 222.111.222.111 (from country B)	111.111.111.112
> 226.111.222.111 (from country B)	111.111.111.112
> 228.125.111.111 (from country B)	111.111.111.112
>
> Using BIND view to setup seems to be not so good.  Isn't it?
> Then, do anyone knows how to setup as above?
>   
Use-case two is perfectly doable using "match-clients" views in BIND. 
You'd have to constantly maintain the match-clients clauses, however, 
which would more likely be address *ranges*, as opposed to specific 
addresses (as you show above).

Be aware that with any view-based approach you have *multiple* copies of 
each zone in memory at any given time. So this may be considered a 
non-scalable solution.

Note that, with either use-case, if your goal is to perform 
network-level optimization, be aware that the identity of a client's 
*resolver* may not reflect the actual location of the client *itself*. A 
web browser in India, for instance, may be using a DNS resolver, over a 
fast internal corporate link, in the United States, so do you really 
want to "optimize" that by giving out U.S. addresses to an Indian client?

Ultimately, it would be nice if someone could come up with an 
"on-behalf-of" DNS extension, which would carry information about the 
actual *client's* address (as opposed to whatever resolver happens to be 
processing the client's request) so that an optimizing nameserver would 
know exactly what it's trying to optimize for. But, even if someone were 
to come up with such a thing, it would take probably a decade or more 
before it was actually deployed everywhere...

In the meantime, we have the "nifty tricks" of companies like Akamai to 
give us something that more-or-less meets these requirements. For a price.

                                                                         
                           - Kevin

More information about the bind-users mailing list