Selective resolution in a corporate environment

funky monkey wongsky.monkey at gmail.com
Tue Feb 5 15:52:51 UTC 2013


> From: Phil Mayers p.mayers at imperial.ac.uk
> To: bind-users at lists.isc.org,
> Date: 05/02/2013 15:44
> Subject: Re: Selective resolution in a corporate environment
>
> On 05/02/13 15:36, funky monkey wrote:
>
> > Could you sandwich that in a forwarding chain - say have a bind
> > 9.<compliant version> in between your normal forwarders to internet, and
> > does it just look for the entries you've specified as either alternate
> > data or does not exist, but otherwise, carries on to forward to an
> > authoritative (or cached, I suppose) version of the domain in question?
>
> Not entirely sure what you're asking, but I don't see any reason you
> couldn't use "forwarders { ... };" to point to an RPZ-enabled server,
> which would be handy to retrofit into bind < 9.8 installations.

Sorry, should have probably explained my scenario better... my internal
nameservers have a sort of top level (placeholder domain) that are Windows
DNS servers, that forward out to internet DNS servers for public DNS and
anything not resolved internally (by means of either conditional
forwarding, or stub zones). All other DNS environments in the organisation
(be they BIND or Windows DNS) forward to these 2 "top level" (internal) DNS
servers, and only they talk DNS through the firewall to internet DNS.

So what I meant was for these 2 DNS servers that go on to forward to the
internet, rather than directly forwarding to the internet, to forward to
one (or more) RPZ-enabled BIND 9.x servers, which in turn forward on to the
internet for anything not specified locally. So say I wanted to resolve
fred.domain.com. from something internal, and only www.domain.com. was
specified (kind of as subversion) on these RPZ servers, then not finding a
match, they would carry on to attempt to resolve fred.domain.com. from the
authoritative domain.com. nameservers (or the first intermediate DNS server
that happens to be caching).

Hope I've asked that in a bit of a clearer manner!

Cheers
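The forwarding chain described in the message above, written out as a BIND configuration, is an added illustration and is not configuration from the original thread or from the poster's environment. It shows the intermediate RPZ-enabled BIND 9.8+ server that sits between the two internal "top level" servers and the internet: www.domain.com gets alternate data from the policy zone, while fred.domain.com has no entry and is answered from the upstream forwarders untouched. The zone name rpz.internal, the 10.0.0.0/8 internal range, the 192.0.2.x addresses and the file paths are all placeholders chosen for the example.

```conf
## --- named.conf on the intermediate RPZ-enabled BIND 9.8+ server (example, not from the thread) ---
options {
    directory "/var/named";
    recursion yes;

    # Only the two internal "top level" servers should reach this box
    # (10.0.0.0/8 is an assumed internal range; narrow it to the two hosts in practice).
    allow-recursion { 10.0.0.0/8; };
    allow-query     { 10.0.0.0/8; };

    # Anything the policy zone does not rewrite is passed on to the
    # internet-facing resolvers (placeholder addresses) rather than resolved iteratively.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };

    # Response Policy Zone: every answer is checked against this zone before it is
    # returned; names with no entry in the zone pass through unchanged.
    response-policy { zone "rpz.internal"; };
};

# Log each rewrite so substituted answers are visible to the operations team.
logging {
    channel rpz_log { file "rpz.log" versions 3 size 10m; print-time yes; };
    category rpz { rpz_log; };
};

zone "rpz.internal" {
    type master;
    file "rpz.internal.db";
    allow-query { none; };   # the policy zone itself is never served to clients
};

## --- rpz.internal.db: the policy zone (example, not from the thread) ---
; Short TTL: the Windows servers in front of this box cache whatever it returns,
; so a long TTL would delay any change to the policy reaching internal clients.
$TTL 60
@                  IN SOA   localhost. hostmaster.localhost. ( 2013020501 3600 600 604800 60 )
                   IN NS    localhost.

; "Local Data" action: www.domain.com is answered with an internal address
; (192.0.2.10 is a placeholder) instead of its real one.
www.domain.com     IN A     192.0.2.10

; "NXDOMAIN" action, shown for contrast: a CNAME to the root makes the name
; appear not to exist.
blocked.domain.com IN CNAME .

; fred.domain.com has no entry here, so the forwarders' answer (ultimately the
; authoritative domain.com. servers, or whichever resolver is caching it) is returned as-is.
```

With this in place, the two internal "top level" Windows servers simply have their forwarders set to the RPZ box (on Windows Server 2012 and later that is `Set-DnsServerForwarder -IPAddress <rpz-server>`; older releases use the Forwarders tab in DNS Manager). After `rndc reload`, querying `www.domain.com A` through one of the internal servers should return 192.0.2.10, and `fred.domain.com A` should return whatever the upstream resolvers hand back; the rpz log channel records each rewrite, which is the easiest way to confirm the policy is actually on the path. The rewrite only happens on the server doing the recursion, so this design depends on the two top-level servers forwarding everything they cannot answer internally and nothing else on the network talking DNS through the firewall.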