per-zone query-source on recursive resolver

Erich Eckner bind at eckner.net
Mon Oct 28 07:07:45 UTC 2019


Hi,

I'm running bind as a recursive resolver. This box also has a vpn tunnel 
to another network (not mine) with split-horizon dns (internal clients see 
different NS entries than external clients; those in turn resolve 
different addresses). I would like to resolve the majority of requests 
directly (e.g. not through the vpn), but some requests (all below a 
certain second-level domain) through the vpn.[1]

I had two ideas to accomplish that:

1. Set a custom query-source (the one of the vpn interface) for that 
second-level domain. (This would also be applied to all subdomains 
thereof, right?)

2. Overwrite (by rpz?) the name-servers for that domain to the (somehow 
obtained) internal nameservers (they differ from the external ones and 
have addresses which are automatically routed through the vpn anyways).

Any idea which approach is the best and how I best accomplish that? (an 
even better third idea would be welcome, also)

[1] Sorry for not handing out details about *which* second-level domain that 
is, but because you're not inside its network, most probably, you couldn't 
take a peek at the internal dns servers anyway.

cheers,
Erich
