per-zone query-source on recursive resolver

Erich Eckner bind at eckner.net
Mon Oct 28 16:24:21 UTC 2019



Hi,

On Mon, 28 Oct 2019, Tony Finch wrote:

> Erich Eckner <bind at eckner.net> wrote:
>>
> RPZ rewrites responses as they are going out of your nameserver, so you
> can't use RPZ to change the way the nameserver's resolver works (because
> the resolver depends on incoming responses not outgoing responses).

Ah, right, the name should have turned me away from it (it's 
"*response* policy zone", not "*question* policy zone" :-D)

>
> There are two ways to do what you want, depending on the DNS servers on
> the other end of the VPN:
>
> * If they are recursive, use a forward zone. This applies to all the
>  subdomains as well, since the recursive server is expected to follow
>  referrals/delegations itself as necessary.

I'm undecided whether they're authoritative or not. On one hand, they are
distributed via DHCP as default DNS servers, speaking for "recursive"; on
the other hand, they have matching SOA records (and I think that means
they're authoritative) - maybe they're both?

> * If they are authoritative, use a static-stub zone. In this case your
>  server will follow referrals/delegations from the remote zone, which
>  will need to make sense wrt your split horizon network topology.

Due to the SOA, I took this path and it works like a charm :-)

Googling the difference between forward and static-stub zones I found 
this:

https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

which made me understand it - I'll use static-stub, because I want to do 
the recursion myself (because I can and because it's slower :-D)

>
> If you need special source addresses as well as special target addresses,
> add server clauses for each of the target servers on the other end of the
> VPN to specify which query-source address to use for them.

I tried without forcing the source address and it works out of the box.
Most probably, some iptables-MASQUERADE action gets triggered (in the end,
this box also *routes* network traffic through the VPN).

Thanks!

Cheers,
Erich

>
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Humber, Thames, Dover: North 3 or 4, veering northeast 4 or 5. Slight or
> moderate in Humber, otherwise slight, occasionally smooth. Showers. Good.
>
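The two zone types Tony describes, plus the per-server query-source clause, as an added named.conf example (not configuration from this thread or from ISC); the zone name and the 10.8.0.0/24 VPN addresses are made-up placeholders.

```conf
// Added example: static-stub versus forward for a zone reachable only over a VPN.
// Zone name and 10.8.0.0/24 addresses are placeholders, not from the thread.

// Option A (the path the thread ends up taking): the listed servers are treated
// as the zone's authoritative apex. This resolver still recurses itself and
// follows any delegations the remote zone hands out, so those delegated names
// must also resolve from our side of the split horizon.
zone "corp.example" IN {
    type static-stub;
    server-addresses { 10.8.0.53; 10.8.0.54; };
};

// Option B (if the remote servers are themselves recursive): hand the whole
// subtree to them and let them recurse. "forward only" stops our resolver from
// falling back to the public tree when the VPN is down, so internal names are
// not leaked to outside servers. Only one zone statement per name is allowed,
// which is why this alternative is commented out.
// zone "corp.example" IN {
//     type forward;
//     forward only;
//     forwarders { 10.8.0.53; 10.8.0.54; };
// };

// Pin the source address used for queries to these servers so the replies
// come back over the VPN regardless of routing or NAT rules; one clause per
// target server.
server 10.8.0.53 {
    query-source address 10.8.0.2;
};
server 10.8.0.54 {
    query-source address 10.8.0.2;
};
```

Run `named-checkconf` on the resulting file before reloading named.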

