Use “forward only:” for your local zones.

-- 
Mark Andrews

> On 13 Sept 2025, at 4:58, Jarrod Spencer Farrell <[email protected]> wrote:
> 
> I'm setting up a private VPN containing mobile devices and the home's LAN
> through a firewall that is part of the VPN network, and I'd like to use the FQDN of a
> LAN device and get the response from the home firewall.
> 
> So on my phone—part of the VPN—I configured it to use the IP of the firewall,
> then had a thought: it'd make more sense for the VPS to be the first to reply
> if it can, to avoid additional latency waiting for the firewall to reply. The
> VPS is in a data center after all, with faster links to public DNS servers
> compared to trying to go down a residential link for every DNS query.
> 
> So the plan is BIND on the VPS to use public resolvers, **except** when it's
> being asked something under the home's domain (this example: my-home.net.lan),
> where it should ask the home firewall for the IP. After some tries, this is
> what I have:
> 
> ```named.conf, generated by nix
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
> };
> 
> acl cachenetworks { 127.0.0.0/24; ::1/128; 10.0.10.0/24; };
> acl badnetworks { };
> 
> options {
>     listen-on { any; };
>     listen-on-v6 { any; };
>     allow-query-cache { cachenetworks; };
>     blackhole { badnetworks; };
>     forward first;
>     forwarders { 9.9.9.9; 149.112.112.112; 2620:fe::fe; 2620:fe::9; };
>     directory "/run/named";
>     pid-file "/run/named/named.pid";
>     dnssec-must-be-secure xmit.net.lan no;
> 
> };
> 
> zone "my-home.net.lan" {
>     type forward;
>     forwarders { 10.0.10.101; };
> };
> ```
> 
> And we try to resolve the home's firewall using its FQDN from my phone over
> cell, watching `tcpdump` at the VPS:
> 
> ```
> IP 10.0.10.4.59410 > 10.0.10.100.domain: 51824+ A? firewall.my-home.net.lan. (39)
> IP 10.0.10.100.30301 > 10.0.10.101.domain: 684+% [1au] A? firewall.my-home.net.lan. (62)
> IP 10.0.10.101.domain > 10.0.10.100.30301: 684* 1/0/1 A 10.96.48.1 (66)
> IP 10.0.10.100.domain > 10.0.10.4.59410: 51824 NXDomain 0/1/0 (114)
> ```
> 
> It's returning NXDomain, even though it just got a response from the
> firewall. Other queries (google.com, etc.) work fine by querying the public
> DNS resolvers first, like I want. What's going on?
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
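The relevant part of the VPS configuration with Mark Andrews' suggestion applied, as an added example that is not part of the thread and not something either poster wrote. The addresses and zone name are the ones from Jarrod's named.conf; the `validate-except` line is my own addition and is an assumption about this setup, not something the thread discusses: it goes beyond the one-line answer by covering the case where the resolver validates DNSSEC (BIND's default) and the private TLD has no secure delegation from the root.

```conf
// Added example, not from the thread. Only the zone stanza changes relative
// to the posted named.conf; the rest of the file stays as Jarrod had it.

options {
    // Global policy unchanged: public forwarders first for everything that
    // is not matched by a more specific zone statement below.
    forward first;
    forwarders { 9.9.9.9; 149.112.112.112; 2620:fe::fe; 2620:fe::9; };

    // ASSUMED, not in the thread: BIND validates DNSSEC by default
    // (dnssec-validation auto). "lan" is not delegated from the signed root,
    // so answers under it cannot be validated. validate-except switches
    // validation off at and below the listed names; without it, a
    // validating resolver may reject what 10.0.10.101 returns.
    validate-except { "lan"; };
};

// The private zone. "forward only" means named asks 10.0.10.101 and never
// anything else for names under my-home.net.lan. The zone-level "forward"
// defaults to "first", under which named may fall back to resolving the
// name itself if the forwarder does not answer to its satisfaction, and
// resolving a name under a private TLD via the public DNS yields NXDOMAIN,
// which is what Jarrod saw on the wire.
zone "my-home.net.lan" {
    type forward;
    forward only;
    forwarders { 10.0.10.101; };
};

// Check after "rndc reload" (assumed names/addresses as in the post):
//   dig @10.0.10.100 firewall.my-home.net.lan A
// should return 10.96.48.1, the same answer as
//   dig @10.0.10.101 firewall.my-home.net.lan A
```

Design note: keeping `forward first` globally preserves the poster's goal of answering public names from the data-center side, while `forward only` on the private zone makes the home firewall the single source of truth for it, so the resolver can never substitute a public NXDOMAIN for the firewall's answer.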

