Hello all, after reading some documentation in the NSD manpage and online, it seems there's no support for views as offered with BIND. I've gathered that the general suggestion is to run two separate instances (on 127.0.0.1, for example) and divert traffic with pf depending on the connecting source address.
I've successfully configured such a setup using two NSD servers, listening on ports 53 and 8053, and using pf rdr-to and nat-to rules to divert traffic. I tried to use divert-to instead, but for the life of me I couldn't figure out why it wasn't working. This is what I'm using right now:

    pass in quick inet proto { tcp, udp } from { <internal_networks> } \
        to any port domain rdr-to localhost port 53
    pass out quick inet proto { tcp, udp } from { <internal_networks> } \
        to any port domain nat-to self
    pass in quick inet proto { tcp, udp } from any \
        to any port domain rdr-to localhost port 8053
    pass out quick inet proto { tcp, udp } from any \
        to any port domain nat-to self

Management of this setup during boot is not so great, though. The /etc/rc.d/nsd script more or less expects the configuration to reside in /var/nsd/etc, so my best solution was to use nsd-control directly from /etc/rc.local, which somewhat solves the problem (albeit not very elegantly).

Perhaps someone has additional experiences to share on this kind of setup. Is it possible to use divert-to on pf? What would be the preferred method to manage two NSD daemons during boot?
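To make the two-instance layout concrete, here is an added configuration sketch (not from the original post) showing what each NSD instance needs so that the two daemons do not collide and so that nsd-control can address each one separately. The file names, zone directory paths, and the second control port (8953) are assumptions chosen for this example; the pf rules mirror the ones quoted in the post and are included only to show the ordering that keeps the internal view from being served to external sources. Everything else uses standard nsd.conf options.

```conf
# ---- /var/nsd/etc/nsd-internal.conf (assumed path) ----
# Internal view: answers only the clients pf redirects to port 53.
server:
    ip-address: 127.0.0.1
    port: 53
    pidfile: "/var/nsd/run/nsd-internal.pid"   # distinct per instance
    zonesdir: "/var/nsd/zones/internal"        # assumed layout
    xfrdfile: "/var/nsd/run/xfrd-internal.state"
    logfile: "/var/log/nsd-internal.log"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952                         # NSD default

zone:
    name: "example.internal"                   # constructed zone name
    zonefile: "example.internal.zone"

# ---- /var/nsd/etc/nsd-external.conf (assumed path) ----
# External view: answers everything pf redirects to port 8053.
server:
    ip-address: 127.0.0.1
    port: 8053
    pidfile: "/var/nsd/run/nsd-external.pid"
    zonesdir: "/var/nsd/zones/external"
    xfrdfile: "/var/nsd/run/xfrd-external.state"
    logfile: "/var/log/nsd-external.log"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953                         # assumed; must differ from the other instance

zone:
    name: "example.com"                        # constructed zone name
    zonefile: "example.com.zone"

# ---- /etc/pf.conf fragment, same logic as the post ----
# Rule order matters: the internal-network rule carries "quick" and comes
# first, so an internal source is never matched by the catch-all below.
# A source that is not in <internal_networks> can only reach port 8053.
table <internal_networks> { 10.0.0.0/8, 192.168.0.0/16 }   # constructed example ranges

pass in quick inet proto { tcp, udp } from <internal_networks> \
    to any port domain rdr-to localhost port 53
pass out quick inet proto { tcp, udp } from <internal_networks> \
    to any port domain nat-to self
pass in quick inet proto { tcp, udp } from any \
    to any port domain rdr-to localhost port 8053
pass out quick inet proto { tcp, udp } from any \
    to any port domain nat-to self
```

With separate pidfile, xfrdfile, and control-port values, each instance can be started and inspected on its own via `nsd-control -c /var/nsd/etc/nsd-internal.conf start` and `nsd-control -c /var/nsd/etc/nsd-external.conf status` (the `-c` flag selects the config file, and `start`/`status` are standard nsd-control commands). A quick check that the view split actually holds is to query the router's address for an internal-only name once from an internal host and once from outside, and confirm that the outside query is refused or gets no data; if it answers, the pf rule ordering is the first thing to inspect.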