On Mon, 16 Jan 2017, Nick Holland wrote:
> So. You can run a recursive resolver, an authoritative server, and a few
> (or a lot) selectively poisoned forwarding resolvers (for DNS
> filtering), each on their own 127/8 address, and use PF or unbound to
> select which one a particular user gets access to.
>
> # ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255
> $ ifconfig lo0
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
> index 3 priority 0 llprio 3
> groups: lo
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> inet 127.0.0.1 netmask 0xff000000
> inet 127.0.0.2 netmask 0xffffffff
>
> NSD/UNBOUND require rethinking a lot of wrong-ideas that BIND permitted
> and encouraged for years.
Agreed. I think Peter Phillips alluded to much the same.
As I noted previously in my reply to Stuart Henderson, I'm listening on 'lo0'
without the alias, i.e. 127.0.0.1. It works. External DNS queries should
work because I redirect DNS using 'rdr-to lo0 port NSD-listening-port'.
Unfortunately, the ISP is blocking port 53, hence my need to debug the
problem.
Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
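As an added example (not from Nick's or Damian's mail), one way to wire up the design Nick describes on OpenBSD: persistent lo0 aliases, a pf.conf that picks a resolver per client table, and two unbound instances, one plain and one filtering, with NSD left on 127.0.0.1. The interface name, client ranges, file names and the blocked zone are assumptions.

```conf
# --- /etc/hostname.lo0 (persist the loopback aliases across reboots) ---
# Assumed addresses: 127.0.0.2 for the plain recursive resolver,
# 127.0.0.3 for a filtering forwarder; 127.0.0.1 stays for the authoritative NSD.
inet alias 127.0.0.2 255.255.255.255
inet alias 127.0.0.3 255.255.255.255

# --- /etc/pf.conf (excerpt) ---
# Assumed LAN interface and client ranges; adjust to the real network.
lan_if = "em0"
table <dns_plain>    { 192.0.2.0/24 }
table <dns_filtered> { 198.51.100.0/24 }

# Intercept every DNS query from a client, whatever resolver it configured,
# and hand it to the resolver chosen for that client's table.
pass in quick on $lan_if inet proto { tcp udp } \
    from <dns_filtered> to any port domain rdr-to 127.0.0.3 port domain
pass in quick on $lan_if inet proto { tcp udp } \
    from <dns_plain> to any port domain rdr-to 127.0.0.2 port domain
# Anything else to port 53 is dropped, so a client cannot bypass the filter
# by pointing at an outside resolver.
block in quick on $lan_if inet proto { tcp udp } to any port domain

# --- /var/unbound/etc/unbound-plain.conf (recursive resolver, 127.0.0.2) ---
server:
    interface: 127.0.0.2
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes

# --- /var/unbound/etc/unbound-filtered.conf (filtering forwarder, 127.0.0.3) ---
# A second unbound instance started with "unbound -c <this file>". The
# local-zone entry is the "selective poisoning": names under the listed zone
# get NXDOMAIN instead of their real answer.
server:
    interface: 127.0.0.3
    access-control: 198.51.100.0/24 allow
    access-control: 0.0.0.0/0 refuse
    do-not-query-localhost: no      # required, the upstream below is a 127/8 address
    local-zone: "blocked.example." static
forward-zone:
    name: "."
    forward-addr: 127.0.0.2         # everything else goes to the plain resolver
```

With this split, a client in <dns_filtered> never reaches 127.0.0.2 directly, and the plain resolver's access-control refuses it even if it could.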