Re: Configuring CNAME for nosslsearch.google.com
Hi together,

thanks for these many hints. Wow! So many mistakes in a few lines. Here is now my config file:

-%-
@ IN SOA localhost. root.localhost. ( 2012050900 7200 1800 1209600 300 )
        1800 IN NS localhost.
        1800 IN A 216.239.32.20 ;nosslsearch.google.com.
-%-

And here my dig answer:

-%-
root@tobias-xps:/home/tobias# dig @localhost www.google.com

; <<>> DiG 9.8.1-P1 <<>> @localhost www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51300
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         1800    IN      A       216.239.32.20
...
-%-

That looks good. Are there any more mistakes or hints not mentioned yet?

Greetings,

Tobias

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
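
Suggestion 4 in this thread (re-resolve nosslsearch.google.com frequently and refresh the apex A record of the www.google.com zone) can be scripted as follows. This is an added example, not code from any poster on the list; the zone file path and the function names are assumptions, and the sample zone is constructed from the message above.

```python
import datetime
import ipaddress
import re
import socket

# Constructed sample: the working zone from the message above, whitespace restored.
SAMPLE = """\
@ IN SOA localhost. root.localhost. ( 2012050900 7200 1800 1209600 300 )
  1800 IN NS localhost.
  1800 IN A 216.239.32.20 ;nosslsearch.google.com.
"""

def next_serial(current, today=None):
    """Next YYYYMMDDNN serial, always strictly greater than `current`."""
    today = today or datetime.date.today()
    return max(int(today.strftime("%Y%m%d")) * 100, current + 1)

def render_zone(addresses, serial, ttl=1800):
    """Build the apex-A zone for www.google.com from validated IPv4 addresses."""
    ips = sorted({str(ipaddress.IPv4Address(a)) for a in addresses})
    if not ips:
        raise ValueError("refusing to write a zone with no A records")
    lines = [f"@ IN SOA localhost. root.localhost. ( {serial} 7200 1800 1209600 300 )",
             f"  {ttl} IN NS localhost."]
    lines += [f"  {ttl} IN A {ip} ;nosslsearch.google.com." for ip in ips]
    return "\n".join(lines) + "\n"

def update_zone(old_text, addresses, today=None):
    """Return new zone text, or None when the address set is unchanged."""
    old_ips = set(re.findall(r"\bIN\s+A\s+(\d+(?:\.\d+){3})", old_text))
    new_ips = {str(ipaddress.IPv4Address(a)) for a in addresses}
    if new_ips == old_ips:
        return None  # no serial bump, no reload needed
    serial = re.search(r"\(\s*(\d+)", old_text)
    return render_zone(new_ips, next_serial(int(serial.group(1)) if serial else 0, today))

def resolve(name="nosslsearch.google.com"):
    """Look up the real name through the system resolver (needs network)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

if __name__ == "__main__":
    path = "/etc/bind/db.www.google.com"  # assumed file name, not from the thread
    with open(path) as fh:
        new_text = update_zone(fh.read(), resolve())
    if new_text is not None:
        with open(path, "w") as fh:
            fh.write(new_text)  # afterwards: rndc reload www.google.com
```

The script rewrites the file only when the resolved address set differs from the one already in the zone, and it refuses to write a zone with no A records, so a failed or empty lookup cannot blank out www.google.com for the filtered clients.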
Re: Configuring CNAME for nosslsearch.google.com
Hi Phil,

> 4. Create a zone for www.google.com and instead of CNAME, put an A
> record at the apex with the same IP as nosslsearch.google.com. Run a
> script FREQUENTLY to re-resolve the host, as Google do short-TTL
> DNS-based loadbalancing.

For unbound has no solution I now want to try your suggestion no. 4. My db file now looks like this:

-%-
@ IN SOA localhost root@localhost. ( 2012041100 7200 1800 1209600 300 )
        IN A 216.239.32.20 #nosslsearch.google.com.
-%-

But this does not work. Can you tell me what's wrong?

Greetings,

Tobias
Re: Configuring CNAME for nosslsearch.google.com
Hi Jan-Piet,

> What's the hash doing there? ...^ That's not a comment.

Thanks. I continue learning...

> Replace that whole line by
>
> nosslsearch.google.com. IN A 216.239.32.20

Zone is www.google.com. That won't work here

> Assuming you've configured the zone correctly, that ought to do the
> trick. (It has been pointed out to you previously, that this IP address
> is bound to change -- you should monitor the real domain name frequently
> and then update (dynamically?) your zone.

Yes, Phil already told me. But first it has to work with an A record...

Thanks Jan-Piet!

Greetings,

Tobias
Re: Configuring CNAME for nosslsearch.google.com
Hi all together,

very interesting this discussion. For I am a newbie I understood only half. Thus I detected 2 ways to continue:

> I believe you can use response policy (RPZ) to achieve this.

> Or you can use just about any non-BIND resolver (e.g. unbound) to
> achieve this.

1. Don't use bind but e.g. unbound instead.
2. Ask Google.

Any other ideas I missed?

I will do so and in case of success, I'll post the link here.

Thanks for your great help!

Greetings,

Tobias
Re: Configuring CNAME for nosslsearch.google.com
Hi Phil,

>> 1. Don't use bind but e.g. unbound instead.

First: here the link to follow on the unbound mailing list:
http://unbound.nlnetlabs.nl/pipermail/unbound-users/2012-April/002329.html

>> Any other ideas I missed?
>
> 3. Use RPZ, as per Chris' suggestion
>
> 4. Create a zone for www.google.com and instead of CNAME, put an A
> record at the apex with the same IP as nosslsearch.google.com. Run a
> script FREQUENTLY to re-resolve the host, as Google do short-TTL
> DNS-based loadbalancing.
>
> 5. Don't do this at all, since interfering with SSL is bad.

Thanks for that hint. I'll give it a try if the unbound solution won't work.

Greetings,

Tobias
Configuring CNAME for nosslsearch.google.com
Hi together,

I am a newbie to bind and wasted hours to create my first bind configuration. My target is simply creating a configuration with a CNAME for www.google.com to nosslsearch.google.com.

First: I use Ubuntu Precise Pangolin with bind 9.8.1. I have a transparent proxy (Dansguardian + Squid) that I use for just this lonely computer.

Now I read that I have to create a zone for google.com. Others said that it is OK to create a zone for www.google.com. But as far as I understand this won't be a great solution.

Can you help me to create a zone for google.com that does only one thing: a CNAME for www.google.com to nosslsearch.google.com. It would be best, if all IP-addresses for other google.com subdomains like docs.google.com or even nosslsearch.google.com are taken from the normal nameserver, e.g. 8.8.8.8.

Can anyone help me to create my /etc/bind/db.google.com file?

Greetings,

Tobias
Re: Configuring CNAME for nosslsearch.google.com
Hi Ben,

hmm. How can I manage what google suggests:

    Information for school network administrators about the No-SSL option

    To utilize the no SSL option for your network, configure the DNS
    entry for www.google.com to be a CNAME for nosslsearch.google.com.

Source: http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669. You can find this quite at the end of the document.

How can I realize such a configuration in bind?

Greetings,

Tobias

On 16.04.2012 00:31, Ben Croswell wrote:
> What you are asking for can't be done. If you load the google.com zone
> everything you don't load in the zone will be black holed and not
> resolve.
> If you try to load WWW.Google.com you will not be able to make WWW a
> cname due to the no cname and other data rule.
>
> On Apr 15, 2012 5:39 PM, Tobias Krais tux-s...@design-to-use.de wrote:
>
>> Hi together,
>>
>> I am a newbie to bind and wasted hours to create my first bind
>> configuration. My target is simply creating a configuration with a
>> CNAME for www.google.com to nosslsearch.google.com.
>>
>> First: I use Ubuntu Precise Pangolin with bind 9.8.1. I have a
>> transparent proxy (Dansguardian + Squid) that I use for just this
>> lonely computer.
>>
>> Now I read that I have to create a zone for google.com. Others said
>> that it is OK to create a zone for www.google.com. But as far as I
>> understand this won't be a great solution.
>>
>> Can you help me to create a zone for google.com that does only one
>> thing: a CNAME for www.google.com to nosslsearch.google.com. It would
>> be best, if all IP-addresses for other google.com subdomains like
>> docs.google.com or even nosslsearch.google.com are taken from the
>> normal nameserver, e.g. 8.8.8.8.
>>
>> Can anyone help me to create my /etc/bind/db.google.com file?
>>
>> Greetings,
>>
>> Tobias