Re: bind as "reverse-proxy"

2020-02-26 Thread Erich Eckner


On Wed, 26 Feb 2020, Matus UHLAR - fantomas wrote:

> On 26.02.20 15:28, Erich Eckner wrote:
>> is it possible to set up a zone in bind similar to a http(s) reverse proxy:
>
> No. DNS is very far from proxying.
>
>> 1. The server appears authoritative to clients (the consulted server is
>> indeed authoritative).
>>
>> 2. Each request is passed on to the other server (or served from cache),
>> but the information is *not* obtained by zone transfers (because the other
>> server does not have/allow this).
>
> For records that are managed locally, BIND is authoritative.
> For records that are stored elsewhere, BIND is NOT authoritative.
>
> So, either you have an authoritative server, or you do not.
>
> What is the point of your request?


The point is that I have two authoritative dns servers running on the
same machine which I would like to "merge". The problem there is that one
of them runs some special software, which does not "speak too much dns"
(it is not broken as far as I can tell, but it is also not as versatilely
configurable as bind is).

A is a normal bind installation and B is the "custom made" dns server.
Unfortunately, B does not allow zone transfers and (though it allows
forwarding queries for "foreign" domains to a separate name server (A) in
principle) it does not forward AXFR/IXFR, which breaks slave duplication of
A's master zone. So I cannot place B in front (which I would like to avoid
anyways, as bind is waaayyy more mature than B). So my question was
whether I could place A in front of B - which currently works, besides
that my server now looks non-authoritative to clients.

But maybe my whole train of thought is backwards: The problem I'm
currently experiencing is that the nameserver setup for B's subdomain
(i.eckner.net) looks all right when querying A (or the nameserver of the
parent domain) directly, but not if I traverse from the root zone.

Maybe I failed to set up some cross-reference and A not appearing
authoritative is not a problem for the name resolution?

@Tony: dnsdist looks interesting. At first glance, it looks like it can
do what I need: send queries to different servers depending on the queried
domain. I'll take a closer look at it.


regards,
Erich


> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "Where do you want to go to die?" [Microsoft]
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users




Re: bind as "reverse-proxy"

2020-02-26 Thread Tony Finch
Erich Eckner wrote:
>
> is it possible to set up a zone in bind similar to a http(s) reverse
> proxy:

You're looking for dnsdist https://dnsdist.org/

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fitzroy: West 5, increasing 6 to gale 8. Rough or very rough. Rain or showers.
Good, occasionally poor.


Re: bind as "reverse-proxy"

2020-02-26 Thread Matus UHLAR - fantomas

On 26.02.20 15:28, Erich Eckner wrote:
> is it possible to set up a zone in bind similar to a http(s) reverse
> proxy:

No. DNS is very far from proxying.

> 1. The server appears authoritative to clients (the consulted server
> is indeed authoritative).
>
> 2. Each request is passed on to the other server (or served from
> cache), but the information is *not* obtained by zone transfers
> (because the other server does not have/allow this).

For records that are managed locally, BIND is authoritative.
For records that are stored elsewhere, BIND is NOT authoritative.

So, either you have an authoritative server, or you do not.

What is the point of your request?


bind as "reverse-proxy"

2020-02-26 Thread Erich Eckner


Hi,

is it possible to set up a zone in bind similar to a http(s) reverse 
proxy:


1. The server appears authoritative to clients (the consulted server is 
indeed authoritative).


2. Each request is passed on to the other server (or served from cache), 
but the information is *not* obtained by zone transfers (because the other 
server does not have/allow this).


So far, I had used a forward zone (to ensure condition 2), but it violates
condition 1:


directly queried:
# dig @127.0.0.1 -p 5353 ns.i.eckner.net

; <<>> DiG 9.16.0 <<>> @127.0.0.1 -p 5353 ns.i.eckner.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61359
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.i.eckner.net.   IN  A

;; ANSWER SECTION:
ns.i.eckner.net.	3600	IN	A	193.30.121.109

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Feb 26 15:09:45 CET 2020
;; MSG SIZE  rcvd: 49


querying the "reverse-proxy":
# dig @127.0.0.1 -p 53 ns.i.eckner.net

; <<>> DiG 9.16.0 <<>> @127.0.0.1 -p 53 ns.i.eckner.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30724
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: de8d1f39eca0150901005e567c38203e4e1025c43f9d (good)
;; QUESTION SECTION:
;ns.i.eckner.net.   IN  A

;; ANSWER SECTION:
ns.i.eckner.net.	3600	IN	A	193.30.121.109

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 26 15:10:00 CET 2020
;; MSG SIZE  rcvd: 88


This is the relevant part of my config (so far):

zone "i.eckner.net" IN {
    type forward;
    forwarders {
        127.0.0.1 port 5353;
    };
    forward only;
};

Is it possible to fake/force the authoritative-bit in the answer for 
queries below "i.eckner.net"?


regards,
Erich

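A check for the header bit the two dig runs above differ on, added here as an example and not code from the thread or from BIND: it parses the DNS header flags and the first A record of a response, so the same answer data can be seen to arrive with and without the AA bit. The sample responses are constructed to mirror the two captures (same name and address, "qr aa" versus "qr rd ra"); to test a live server, pass it the bytes received from a UDP socket instead.

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def parse_flags(resp: bytes) -> dict:
    """Header bits that decide how a resolver treats the answer (RFC 1035, section 4.1.1)."""
    f = struct.unpack("!H", resp[2:4])[0]
    return {"qr": bool(f & 0x8000), "aa": bool(f & 0x0400), "tc": bool(f & 0x0200),
            "rd": bool(f & 0x0100), "ra": bool(f & 0x0080), "rcode": f & 0x000F}

def is_authoritative(resp: bytes) -> bool:
    f = parse_flags(resp)
    return f["qr"] and f["aa"] and f["rcode"] == 0  # dig shows this combination as "flags: qr aa"

def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a possibly compressed owner name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def first_a_record(resp: bytes):
    """(ttl, ip) of the first A record in the answer section, or None."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ttl, socket.inet_ntoa(resp[off:off + 4])
        off += rdlen
    return None

def sample_response(flags: int, name: str, ip: str, ttl: int = 3600) -> bytes:
    """Constructed response: header, the A question, one A record pointing back at its name."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0) + question + rr

# Flag words mirroring the two dig captures in the post (constructed bytes, not the captures):
# "qr aa" -> 0x8400 (server on port 5353); "qr rd ra" -> 0x8180 (forward zone on port 53).
DIRECT = sample_response(0x8400, "ns.i.eckner.net", "193.30.121.109")
FORWARDED = sample_response(0x8180, "ns.i.eckner.net", "193.30.121.109")
```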