Re: per-zone query-source on recursive resolver
Erich Eckner wrote:
>
> I'm undecided whether they're authoritative or not. On one hand, they are
> distributed via DHCP as default DNS servers, speaking for "recursive", on
> the other hand, they have matching SOA records (and I think, that means,
> they're authoritative) - maybe they're both?

If they are advertised via DHCP they have to be recursive, otherwise stub
resolvers would not work :-)

The key thing to look for is the RA bit (recursion available) in answers
you get from the server. The servers can also be authoritative with AA=1
(authoritative answer) for some zones, but that won't prevent you from
using them as forwarders.

For choosing between the alternatives I should have been more precise and
said you have to use static-stub instead of forwarding if the target
server is "authoritative-only" (i.e. RA=0). If you use static-stub the
target server must be authoritative for the zone, regardless of whether it
offers recursion.

Tony.
--
f.anthony.n.finch  http://dotat.at/
a fair, free and open society

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: per-zone query-source on recursive resolver
Hi,

On Mon, 28 Oct 2019, Tony Finch wrote:

> Erich Eckner wrote:
>
> RPZ rewrites responses as they are going out of your nameserver, so you
> can't use RPZ to change the way the nameserver's resolver works (because
> the resolver depends on incoming responses not outgoing responses).

Ah, right, the name should have turned me away from it (it's "*response*
policy zone", not "*question* policy zone" :-D)

> There are two ways to do what you want, depending on the DNS servers on
> the other end of the VPN:
>
> * If they are recursive, use a forward zone. This applies to all the
> subdomains as well, since the recursive server is expected to follow
> referrals/delegations itself as necessary.

I'm undecided whether they're authoritative or not. On one hand, they are
distributed via DHCP as default DNS servers, speaking for "recursive", on
the other hand, they have matching SOA records (and I think, that means,
they're authoritative) - maybe they're both?

> * If they are authoritative, use a static-stub zone. In this case your
> server will follow referrals/delegations from the remote zone, which
> will need to make sense wrt your split horizon network topology.

Due to the SOA, I took this path and it works like a charm :-)

Googling the difference between forward and static-stub zones I found this:
https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
which made me understand it - I'll use static-stub, because I want to do
the recursion myself (because I can and because it's slower :-D)

> If you need special source addresses as well as special target addresses,
> add server clauses for each of the target servers on the other end of the
> VPN to specify which query-source address to use for them.

I tried without forcing the source address and it works out of the box.
Most probably, some iptables-MASQUERADE action gets triggered (in the end,
this box also *routes* network traffic through the vpn).

Thanks!

Cheers,
Erich

> Tony.
>
> --
> f.anthony.n.finch  http://dotat.at/
> Humber, Thames, Dover: North 3 or 4, veering northeast 4 or 5. Slight or
> moderate in Humber, otherwise slight, occasionally smooth. Showers. Good.
Re: per-zone query-source on recursive resolver
Erich Eckner wrote:
>
> 1. Set a custom query-source (the one of the vpn interface) for that
> second-level domain. (This would also be applied to all subdomains thereof,
> right?)
>
> 2. Overwrite (by rpz?) the name-servers for that domain to the (somehow
> obtained) internal nameservers (they differ from the external ones and have
> addresses which are automatically routed through the vpn anyways).

RPZ rewrites responses as they are going out of your nameserver, so you
can't use RPZ to change the way the nameserver's resolver works (because
the resolver depends on incoming responses not outgoing responses).

There are two ways to do what you want, depending on the DNS servers on
the other end of the VPN:

* If they are recursive, use a forward zone. This applies to all the
subdomains as well, since the recursive server is expected to follow
referrals/delegations itself as necessary.

* If they are authoritative, use a static-stub zone. In this case your
server will follow referrals/delegations from the remote zone, which
will need to make sense wrt your split horizon network topology.

If you need special source addresses as well as special target addresses,
add server clauses for each of the target servers on the other end of the
VPN to specify which query-source address to use for them.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Humber, Thames, Dover: North 3 or 4, veering northeast 4 or 5. Slight or
moderate in Humber, otherwise slight, occasionally smooth. Showers. Good.
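As an added illustration (not from any message in this thread), here is what Tony's two alternatives and the per-server query-source look like in named.conf, together with the RA/AA distinction from his later reply; the zone name internal.example, the VPN subnet 10.8.0.0/24, the remote servers 10.8.0.53/54 and the local addresses 192.0.2.10 and 10.8.0.1 are placeholders chosen for the example:

```conf
// Added example, not part of the thread. All names and addresses are
// placeholders; replace them with your own.

options {
    recursion yes;
    // Source address for ordinary (non-VPN) resolution (assumed).
    query-source address 192.0.2.10;
};

// Keep exactly ONE of the two zone statements below; named rejects a
// configuration that defines the same zone twice in one view.

// Alternative A: the servers behind the VPN answer with RA=1, i.e. they
// recurse themselves. Hand them the whole subtree; "forward only" stops
// named from falling back to normal iterative resolution (and leaking
// the query to the public NS set) if the forwarders do not answer.
zone "internal.example" {
    type forward;
    forward only;
    forwarders { 10.8.0.53; 10.8.0.54; };
};

// Alternative B: the servers are authoritative for the zone (AA=1), and
// possibly "authoritative-only" (RA=0). named keeps recursing itself but
// treats these addresses as the zone's apex name servers, following any
// referrals they hand out, which must therefore point into the VPN side
// of the split horizon.
zone "internal.example" {
    type static-stub;
    server-addresses { 10.8.0.53; 10.8.0.54; };
};

// Per-server source address. A prefix covers the two servers above and
// any delegated sub-zone servers inside the VPN, so queries to them
// leave from the tunnel interface instead of the global query-source.
server 10.8.0.0/24 {
    query-source address 10.8.0.1;
};
```

To pick between A and B, look at the header of a non-recursive query to the remote server (`dig +norecurse @10.8.0.53 internal.example SOA`): `aa` in the flags line means it is authoritative, and the presence or absence of `ra` tells you whether it offers recursion.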
per-zone query-source on recursive resolver
Hi,

I'm running bind as a recursive resolver. This box also has a vpn tunnel to
another network (not mine) with split-horizon dns (internal clients see
different NS entries than external clients; those in turn resolve different
addresses). I would like to resolve the majority of requests directly (e.g.
not through the vpn), but some requests (all below a certain second-level
domain) through the vpn.[1]

I had two ideas to accomplish that:

1. Set a custom query-source (the one of the vpn interface) for that
second-level domain. (This would also be applied to all subdomains thereof,
right?)

2. Overwrite (by rpz?) the name-servers for that domain to the (somehow
obtained) internal nameservers (they differ from the external ones and have
addresses which are automatically routed through the vpn anyways).

Any idea which approach is the best and how I best accomplish that? (an
even better third idea would be welcome, also)

[1] sry for not handing out details about *which* second-level domain that
is, but because you're not inside its network, most probably, you couldn't
take a peek at the internal dns servers anyway.

cheers,
Erich