Re: DNS config help

2011-11-03 Thread Matthew Seaman
On 02/11/2011 20:52, AN wrote:
> I have a question about how to configure DNS.  My local network is 10.x,
> and I sometimes need to connect to a remote VPN.  My question is how do
> I configure BIND to forward queries to a different server only for a
> specific domain.

This sounds like a job for a static-stub domain.  That's a fairly new
feature in BIND, so you may well need to install bind98 from ports.  See
the documentation here:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar

> When I am connected to the VPN, vpn.example.com, I want queries for
> anything going to example.com to go to a specific DNS, and everything else
> on 10.x to go to my regular DNS.  Please let me know if I need to
> provide more info.  Thanks in advance for any help.

Hmmm I don't think you're going to have much fun at all if you try
and modify your named configuration depending on whether your VPN is up
or not.  DNS TTLs are generally of the order of days -- that should be
taken as a measure of the minimum time that should go between restarts
of a recursive DNS (ideally, and as a long term average).  Better to
just fail the lookup when the VPN is down.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk





Re: DNS config help

2011-11-03 Thread Damien Fleuriot


On 11/3/11 8:51 AM, Matthew Seaman wrote:
> On 02/11/2011 20:52, AN wrote:
>> I have a question about how to configure DNS.  My local network is 10.x,
>> and I sometimes need to connect to a remote VPN.  My question is how do
>> I configure BIND to forward queries to a different server only for a
>> specific domain.
> 
> This sounds like a job for a static-stub domain.  That's a fairly new
> feature in BIND, so you may well need to install bind98 from ports.  See
> the documentation here:
> 
> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar

You can simply create a forward zone.

If this should only apply to your VPN clients, then create a view that
matches only their IP, for example:


// Clients allowed to use this view: loopback plus the local LAN.
acl trusted { 127.0.0.1; ::1; 192.168.0.0/24; };

view "internal_in" in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    // Root hints so that everything not matched below is resolved normally.
    zone "." {
        type hint;
        file "named.root";
    };

    // Queries for this domain (and names beneath it) are sent to the
    // VPN box instead of being resolved from the public tree.
    zone "avocat-conseil.fr" {
        type forward;
        forwarders { 192.168.252.252; };
        forward only;
    };
};



I have exactly that setup here; allow me to explain.

There's a server at my parents' office (wow this sounds so awkward, when
I re-read it) that handles:
- dhcp
- dns
- firewalling
- smb shares
- routing

There's also a small VPN box that's, so to speak, outside our perimeter
because it's an appliance and I have 0 level of control over it, it runs
at 192.168.252.252 in its own separate VLAN and establishes a VPN with
some law organization thingy, using an IP range of 172.30.*

From the server, I route 172.30.* to the VPN box, and I also make that
box authoritative for a few domains, including the one quoted above.

I'm not certain what you're trying to accomplish, but this works like a
charm here.

>> When I am connected to the VPN, vpn.example.com, I want queries for
>> anything going to example.com to go to a specific DNS, and everything else
>> on 10.x to go to my regular DNS.  Please let me know if I need to
>> provide more info.  Thanks in advance for any help.
> 
> Hmmm I don't think you're going to have much fun at all if you try
> and modify your named configuration depending on whether your VPN is up
> or not.  DNS TTLs are generally of the order of days -- that should be
> taken as a measure of the minimum time that should go between restarts
> of a recursive DNS (ideally, and as a long term average).  Better to
> just fail the lookup when the VPN is down.
> 

Actually, using a view that matches only the VPN's IP range would do the
trick easily and efficiently.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: DNS config help

2011-11-03 Thread Matthew Seaman
On 03/11/2011 10:00, Damien Fleuriot wrote:

> You can simply create a forward zone.

Actually, yes, that's a good idea too.  Should have much the same effect
and it's been available in BIND approximately forever.  There are
differences in the niggling details of how it all works, so it's worth
experimenting with the different possibilities.

>>> When I am connected to the VPN, vpn.example.com, I want queries for
>>> anything going to example.com to go to a specific DNS, and everything else
>>> on 10.x to go to my regular DNS.  Please let me know if I need to
>>> provide more info.  Thanks in advance for any help.
>> 
>> Hmmm I don't think you're going to have much fun at all if you try
>> and modify your named configuration depending on whether your VPN is up
>> or not.  DNS TTLs are generally of the order of days -- that should be
>> taken as a measure of the minimum time that should go between restarts
>> of a recursive DNS (ideally, and as a long term average).  Better to
>> just fail the lookup when the VPN is down.
>> 
> Actually, using a view that matches only the VPN's IP range would do the
> trick easily and efficiently.

Views are a way of giving a different answer depending on who is asking
the question -- how does that help the OP when he's always querying from
within his 10.0.0.0/8 network?  He's the client connecting to the VPN here.

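The two BIND approaches discussed in this thread (Matthew's static-stub zone and Damien's forward zone), written out for the original poster's situation as an added example that is not code from any message in the thread. It assumes the VPN-side resolver is reachable at 192.0.2.53 once the tunnel is up (a placeholder address), a LAN address of 10.0.0.1 for the resolver itself (also a placeholder), and BIND 9.8 or later for the static-stub form:

```conf
// named.conf fragment (added example, not from the thread).
// 192.0.2.53 = the resolver reachable over the VPN (placeholder).
// 10.0.0.1   = this resolver's own LAN address (placeholder).

options {
    listen-on { 127.0.0.1; 10.0.0.1; };
    // Recurse only for the local network, so this is not an open resolver.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    recursion yes;
};

// Root hints: everything not matched by a more specific zone below is
// resolved normally from the public tree, regardless of VPN state.
zone "." {
    type hint;
    file "named.root";
};

// Option 1: forward zone.  Queries for example.com and every name beneath
// it are handed to the VPN-side resolver, which must itself be recursive.
// "forward only" means that if that server is unreachable (VPN down) the
// query fails with SERVFAIL; "forward first" would instead fall back to
// public recursion and silently return the Internet-facing answer.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Option 2: static-stub (BIND 9.8+).  Same selection by name, but named
// queries the listed address as if it were example.com's authoritative
// server (no recursion requested), so the VPN-side server must answer
// authoritatively for the zone.  Configure one form or the other for a
// given name, not both.
// zone "example.com" {
//     type static-stub;
//     server-addresses { 192.0.2.53; };
// };
```

Check the file with `named-checkconf` before reloading with `rndc reload`. Either form also covers subdomains (for example host.corp.example.com) unless a more specific zone statement exists. If the resolver validates DNSSEC and example.com is signed in the public tree, answers coming from the VPN-side server for that name must themselves validate, or the lookups will fail as bogus.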


Re: DNS config help

2011-11-03 Thread Damien Fleuriot


On 11/3/11 11:35 AM, Matthew Seaman wrote:
> On 03/11/2011 10:00, Damien Fleuriot wrote:
>> Actually, using a view that matches only the VPN's IP range would do the
>> trick easily and efficiently.
> 
> Views are a way of giving a different answer depending on who is asking
> the question -- how does that help the OP when he's always querying from
> within his 10.0.0.0/8 network?  He's the client connecting to the VPN here.
> 

I didn't understand his problem like that, my bad.

I remember hearing at work that dnsmasq could do that, perhaps with a
little bit of scripting.
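The dnsmasq equivalent of a per-domain forwarder, as an added example that is not from the thread. It assumes dnsmasq runs on the original poster's machine, that the regular LAN resolver is 10.0.0.1 and the VPN-side resolver is 192.0.2.53 (both placeholder addresses), and that /etc/resolv.conf is then pointed at 127.0.0.1:

```conf
# dnsmasq.conf fragment (added example, not from the thread).
# 10.0.0.1   = regular LAN resolver (placeholder)
# 192.0.2.53 = resolver reachable over the VPN (placeholder)

# Do not pick up upstream servers from /etc/resolv.conf; use only those below.
no-resolv

# Default upstream for everything that matches no domain-specific rule.
server=10.0.0.1

# Queries for example.com and any name beneath it go to the VPN-side
# resolver.  dnsmasq sends such queries only to servers listed for that
# domain, so they are never answered by the regular resolver, whether or
# not the VPN is up.
server=/example.com/192.0.2.53

# Answer only on loopback; point /etc/resolv.conf at 127.0.0.1.
listen-address=127.0.0.1
```

This is a static configuration: the domain rule stays in place whether or not the tunnel is up, which matches Matthew's advice above to let lookups for the VPN domain fail rather than rewrite resolver configuration as the VPN comes and goes.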


DNS config help

2011-11-02 Thread AN
I have a question about how to configure DNS.  My local network is 10.x, 
and I sometimes need to connect to a remote VPN.  My question is how do I 
configure BIND to forward queries to a different server only for a 
specific domain.


When I am connected to the VPN, vpn.example.com, I want queries for 
anything going to example.com to go to a specific DNS, and everything else 
on 10.x to go to my regular DNS.  Please let me know if I need to provide 
more info.  Thanks in advance for any help.



Re: DNS config help

2011-11-02 Thread Michael Sierchio
It depends...

Some VPNs push routes, including default routes, and nameservers and
search paths, but it's up to the client how to handle it.  Some of
these will set /etc/resolv.conf, etc.

What *kind* of VPN are you talking about?  OpenVPN?  PPTP?  L2TP?

I generally prefer dnscache to BIND, and the mechanism for selective
resolution is straightforward.

Some large companies, HP included, just publish internal
(non-routable) addresses for hosts on their public servers, which
solves the remote access DNS problem.

- M

On Wed, Nov 2, 2011 at 1:52 PM, AN a...@neu.net wrote:
> I have a question about how to configure DNS.  My local network is 10.x, and
> I sometimes need to connect to a remote VPN.  My question is how do I
> configure BIND to forward queries to a different server only for a specific
> domain.
>
> When I am connected to the VPN, vpn.example.com, I want queries for anything
> going to example.com to go to a specific DNS, and everything else on 10.x to
> go to my regular DNS.  Please let me know if I need to provide more info.
> Thanks in advance for any help.
