On 23/07/2013 09:40, Pavel Volkov wrote:
> I have recently installed BIND as a recursive resolver for a local network.
>
> I'll explain my configuration. There's a network with hosts bound to the
> example.org domain, like host1.example.org, host2.example.org etc.
> They make DNS queries through recursive server A.
> The authoritative server for the example.org domain is
> server B and it's totally unrelated.
>
> Below is an example of what I'd like to accomplish.
> 1. When the outside makes a DNS query for host1.example.org,
> it should only receive its AAAA record 2001:db8:a::1.
> 2. When host2 queries server A for host1.example.com,
> server A should return the same 2001:db8:a::1 AAAA record (resolved
> through the authoritative server) and also inject the 192.168.1.100 A
> record into the reply.
>
> How can I set up BIND on server A to make it happen?


What you want to accomplish is cache poisoning. There are a few ways to do
it, but it's not easy.

You can load the customized copy of the zone onto the cache that your
internal hosts use, or set up an authoritative internal-only server.

This stuff gets tricky; every time I have to investigate our setup that
does something similar, I need to work it out in my head all over again.

The best advice I can give is DO NOT TRY TO ACCOMPLISH THIS WITH ONE
DNS AUTH SERVER THAT SERVES INTERNAL AND EXTERNAL CLIENTS. That way lies
a whole lotta pain.

--
Alan McKinnon
alan.mckinnon@×××××.com
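The first option in the reply above, a customized copy of example.org that only internal clients ever see, is normally done in BIND with views: the internal view carries a local authoritative copy of the zone, every other client is refused recursion, and server B keeps serving the public data untouched. The named.conf below is an added example for this thread, not configuration posted by either participant; the 192.168.1.0/24 and 2001:db8:a::/64 ranges, the directory and the zone file path are assumptions.

```conf
// named.conf on server A (recursive resolver for the internal network).
// Added example, not from the original thread. Address ranges, directory
// and file paths are assumptions.

acl "internal" {
    192.168.1.0/24;     // assumed internal IPv4 range
    2001:db8:a::/64;    // assumed internal IPv6 range
    127.0.0.1; ::1;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { internal; };
    dnssec-validation auto;
};

// Internal clients get recursion plus a locally authoritative copy of
// example.org. Because this view is authoritative for the zone, server A
// never asks server B about it: the AAAA record is answered from the local
// file, not "resolved through the authoritative server", so the file must
// be kept in sync with B by hand whenever B changes.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "example.org" {
        type master;
        file "/etc/bind/internal/db.example.org";  // assumed path
    };
};

// Everyone else matches this view. No zones and no recursion, so every
// query from outside the internal ranges is answered REFUSED; the public
// example.org data stays the job of server B, as in the thread.
view "external" {
    match-clients { any; };
    recursion no;
};
```

The zone file named above holds the apex SOA and NS records copied from the public zone plus the two records the question asks for, `host1 IN AAAA 2001:db8:a::1` and `host1 IN A 192.168.1.100`, and, since this view is authoritative for the whole name, every other record of example.org that internal hosts need; that copying is the maintenance burden the reply warns about. Check the result with `named-checkconf` and `named-checkzone example.org /etc/bind/internal/db.example.org` before reloading, then `dig @serverA host1.example.org A` from an internal host should return 192.168.1.100 while the same query from outside is refused. One caveat if the public example.org is DNSSEC-signed: the local copy is unsigned, so internal clients that validate on their own (rather than trusting server A's validation) will treat its answers as bogus unless the internal copy is signed as well.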