| 1 |
On 23/07/2013 09:40, Pavel Volkov wrote: |
| 2 |
> I have recently installed BIND as a recursive resolver for local network. |
| 3 |
> |
| 4 |
> I'll explain my configuration. There's a network with hosts binded to |
| 5 |
> example.org <http://example.org> domain, like host1.example.org |
| 6 |
> <http://host1.example.org>, host2.example.org <http://host2.example.org> |
| 7 |
> etc. |
| 8 |
> They make DNS query through recursive server A. |
| 9 |
> Authoritative server for example.org <http://example.org> domain is |
| 10 |
> server B and it's totally unrelated. |
| 11 |
> |
| 12 |
> Below is an example of what I'd like to accomplish. |
| 13 |
> 1. When the outside make a DNS query for host1.example.org |
| 14 |
> <http://host1.example.org>, it should only receive its AAAA |
| 15 |
> record 2001:db8:a::1. |
| 16 |
> 2. When host2 queries server A for host1.example.com |
| 17 |
> <http://host1.example.com>, server A should return the |
| 18 |
> same 2001:db8:a::1 AAAA record (resolved through authoritative server) |
| 19 |
> and also inject 192.168.1.100 A record into the reply. |
| 20 |
> |
| 21 |
> How can I setup BIND on server A to make it happen? |
| 22 |
|
| 23 |
|
| 24 |
What you want to accomplish is cache-poisoning. There's a few ways to do |
| 25 |
it, but it's not easy. |
| 26 |
|
| 27 |
You can load the customized copy of the zone onto the cache that your |
| 28 |
internal hosts use, or set up an authoritative internal-only server. |
| 29 |
|
| 30 |
This stuff gets tricky, every time I have to investigate our setup that |
| 31 |
does something similar, I need to work it out in my head all over again. |
| 32 |
|
| 33 |
The best advice I can give is DO NOT TRY AND ACCOMPLISH THIS WITH ONE |
| 34 |
DNS AUTH SERVER THAT SERVES INTERNAL AND EXTERNAL CLIENT. That way lies |
| 35 |
a whole lotta pain. |
| 36 |
|
| 37 |
-- |
| 38 |
Alan McKinnon |
| 39 |
alan.mckinnon@×××××.com |
Archives