Doing single resolvings without implementing a whole zone?
Stefan Gofferje
stefan at gofferje.homelinux.org
Mon Feb 14 00:15:20 UTC 2005
Hi Folks,
I have a rather tricky problem. I need to set up an intranet NS to answer
single host queries but not a whole zone. This is because I need to
"redirect" clients inside a firewall to an inside IP. I'm not quite
sure how to explain what I need, so I give an example:
At my home lab, I have the following config:
INET --- PIX501 --- LAN
The LAN contains a webserver and some clients. The PIX firewall does
some NAT from inside to outside but also does PAT including port 80
(http). When an inside client wants to go to gofferje.homelinux.org, the
PIX first does NAT from inside to outside and then talks to itself on
the outside interface, attempting PAT... resulting in dropping the
request and warning about an ongoing "LAND attack".
So, as the webserver uses namebased virtual hosts, actually all I have
to do is let gofferje.homelinux.org resolve to the RFC1918 IP of the
webserver - for the internal clients only. But I don't want to mirror
the complete homelinux.org zone on my local BIND 9.
I thought about setting up a zone homelinux.org with one entry gofferje
and telling bind to try to resolve other homelinux.org-related queries
at the forwarders before answering NXDOMAIN.
Is there a way to get bind to do this?
There are no other options like changes in the topology. I also tried a
hosts-file but this is not reliable and it doesn't scale.
I might need this solution also for another project in the future.
Regards,
Stefan
--
(o_ Stefan Gofferje | Linux Systems Specialist
//\ Reg'd Linux User #247167 | Network Security Specialist
V_/_ Linux is like a Wigwam - No gates, no windows, Apache inside
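One way to get the single-name override the post asks for, given here as an added example that is not part of the original message or of any reply on the list: instead of declaring a zone for all of homelinux.org, the internal BIND 9 resolver is made authoritative for the zone "gofferje.homelinux.org" only. A zone whose apex is the host name itself covers nothing else under homelinux.org, so every other name in that domain is still resolved through the configured forwarders and the resolver never has to "fall through" from a local NXDOMAIN. The file paths, the 192.168.1.10 webserver address, the 192.168.0.0/16 client range, the 192.0.2.53 forwarder and the ns1.lab.internal / hostmaster names are all assumed values for the example, not taken from the post.

```conf
// ---- /etc/named.conf (fragment; assumed path) ----
// Internal-only resolver: recursive for the world, authoritative for one name.
options {
    directory "/var/named";            // assumed working directory
    recursion yes;
    allow-query { 192.168.0.0/16; };   // assumed LAN range; only inside clients may ask
    forwarders { 192.0.2.53; };        // assumed upstream resolver (documentation address)
};

// Authoritative for exactly one name. Because the zone apex is the host name,
// www.homelinux.org, other.homelinux.org etc. are outside this zone and are
// still answered from the forwarders by normal recursion.
zone "gofferje.homelinux.org" {
    type master;
    file "db.gofferje.homelinux.org";
};

// ---- /var/named/db.gofferje.homelinux.org (assumed path) ----
// Zone file for the single overridden name.
// $TTL 3600
// @   IN SOA  ns1.lab.internal. hostmaster.lab.internal. (
//             2005021401 ; serial (YYYYMMDDnn)
//             3600       ; refresh
//             900        ; retry
//             604800     ; expire
//             300 )      ; negative-caching TTL
//     IN NS   ns1.lab.internal.    ; assumed internal name server
//     IN A    192.168.1.10         ; assumed RFC1918 address of the inside webserver
```

Before reloading, check both pieces with the tools that ship with BIND 9: `named-checkconf /etc/named.conf` and `named-checkzone gofferje.homelinux.org /var/named/db.gofferje.homelinux.org`. Two caveats: names below the apex (for example www.gofferje.homelinux.org) are now inside this zone and get NXDOMAIN unless they are added to the zone file, and if the same named instance also answers outside clients, the override zone should be placed in a view whose `match-clients` lists only the internal range so that the private address is never handed out externally.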