Doing single resolvings without implementing a whole zone?

Stefan Gofferje stefan at gofferje.homelinux.org
Mon Feb 14 00:15:20 UTC 2005


Hi Folks,

I have a rather tricky problem. I need to set up an intranet NS to answer 
single host queries but not a whole zone. This is because I need to 
"redirect" clients inside a firewall to an inside IP. I'm not quite 
sure how to explain what I need, so I'll give an example:

At my home lab, I have the following config:

INET --- PIX501 --- LAN

where the LAN contains a webserver and some clients. The PIX firewall does 
some NAT from inside to outside but also does PAT including port 80 
(http). When an inside client wants to go to gofferje.homelinux.org, the 
PIX first does NAT from inside to outside and then talks to itself on 
the outside interface, attempting PAT... resulting in dropping the 
request and warning about an ongoing "LAND attack".
So, as the webserver uses name-based virtual hosts, actually all I have 
to do is let gofferje.homelinux.org resolve to the RFC1918 IP of the 
webserver - for the internal clients only. But I don't want to mirror 
the complete homelinux.org zone on my local BIND 9.

I thought about setting up a zone homelinux.org with one entry gofferje 
and telling bind to try to resolve other homelinux.org-related queries 
at the forwarders before answering NXDOMAIN.
Is there a way to get bind to do this?

There are no other options like changes in the topology. I also tried a 
hosts file, but this is not reliable and it doesn't scale.
I might also need this solution for another project in the future.

Regards,
   Stefan

-- 
  (o_   Stefan Gofferje          | Linux Systems Specialist
  //\   Reg'd Linux User #247167 | Network Security Specialist
  V_/_  Linux is like a Wigwam - No gates, no windows, Apache inside
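The usual way to get exactly the behaviour asked for above, as an added example that is not part of the original post: instead of making the internal server authoritative for homelinux.org, make it authoritative for a zone whose apex is the single host name, gofferje.homelinux.org. BIND 9 then answers that one name from the local zone file and resolves every other homelinux.org name through the configured forwarders, because no local zone covers them. The forwarder address (192.0.2.53), the internal name server name (ns.lan.example.), the webserver address (192.168.1.10) and the file paths are placeholders I assumed for the example, not values from the post.

```conf
// ---- named.conf fragment on the internal BIND 9 server (added example) ----
options {
    directory "/var/named";
    // Upstream resolvers used for everything we are not authoritative for.
    // 192.0.2.53 is a placeholder; use the real forwarder addresses.
    forwarders { 192.0.2.53; };
    forward only;
};

// A master zone whose apex IS the host name. It covers only
// gofferje.homelinux.org and names below it; www.homelinux.org,
// homelinux.org itself, etc. are not in this zone and are forwarded.
zone "gofferje.homelinux.org" {
    type master;
    file "gofferje.homelinux.org.zone";
};

; ---- /var/named/gofferje.homelinux.org.zone (added example) ----
; The zone needs an SOA and at least one NS record to load; ns.lan.example.
; is an assumed name for the internal BIND server itself.
$TTL 300
@       IN  SOA  ns.lan.example. hostmaster.lan.example. (
                 2005021401 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-caching TTL
        IN  NS   ns.lan.example.
; The apex A record is the "redirect": the RFC1918 address of the
; internal webserver (192.168.1.10 is assumed for the example).
        IN  A    192.168.1.10
```

Check it from an internal client with `dig @<internal-ns> gofferje.homelinux.org A` (expect the RFC1918 address with the `aa` flag set) and `dig @<internal-ns> homelinux.org SOA` (expect the public answer, coming back via the forwarders). One caveat: because the local server is now authoritative for everything under gofferje.homelinux.org, any name below it (for example www.gofferje.homelinux.org) will get NXDOMAIN unless you add it to this zone file as well.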
