Host-level forwarding override

Kevin Darcy kcd at
Fri Oct 13 19:12:22 UTC 2006

Jan Ceuleers wrote:
> First of all, I apologise if this is a FAQ. I have googled, 
> google-grouped and read the ISC BIND FAQ before coming here.
> I work for a company (let's say that it's called foo) and have a 
> foo-issued and managed laptop. What I'd like to be able to do is connect 
> this laptop either directly to the company network, or to the internet, 
> or to the company VPN, without changing its configuration. (Note that 
> none of this is contrary to company policy).
> The specific problem that I have is that both the browser's proxy 
> servers and the VPN servers are in zone foo.tld. However, since the 
> proxy servers are on the intranet they are not resolvable from the Internet.
> I had begun tackling this problem by creating a master zone on my home 
> DNS server for foo.tld, containing only the proxy servers (and in fact 
> with the same IP addresses as on the intranet; I simply configured my 
> firewall to reroute traffic to my own proxy server). The problem is that 
> with this setup my DNS server authoritatively states that the VPN 
> servers (or any other addresses in foo.tld) don't exist.
> I cannot request a zone transfer and simply edit that, because (1) zone 
> transfers are not allowed by the foo.tld name servers, and (2) I don't 
> want to have to keep doing this for ever more.
> My question therefore: Can I cause bind to first consult a local zone 
> file for a domain, and if a query cannot be resolved by doing that 
> forward the query to another name server?
No, there is no "failover forwarding" in BIND. Maybe some other DNS 
implementation supports this.

Why don't you just reconfigure your browser to access your proxy 
directly, *without* using the foo.tld name? Seems to me your proxy could 
then be smart enough to route things appropriately, according to what 
network connectivity you happen to have at any particular point in time.

                              - Kevin
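To make the shadowing effect in Jan's setup concrete, here is an added illustration (not configuration posted by either participant) of a local master zone for foo.tld that holds only the proxy records; the proxy host names, the address 192.0.2.x values and the file path are constructed placeholders.

```conf
// named.conf fragment (added illustration, constructed values)
// Declaring foo.tld as a master zone makes this server authoritative for the
// whole name. BIND has no "consult the local zone, then forward on a miss"
// mode, so any name absent from the zone file gets an authoritative NXDOMAIN
// instead of a lookup against foo.tld's real name servers.
zone "foo.tld" {
    type master;
    file "/etc/bind/db.foo.tld";   // constructed path
};

// /etc/bind/db.foo.tld (constructed zone file)
// $TTL 3600
// @        IN SOA  ns.home.example. hostmaster.home.example. (
//                  2006101301 3600 900 604800 300 )
//          IN NS   ns.home.example.
// proxy1   IN A    192.0.2.10   ; intranet proxy address, rerouted by the home firewall
// proxy2   IN A    192.0.2.11
// ; the VPN servers are not listed here, so vpn.foo.tld resolves to NXDOMAIN
// ; while this zone is loaded, regardless of which network the laptop is on
```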