split DNS for clients through a proxy

Mark Andrews Mark_Andrews at isc.org
Sun Jan 13 23:54:16 UTC 2008


> Mark Andrews wrote:
> >> I need to know if there is a way to create a split forwarding DNS server
> >> with BIND 9 such that two groups of client machines are being serviced
> >> indirectly by two different external DNS servers. The purpose for this
> >> is to use the adult content filtering functionality of OpenDNS for
> >> machines used by children and another non-filtering DNS for machines
> >> used by adults. Yes, I do understand this is easily done using BIND 9
> >> views, but that depends on knowing the client machine's IP address. So
> >> here comes the wrinkle... All client machines are configured such that
> >> their web browsers go through a Privoxy proxy which resides on the same
> >> machine as the forwarding DNS service. The result of this is that client
> >> machines do not actually make the DNS queries - Privoxy does this for
> >> them, which means the forwarding DNS server only ever sees the queries
> >> as coming from its own IP address. The question is whether anyone knows
> >> of a way of achieving the split-DNS effect in this scenario.
> >>
> >> H.
> > 
> > 	Give the machines different proxies.
> 
> Unless I'm overlooking something, two proxies running on the same server 
> wouldn't help as both would still be querying the DNS from the same IP 
> address (aka localhost) and are thus indistinguishable. True?

	No.  There are many ways to virtualise the service.
	On a Unix/Linux box chroot is one of the simpler ones.

> Adding a 
> second machine is something we'd very much like to avoid. Privoxy can 
> distinguish between clients, so an obvious question to ask is this: Is 
> there a way to tag a DNS query such that BIND can pick up that 
> additional information and select a view accordingly?

	Named can listen on multiple (virtual) interfaces.  It can
	select which view gets the query based on which interface it
	is sent to.

	You can also use TSIGs to select views.
 
> FWIW, the server in question is running FreeBSD v5.3. In case it has not 
> become obvious yet, I'm a novice with DNS servers.
> 
> H.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
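What the two mechanisms Mark describes look like in named.conf, as an added example that is not part of the original thread and was not written by the poster or by ISC. It assumes lo0 carries two extra loopback aliases, 127.0.0.2 and 127.0.0.3 (on FreeBSD, something like `ifconfig lo0 alias 127.0.0.2 netmask 0xffffffff`), that each Privoxy instance runs in its own chroot whose /etc/resolv.conf names exactly one of those aliases, and that the unfiltered upstream resolver is the placeholder 192.0.2.53. The OpenDNS addresses are the ones OpenDNS publishes; the TSIG secret is a placeholder.

```conf
// Added example (not from the original thread).  named.conf that gives two
// Privoxy instances on the same host two different forwarding views, even
// though both send queries from 127.0.0.1.
//
// Assumptions: lo0 has aliases 127.0.0.2 and 127.0.0.3; the "kids" proxy
// chroot has "nameserver 127.0.0.2" in its resolv.conf, the "adults" proxy
// chroot has "nameserver 127.0.0.3"; 192.0.2.53 stands in for your own
// unfiltered upstream resolver.

options {
    directory "/etc/namedb";
    // Listen only on the per-view aliases, not on 127.0.0.1, so a query to
    // the wrong address is refused rather than falling into some default view.
    listen-on { 127.0.0.2; 127.0.0.3; };
    recursion yes;
};

// Mechanism 2: a TSIG key.  A query signed with this key selects the "kids"
// view whatever address it is sent to.  Privoxy cannot sign queries, so this
// only helps resolvers or tools that can (e.g. dig -y hmac-md5:kids:<secret>).
// hmac-md5 is what older BIND 9 releases support; newer ones also take hmac-sha256.
key "kids" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";   // placeholder, replace
};

// Views are tried in order; the first whose match-clients AND
// match-destinations both match wins.

view "kids-signed" {
    match-clients { key kids; };          // TSIG-signed queries land here first
    recursion yes;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };   // OpenDNS (filtering)
};

// Mechanism 1: select on the *destination* address the query arrived on.
view "kids" {
    match-clients { 127.0.0.0/8; };
    match-destinations { 127.0.0.2; };    // only the child proxy is told to use this
    recursion yes;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };   // OpenDNS (filtering)
};

view "adults" {
    match-clients { 127.0.0.0/8; };
    match-destinations { 127.0.0.3; };
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };           // placeholder: unfiltered upstream
};
```

Check it from the host with `named-checkconf`, then `dig @127.0.0.2 example.com` and `dig @127.0.0.3 example.com`; the two answers should come from different forwarders. The important caveat is that this is a policy split, not a security boundary: anything on the host that can open a socket to 127.0.0.3, or that can edit its own resolv.conf, gets the unfiltered view, which is why the child proxy belongs in a chroot (or a jail) it cannot escape, as Mark suggests.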