Dns doctoring/dnsmasq -V on bind?

someone someone at jvales.net
Mon Jan 17 00:23:39 UTC 2011


After googeling a lot I kinda gave up and ended here.

Im running a bind server, where we have out .loc zone on and also use it for
We have our domains hosted @ our ISP's DNS-Servers.
Now recently management decided to migrate from cisco to
Now as you might know, there is a dns-doctoring feature on cisco devices,
that will rewrite ip addresses in dns-query-responses.

I found a nice non-cisco explanation by someone who had my problem some
years ago:

> My dns server sits outside my firewall on the internet and answers queries
for both my internal network and the world. Of course it only contains real
world ips.
> The pix has an option (called alias) that doctors dns request from my
internal lan so that the reply packet contains the internal ip address
instead of the public address given out by my dns server. 
> This lets the internal machines access internal hosts via dns without
having to run two dns servers.  For example with following command:
> alias (inside)
> all dns queries passing through the pix containing the address
are re-written to contain

He obviously didnt get an answer from the netfilter dudes...

Well dnsMasq seems to have the -V option which seems to work like dns
doctoring on cisco devices.
Im curious if there is an equivalent function on bind servers.
I do not want to have dhcpd + bind + dnsmasq on one machine and use some
hacks (loopback interfaces + iptables redirects) to achieve dnsdoctoring
with dnsmasq - if possible.
Also creating zones for all domains and subdomains that are hosted on the
remote nameservers is not an option either.

If you have any ideas how to do dns doctoring with bind9 (or netfilter)
please give me some hints ;)


More information about the bind-users mailing list