Bind with publicly routable DDNS mappings for IPv6 but not IPv4

Mark Andrews marka at isc.org
Tue Jan 25 01:28:38 UTC 2011


In message <7BC44907-7C33-4F7C-9868-92798B7EF6B8 at gmail.com>, Chris Buxton writes:
> Can't be done with just BIND. You need some kind of solution to strip
> out the private IPv4 address space before publishing data to the outside
> world. (Are you sure your workstations really need to have their
> routable addresses published to the outside world? Sounds dangerous to
> me.)
> 
> For example, you could write a script that would grab a copy of the
> internal zone, strip out what you don't want, and republish on an
> external-facing name server, and then run that script on a 5 minute cron
> job.

Or use dig and ixfr to get the recent changes to the internal zone and
apply the ones that match your filter to the external zones.

e.g.
% dig +noall +answer ixfr=2007104570 dv.isc.org | awk -f ixfr2nsupdate
update delete sapphire.dv.isc.org.	1200	IN	A	192.168.1.2
update add sapphire.dv.isc.org.	1200	IN	A	192.168.1.2
update delete sapphire.dv.isc.org.	1200	IN	A	192.168.1.2
update add sapphire.dv.isc.org.	1200	IN	A	192.168.1.5
% 

ixfr2nsupdate:
# Each SOA in the IXFR answer toggles between the "delete" and "add"
# halves of a change set; the first SOA is just the current-serial marker.
BEGIN { mode="none"; }
$4 == "SOA" {
        if (mode == "none") { mode = "add"; }
        else if (mode == "delete") { mode = "add" }
        else { mode = "delete" }
        next;
}
# DNSSEC records are regenerated by the signing server, so never copy them.
$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next }
# Everything else becomes an nsupdate "update add/delete <RR>" line.
{ print "update", mode, $0 }

Mark
 
> Chris Buxton
> BlueCat Networks
> 
> On Jan 24, 2011, at 7:28 AM, Michael Himbeault wrote:
> 
> > So I appear to have fallen into the cracks of "stuff the internet is
> > completely useless for looking up". I can't come up with any useful set
> > of keywords, so here I am.
> >
> > I'm attempting to configure DDNS between ISC DHCPD and BIND. I want
> > DDNS for both IPv4 and IPv6. I have this. Cool. Now, I want to publish
> > the IPv6 DDNS mappings out to the internet at large so every host can
> > have a publicly routable IP address and no one has to remember any 32
> > character addresses. I would like this to be accomplished by everyone
> > hanging off of the domain.
> >
> > For example a computer (hostname: pinky) connects to the network, and
> > now everyone on the internal network can ping either pinky or
> > pinky.example.com. If they are IPv4 only, they will get pinky's IPv4
> > leased address, and if they are dual-stack or IPv6 they will get pinky's
> > IPv6 address since pinky.riebart.ca will have both A and AAAA records. I
> > also want anyone on the internet at large to be able to ping
> > pinky.example.com and, if they are IPv6 enabled, will get replies since
> > pinky's IPv6 address is publicly routable. Attempts to get an A record
> > for pinky.example.com should fail.
> >
> > Problem is, how do I do this without polluting the internet with my
> > private IPv4 DDNS mappings and without requiring an extra subdomain? The
> > inside clients need to see both the IPv6 and IPv4 mappings, but the
> > external queries should never see the IPv4 mappings. I can't just
> > copy-paste the zone files since they are both being dynamically updated
> > through DDNS. Additionally, since the DHCP client support for DHCP
> > option 119 (DNS domain search list) is pretty abysmal I would really
> > like to not have to put ipv4 mappings onto <HOSTNAME>.ipv4.example.com.
> >
> > Any suggestions?
> >
> > Thanks,
> > Mike
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
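An added example, not Mark's script or anything from ISC: the same dig/awk pipeline with the filter the thread leaves to the reader (A records in RFC 1918 space stay internal, AAAA records go out), plus the "server" and "send" lines nsupdate needs to actually apply the batch. The zone, host names, serials and the external server name ns-ext.example.com are constructed.

```shell
#!/bin/sh
# Added example: convert the answer section of
# "dig +noall +answer ixfr=<serial> <zone>" into nsupdate commands for the
# external zone, dropping A records in 10/8, 172.16/12 and 192.168/16 so
# private IPv4 DDNS mappings never leave the internal view.
# Usage: ixfr2nsupdate <external-server>   (reads dig output on stdin)
ixfr2nsupdate() {
    awk -v server="$1" '
    BEGIN { mode = "none"; n = 0; if (server != "") print "server", server }
    # Each SOA in an IXFR answer toggles between the "delete" and "add"
    # halves of a change set; the first SOA is the current-serial marker.
    # If the server falls back to AXFR, every record lands in "add".
    $4 == "SOA" {
        if (mode == "none")        mode = "add"
        else if (mode == "delete") mode = "add"
        else                       mode = "delete"
        next
    }
    # DNSSEC metadata is regenerated by the signing server; never copy it.
    $4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next }
    # The filter: RFC 1918 A records are never published externally.
    $4 == "A" && ($5 ~ /^10\./ || $5 ~ /^192\.168\./ ||
                  $5 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { next }
    { print "update", mode, $0; n++ }
    # Only transmit when there is something to apply.
    END { if (n > 0) print "send" }
    '
}

# Constructed IXFR answer: serial 2011012501 -> 2011012502 moved pinky
# from 192.168.1.2 / 2001:db8::2 to 192.168.1.5 / 2001:db8::5.
SAMPLE_IXFR='example.com. 1200 IN SOA ns1.example.com. hostmaster.example.com. 2011012502 3600 900 604800 1200
example.com. 1200 IN SOA ns1.example.com. hostmaster.example.com. 2011012501 3600 900 604800 1200
pinky.example.com. 1200 IN A 192.168.1.2
pinky.example.com. 1200 IN AAAA 2001:db8::2
pinky.example.com. 1200 IN RRSIG AAAA 8 3 1200 20110301000000 20110201000000 12345 example.com. c29tZXNpZw==
example.com. 1200 IN SOA ns1.example.com. hostmaster.example.com. 2011012502 3600 900 604800 1200
pinky.example.com. 1200 IN A 192.168.1.5
pinky.example.com. 1200 IN AAAA 2001:db8::5
example.com. 1200 IN SOA ns1.example.com. hostmaster.example.com. 2011012502 3600 900 604800 1200'

# Real pipeline (e.g. from cron), signing the update with a TSIG key file:
#   dig +noall +answer ixfr=$(cat last.serial) example.com \
#     | ixfr2nsupdate ns-ext.example.com | nsupdate -k <tsig-keyfile>
demo() { printf '%s\n' "$SAMPLE_IXFR" | ixfr2nsupdate ns-ext.example.com; }
```

Running demo emits only the two AAAA changes wrapped in server/send; the 192.168.1.x A records and the RRSIG are dropped.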


