DNS passthrough on no explicit result?

Carl Byington carl at byington.org
Fri Jan 31 17:08:22 UTC 2014


On Fri, 2014-01-31 at 11:10 -0500, Steve Presser wrote:
> I'm trying to figure out how to do some sort of pass through
> arrangement, where the internal BIND server will first attempt to do
> the lookup with local records. If it has no local record, it will then
> fall back to the answer returned by the external (zoneedit) server.

You can do this by (ab)using the RPZ functionality.

Assuming your internal bind server is only used/accessible by your
internal machines, and that all of those internal machines only use your
internal BIND server(s), you can:

in named.conf:

response-policy { zone "rpz.example.com"; };
zone "rpz.example.com" {type master; file "named.rpz.example.com";};

in named.rpz.example.com:

internalhost1.example.com  A 10.11.12.13


Names like mail.example.com get resolved via your external public name
server. However, internalhost1.example.com, which would return nxdomain
from the external name server, now returns 10.11.12.13 from your
internal server.


The advantage here is that you only need to maintain the public data in
one place, and the internal overrides in one place.


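As an added illustration (not part of Carl's message or of BIND itself), the script below builds a loadable rpz.example.com zone file from a list of internal hosts, including the SOA and NS records BIND needs before it will serve the zone, and simulates which queries the policy rewrites versus passes through. The zone name, the placeholder ns/hostmaster names and the rule that only names under example.com may be overridden are assumptions of this example; the last one is a guard against a stray entry hijacking an unrelated domain for every internal client.

```python
from __future__ import annotations
import ipaddress
import re

RPZ_ZONE = "rpz.example.com"            # zone named in response-policy {} (from the thread)
ALLOWED_SUFFIXES = ("example.com",)     # assumption: only our own domains may be overridden
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot, the way the resolver compares names."""
    return name.rstrip(".").lower()

def check_override(name: str, ip: str) -> tuple[str, str]:
    """Reject malformed names, non-IPv4 data and names outside the domains we own."""
    name = normalise(name)
    if not all(_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"bad hostname {name!r}")
    if not any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES):
        raise ValueError(f"{name!r} is outside the domains this RPZ may override")
    return name, str(ipaddress.IPv4Address(ip))

def build_rpz_zone(overrides: dict[str, str], serial: int = 1) -> str:
    """Zone-file text for RPZ_ZONE: SOA/NS first, then one A trigger per internal host."""
    lines = [
        f"$ORIGIN {RPZ_ZONE}.",
        "$TTL 300",
        f"@ IN SOA ns.{RPZ_ZONE}. hostmaster.{RPZ_ZONE}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS ns.{RPZ_ZONE}.",
        "ns IN A 127.0.0.1",  # placeholder glue; an RPZ zone is never queried directly
    ]
    for name, ip in sorted(overrides.items()):
        name, ip = check_override(name, ip)
        # A relative owner name becomes <qname>.rpz.example.com, the QNAME trigger.
        lines.append(f"{name} IN A {ip}")
    return "\n".join(lines) + "\n"

def lookup(qname: str, overrides: dict[str, str]) -> str | None:
    """Simulate the policy: the override address if a trigger matches, else None (pass through)."""
    table = {check_override(n, a)[0]: a for n, a in overrides.items()}
    return table.get(normalise(qname))

# Constructed sample data: the single override from the thread.
INTERNAL = {"internalhost1.example.com": "10.11.12.13"}

if __name__ == "__main__":
    print(build_rpz_zone(INTERNAL))
    for q in ("internalhost1.example.com", "mail.example.com"):
        print(q, "->", lookup(q, INTERNAL) or "pass through to external server")
```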