Request assistance configuring RPZ

David Bank dbank at ncdot.gov
Tue May 28 16:16:27 UTC 2019


Hello to the list. Long-time BIND user here - a big "Thank You!" to ISC 
for all they do.

I'm finding myself out past the limits of my knowledge, and I'm asking for 
help. My environment is BIND 9.11.2, on SLES 12 SP4.

I'm thinking of using the Response Policy Zones feature to solve a 
problem, but I have no experience with the configuration. The online 
examples and discussions I've found are geared more towards DNS firewalls, 
which is not really what I'm trying to do.

Consider the Zone 'internal.local'. It has 2 DNS servers, 
buzz.internal.local and woody.internal.local; they both are authoritative 
(forward and reverse) for the Zone. They serve all of the clients in 
internal.local, and all hosts have IP addresses 10.AAA.BBB.CCC.

I've created a special network "bubble", where the IP addressing is 
192.168.XXX.YYY, and in which selected hosts will briefly live before they 
are moved to the 10.AAA.BBB.CCC network. While in this bubble, they 
self-identify as hosts in the internal.local Domain; however, they have no 
direct connectivity to buzz or woody; instead, via DHCP, they are told to 
use zurg.internal.local for DNS. zurg is on a host that has IPs in both 
the 10. and 192.168. networks (but zurg's DNS server only listens on the 
192.168. network, and is the only DNS server in that network).

I want to configure zurg so that it will refer ALL requests to buzz or 
woody; however, when a request is made to resolve andy.internal.local or 
sid.internal.local, then zurg rewrites those IPs from the 10. addresses 
that buzz and woody know about to 192.168. addresses that only zurg knows. 
andy and sid also have addresses in both networks.

Reverse lookups shouldn't be an issue - hosts won't live in this bubble 
long enough to care.

To recap what I'm attempting to create: a host in the 10. network knows to 
ask buzz or woody for DNS resolution, and if such a host wants to resolve 
andy.internal.local, it gets (for example) 10.0.2.4 (moreover, the host 
can't even reach the DNS server on zurg). This part already exists.

However, a host in the 192.168. network has been told to use zurg, and if 
it asks to resolve andy.internal.local, I want it to get 192.168.8.9 (even 
though when zurg forwarded the request to buzz, the response was 10.0.2.4).

When zurg takes a request from a host in the 192.168. network to resolve 
anything EXCEPT andy or sid, then the request is processed normally, and 
zurg returns whatever reply was given by buzz or woody.

Is such a configuration possible, and how do I do it?

BTW, right now, zurg is up and running - I understand his configuration 
will have to radically change. Currently, he considers himself as 
authoritative for internal.local, but he only knows of 2 hosts (andy and 
sid); he does not forward and does not contain the full Zone information 
for internal.local.

Please let me know if additional information is needed.
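One way to express what the post asks for in BIND 9.11, added here as an example and not taken from the original post or from ISC's documentation: zurg becomes a forward-only resolver for the 192.168. network, and a Response Policy Zone with "Local Data" records overrides the answers for andy and sid. The listen address, the forwarder addresses for buzz and woody, the directory and sid's bubble address are placeholders; only 192.168.8.9 for andy comes from the post.

```conf
# --- named.conf on zurg (example; every address except 192.168.8.9 is a placeholder) ---
options {
    directory "/var/named";             # placeholder; use the distribution's named directory
    listen-on { 192.168.0.53; };        # zurg's 192.168. interface only (placeholder)
    allow-query { 192.168.0.0/16; };    # answer only the bubble clients
    recursion yes;
    forward only;                       # never resolve on our own, always ask the forwarders
    forwarders { 10.0.0.53; 10.0.0.54; };   # buzz and woody (placeholder addresses)
    # Every answer obtained through the forwarders is checked against this
    # policy zone before it is returned to the client.
    response-policy { zone "bubble.rpz"; };
};

# The policy zone is held locally and is never served to clients as ordinary data.
zone "bubble.rpz" {
    type master;
    file "bubble.rpz.db";
    allow-query { none; };
    allow-transfer { none; };
};

# --- bubble.rpz.db (zone-file syntax; ';' starts a comment) ---
$TTL 60
@   IN  SOA localhost. hostmaster.internal.local. ( 1 3600 900 604800 60 )
    IN  NS  localhost.
; "Local Data" rules: the owner name is the queried name itself, written relative
; to the policy zone, and the records here replace whatever buzz or woody returned.
andy.internal.local   IN  A  192.168.8.9    ; bubble address given in the post
sid.internal.local    IN  A  192.168.8.10   ; placeholder; the post gives no address for sid
; Names without a rule here are passed through with the forwarded answer unchanged.
```

This replaces zurg's present authoritative copy of internal.local with forwarding, as the post already expects, so the `zone "internal.local"` stanza on zurg is dropped. From a bubble host, `dig @zurg andy.internal.local` should now return 192.168.8.9 while `dig @zurg buzz.internal.local` returns whatever buzz or woody answered.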

