<div dir="auto">Hi Grant,<div dir="auto"><br></div><div dir="auto">I don't usually wade in on these, but I also believe RPZ would be the simplest way to achieve this.</div><div dir="auto"><br></div><div dir="auto">You're close, I think. Using Carl's information and what you've done there, add the following.</div><div dir="auto"><br></div><div dir="auto">In order to keep the same zone working with 10. addressing for all other (not in bubble) clients, create CNAME records in your master internal.local zone for these two records you want to have a 192. address for. On the same master, create a new zone where you will have the A record your CNAME will resolve to, a 10. address. This will take care of all clients not in the bubble.</div><div dir="auto"><br></div><div dir="auto">On zurg, with your RPZ, have that configured for the same domain as the new domain you've created on the master.</div><div dir="auto"><br></div><div dir="auto">This should mean that all queries are forwarded to your other boxes, except anything for that domain in the RPZ. The initial query for andy or sid will be forwarded to the forwarding servers but will return a CNAME to the zurg recursor. Zurg should then go to resolve the CNAME but check its RPZ first, responding with the 192.x addressing you've got in the RPZ for each of the two hosts.</div><div dir="auto"><br></div><div dir="auto">It's not tidy, I'll give you that, but this is an interesting scenario for more than just the DNS: you're bridging 2 networks with multiple multi-homed machines. 
This is not recommended from a security perspective; you should use a gateway/FW to perform this work, routing between the networks.</div><div dir="auto"><br></div><div dir="auto">All the best.</div><div dir="auto">Jon</div><br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Thu, 30 May 2019, 02:14 Carl Byington via bind-users, <<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, 2019-05-29 at 09:05 -0400, David Bank wrote:<br>
> Re-reading the ARM, it seemed to me that I needed to add a<br>
<br>
After adding the zone and the response-policy statement to named.conf, I<br>
presume you did:<br>
<br>
rndc reconfig<br>
<br>
To test that you can:<br>
<br>
dig rpz.internal.local axfr @zurg<br>
<br>
That should dump the rpz zone, and verify that zurg is serving it. The<br>
response-policy should be in the global options.<br>
<br>
</blockquote></div></div>
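<p>The layout Jon describes (the two hosts become CNAMEs on the master into a second zone, and zurg carries an RPZ for that same zone), written out as an added example that is not from the thread; the zone name bubble.internal.local, the 10.0.5.x and 192.168.50.x addresses, the forwarder 10.0.0.53 and the name server names are assumed placeholders:</p>

```conf
// --- zurg: named.conf fragment (added example; addresses and names assumed) ---
options {
    directory "/var/named";
    recursion yes;
    // Everything the RPZ does not catch is forwarded to the existing resolvers.
    forwarders { 10.0.0.53; };
    forward only;
    // response-policy must sit in the global options block, not in a view/zone.
    response-policy { zone "rpz.internal.local"; };
};

zone "rpz.internal.local" {
    type master;
    file "rpz.internal.local.db";
    // The policy zone is internal: only allow the host you test from to
    // query or transfer it (dig rpz.internal.local axfr @zurg from zurg itself).
    allow-query    { localhost; };
    allow-transfer { localhost; };
};

; --- zurg: rpz.internal.local.db (RPZ zone file) ---
$TTL 300
@   IN SOA  zurg.internal.local. hostmaster.internal.local. (
            2019053001 3600 900 604800 300 )
    IN NS   localhost.
; QNAME triggers: only the names the master's CNAMEs point at get the 192.x answer.
andy.bubble.internal.local  IN A  192.168.50.10
sid.bubble.internal.local   IN A  192.168.50.11

; --- master: additions to internal.local (the two hosts become CNAMEs) ---
andy   IN CNAME andy.bubble.internal.local.
sid    IN CNAME sid.bubble.internal.local.

; --- master: new zone bubble.internal.local (10.x answers for everyone else) ---
$TTL 300
@      IN SOA  ns1.internal.local. hostmaster.internal.local. (
               2019053001 3600 900 604800 300 )
       IN NS   ns1.internal.local.
andy   IN A    10.0.5.10
sid    IN A    10.0.5.11
```

<p>A client using the existing resolvers follows the CNAME to the 10.0.5.x record, while zurg follows the same CNAME but matches its RPZ QNAME rule for andy.bubble.internal.local first and answers 192.168.50.10. Reload zurg with rndc reconfig after editing named.conf, and confirm the policy zone is being served with the axfr check Carl gave.</p>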