* [gentoo-user] Make BIND inject queries
@ 2013-07-23 7:40 Pavel Volkov
2013-07-23 7:45 ` staticsafe
2013-07-23 8:25 ` Alan McKinnon
0 siblings, 2 replies; 5+ messages in thread
From: Pavel Volkov @ 2013-07-23 7:40 UTC
To: gentoo-user
I have recently installed BIND as a recursive resolver for a local network.
I'll explain my configuration. There's a network with hosts bound to the
example.org domain, like host1.example.org, host2.example.org etc.
They make DNS queries through recursive server A.
The authoritative server for the example.org domain is server B and it's totally
unrelated.
Below is an example of what I'd like to accomplish.
1. When the outside makes a DNS query for host1.example.org, it should only
receive its AAAA record 2001:db8:a::1.
2. When host2 queries server A for host1.example.com, server A should
return the same 2001:db8:a::1 AAAA record (resolved through the authoritative
server) and also inject the 192.168.1.100 A record into the reply.
How can I set up BIND on server A to make it happen?
* Re: [gentoo-user] Make BIND inject queries
2013-07-23 7:40 [gentoo-user] Make BIND inject queries Pavel Volkov
@ 2013-07-23 7:45 ` staticsafe
2013-07-23 8:11 ` Pavel Volkov
2013-07-23 8:25 ` Alan McKinnon
1 sibling, 1 reply; 5+ messages in thread
From: staticsafe @ 2013-07-23 7:45 UTC
To: gentoo-user
On Tue, Jul 23, 2013 at 11:40:28AM +0400, Pavel Volkov wrote:
> I have recently installed BIND as a recursive resolver for a local network.
>
> I'll explain my configuration. There's a network with hosts bound to the
> example.org domain, like host1.example.org, host2.example.org etc.
> They make DNS queries through recursive server A.
> The authoritative server for the example.org domain is server B and it's totally
> unrelated.
>
> Below is an example of what I'd like to accomplish.
> 1. When the outside makes a DNS query for host1.example.org, it should only
> receive its AAAA record 2001:db8:a::1.
> 2. When host2 queries server A for host1.example.com, server A should
> return the same 2001:db8:a::1 AAAA record (resolved through the authoritative
> server) and also inject the 192.168.1.100 A record into the reply.
>
> How can I set up BIND on server A to make it happen?
Sounds like you want the BIND views functionality:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409
--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.
* Re: [gentoo-user] Make BIND inject queries
2013-07-23 7:45 ` staticsafe
@ 2013-07-23 8:11 ` Pavel Volkov
0 siblings, 0 replies; 5+ messages in thread
From: Pavel Volkov @ 2013-07-23 8:11 UTC
To: gentoo-user
On Tue, Jul 23, 2013 at 11:45 AM, staticsafe <me@staticsafe.ca> wrote:
> On Tue, Jul 23, 2013 at 11:40:28AM +0400, Pavel Volkov wrote:
>
> Sounds like you want the BIND views functionality:
> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409
As I understand it, views functionality is for giving different answers for
different clients on a single server. It's not what I need.
Internal clients only make queries to server A.
External clients query server B (authoritative for the zone).
Server A adds example.com's zone part which is stored on server B to
its own answers.
I hope my explanation is clear.
* Re: [gentoo-user] Make BIND inject queries
2013-07-23 7:40 [gentoo-user] Make BIND inject queries Pavel Volkov
2013-07-23 7:45 ` staticsafe
@ 2013-07-23 8:25 ` Alan McKinnon
2013-07-23 17:24 ` Pavel Volkov
1 sibling, 1 reply; 5+ messages in thread
From: Alan McKinnon @ 2013-07-23 8:25 UTC
To: gentoo-user
On 23/07/2013 09:40, Pavel Volkov wrote:
> I have recently installed BIND as a recursive resolver for a local network.
>
> I'll explain my configuration. There's a network with hosts bound to the
> example.org domain, like host1.example.org, host2.example.org etc.
> They make DNS queries through recursive server A.
> The authoritative server for the example.org domain is server B and it's
> totally unrelated.
>
> Below is an example of what I'd like to accomplish.
> 1. When the outside makes a DNS query for host1.example.org, it should
> only receive its AAAA record 2001:db8:a::1.
> 2. When host2 queries server A for host1.example.com, server A should
> return the same 2001:db8:a::1 AAAA record (resolved through the
> authoritative server) and also inject the 192.168.1.100 A record into
> the reply.
>
> How can I set up BIND on server A to make it happen?
What you want to accomplish is cache-poisoning. There's a few ways to do
it, but it's not easy.
You can load the customized copy of the zone onto the cache that your
internal hosts use, or set up an authoritative internal-only server.
This stuff gets tricky, every time I have to investigate our setup that
does something similar, I need to work it out in my head all over again.
The best advice I can give is DO NOT TRY AND ACCOMPLISH THIS WITH ONE
DNS AUTH SERVER THAT SERVES INTERNAL AND EXTERNAL CLIENTS. That way lies
a whole lotta pain.
--
Alan McKinnon
alan.mckinnon@gmail.com
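
The "customized copy of the zone" option from the reply above, sketched as a named.conf for server A. This is an added example, not part of the original thread and not either poster's configuration. The LAN prefix 192.168.1.0/24, the file paths and the ns-internal host with its address are assumptions.

```conf
// named.conf on server A, the internal recursive resolver (constructed example).
acl internal { 127.0.0.1; ::1; 192.168.1.0/24; };   // assumed LAN prefix

options {
    directory "/var/bind";            // assumed path
    recursion yes;
    allow-query       { internal; };  // outside clients get no answers from A
    allow-recursion   { internal; };  // and A is never an open resolver
    allow-query-cache { internal; };
};

// Customized copy of example.org, loaded only on server A.
// A answers names in this zone from the local file and no longer asks
// server B for them, so every public record that internal hosts need
// (here the AAAA) has to be mirrored in this file and kept in sync by hand.
zone "example.org" {
    type master;
    file "pri/example.org.internal.zone";   // assumed file name
    allow-transfer { none; };               // the private copy never leaves A
    notify no;
};

/* Contents of pri/example.org.internal.zone (constructed):

$TTL 300
@            IN SOA  ns-internal.example.org. hostmaster.example.org. (
                     2013072301 ; serial
                     3600       ; refresh
                     900        ; retry
                     604800     ; expire
                     300 )      ; negative-caching TTL
             IN NS   ns-internal.example.org.
ns-internal  IN A    192.168.1.1      ; assumed address of server A
host1        IN AAAA 2001:db8:a::1    ; same record server B publishes
host1        IN A    192.168.1.100    ; visible to internal clients only

*/
```

named-checkconf and named-checkzone validate both pieces before a reload. Server B is left untouched, so outside clients still see only the AAAA record.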
* Re: [gentoo-user] Make BIND inject queries
2013-07-23 8:25 ` Alan McKinnon
@ 2013-07-23 17:24 ` Pavel Volkov
0 siblings, 0 replies; 5+ messages in thread
From: Pavel Volkov @ 2013-07-23 17:24 UTC
To: gentoo-user
On Tuesday 23 July 2013 10:25:51 Alan McKinnon wrote:
> What you want to accomplish is cache-poisoning. There's a few ways to do
> it, but it's not easy.
>
> You can load the customized copy of the zone onto the cache that your
> internal hosts use, or set up an authoritative internal-only server.
>
> This stuff gets tricky, every time I have to investigate our setup that
> does something similar, I need to work it out in my head all over again.
>
> The best advice I can give is DO NOT TRY AND ACCOMPLISH THIS WITH ONE
> DNS AUTH SERVER THAT SERVES INTERNAL AND EXTERNAL CLIENTS. That way lies
> a whole lotta pain.
I see. This is a trivial feature in Dnsmasq (that's where I got the idea
from), didn't expect it to be this complicated in BIND.