Make BIND inject queries


Make BIND inject queries

Pavel Volkov
I have recently installed BIND as a recursive resolver for a local network.

I'll explain my configuration. There's a network with hosts bound to the example.org domain, like host1.example.org, host2.example.org etc.
They make DNS queries through recursive server A.
The authoritative server for the example.org domain is server B and it's totally unrelated.

Below is an example of what I'd like to accomplish.
1. When the outside makes a DNS query for host1.example.org, it should only receive its AAAA record 2001:db8:a::1.
2. When host2 queries server A for host1.example.com, server A should return the same 2001:db8:a::1 AAAA record (resolved through the authoritative server) and also inject a 192.168.1.100 A record into the reply.

How can I set up BIND on server A to make it happen?

Re: Make BIND inject queries

staticsafe
On Tue, Jul 23, 2013 at 11:40:28AM +0400, Pavel Volkov wrote:

> I have recently installed BIND as a recursive resolver for a local network.
>
> I'll explain my configuration. There's a network with hosts bound to the
> example.org domain, like host1.example.org, host2.example.org etc.
> They make DNS queries through recursive server A.
> The authoritative server for the example.org domain is server B and it's totally
> unrelated.
>
> Below is an example of what I'd like to accomplish.
> 1. When the outside makes a DNS query for host1.example.org, it should only
> receive its AAAA record 2001:db8:a::1.
> 2. When host2 queries server A for host1.example.com, server A should
> return the same 2001:db8:a::1 AAAA record (resolved through the authoritative
> server) and also inject a 192.168.1.100 A record into the reply.
>
> How can I set up BIND on server A to make it happen?

Sounds like you want the BIND views functionality:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409
--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.


Re: Make BIND inject queries

Pavel Volkov
On Tue, Jul 23, 2013 at 11:45 AM, staticsafe <[hidden email]> wrote:
> On Tue, Jul 23, 2013 at 11:40:28AM +0400, Pavel Volkov wrote:
> Sounds like you want the BIND views functionality:
> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

As I understand it, the views functionality is for giving different answers to different clients on a single server. It's not what I need.
Internal clients only make queries to server A.
External clients query server B (authoritative for the zone).
Server A adds the part of example.com's zone which is stored on server B to its own answers.
I hope my explanation is clear.

Re: Make BIND inject queries

Alan McKinnon-2
In reply to this post by Pavel Volkov
On 23/07/2013 09:40, Pavel Volkov wrote:

> I have recently installed BIND as a recursive resolver for a local network.
>
> I'll explain my configuration. There's a network with hosts bound to the
> example.org domain, like host1.example.org, host2.example.org etc.
> They make DNS queries through recursive server A.
> The authoritative server for the example.org domain is server B and it's
> totally unrelated.
>
> Below is an example of what I'd like to accomplish.
> 1. When the outside makes a DNS query for host1.example.org, it should only
> receive its AAAA record 2001:db8:a::1.
> 2. When host2 queries server A for host1.example.com, server A should
> return the same 2001:db8:a::1 AAAA record (resolved through the authoritative
> server) and also inject a 192.168.1.100 A record into the reply.
>
> How can I set up BIND on server A to make it happen?


What you want to accomplish is cache-poisoning. There are a few ways to do
it, but it's not easy.

You can load the customized copy of the zone onto the cache that your
internal hosts use, or set up an authoritative internal-only server.

This stuff gets tricky; every time I have to investigate our setup that
does something similar, I need to work it out in my head all over again.

The best advice I can give is DO NOT TRY AND ACCOMPLISH THIS WITH ONE
DNS AUTH SERVER THAT SERVES INTERNAL AND EXTERNAL CLIENTS. That way lies
a whole lotta pain.

--
Alan McKinnon
[hidden email]

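One concrete form of the first option Alan describes (a customized copy of the zone loaded on the cache the internal hosts use), as an added example that is not from this thread or from ISC: server A serves its own master copy of example.org to internal clients only, so server B is never consulted for that name and the extra A record simply lives in the local copy. The file paths, the internal prefixes and the address of ns are assumptions.

```conf
// ---- /etc/named.conf on server A (the internal recursive resolver) ----
options {
    directory "/var/named";
    recursion yes;
    // Only the internal network may query or recurse through server A
    // (prefixes assumed), so the customized copy never leaks outside.
    allow-query     { 192.168.1.0/24; 2001:db8:a::/64; localhost; };
    allow-recursion { 192.168.1.0/24; 2001:db8:a::/64; localhost; };
};

// Local authoritative copy of example.org that shadows server B for
// internal clients. Because server A answers from this file instead of
// recursing, every record server B publishes must be duplicated here by
// hand, and anything left out disappears for internal clients.
zone "example.org" IN {
    type master;
    file "internal/example.org.zone";
    notify no;      // this copy must never be transferred anywhere
};

; ---- /var/named/internal/example.org.zone (path assumed) ----
$TTL 3600
$ORIGIN example.org.
@       IN SOA  ns.example.org. hostmaster.example.org. (
                2013072301      ; serial, bump on every edit
                3600            ; refresh
                900             ; retry
                604800          ; expire
                300 )           ; negative-answer TTL
@       IN NS   ns.example.org.
ns      IN A    192.168.1.53    ; constructed: server A's internal address

; Records copied from server B, kept identical so internal and external
; clients see the same AAAA answer.
host1   IN AAAA 2001:db8:a::1
host2   IN AAAA 2001:db8:a::2   ; constructed, as server B would publish it

; The internal-only addition: the A record the outside must never see.
host1   IN A    192.168.1.100
```

Validate the file with `named-checkzone example.org /var/named/internal/example.org.zone` before reloading, and confirm from a host outside 192.168.1.0/24 that server A refuses the query rather than revealing 192.168.1.100.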


Re: Make BIND inject queries

Pavel Volkov
On Tuesday 23 July 2013 10:25:51 Alan McKinnon wrote:

> What you want to accomplish is cache-poisoning. There are a few ways to do
> it, but it's not easy.
>
> You can load the customized copy of the zone onto the cache that your
> internal hosts use, or set up an authoritative internal-only server.
>
> This stuff gets tricky; every time I have to investigate our setup that
> does something similar, I need to work it out in my head all over again.
>
> The best advice I can give is DO NOT TRY AND ACCOMPLISH THIS WITH ONE
> DNS AUTH SERVER THAT SERVES INTERNAL AND EXTERNAL CLIENTS. That way lies
> a whole lotta pain.

I see. This is a trivial feature in Dnsmasq (that's where I got the idea
from); I didn't expect it to be this complicated in BIND.