Question that has dogged me for a while.

[Dr. Rolf Jansen]

Am 05.05.2017 um 21:14 schrieb Karl Denninger <karl at denninger.net>:
> On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
>> Am 05.05.2017 um 20:53 schrieb Karl Denninger <karl at denninger.net>:
>>> On 5/5/2017 14:33, Julian Elischer wrote:
>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>>> is usually the better choice.
>>>>> 
>>>>> IMHO a DNS based solution is much more effective.
>>>>> 
>>>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>>>> let's assume, the second level domain name in question is
>>>>> example.com, and your web server would be accessed by
>>>>> www.example.com, while other services, e.g. mail are served from
>>>>> other sites on the internet.
>>>> I believe this is a much cleaner solution thanusing double NAT.
>>>> (see also my solution for if the server is also freebsd)
>>>> even though we have a nice set of new IPFW capabilities that can do
>>>> this, I still think double nat is an over complication of the system.
>>>> 
>>> Well, the DNS answer is one that works IF you control the zone in
>>> question every time. ...
>> I do not understand "control the zone ... every time".
>> 
>> I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.
>> 
>> I understand that you actually didn't grasp the transparent zone technic.
>> 
>> Happy double nat'ting :-D
> On the contrary I do understand it (and how to do it), along with how to
> throw "off-network" packets at the other host.  Both ways work (unbound
> is arguably simpler than BIND, but it'll work in both cases) but the
> point is that you then must keep two things in sync rather than do one
> thing in one place.

With BIND you cannot setup a selectively transparent zone. You are talking about split DNS, and that's a different animal.