DNS config help
Damien Fleuriot
ml at my.gd
Thu Nov 3 10:00:26 UTC 2011
On 11/3/11 8:51 AM, Matthew Seaman wrote:
> On 02/11/2011 20:52, AN wrote:
>> I have a question about how to configure DNS. My local network is 10.x,
>> and I sometimes need to connect to a remote VPN. My question is how do
>> I configure BIND to forward queries to a different server only for a
>> specific domain.
>
> This sounds like a job for a static-stub domain. That's a fairly new
> feature in BIND, so you may well need to install bind98 from ports. See
> the documentation here:
>
> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar
>
You can simply create a forward zone.
If this should only apply to your VPN clients, then create a view that
matches only their IP, for example:
    // Clients that get the VPN-aware view: localhost plus the LAN.
    acl trusted { 127.0.0.1; ::1; 192.168.0.0/24; };

    view "internal_in" in {
        match-clients { trusted; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;

        // Root hints so this view can still recurse for everything else.
        zone "." {
            type hint;
            file "named.root";
        };

        // Only this domain is sent to the resolver on the VPN side.
        // "forward only" means there is no fallback to public resolution
        // if the forwarder does not answer.
        zone "avocat-conseil.fr" {
            type forward;
            forwarders { 192.168.252.252; };
            forward only;
        };
    };
I have this exact setup here; allow me to explain.
There's a server at my parents' office (wow, this sounds so awkward when
I re-read it) that handles:
- dhcp
- dns
- firewalling
- smb shares
- routing
There's also a small VPN box that's, so to speak, outside our perimeter
because it's an appliance and I have zero control over it. It runs at
192.168.252.252 in its own separate VLAN and establishes a VPN with some
law organization thingy, using an IP range of 172.30.*.
From the server, I route 172.30.* to the VPN box, and I also make that
box authoritative for a few domains, including the one quoted above.
I'm not certain what you're trying to accomplish, but this works like a
charm here.
>> When I am connected to the VPN, vpn.example.com, I want queries for
>> anything going to example.com to go to a specific DNS, and everything else
>> on 10.x to go to my regular DNS. Please let me know if I need to
>> provide more info. Thanks in advance for any help.
>
> Hmmm.... I don't think you're going to have much fun at all if you try
> and modify your named configuration depending on whether your VPN is up
> or not. DNS TTLs are generally of the order of days -- that should be
> taken as a measure of the minimum time that should go between restarts
> of a recursive DNS (ideally, and as a long term average). Better to
> just fail the lookup when the VPN is down.
>
Actually, using a view that matches only the VPN's IP range would do the
trick easily and efficiently.
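As an added example (not Damien's configuration and not part of the original thread), here is a complete named.conf skeleton that applies the view-plus-forward-zone approach to the original poster's case: a 10.x LAN, the remote domain example.com, and a resolver reachable over the VPN. The addresses, the directory, and the view names are assumptions; replace them with your own. It also shows the two checks a practitioner would want in place: "forward only" so a down tunnel fails the lookup instead of leaking it to the public Internet, and DNSSEC validation disabled in the internal view, because an unsigned private namespace cannot validate against the public chain.

```conf
// Added example, not from the original post. Assumed values:
//   10.0.0.0/8       the local LAN
//   10.0.0.1         this server's LAN address
//   172.30.0.53      the resolver on the far side of the VPN
//   example.com      the domain that must resolve via the VPN
//   /usr/local/etc/namedb  the FreeBSD bind port's default directory

acl "trusted" { 127.0.0.1; ::1; 10.0.0.0/8; };

options {
    directory "/usr/local/etc/namedb";
    listen-on { 127.0.0.1; 10.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { "trusted"; };
};

// View for LAN clients: full recursion, with one domain forwarded
// over the VPN and everything else resolved normally.
view "internal" in {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };

    // The remote namespace is private and unsigned; validating it against
    // the public DNSSEC chain would SERVFAIL. Newer BIND (9.13+) can
    // instead keep validation on and list the domain in validate-except.
    dnssec-validation no;

    // Once any view is defined, every zone must live inside a view,
    // including the root hints this view needs to recurse.
    zone "." {
        type hint;
        file "named.root";
    };

    // Only example.com (and its subdomains) goes to the VPN resolver.
    // "forward only": if 172.30.0.53 is unreachable the query fails,
    // which is the safe outcome when the tunnel is down. "forward first"
    // would fall back to public resolution and expose the query names.
    zone "example.com" in {
        type forward;
        forward only;
        forwarders { 172.30.0.53; };
    };
};

// Catch-all view for anyone else: no recursion, so the server cannot be
// used as an open resolver and does not reveal the forward zone.
view "external" in {
    match-clients { any; };
    recursion no;
    // Any zones you serve authoritatively to the outside would go here.
};
```

After editing, run `named-checkconf /usr/local/etc/namedb/named.conf` to catch syntax errors, reload with `rndc reload`, and confirm the split with two lookups from a LAN host: `dig @10.0.0.1 host.example.com` should be answered by the VPN-side resolver (or SERVFAIL while the tunnel is down), while `dig @10.0.0.1 www.freebsd.org` should resolve normally.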