DNS config help

Damien Fleuriot ml at my.gd
Thu Nov 3 10:00:26 UTC 2011

On 11/3/11 8:51 AM, Matthew Seaman wrote:
> On 02/11/2011 20:52, AN wrote:
>> I have a question about how to configure DNS.  My local network is 10.x,
>> and I sometimes need to connect to a remote VPN.  My question is how do
>> I configure BIND to forward queries to a different server only for a
>> specific domain.
> This sounds like a job for a static-stub domain.  That's a fairly new
> feature in BIND, so you may well need to install bind98 from ports.  See
> the documentation here:
> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar

You can simply create a forward zone.

If this should only apply to your VPN clients, then create a view that
matches only their IP, for example:

acl trusted {; ::1;; };

view internal_in in {
	match-clients { trusted; };
	recursion yes;
	additional-from-auth yes;
	additional-from-cache yes;

	zone "." {
	        type hint;
	        file "named.root";

	zone "avocat-conseil.fr"
	  type forward;
	  forwarders {; };
	  forward only;

I have the exact one setup here, allow me to explain.

There's a server at my parents' office (wow this sounds so awkward, when
I re-read it) that handles:
- dhcp
- dns
- firewalling
- smb shares
- routing

There's also a small VPN box that's, so to speak, outside our perimeter
because it's an appliance and I have 0 level of control over it, it runs
at in its own separate VLAN and establishes a VPN with
some law organization thingy, using an IP range of 172.30.*

>From the server, I route 172.30.* to the VPN box, and I also make that
box authoritative for a few domains, including the one quoted above.

I'm not certain what you're trying to accomplish, but this works like a
charm here.

>> When I am connected to the VPN, vpn.example.com, I want queries for
>> anything going to example.com  to go a specific DNS, and everything else
>> on 10.x to go to my regular DNS.  Please let me know if I need to
>> provide more info.  Thanks in advance for any help.
> Hmmm.... I don't think you're going to have much fun at all if you try
> and modify your named configuration depending on whether your VPN is up
> or not.  DNS TTLs are generally of the order of days -- that should be
> taken as a measure of the minimum time that should go between restarts
> of a recursive DNS (ideally, and as a long term average).  Better to
> just fail the lookup when the VPN is down.

Actually, using a view that matches only the VPN's IP range would do the
trick easily and efficiently.

More information about the freebsd-questions mailing list