From: Damien Fleuriot <ml@my.gd>
Date: Thu, 03 Nov 2011 11:00:10 +0100
To: freebsd-questions@freebsd.org
Subject: Re: DNS config help
Message-ID: <4EB2662A.2010609@my.gd>
In-Reply-To: <4EB247E7.1010708@infracaninophile.co.uk>
References: <4EB247E7.1010708@infracaninophile.co.uk>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 11/3/11 8:51 AM, Matthew Seaman wrote:
> On 02/11/2011 20:52, AN wrote:
>> I have a question about how to configure DNS. My local network is 10.x,
>> and I sometimes need to connect to a remote VPN. My question is how do
>> I configure BIND to forward queries to a different server only for a
>> specific domain.
>
> This sounds like a job for a static-stub domain. That's a fairly new
> feature in BIND, so you may well need to install bind98 from ports. See
> the documentation here:
>
> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar
>

You can simply create a forward zone.

If this should only apply to your VPN clients, then create a view that
matches only their IP, for example:

acl trusted {
    127.0.0.1;
    ::1;
    192.168.0.0/24;
};

view internal_in in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." {
        type hint;
        file "named.root";
    };

    zone "avocat-conseil.fr" {
        type forward;
        forwarders { 192.168.252.252; };
        forward only;
    };
};

I have the exact same setup here, allow me to explain.

There's a server at my parents' office (wow this sounds so awkward, when I
re-read it) that handles:
- dhcp
- dns
- firewalling
- smb shares
- routing

There's also a small VPN box that's, so to speak, outside our perimeter
because it's an appliance and I have 0 level of control over it; it runs at
192.168.252.252 in its own separate VLAN and establishes a VPN with some law
organization thingy, using an IP range of 172.30.*

From the server, I route 172.30.* to the VPN box, and I also make that box
authoritative for a few domains, including the one quoted above.

I'm not certain what you're trying to accomplish, but this works like a
charm here.

>> When I am connected to the VPN, vpn.example.com, I want queries for
>> anything going to example.com to go a specific DNS, and everything else
>> on 10.x to go to my regular DNS. Please let me know if I need to
>> provide more info. Thanks in advance for any help.
>
> Hmmm.... I don't think you're going to have much fun at all if you try
> and modify your named configuration depending on whether your VPN is up
> or not. DNS TTLs are generally of the order of days -- that should be
> taken as a measure of the minimum time that should go between restarts
> of a recursive DNS (ideally, and as a long term average). Better to
> just fail the lookup when the VPN is down.
>

Actually, using a view that matches only the VPN's IP range would do the
trick easily and efficiently.
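The acl/view/forward-zone configuration quoted in the message above relies on two decisions BIND makes for every query: which view accepts the client (views are tried in configuration order, first match-clients hit wins, no match means the query is refused), and which zone inside that view has the longest origin matching the query name (the forward zone for avocat-conseil.fr, or the root hint zone for everything else). The Python below is an added example written for this page, not code from the thread or from BIND: it models those two decisions for the quoted configuration so the effect of the ACL can be checked offline. The client address 10.0.0.5 and the query names are constructed sample input; the network addresses and forwarder are the ones from the post. The point worth seeing is that a client outside the "trusted" acl gets refused rather than recursed for, which is what keeps the view from acting as an open resolver, and that admitting AN's 10.x network is just one more acl entry. The model does not replace validating the real file with named-checkconf.

```python
"""Model of BIND's view selection and zone choice for the quoted config.

Added example, not code from the mailing-list post or from BIND itself.
Addresses 10.0.0.5 and the query names below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                 # zone origin, "." is the root hint zone
    type: str                 # "hint" or "forward"
    forwarders: list = field(default_factory=list)
    forward_only: bool = False


@dataclass
class View:
    name: str
    match_clients: list       # expanded acl: list of ip_network objects
    zones: list


def expand_acl(entries):
    """Turn the address strings of a named.conf acl into network objects
    (a bare host address becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matches(view, client_ip):
    """True if the client address falls inside any match-clients network;
    an IPv4 address never matches an IPv6 network and vice versa."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in view.match_clients)


def select_view(views, client_ip):
    """Views are tried in configuration order; the first whose
    match-clients accepts the client is used, otherwise None (REFUSED)."""
    for v in views:
        if matches(v, client_ip):
            return v
    return None


def select_zone(view, qname):
    """Choose the zone whose origin is the longest suffix of qname.
    The root zone "." matches every name with depth 0."""
    labels = qname.rstrip(".").lower().split(".")
    best = None
    for z in view.zones:
        if z.name == ".":
            depth = 0
        else:
            zl = z.name.lower().split(".")
            if labels[-len(zl):] != zl:
                continue
            depth = len(zl)
        if best is None or depth > best[0]:
            best = (depth, z)
    return best[1] if best else None


def resolve_plan(views, client_ip, qname):
    """Describe where BIND would send this query under the model."""
    view = select_view(views, client_ip)
    if view is None:
        return "REFUSED (no view matches client)"
    zone = select_zone(view, qname)
    if zone.type == "forward":
        mode = "forward only" if zone.forward_only else "forward first"
        return f"view {view.name}: {mode} to {', '.join(zone.forwarders)}"
    return f"view {view.name}: normal recursion from root hints"


# The configuration quoted in the thread, expressed as data.
TRUSTED = expand_acl(["127.0.0.1", "::1", "192.168.0.0/24"])
INTERNAL = View(
    name="internal_in",
    match_clients=TRUSTED,
    zones=[
        Zone(".", "hint"),
        Zone("avocat-conseil.fr", "forward",
             forwarders=["192.168.252.252"], forward_only=True),
    ],
)
VIEWS = [INTERNAL]


def with_extra_clients(view, extra):
    """Copy of a view whose acl also admits the given networks, e.g. the
    10.0.0.0/8 network from the original question (constructed example)."""
    return View(view.name, view.match_clients + expand_acl(extra), view.zones)


if __name__ == "__main__":
    cases = [("192.168.0.10", "www.avocat-conseil.fr"),
             ("192.168.0.10", "www.freebsd.org"),
             ("10.0.0.5", "www.avocat-conseil.fr")]
    for client, name in cases:
        print(f"{client:>14} {name:<24} -> {resolve_plan(VIEWS, client, name)}")
```

Running it shows the trusted client being forwarded for avocat-conseil.fr, recursing normally for other names, and the 10.0.0.5 client refused until its network is added to the acl (with_extra_clients shows that change).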