On Sat, Sep 16, 2017 at 03:18:57AM -0700, Omid Kosari via bind-users wrote:
> This is my first post to this mailing list.

And it's a classic example of an "XY question": "I want to do X, and I think Y will do it, so I ask how to do Y, although people more familiar with the subject matter think that sounds like a very strange thing to do."

> I have a caching bind dns server with forwarders like this.
> forwarders {
>     8.8.8.8;
>     8.8.4.4;
> };

Later in the thread we discovered that the ISP is redirecting all queries on port 53 to their own nameservers, which are broken in various ways. I *think* they are hijacking NXDOMAIN responses, returning their own ad server IP address for NXDOMAIN queries. But you have failed (or refused) to provide this bit of information.

With redirected queries on port 53 TCP and UDP, the address of the forwarder would not matter. It could be anything, as you showed later in the thread.

> I want to use other forwarders if the response of the query is
> for example 1.2.3.4

And you munged the ISP's ad server, why, to protect their "privacy"? Sadly, this protection possibly harms you, and possibly other users who might otherwise be tempted to do business with that ISP. It might make your quest more difficult, because if you had been open about who/what you are dealing with, you might have found another user who had come up with a different workaround for the problem.

No, this is not possible; named makes a query and cannot be configured to redo the query based on its results.

But you might be interested in the deny-answer-* features of BIND. See the "Content Filtering" section of ARM chapter 6 for your BIND version. This content filtering would not repeat the queries, however.

See also dnsmasq(8) for a forwarding-only nameserver which can conditionally ignore a certain result. As with named, it won't repeat the query, however.

> I've found that rpz-ip is what I want

How so? Be more specific about the real problem and goal.

> but I was unable to create a relation to forwarders.

Correct.

> //if response ip or rpz-ip = 1.2.3.4 then
> forwarders {
>     208.67.222.222 port 443;
>     208.67.220.220 port 443;
> };

So if you want to use OpenDNS, why not just use those forwarders for all queries? What benefit could there be in querying the ISP nameservers first?

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
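As an added illustration of the content-filtering approach the reply points to (this is not configuration from the thread or from ISC), here is a named.conf `options` fragment that forwards everything to the OpenDNS resolvers on port 443 and additionally refuses any A/AAAA answer carrying the munged ad-server address `1.2.3.4` from the thread. `example.net` and `isp-ads.example` are placeholders, not real names.

```conf
options {
    // Forward-only: never fall back to iterative resolution over the
    // ISP's hijacked port-53 path.
    forward only;
    forwarders {
        208.67.222.222 port 443;
        208.67.220.220 port 443;
    };

    // Content filtering (ARM chapter 6, "Content Filtering"):
    // if the A/AAAA RRset in an answer contains an address in this list,
    // named discards the answer, returns SERVFAIL and logs the rejection.
    // 1.2.3.4 is the munged ad-server address from the thread; except-from
    // exempts a zone that legitimately resolves to it ("example.net" is a
    // placeholder).
    deny-answer-addresses { 1.2.3.4; } except-from { "example.net"; };

    // Same mechanism for CNAME/DNAME targets that point into the
    // ISP's ad domain ("isp-ads.example" is a placeholder).
    deny-answer-aliases { "isp-ads.example"; };
};
```

A filtered answer is returned as SERVFAIL, not NXDOMAIN, and the query is not retried elsewhere; dnsmasq's equivalent, `bogus-nxdomain=1.2.3.4`, instead rewrites a reply containing that address into an NXDOMAIN reply.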