Re: Forward zone inside a view

Tue, 12 Feb 2019 14:58:19 -0800 

On 02/07/2019 07:02 PM, Paul Kosinski wrote:
I haven't analyzed the details and pitfalls, but could a Web proxy mechanism of some sort be of help? In particular, rather than having your users directly access "teamviewer.org" (or whatever), have them to access "teamviewer.local", which is resolved by your internal DNS to a specialized proxy server. 


It sounds like you might be talking about using a reverse proxy of sorts 
to translate internal requests for teamviewer.local to external requests 
for teamviewer.com.



Then set up this proxy server to forward those requests to 
"teamviewer.org", *not* its IP address (since that can, of course, 
change). This is likely the hard part, but the proxy can at least assume 
that it never gets HTTP(S) requests in general.



The internal (reverse) proxy can accept HTTPS protected requests for a 
domain that it has the certificate for, i.e. teamviewer.local, or 
possibly teamviewer.corpdomain.tld.  (The latter would allow for TLS 
certificates from 3rd parties like Let's Encrypt.)



In other words, move the mapping one level up in the protocol stack, 
from the DNS layer to the HTTP(S) layer.



The other advantage that this has is that recursion could remain 
disabled on the internal DNS servers.  All that would need to be done is 
to make the internal DNS server authoritative for teamviewer.local (et 
al) domain.



And, if the proxy can support the equivalent of name-based hosting, then 
it could support multiple local domain redirects, if needed in the future.


I've done this a number of times with Apache.


P.S. PRIVOXY is probably able at least to do the redirect for a single 
domain -- and it's lightweight.



I think Squid can do it.  I expect that other sufficiently capable proxy 
or web server can do it too.




--
Grant. . . .
unix || die




Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
























					Reply via email to