Hi Grant, I don't usually wade in on these but I also believe RPZ would be the simplest way to achieve this.
You're close, I think. Using Carl's information and what you've done there, add the following.

In order to keep the same zone working with 10. addressing for all other (not in bubble) clients, create CNAME records in your master internal.local zone for these two records you want to have a 192. address for. On the same master, create a new zone where you will have the A record your CNAME will resolve to, a 10. address. This will take care of all clients not in the bubble.

On zurg, with your RPZ, have that configured for the same domain as the new domain you've created on the master. This should mean that all queries are forwarded to your other boxes, except anything for that domain in the RPZ. The initial query for Andy or sid will be forwarded to the forwarding servers but will return a CNAME for the zurg recursor. Zurg should then go to resolve the CNAME but check its RPZ first, responding with the 192.x addressing you've got in the RPZ for each of the two hosts.

It's not tidy, I'll give you that, but this is an interesting scenario for more than just this DNS: you're bridging 2 networks with multiple multi-homed machines. This is not recommended from a security perspective and should use a gateway/FW to perform this work, routing between the networks.

All the best.

Jon

On Thu, 30 May 2019, 02:14 Carl Byington via bind-users, <bind-users@lists.isc.org> wrote:
> On Wed, 2019-05-29 at 09:05 -0400, David Bank wrote:
> > Re-reading the ARM, it seemed to me that I needed to add a
>
> After adding the zone and the response-policy statement to named.conf, I
> presume you did:
>
> rndc reconfig
>
> To test that you can:
>
> dig rpz.internal.local axfr @zurg
>
> That should dump the rpz zone, and verify that zurg is serving it. The
> response-policy should be in the global options.
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
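The split-answer layout described in the reply above, written out as BIND configuration. This is an added example, not configuration posted in the thread or shipped by ISC: the hosts andy, sid and zurg, the zones internal.local and rpz.internal.local, and the forward-then-RPZ flow come from the thread; the zone name bubble.internal.local, the master's hostname, the file paths, the forwarder address and every 10.x / 192.168.x host address are constructed placeholders.

```conf
// ---- named.conf on zurg (the recursor the bubble clients use) ----
options {
    directory "/var/named";              // constructed path
    recursion yes;
    forwarders { 10.0.0.53; };           // constructed: the "other boxes" all other queries go to
    forward only;
    // The response-policy statement belongs in the global options, as Carl notes.
    response-policy { zone "rpz.internal.local"; };
};

zone "rpz.internal.local" {
    type master;
    file "rpz.internal.local.db";        // constructed path
    allow-query    { localhost; };       // RPZ is consulted internally; no need to serve it to clients
    allow-transfer { localhost; };       // the AXFR check works on zurg itself, is refused from elsewhere
};

; ---- rpz.internal.local.db on zurg ----
; QNAME trigger owners are written relative to the policy zone origin, so the
; owner "andy.bubble.internal.local" matches a query for, or a CNAME target of,
; andy.bubble.internal.local.  The A record is the RPZ "local data" answer.
$TTL 300
@                           IN SOA  zurg.internal.local. hostmaster.internal.local. ( 2019053001 3600 900 604800 300 )
@                           IN NS   zurg.internal.local.
andy.bubble.internal.local  IN A    192.168.50.11   ; constructed bubble-side address
sid.bubble.internal.local   IN A    192.168.50.12   ; constructed bubble-side address

; ---- internal.local zone on the master (forwarding) server ----
; Only the two bubble hosts change: they become CNAMEs into the new zone.
andy    IN CNAME andy.bubble.internal.local.
sid     IN CNAME sid.bubble.internal.local.

; ---- bubble.internal.local zone on the same master (constructed zone name) ----
; Non-bubble clients follow the CNAME here and still receive 10. addresses.
$TTL 300
@       IN SOA  master.internal.local. hostmaster.internal.local. ( 2019053001 3600 900 604800 300 )
@       IN NS   master.internal.local.
andy    IN A    10.0.0.11    ; constructed
sid     IN A    10.0.0.12    ; constructed
```

A bubble client asking zurg for andy.internal.local gets the CNAME back from the forwarder; when zurg chases the target andy.bubble.internal.local, the QNAME trigger in the policy zone matches and the 192.168.x local-data answer is returned instead of the master's 10.x record. The same query from a non-bubble client, which never touches zurg, follows the CNAME to the 10.x record. After `rndc reconfig`, Carl's `dig rpz.internal.local axfr @zurg` check dumps the policy zone when run on zurg itself; the `allow-transfer { localhost; }` line means the same transfer is refused from any other host, which is what you want for a zone that encodes your internal addressing for the bridged hosts.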