On 5/29/19 3:15 PM, Jon wrote:
Hi Grant,

Hi,

I don't usually wade in on these but I also believe RPZ would be the simplest way to achieve this.

I tend to agree.

DNSSEC can complicate this a bit (requiring additional settings).

In order to keep the same zone working with 10. addressing for all other (not in bubble) clients, create CNAME records in your master internal.local zone for these two records you want to have a 192. address for. On the same master, create a new zone where you will have the A record your CNAME will resolve to, a 10. address. This will take care of all clients not in the bubble.

I don't think that David has any influence on the "internal.local" zone on buzz and woody. As such, CNAMEing to alternate zones is not likely to happen.

On zurg, with your RPZ, have that configured for the same domain as the new domain you've created on the master.

Why use CNAMEs to a separate zone on woody & buzz but not use the same separate zones on zurg?

I'd think that you'd use separate zones everywhere (woody, buzz, and zurg) or nowhere.

Yes, RPZ can make it trivial to override the names in the bubble.

This should mean that all queries are forwarded to your other boxes, except anything for that domain in the RPZ. The initial query for andy or sid will be forwarded to the forwarding servers but will return a CNAME for the zurg recursor. Zurg should then go to resolve the CNAME but check its RPZ first, responding with the 192.x addressing you've got in the RPZ for each of the two hosts.

I'm not tracking what you're saying. (If we want to delve further into this, seeing as how David can't change the zone on woody or buzz.) Please outline what zones you would have on what server as well as where the CNAMEs would be and what they would refer to.

It's not tidy, I'll give you that, but this is an interesting scenario for more than just this DNS: you're bridging 2 networks with multiple multi-homed machines. This is not recommended from a security perspective, and you should use a gateway/FW to perform this work, routing between the networks.

I largely agree. However, there is no reason that there can't also be DNS separation in addition to routing / firewall. Thus this scenario can exist even with routing and firewalls.



--
Grant. . . .
unix || die
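As an added illustration of the RPZ-on-zurg approach discussed in the thread (example configuration written for this page, not something Jon or Grant posted), here is a minimal BIND named.conf fragment for the bubble recursor plus the RPZ zone it consults. The forwarder addresses, the 192.0.2.x bubble addresses and the andy/sid FQDNs under internal.local are placeholders; the DNSSEC setting reflects the caveat raised above that RPZ rewrites need an extra option when validation is on.

```conf
// --- named.conf on zurg (bubble recursor): forward everything to woody and
// --- buzz, but rewrite two names locally via RPZ.
options {
    directory "/var/named";
    recursion yes;
    forwarders { 10.0.0.53; 10.0.0.54; };   // woody and buzz (placeholder IPs)
    forward only;
    dnssec-validation auto;
    // A rewritten answer can never validate. Without break-dnssec, BIND skips
    // the RPZ for DNSSEC-requesting clients (DO bit set) when the upstream
    // answer carries signatures, so the 10.x address would leak through.
    response-policy { zone "rpz.bubble"; } break-dnssec yes;
};

zone "rpz.bubble" {
    type master;
    file "rpz.bubble.db";
    allow-query { none; };      // consulted by the policy engine only
    allow-transfer { none; };
};

// --- /var/named/rpz.bubble.db: QNAME triggers, relative to the RPZ apex.
// --- Each hands the bubble-side 192.x address back instead of the 10.x one
// --- that woody and buzz serve for the same name.
// $TTL 300
// @                    IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
//                      IN NS  localhost.
// andy.internal.local  IN A   192.0.2.10   ; placeholder bubble address
// sid.internal.local   IN A   192.0.2.11   ; placeholder bubble address
```

Check the zone with `named-checkzone rpz.bubble /var/named/rpz.bubble.db` and the config with `named-checkconf`, then confirm with `dig @zurg andy.internal.local A` that the 192.x answer is returned while any other internal.local name still comes back with its 10.x address from the forwarders. If the forwarders return a CNAME for andy or sid rather than an A record, the CNAME target name also needs a trigger in the RPZ, since the policy matches the name actually being resolved.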



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
