Erich Eckner <b...@eckner.net> wrote:
>
> 1. Set a custom query-source (the one of the vpn interface) for that
> second-level domain. (This would also be applied to all subdomains thereof,
> right?)
>
> 2. Overwrite (by rpz?) the name-servers for that domain to the (somehow
> obtained) internal nameservers (they differ from the external ones and have
> addresses which are automatically routed through the vpn anyways).
RPZ rewrites responses as they are going out of your nameserver, so you
can't use RPZ to change the way the nameserver's resolver works (because
the resolver depends on incoming responses not outgoing responses).

There are two ways to do what you want, depending on the DNS servers on
the other end of the VPN:

* If they are recursive, use a forward zone. This applies to all the
  subdomains as well, since the recursive server is expected to follow
  referrals/delegations itself as necessary.

* If they are authoritative, use a static-stub zone. In this case your
  server will follow referrals/delegations from the remote zone, which
  will need to make sense wrt your split horizon network topology.

If you need special source addresses as well as special target addresses,
add server clauses for each of the target servers on the other end of the
VPN to specify which query-source address to use for them.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Humber, Thames, Dover: North 3 or 4, veering northeast 4 or 5. Slight or
moderate in Humber, otherwise slight, occasionally smooth. Showers. Good.
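The two zone types and the server clauses described in the reply above, as an added named.conf example that is not part of the original thread. The domain name corp.example, the VPN-side resolver/authoritative addresses 10.8.0.10 and 10.8.0.11, and the local VPN interface address 10.8.0.2 are assumed placeholders; pick one of the two zone blocks for a given name in a given view, not both.

```conf
// Added example, not from the original post.  Assumed addresses:
//   10.8.0.10 / 10.8.0.11  - DNS servers on the far side of the VPN
//   10.8.0.2               - this host's address on the VPN interface

// Option A: the far-side servers are recursive resolvers.
// A forward zone sends every query for corp.example and all of its
// subdomains to them; the remote resolver follows any delegations itself.
zone "corp.example" {
    type forward;
    forward only;                 // never fall back to the public DNS for this name
    forwarders { 10.8.0.10; 10.8.0.11; };
};

// Option B: the far-side servers are authoritative only.
// A static-stub zone makes our resolver treat them as the apex nameservers
// for corp.example.  Referrals to delegated subzones are then followed by
// our own resolver, so the child nameserver addresses handed back must also
// be reachable (i.e. routed over the VPN) from this host.
//
// zone "corp.example" {
//     type static-stub;
//     server-addresses { 10.8.0.10; 10.8.0.11; };
// };

// Either way, pin the source address used when talking to those servers so
// the queries leave via the VPN interface rather than the default route.
// A prefix form (server 10.8.0.0/24 { ... };) is also accepted if the whole
// far-side range should use the same source address.
server 10.8.0.10 {
    query-source address 10.8.0.2;
};

server 10.8.0.11 {
    query-source address 10.8.0.2;
};
```

After editing, run `named-checkconf` and reload; to confirm the path actually taken, query the local resolver for a name under the domain while watching the VPN interface with tcpdump, and check that the packets carry the pinned source address and go to the intended servers.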