Matthias,
This is what I did to force my resolver bind instance to lookup my
internal domain directly on my authoritative bind instance without
asking any other servers (would have failed anyway as it is a fake
domain "mylocal"):
// on resolver (or caching name server)
zone "mylocal" {
type forward;
forwarders {
192.168.40.142; // authoritative server 1
192.168.40.182; // authoritative server 2
};
forward only; // don't ask any other server
};
Not sure if that will break dnssec for you. There are probably other
way(s) to accomplish this, especially for a real domain on real IP
address(s). But maybe its somewhere to start.
-Darren
On Sun, Feb 5, 2023 at 1:21 AM Matthias Fechner <ide...@fechner.net> wrote:
>
> Dear all,
>
> I have a question regarding a setup I use at home.
> It is for domain idefix.fechner.net.
>
> I have at home a small server running with some services at it. As I do
> not have a public IP, I tunnel traffic using pf on FreeBSD and openvpn
> to route a public IP to my server at home.
> This works nice but if I now access idefix.fechner.net it will always go
> outside to the internet and then back through the tunnel to my local
> server which is a real performance problem, as the internet connection
> here is really slow.
>
> The complete domain is dnssec signed using the following configuration:
> zone "fechner.net" {
> type master;
> file "../master/fechner.net/fechner.net";
> dnssec-policy "one-year-zsk";
> inline-signing yes;
> };
>
> Now I want to make sure if I access idefix.fechner.net that it does not
> use the tunnel but access it directly using the local address.
>
> So the idea was to configure my named running at home to resolve some
> host names differently.
>
> What is here recommended best practice doing it?
>
> Just added a new domain fechner.net and overwrite some A records? I
> think that will break dnssec or?
>
> Thanks for any pointer into the right direction.
>
> Gruß
> Matthias
>
> --
>
> "Programming today is a race between software engineers striving to
> build bigger and better idiot-proof programs, and the universe trying to
> produce bigger and better idiots. So far, the universe is winning." --
> Rich Cook
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
