Matthias,

This is what I did to force my resolver bind instance to look up my internal domain directly on my authoritative bind instance without asking any other servers (would have failed anyway as it is a fake domain "mylocal"):

// on resolver (or caching name server)
zone "mylocal" {
    type forward;
    forwarders {
        192.168.40.142; // authoritative server 1
        192.168.40.182; // authoritative server 2
    };
    forward only; // don't ask any other server
};

Not sure if that will break dnssec for you. There are probably other way(s) to accomplish this, especially for a real domain on real IP address(es). But maybe it's somewhere to start.

-Darren

On Sun, Feb 5, 2023 at 1:21 AM Matthias Fechner <ide...@fechner.net> wrote:
>
> Dear all,
>
> I have a question regarding a setup I use at home.
> It is for domain idefix.fechner.net.
>
> I have at home a small server running with some services at it. As I do
> not have a public IP, I tunnel traffic using pf on FreeBSD and openvpn
> to route a public IP to my server at home.
> This works nice but if I now access idefix.fechner.net it will always go
> outside to the internet and then back through the tunnel to my local
> server which is a real performance problem, as the internet connection
> here is really slow.
>
> The complete domain is dnssec signed using the following configuration:
> zone "fechner.net" {
>         type master;
>         file "../master/fechner.net/fechner.net";
>         dnssec-policy "one-year-zsk";
>         inline-signing yes;
> };
>
> Now I want to make sure if I access idefix.fechner.net that it does not
> use the tunnel but access it directly using the local address.
>
> So the idea was to configure my named running at home to resolve some
> host names differently.
>
> What is here recommended best practice doing it?
>
> Just added a new domain fechner.net and overwrite some A records? I
> think that will break dnssec or?
>
> Thanks for any pointer into the right direction.
>
> Gruß
> Matthias
>
> --
>
> "Programming today is a race between software engineers striving to
> build bigger and better idiot-proof programs, and the universe trying to
> produce bigger and better idiots. So far, the universe is winning."
> -- Rich Cook
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
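
A lint check for the forward-zone approach in the reply above, added here as an example (not code from the thread or from ISC): it parses named.conf text and flags forward zones that lack "forward only" or that list a forwarder outside internal address space. The zone "corp.example", the address 203.0.113.53 and the definition of "internal" are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: zone 1 is the thread's config, zone 2 a hypothetical weak one.
SAMPLE_CONF = """
zone "mylocal" {
    type forward;
    forwarders {
        192.168.40.142; // authoritative server 1
        192.168.40.182; // authoritative server 2
    };
    forward only; // don't ask any other server
};
zone "corp.example" {
    type forward;
    forwarders { 192.168.40.142; 203.0.113.53; };
};
"""

# Assumption: "internal" means RFC 1918, loopback or IPv6 ULA address space.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]
# A zone statement whose body nests braces at most one level deep (forwarders { ... }).
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{;]*\{((?:[^{}]|\{[^{}]*\})*)\}')

def strip_comments(text):
    """Drop /* */, // and # comments, the styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def audit_forward_zones(conf):
    """Return {zone: [findings]} for every 'type forward' zone in conf."""
    report = {}
    for name, body in ZONE_RE.findall(strip_comments(conf)):
        if not re.search(r"\btype\s+forward\s*;", body):
            continue
        # BIND defaults to "forward first": it recurses itself if forwarders fail.
        only = re.search(r"\bforward\s+only\s*;", body)
        findings = [] if only else ["'forward only' not set"]
        fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
        addrs = [ipaddress.ip_address(t.split()[0])
                 for t in (fwd.group(1).split(";") if fwd else []) if t.strip()]
        findings += [f"forwarder {a} is not internal"
                     for a in addrs if not any(a in net for net in INTERNAL)]
        report[name] = findings
    return report

if __name__ == "__main__":
    for zone, findings in audit_forward_zones(SAMPLE_CONF).items():
        print(zone, findings or "OK")
```

A zone that fails the first check can send queries for the internal name to public servers whenever the listed forwarders do not answer.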