--- Begin Message ---
As others have noted, the source address of queries to your gslb nameservers 
hosting the subzone gslb.example.br.com will be from the recursive resolver 
used by clients - not the source address of the server that owns parent 
example.br.com (unless those nameservers are also functioning as recursive 
resolvers for your clients).

If the source addresses of the recursive resolvers do not suffice for the 
policy on your gslb nameserver for identifying the location of the user, you may 
want to explore use of EDNS Client Subnet (ECS). If the client resolvers support 
ECS, they can/will include the subnet of the originating DNS request and pass 
it to your gslb nameservers as part of the request. This requires that the 
resolvers used by clients and the authoritative gslb nameserver both support 
ECS.



From: dns-operations <dns-operations-boun...@dns-oarc.net> on behalf of daniel 
majela <dmaj...@gmail.com>
Date: Tuesday, February 27, 2024 at 07:27
To: Lyle Giese <l...@lcrcomputer.net>
Cc: dns-operations@lists.dns-oarc.net <dns-operations@lists.dns-oarc.net>
Subject: Re: [dns-operations] BIND9 and ADNS
Lyle.... Maybe placing this subzone on each DNS server could also solve it. 
I will try to do that. Thank you very much.

On Mon, Feb 26, 2024 at 20:07, Lyle Giese <l...@lcrcomputer.net> wrote:

My understanding of DNS protocols and the end user's OS is that it is 
programmed with 2 or 3 (usually) recursive DNS servers to query for all of the 
end user's needs. And that the recursive DNS follows the trail of DNS to find 
the answer the end user needs. In which case the end user's IP address is never 
going to hit or ask your load balancer any questions.

The only way I can think of is to segregate those that need to query for that 
sub-zone by the recursive DNS server they are allowed to use and give that 
subset of recursive DNS servers that ability to query that sub-zone.

Lyle Giese
On 2/26/24 15:09, daniel majela wrote:
Hey guys. I have "n" DNS servers on the network. I would like to configure a 
sub-zone that I will not publish on the network. Example would be: 
example.com.br and my subzone would be gslb.exemplo.com.br. On the server that 
owns the gslb.exemplo.com.br sub-zone, which is an ADNS balancer, I will add 
some targeting policies based on the origin IP. The problem is that the IP 
address that calls gslb is the server that owns the example.com.br zone and not 
the user's IP address and this way the policy will not work. I need the IP of 
the user's resolver to reach my ADNS and not the IP of the Resolver that owns 
exemplification.com.br. If anyone has a tip and if there is a solution, I would 
appreciate it.



--
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909



_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--- End Message ---
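
The ECS behaviour described in the first reply of this thread, as an added example that is not part of the original messages: an authoritative server reads the client subnet from the EDNS options of a query and falls back to the resolver's source address when the option is absent or malformed. The function names `parse_ecs` and `policy_key` are hypothetical, the sample bytes are constructed, and the option layout (code 8, FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS) follows RFC 7871.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
# FAMILY field -> (address width in bits, network class)
FAMILIES = {1: (32, ipaddress.IPv4Network), 2: (128, ipaddress.IPv6Network)}


def parse_ecs(opt_rdata: bytes):
    """Return the client subnet from OPT RDATA, or None if absent or malformed."""
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        data = opt_rdata[pos + 4 : pos + 4 + length]
        pos += 4 + length
        if code != ECS_OPTION_CODE:
            continue  # skip other EDNS options (cookies, padding, ...)
        if len(data) != length or length < 4:
            return None
        family, source_len, scope_len = struct.unpack_from("!HBB", data)
        addr = data[4:]
        if family not in FAMILIES:
            return None
        bits, network_cls = FAMILIES[family]
        # In a query the scope is 0 and the address is cut to ceil(source_len/8) bytes.
        if source_len > bits or scope_len != 0 or len(addr) != (source_len + 7) // 8:
            return None
        padded = addr + bytes(bits // 8 - len(addr))
        try:
            # strict=True rejects non-zero bits beyond the announced prefix length.
            return network_cls((padded, source_len), strict=True)
        except ValueError:
            return None
    return None


def policy_key(resolver_ip: str, opt_rdata: bytes):
    """Network a location policy should match: the ECS subnet, else the resolver."""
    subnet = parse_ecs(opt_rdata)
    return subnet if subnet is not None else ipaddress.ip_network(resolver_ip)


# Constructed sample: a COOKIE option (code 10) followed by ECS for 203.0.113.0/24.
SAMPLE_OPT_RDATA = (
    struct.pack("!HH", 10, 8) + bytes(8)
    + struct.pack("!HHHBB", ECS_OPTION_CODE, 7, 1, 24, 0) + bytes([203, 0, 113])
)

if __name__ == "__main__":
    print(policy_key("198.51.100.53", SAMPLE_OPT_RDATA))
    print(policy_key("198.51.100.53", b""))
```

The subnet in the option is supplied by whichever resolver sent the query, so a location policy built on it is only as reliable as the resolvers allowed to reach the authoritative server.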