On 5/5/2017 21:56, Dr. Rolf Jansen wrote: > Am 05.05.2017 um 21:14 schrieb Karl Denninger <k...@denninger.net>: >> On 5/5/2017 19:08, Dr. Rolf Jansen wrote: >>> Am 05.05.2017 um 20:53 schrieb Karl Denninger <k...@denninger.net>: >>>> On 5/5/2017 14:33, Julian Elischer wrote: >>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: >>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if >>>>>> not impossible if you want to run a stateful nat'ting firewall, which >>>>>> is usually the better choice. >>>>>> >>>>>> IMHO a DNS based solution is much more effective. >>>>>> >>>>>> On my gateway I have running the caching DNS resolver Unbound. Now >>>>>> let's assume, the second level domain name in question is >>>>>> example.com, and your web server would be accessed by >>>>>> www.example.com, while other services, e.g. mail are served from >>>>>> other sites on the internet. >>>>> I believe this is a much cleaner solution thanusing double NAT. >>>>> (see also my solution for if the server is also freebsd) >>>>> even though we have a nice set of new IPFW capabilities that can do >>>>> this, I still think double nat is an over complication of the system. >>>>> >>>> Well, the DNS answer is one that works IF you control the zone in >>>> question every time. ... >>> I do not understand "control the zone ... every time". >>> >>> I set up my transparent zones 5 years ago and never touched it again, and I >>> don't see any "illegal" packets on my network caused by this either. >>> >>> I understand that you actually didn't grasp the transparent zone technic. >>> >>> Happy double nat'ting :-D >> On the contrary I do understand it (and how to do it), along with how to >> throw "off-network" packets at the other host. Both ways work (unbound >> is arguably simpler than BIND, but it'll work in both cases) but the >> point is that you then must keep two things in sync rather than do one >> thing in one place. > With BIND you cannot setup a selectively transparent zone. You are talking > about split DNS, and that's a different animal. > Well, sort of you can.
Look at "response-policy" in the options section of named.conf.... It does basically the same sort of thing that you can do with unbound; it's been there for a while. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
