In message <7bc44907-7c33-4f7c-9868-92798b7ef...@gmail.com>, Chris Buxton writes:
> Can't be done with just BIND. You need some kind of solution to strip
> out the private IPv4 address space before publishing data to the outside
> world. (Are you sure your workstations really need to have their
> routable addresses published to the outside world? Sounds dangerous to
> me.)
>
> For example, you could write a script that would grab a copy of the
> internal zone, strip out what you don't want, and republish on an
> external-facing name server, and then run that script on a 5 minute cron
> job.
Or use dig and ixfr to get the recent changes to the internal zone and
apply the ones that match your filter to the external zones.

e.g.

% dig +noall +answer ixfr=2007104570 dv.isc.org | awk -f ixfr2nsupdate
update delete sapphire.dv.isc.org. 1200 IN A 192.168.1.2
update add sapphire.dv.isc.org. 1200 IN A 192.168.1.2
update delete sapphire.dv.isc.org. 1200 IN A 192.168.1.2
update add sapphire.dv.isc.org. 1200 IN A 192.168.1.5
%

ixfr2nsupdate:

# An IXFR answer is: current SOA, then [old SOA, deletions, new SOA,
# additions]..., then the current SOA again.  Each SOA flips the mode
# between "delete" and "add" (the leading SOA starts it in "add").
BEGIN { mode="none"; }
$4 == "SOA" {
	if (mode == "none") { mode = "add"; }
	else if (mode == "delete") { mode = "add" }
	else { mode = "delete" };
	next;
}
# DNSSEC records belong to the internal zone; do not copy them across.
$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next }
# Everything else becomes an nsupdate line in the current mode.
{ print "update", mode, $0 }

Mark

> Chris Buxton
> BlueCat Networks
>
> On Jan 24, 2011, at 7:28 AM, Michael Himbeault wrote:
>
> > So I appear to have fallen into the cracks of "stuff the internet is
> > completely useless for looking up". I can't come up with any useful set
> > of keywords, so here I am.
> >
> > I'm attempting to configure DDNS between ISC DHCPD and BIND. I want
> > DDNS for both IPv4 and IPv6. I have this. Cool. Now, I want to publish
> > the IPv6 DDNS mappings out to the internet at large so every host can
> > have a publicly routable IP address and no one has to remember any 32
> > character addresses. I would like this to be accomplished by everyone
> > hanging off of the domain.
> >
> > For example a computer (hostname: pinky) connects to the network, and
> > now everyone on the internal network can ping either pinky or
> > pinky.example.com. If they are IPv4 only, they will get pinky's IPv4
> > leased address, and if they are dual-stack or IPv6 they will get pinky's
> > IPv6 address since pinky.riebart.ca will have both A and AAAA records. I
> > also want anyone on the internet at large to be able to ping
> > pinky.example.com and, if they are IPv6 enabled, will get replies since
> > pinky's IPv6 address is publicly routable.
> > Attempts to get an A record for pinky.example.com should fail.
> >
> > Problem is, how do I do this without polluting the internet with my
> > private IPv4 DDNS mappings and without requiring an extra subdomain? The
> > inside clients need to see both the IPv6 and IPv4 mappings, but the
> > external queries should never see the IPv4 mappings. I can't just
> > copy-paste the zone files since they are both being dynamically updated
> > through DDNS. Additionally, since the DHCP client support for DHCP
> > option 119 (DNS domain search list) is pretty abysmal I would really
> > like to not have to put ipv4 mappings onto <HOSTNAME>.ipv4.example.com.
> >
> > Any suggestions?
> >
> > Thanks,
> > Mike
> > _______________________________________________
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
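The awk filter above turns an IXFR answer into nsupdate lines but leaves the actual address filter ("the ones that match your filter") to the reader. The following is an added example, not code from this thread or from ISC: a Python version of the same SOA-toggling logic that also drops any A or AAAA record in RFC 1918, loopback, link-local or ULA space, skips DNSSEC records (DNSKEY added to Mark's list), reports the serial to pass to the next `ixfr=`, and flags the case where the internal server fell back to a full AXFR because the stored serial was too old (applying that as plain adds would never delete stale external records). The server name `ns-external.example.com`, the address policy in `PRIVATE_NETS`, and the sample IXFR answer are all assumptions constructed for the example.

```python
"""Turn a `dig +noall +answer ixfr=<serial> zone` answer into an nsupdate
script for an external zone, dropping records that must not leave the
internal network.  Added example, not code from the bind-users thread.
"""
import ipaddress
import sys

# Assumed policy for this example: addresses in these ranges are never
# published externally (RFC 1918, loopback, link-local, IPv6 ULA/link-local).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# DNSSEC material belongs to the internal zone; the external zone is signed
# on its own.  DNSKEY is added to the set the awk script skips.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}


def is_private(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETS)


def ixfr_to_nsupdate(ixfr_lines, server, zone):
    """Return (nsupdate_script, latest_serial, full_zone).

    An IXFR answer is: current SOA, then [old SOA, deletions, new SOA,
    additions]..., then the current SOA again.  full_zone is True when the
    answer carried only two SOA records around a record set, i.e. the server
    fell back to AXFR; the caller should resync the external zone instead of
    applying those lines as adds.
    """
    mode = None          # None until the first SOA, then "add"/"delete"
    soa_count = 0
    serial = None
    ops = []
    for raw in ixfr_lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("unexpected dig output: %r" % line)
        rtype, rdata = fields[3], fields[4:]
        if rtype == "SOA":
            soa_count += 1
            serial = int(rdata[2])          # rdata: mname rname serial ...
            mode = "delete" if mode == "add" else "add"   # same toggle as the awk
            continue
        if mode is None:
            raise ValueError("record before first SOA: %r" % line)
        if rtype in DNSSEC_TYPES:
            continue
        if rtype in ("A", "AAAA") and is_private(rdata[0]):
            continue                        # never export private addresses
        ops.append("update %s %s" % (mode, " ".join(fields)))
    script = ""
    if ops:
        script = "\n".join(["server %s" % server, "zone %s" % zone] + ops + ["send"])
    return script, serial, soa_count == 2 and bool(ops)


# Constructed sample answer: one change set in which sapphire's lease moved
# from 192.168.1.2 / 2001:db8:1::2 to 192.168.1.5 / 2001:db8:1::5.
SAMPLE_IXFR = """\
dv.isc.org.\t3600\tIN\tSOA\tns.dv.isc.org. hostmaster.dv.isc.org. 2007104571 7200 3600 2419200 3600
dv.isc.org.\t3600\tIN\tSOA\tns.dv.isc.org. hostmaster.dv.isc.org. 2007104570 7200 3600 2419200 3600
sapphire.dv.isc.org.\t1200\tIN\tA\t192.168.1.2
sapphire.dv.isc.org.\t1200\tIN\tAAAA\t2001:db8:1::2
sapphire.dv.isc.org.\t1200\tIN\tRRSIG\tAAAA 8 3 1200 20110301000000 20110201000000 12345 dv.isc.org. c29tZXNpZw==
dv.isc.org.\t3600\tIN\tSOA\tns.dv.isc.org. hostmaster.dv.isc.org. 2007104571 7200 3600 2419200 3600
sapphire.dv.isc.org.\t1200\tIN\tA\t192.168.1.5
sapphire.dv.isc.org.\t1200\tIN\tAAAA\t2001:db8:1::5
dv.isc.org.\t3600\tIN\tSOA\tns.dv.isc.org. hostmaster.dv.isc.org. 2007104571 7200 3600 2419200 3600
""".splitlines()


if __name__ == "__main__":
    # Intended use (assumed names):
    #   dig @internal-master +noall +answer ixfr=$(cat last-serial) dv.isc.org \
    #     | python3 ixfr_filter.py > update.txt && nsupdate -k Kexternal.key update.txt
    script, serial, full = ixfr_to_nsupdate(sys.stdin, "ns-external.example.com", "dv.isc.org.")
    if full:
        sys.exit("server answered with a full zone; resync the external zone, then store serial %s" % serial)
    if script:
        print(script)
    print("next ixfr serial: %s" % serial, file=sys.stderr)
```

Two practical notes: the internal master must permit the transfer (allow-transfer, ideally a TSIG key passed to dig with -k), and the external server's update-policy should accept this script's TSIG key only for the record types you intend to export, so a bug in the filter cannot publish more than AAAA records. Persist the returned serial between runs; if it is ever lost or too old, the full-zone flag tells you to resync rather than silently apply a partial picture.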