On 13/05/22 09:02, Grant Taylor via bind-users wrote:
> On 5/12/22 2:41 PM, Nick Tait via bind-users wrote:
>> This sounds like exactly the sort of use case for Response Policy Zones:
> How are you going to have RPZ return different addresses for different
> clients? Are you suggesting use different RPZs with different
> contents for different clients?
Yes, although now that I think through the details it turns out to be
much messier than I first thought, because there doesn't seem to be a
way to specify "not" in the RPZ...
Also I should point out that I'm assuming that a PASSTHRU result in one
RPZ will still result in subsequent RPZs being processed. I haven't
actually tested this, so it's possible I'm misunderstanding the
documentation?
Anyway, in the interests of following this all the way through, let's
assume you had 3 clients and you wanted them to each receive a different
answer to the query "www.example.com":
Suppose their IP addresses are:
A = 192.0.2.10
B = 192.0.2.20
C = 192.0.2.30
Then, if I'm not mistaken, you could create 3 RPZ zones:
Zone file for "a.rpz.mylocaldomain.com" contains (in addition to SOA, etc):
; Don't overwrite the answer for queries received from clients B & C
32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
; Change the answer to the question www.example.com
www.example.com IN A 10.0.0.1
Zone file for "b.rpz.mylocaldomain.com" contains (in addition to SOA, etc):
; Don't overwrite the answer for queries received from clients A & C
32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
; Change the answer to the question www.example.com
www.example.com IN A 10.0.0.2
Zone file for "c.rpz.mylocaldomain.com" contains (in addition to SOA, etc):
; Don't overwrite the answer for queries received from clients A & B
32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.
; Change the answer to the question www.example.com
www.example.com IN A 10.0.0.3
And then configure BIND to use all three RPZs:
response-policy {
zone "a.rpz.mylocaldomain.com";
zone "b.rpz.mylocaldomain.com";
zone "c.rpz.mylocaldomain.com";
};
Scalability is obviously a challenge with this particular solution! :-(
So on reflection, there are probably better solutions to the problem
that you are trying to solve. Although I don't personally have
experience with it, I wonder if "dnsmasq" might do what you need?
Thanks,
Nick.
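As an added illustration (not part of Nick's message or of BIND itself), the following Python script generates the per-client RPZ zones described above for any number of clients. It encodes the rpz-client-ip trigger names (prefix length followed by the octets in reverse order) and also accepts CIDR blocks, which the /32-only examples in the thread do not show; the zone base name, query name and answer addresses are taken from the thread.

```python
import ipaddress

# Zone naming from the thread: a.rpz.mylocaldomain.com, b.rpz..., c.rpz...
RPZ_BASE = "rpz.mylocaldomain.com"


def client_ip_trigger(network):
    """Encode an IPv4 host or CIDR block as an rpz-client-ip trigger name:
    <prefix-length>.<octets reversed>.rpz-client-ip
    e.g. 192.0.2.20 -> 32.20.2.0.192.rpz-client-ip (IPv4 only here)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 client-ip triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-client-ip"


def build_zones(policy, qname, base=RPZ_BASE):
    """policy maps a zone label to (client network, answer address).
    One RPZ zone per client; each zone passes through every *other* client
    and rewrites qname, so N clients cost N zones and N*N records in total
    (the scalability problem noted in the thread). Records are returned
    without the SOA/NS records a real zone file also needs."""
    zones = {}
    for label, (client, answer) in policy.items():
        records = [
            f"{client_ip_trigger(other_client)} IN CNAME rpz-passthru."
            for other, (other_client, _) in policy.items()
            if other != label
        ]
        records.append(f"{qname} IN A {answer}")
        zones[f"{label}.{base}"] = records
    return zones


def response_policy_block(zones):
    """Render the matching named.conf response-policy statement."""
    lines = ["response-policy {"]
    lines += [f'    zone "{name}";' for name in zones]
    lines.append("};")
    return "\n".join(lines)


# The three clients and answers used in the thread.
POLICY = {
    "a": ("192.0.2.10", "10.0.0.1"),
    "b": ("192.0.2.20", "10.0.0.2"),
    "c": ("192.0.2.30", "10.0.0.3"),
}

if __name__ == "__main__":
    zones = build_zones(POLICY, "www.example.com")
    for name, records in zones.items():
        print(f"; zone {name}\n" + "\n".join(records) + "\n")
    print(response_policy_block(zones))
```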