On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
> Would a DNS view (bind) work?
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
> Also, depending on what you are using for NAT, some devices will mangle the 
> reply payload of A record lookups as they traverse NAT to avoid haripinning 
> (a packet going out and then back in the same interface as it traverses NAT). 
>  This is known as DNS doctoring, at least in the world of Cisco.
> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
> Let me know if either of those will solve your problem.  If not, I might have 
> a misunderstanding of what you are asking.
> Dan
>> On Jul 17, 2016, at 3:36 PM, Brendan Kearney <bpk...@gmail.com> wrote:
>> i am looking to setup a VPN in order to access some resources, and want to 
>> point my clients at this resource via DNS.  the resource i am accessing is 
>> internet resolvable, but i am accessing it via the VPN, and using a NAT for 
>> the VPN (full 1-to-1 or static NAT).  i want to have a record in my DNS for 
>> this resource, using its proper name (which i am not authoritative for), but 
>> assign it the IP of my NAT.
>> say for example, host.domain-ext.tld is the resource i want to access, and 
>> it resolves externally to  my VPN NAT would be  i 
>> want internal resolution of DNS to point to so the network 
>> routing takes my internal clients to the VPN and not out to the internet.
>> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns.  
>> how do i setup the zone and record to accomplish this DNS trick?  i have 
>> talked with some DNS gurus and they indicate that i can do something with 
>> the "@" record.  it seems that the record i want, would be its own zone, and 
>> the @ record would point to the name, and the SOA would be the NAT IP.  i 
>> could be wrong about the details, but something like this is how to setup 
>> resolution the way i want.
>> any pointers would be greatly appreciated.

Background note:
All these DNS tricks are hacks to work around IP routing problem in
configuration you described.

If you really want to use DNS tricks, you can create a DNS zone with name
equal to the you want to override and will this zone with A/AAAA record at
zone apex (@).
The DNS approach has some inherent advantages:

1. All DNS names below the name you want to 'hijack' will not be resolvable in
your network. E.g. if the name is hijacked.example.com. then sub-domains like
anything.hijacked.example.com. will not be resolvable.

2. Your clients will go securely over VPN if and only if they use your local
DNS servers. Any client configured (even accidentally) to use some other DNS
server (e.g. public will get the 'public' address and do not tunnel
the traffic over VPN.

Secure and reliable solution is not to use DNS but solve things on IP layer:
On the network gateway, configure IPSec tunnel (or any other VPN) in a way
that *the original IP address* is routed over VPN.

This does not require any DNS tricks and thus will work regardless of client

I hope it helps.

Petr^2 Spacek

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to