Re: DNS resolution based on source network
On 27.09.10 19:38, Kevin Darcy wrote:
> Under certain limited circumstances, it might make more sense to put
> both/all addresses under the same name, and then use the "sortlist"
> mechanism to present those addresses in an order which is suitable for
> particular clients.

certain? I'd say under most.

It's always better to get the rrset sorted in network topological order, but when any of the servers fails, it's good to have a backup. If all servers are reachable, a simple sortlist statement will be enough. If they are not, you need different zones in different views.

> Among other things, this requires that all resolver/nameserver configs
> be configured with the same sortlist configs, that there is no local
> randomization or re-sorting of the address list,

I've had such a problem some time ago (addresses were re-sorted in numeric order); the suspect was libc or nss_lwres.

> that there are no negative consequences for the client or the client
> software to connect to the "wrong" address if the preferred one happens to
> be unavailable.

If there are negative consequences of something like that, you/we need load balancing, failover switching etc.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS resolution based on source network
Under certain limited circumstances, it might make more sense to put both/all addresses under the same name, and then use the "sortlist" mechanism to present those addresses in an order which is suitable for particular clients. Among other things, this requires that all resolver/nameserver configs be configured with the same sortlist configs, that there is no local randomization or re-sorting of the address list, and that there are no negative consequences for the client or the client software to connect to the "wrong" address if the preferred one happens to be unavailable.

"View"s are fine, but historically they're a fairly heavyweight solution for this class of requirement, because all relevant zones need to be defined multiply and this is difficult to maintain and consumes extra memory/CPU resources. The new (9.7.x?) "attach-cache" feature addresses the resource issue somewhat, but still doesn't obviate parallel/overlapping zone definitions and associated setup/maintenance.

With sortlisting, all your zone definitions stay the same, you just need to create the round-robin entries and define the appropriate address ranges in your "sortlist" and/or "acl"s clauses.

- Kevin

On 9/27/2010 9:00 AM, Thomas Elsgaard wrote:
> Hello
>
> Is it possible with BIND, to resolve the same name (like test.gl) to different IP's based on the source network of the request?
>
> Here is an example
>
> A machine in network 10.3.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.2
> A machine in network 10.5.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.5
>
> Thomas
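As an added illustration of the sortlist approach Kevin describes (this is not his configuration or anything from the BIND documentation), here is a named.conf fragment for the original poster's two client networks. Both addresses live under the single name test.gl in one zone file; sortlist only changes the order in which the two A records are returned, so the "backup" address Matus mentions is still present in every answer. The acl names, the directory and the zone file name are assumptions.

```conf
// Added example, not from the thread: order one name's addresses by client network.
// ACL names and file paths are illustrative.
acl "net-10-3" { 10.3.0.0/16; };
acl "net-10-5" { 10.5.0.0/16; };

options {
    directory "/var/named";

    // Each sortlist element is { <query-source match>; { <preferred order> }; }.
    // Addresses not listed in the second element are appended after the
    // listed ones, so every client still receives both A records.
    sortlist {
        { net-10-3; { 10.0.0.2; 10.0.0.5; }; };
        { net-10-5; { 10.0.0.5; 10.0.0.2; }; };
    };
};

// One zone definition serves all clients; the zone file simply carries
// two A records at the apex:
//     @  IN A 10.0.0.2
//     @  IN A 10.0.0.5
zone "test.gl" {
    type master;
    file "test.gl.zone";
};
```

Two things to check before relying on this: the sort is applied by the server that answers the query, so if clients reach this server through an intermediate recursive resolver the match is made against the resolver's address, not the client's (hence Kevin's remark that every resolver in the path needs the same sortlist); and a client-side stub resolver or libc may re-sort the list it receives, which is the behaviour Matus observed. Run `dig test.gl A` from a host in each network and compare the order of the two records in the answer section to confirm both the server-side ordering and that nothing in between reshuffles it.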
Re: DNS resolution based on source network
On Sep 27, 2010, at 9:00 AM, Thomas Elsgaard wrote:
> Hello
>
> Is it possible with BIND, to resolve the same name (like test.gl) to different IP's based on the source network of the request?
>
> Here is an example
>
> A machine in network 10.3.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.2
> A machine in network 10.5.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.5

Yup, one use of this is geolocation / GSLB / "stupid DNS tricks":
http://backreference.org/2010/02/01/geolocation-aware-dns-with-bind/
http://www.ip2location.com/ip2location-bind-dns.aspx
and a whole heap more...

W

> Thomas

-- 
Consider orang-utans. In all the worlds graced by their presence, it is suspected that they can talk but choose not to do so in case humans put them to work, possibly in the television industry. In fact they can talk. It's just that they talk in Orang-utan. Humans are only capable of listening in Bewilderment.
-- Terry Pratchett
Re: DNS resolution based on source network - SOLVED
> Yes, by using "view". I do it so all my internal machines are
> XXX.maplepark.com, using the private network addresses while the external
> world gets my public addresses. The internal machines are still able to get
> the external addresses by specifying the server address to be the external
> IP (via host or dig). Most don't need them though. It does require
> separate zone files though. I don't mind sharing my .conf file - just email
> me.
>
> Dave

Thanks everybody, "views" was the magic word, I will look into it..

Thomas
Re: DNS resolution based on source network
On Mon, 27 Sep 2010, Thomas Elsgaard wrote:
> Hello
>
> Is it possible with BIND, to resolve the same name (like test.gl) to different IP's based on the source network of the request?
>
> Here is an example
>
> A machine in network 10.3.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.2
> A machine in network 10.5.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.5
>
> Thomas

Yes, by using "view". I do it so all my internal machines are XXX.maplepark.com, using the private network addresses while the external world gets my public addresses. The internal machines are still able to get the external addresses by specifying the server address to be the external IP (via host or dig). Most don't need them though. It does require separate zone files though. I don't mind sharing my .conf file - just email me.

Dave
-- 
David Forrest e-mail d...@maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
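As an added example of the "view" approach Dave describes (this is not his .conf file), here is a named.conf fragment that answers the original poster's question literally: the same name test.gl resolves to 10.0.0.2 for 10.3.0.0/16 and to 10.0.0.5 for 10.5.0.0/16, with a separate zone file per view as Dave notes. The acl and view names, the file paths and the catch-all view's settings are assumptions.

```conf
// Added example, not from the thread: one name, different answers per client network.
// ACL names, view names and paths are illustrative.
acl "net-10-3" { 10.3.0.0/16; };
acl "net-10-5" { 10.5.0.0/16; };

// Once any view is declared, every zone statement must sit inside a view.
// Views are tried in order; the first whose match-clients matches answers.
view "net-10-3" {
    match-clients { net-10-3; };
    recursion yes;
    zone "test.gl" {
        type master;
        file "views/net-10-3/test.gl.zone";   // zone file: "@ IN A 10.0.0.2"
    };
};

view "net-10-5" {
    match-clients { net-10-5; };
    recursion yes;
    zone "test.gl" {
        type master;
        file "views/net-10-5/test.gl.zone";   // zone file: "@ IN A 10.0.0.5"
    };
};

// Catch-all for every other source address. Keep it last, keep it
// non-recursive, and do not let it hand out the zone by AXFR, so the
// per-network data above is not exposed to clients outside those networks.
view "other" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "test.gl" {
        type master;
        file "views/other/test.gl.zone";      // public address, or whatever outsiders should see
    };
};
```

To confirm the split, run `dig @<server> test.gl A` from a host in each of the two networks and from one outside both; each should return only its own view's record. This is also the point Kevin makes about cost: every zone the server carries has to appear in each view, and the three zone files here have to be kept in step by hand. Later BIND releases (9.10 and up) add an `in-view` zone option that lets one view reference a zone already defined in another, which reduces the duplication for zones that do not actually differ between views.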
RE: DNS resolution based on source network
Yes - It's called "views". There are many good examples of BIND Views on the internet and in the documentation.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Thomas Elsgaard
Sent: Monday, September 27, 2010 9:01 AM
To: bind-users@lists.isc.org
Subject: DNS resolution based on source network

Hello

Is it possible with BIND, to resolve the same name (like test.gl) to different IP's based on the source network of the request?

Here is an example

A machine in network 10.3.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.2
A machine in network 10.5.0.0/16 is contacting DNS to lookup "test.gl", DNS returns -> 10.0.0.5

Thomas