On Thu 28/11/2019 16:16, Otto Moerbeek wrote:
> On Thu, Nov 28, 2019 at 03:26:34PM +0100, Otto Moerbeek wrote:
> 
> > Hi,
> > 
> > In many offices, split horizon DNS is used. This means that if you are
> > in the office you are supposed to use a specific resolver that will
> > hand out different results than when asking for the same name on the
> > rest of the internet.
> > 
> > Until now unwind could not really handle that, e.g. in recursing mode,
> > it would produce the view as from outside of the office. 
> > 
> > With this diff, it becomes possible to force using a specific resolver
> > when resolving names in specific domains.
> > 
> > For example, with this unwind.conf:
> > 
> > # Office forwarder
> > forwarder 1.2.3.4 
> > force forwarder {
> >     myoffice.com
> >     dmz.colocation.com
> > }
> > 
> > This will make unwind always use the mentioned forwarder for anything
> > under office.com or dmz.colocation.com. If the forwarder is dead,
> > regular resolving is done for these names and www.office.com will
> > likely return the external address.
> > 
> > Often split-horizon DNS breaks DNSSEC for these specific domains. If
> > that is the case, you can use
> > 
> > force acceptbogus forwarder { 
> >     ... 
> > }
> > 
> > please test this,
> > 
> >     -Otto
> > 
> > OAIndex: frontend.c
> 
> Don't know where that OA is coming from.  But it confuses patch, making
> it skip first part of the diff. Proper diff below:

@Home I'm redirecting all DNS requests to a machine with unbound serving
a couple of local-zones. unwind didn't work for me as these local-zones
would not resolve because of DNSSEC. With your diff, and the config
below unwind works perfectly.

forwarder 10.0.0.1
force acceptbogus forwarder {
        lan
}

I experienced no regression while using the free wifi service of the
Dutch railways, which is known to do strange things with DNS.
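
Added example, not part of the thread or of the unwind diff: a small Python model of the name matching and fallback described in the messages above, useful for reasoning about which queries would get the external view or skip DNSSEC validation. It parses only the two `force` forms quoted in the thread; the function names, the whole-label matching rule and the choice not to apply acceptbogus on fallback are assumptions.

```python
import re

# Constructed sample in the syntax quoted in the thread (not the full unwind.conf grammar).
SAMPLE_CONF = """\
# Office forwarder
forwarder 1.2.3.4
force forwarder {
    myoffice.com
    dmz.colocation.com
}
force acceptbogus forwarder {
    lan
}
"""

def parse_force_blocks(text):
    """Return {domain: accept_bogus} for every name listed in a force block."""
    text = re.sub(r"#.*", "", text)  # drop comments
    forced = {}
    pattern = r"force\s+(acceptbogus\s+)?forwarder\s*\{([^}]*)\}"
    for bogus, body in re.findall(pattern, text):
        for name in body.split():
            forced[name.lower().rstrip(".")] = bool(bogus)
    return forced

def match_forced(qname, forced):
    """Longest forced domain equal to qname or a parent of it, else None.
    Assumption: matching is on whole labels, so notmyoffice.com is not
    treated as being under myoffice.com."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in forced:
            return candidate
    return None

def plan(qname, forced, forwarder_alive=True):
    """Model of the described behaviour: returns (resolver, accept_bogus)."""
    domain = match_forced(qname, forced)
    if domain is None or not forwarder_alive:
        # Regular resolving; for a split-horizon name this is the external view.
        # Assumption: acceptbogus only applies when the forced forwarder answers.
        return ("regular", False)
    return ("forwarder", forced[domain])
```

The fallback row is the one to watch when auditing a config: a dead forwarder silently changes which view a forced name resolves to.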
