On Thu 28/11/2019 16:16, Otto Moerbeek wrote:
> On Thu, Nov 28, 2019 at 03:26:34PM +0100, Otto Moerbeek wrote:
>
> > Hi,
> >
> > In many offices, split horizon DNS is used. This means that if you are
> > in the office you are supposed to use a specific resolver that will
> > hand out different results than when asking for the same name on the
> > rest of the internet.
> >
> > Until now unwind could not really handle that, e.g. in recursing mode,
> > it would produce the view as from outside of the office.
> >
> > With this diff, it becomes possible to force using a specific resolver
> > when resolving names in specific domains.
> >
> > For example, with this unwind.conf:
> >
> > # Office forwarder
> > forwarder 1.2.3.4
> > force forwarder {
> >     myoffice.com
> >     dmz.colocation.com
> > }
> >
> > This will make unwind always use the mentioned forwarder for anything
> > under office.com or dmz.colocation.com. If the forwarder is dead,
> > regular resolving is done for these names and www.office.com will
> > likely return the external address.
> >
> > Often split-horizon DNS breaks DNSSEC for these specific domains. If
> > that is the case, you can use
> >
> > force acceptbogus forwarder {
> >     ...
> > }
> >
> > please test this,
> >
> > -Otto
> >
> > OAIndex: frontend.c
>
> Don't know where that OA is coming from. But it confuses patch, making
> it skip first part of the diff. Proper diff below:

@Home I'm redirecting all DNS requests to a machine with unbound serving a
couple of local-zones. unwind didn't work for me as these local-zones would
not resolve because of DNSSEC. With your diff, and the config below unwind
works perfect.

forwarder 10.0.0.1
force acceptbogus forwarder {
    lan
}

I experienced no regression while using the free wifi service of the Dutch
railways, which is known to do strange things with DNS.
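
As an added illustration that is not part of the thread or of the unwind diff: a small Python model of the forced-forwarder behaviour described in the first mail. The names `parse_force_block`, `is_under` and `choose` are hypothetical; matching on DNS label boundaries and applying `acceptbogus` only while the forwarder is in use are assumptions, not taken from the diff.

```python
import re

# Constructed sample in the syntax proposed in the mail (not unwind's parser).
SAMPLE_CONF = """
# Office forwarder
forwarder 1.2.3.4
force acceptbogus forwarder {
    myoffice.com
    dmz.colocation.com
}
"""

def parse_force_block(conf):
    """Return (forwarders, forced_domains, accept_bogus) from config text."""
    text = re.sub(r"#.*", "", conf)  # strip comments
    forwarders = re.findall(r"^\s*forwarder\s+(\S+)\s*$", text, re.M)
    m = re.search(r"force\s+(acceptbogus\s+)?forwarder\s*\{([^}]*)\}", text)
    if not m:
        return forwarders, [], False
    domains = [d.lower().rstrip(".") for d in m.group(2).split()]
    return forwarders, domains, bool(m.group(1))

def is_under(name, domain):
    """True for the domain itself or any name beneath it, compared label by
    label so that 'notmyoffice.com' does not match 'myoffice.com'."""
    n = name.lower().rstrip(".").split(".")
    d = domain.split(".")
    return len(n) >= len(d) and n[-len(d):] == d

def choose(name, conf, forwarder_alive=True):
    """Return (strategy, accept_bogus) for a query name."""
    forwarders, domains, bogus = parse_force_block(conf)
    forced = any(is_under(name, d) for d in domains)
    if forced and forwarders and forwarder_alive:
        return "forwarder", bogus
    # Not forced, or the forwarder is dead: regular resolving, as the mail
    # describes. Assumption: acceptbogus does not carry over to this path.
    return "regular", False

if __name__ == "__main__":
    for q in ("www.myoffice.com", "notmyoffice.com", "example.org"):
        print(q, choose(q, SAMPLE_CONF), choose(q, SAMPLE_CONF, False))
```

The dead-forwarder branch is the one worth monitoring in practice: forced names then go through regular resolving, so internal hostnames are sent to outside resolvers and may come back with the external address.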