Re: Host-level forwarding override - DNS

Thread: Re: Host-level forwarding override

  1. Re: Host-level forwarding override

    Jan Ceuleers wrote:
    > First of all, I apologise if this is a FAQ. I have googled,
    > google-grouped and read the ISC BIND FAQ before coming here.
    >
    > I work for a company (let's say that it's called foo) and have a
    > foo-issued and managed laptop. What I'd like to be able to do is connect
    > this laptop either directly to the company network, or to the internet,
    > or to the company VPN, without changing its configuration. (Note that
    > none of this is contrary to company policy).
    >
    > The specific problem that I have is that both the browser's proxy
    > servers and the VPN servers are in zone foo.tld. However, since the
    > proxy servers are on the intranet they are not resolvable from the Internet.
    >
    > I had begun tackling this problem by creating a master zone on my home
    > DNS server for foo.tld, containing only the proxy servers (and in fact
    > with the same IP addresses as on the intranet; I simply configured my
    > firewall to reroute traffic to my own proxy server). The problem is that
    > with this setup my DNS server authoritatively states that the VPN
    > servers (or any other addresses in foo.tld) don't exist.
    >
    > I cannot request a zone transfer and simply edit that, because (1) zone
    > transfers are not allowed by the foo.tld name servers, and (2) I don't
    > want to have to keep doing this for ever more.
    >
    > My question therefore: Can I cause bind to first consult a local zone
    > file for a domain, and if a query cannot be resolved by doing that
    > forward the query to another name server?
    >

    No, there is no "failover forwarding" in BIND. Maybe some other DNS
    implementation supports this.

    Why don't you just reconfigure your browser to access your proxy
    directly, *without* using the foo.tld name? Seems to me your proxy could
    then be smart enough to route things appropriately, according to what
    network connectivity you happen to have at any particular point in time.


    - Kevin
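As an added example (not code from this thread and not part of BIND): the two behaviours under discussion side by side, in a small pure-Python UDP DNS shim. With `authoritative_zone="foo.tld."` it reproduces Jan's local master zone, which answers NXDOMAIN for every foo.tld name it does not know; with that argument left unset it does the "consult a local table first, otherwise forward" that Kevin says BIND cannot do. The names proxy1.foo.tld and proxy2.foo.tld come from the thread; the 10.0.0.x addresses, the 192.0.2.53 upstream and port 5353 are placeholders made up for the example.

```python
import socket
import struct

QTYPE_A = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3

# Constructed override table: proxy names from the thread, addresses invented
# here (the page never gives the real intranet addresses).
OVERRIDES = {
    "proxy1.foo.tld.": "10.0.0.11",
    "proxy2.foo.tld.": "10.0.0.12",
}


def encode_name(name):
    """Dotted name -> DNS label wire format (length-prefixed labels, 0 end)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, next_off)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                next_off = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (next_off if jumped else off)


def build_query(name, qtype=QTYPE_A, qid=0x1234):
    """Standard recursive query (RD set) for NAME."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, answers, authoritative):
    """Answer QUERY with RCODE plus one A record per IPv4 string in ANSWERS."""
    qid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    _, qend = decode_name(query, 12)
    qend += 4                                        # qtype + qclass
    flags = 0x8000 | (flags & 0x0100) | 0x0080 | rcode  # QR, RD, RA, rcode
    if authoritative:
        flags |= 0x0400                              # AA bit
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    rrs = b""
    for ip in answers:
        # 0xC00C = pointer to the question name at offset 12; TTL 60s
        rrs += struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + rrs


def handle_query(query, overrides, forward, authoritative_zone=None):
    """Local override first; then NXDOMAIN (zone mode) or FORWARD (failover mode)."""
    qname, off = decode_name(query, 12)
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    if qname in overrides and qtype == QTYPE_A:
        return build_response(query, RCODE_NOERROR, [overrides[qname]], True)
    if authoritative_zone and qname.endswith(authoritative_zone):
        # Jan's master-zone setup: we claim the whole zone, so unknown names
        # are authoritatively denied and never reach the real foo.tld servers.
        return build_response(query, RCODE_NXDOMAIN, [], True)
    return forward(query)


def rcode(resp):
    return struct.unpack("!H", resp[2:4])[0] & 0x000F


def first_a_record(resp):
    """IPv4 string of the first A record in RESP, or None."""
    if struct.unpack("!H", resp[6:8])[0] == 0:
        return None
    _, off = decode_name(resp, 12)
    _, off = decode_name(resp, off + 4)              # skip qtype/qclass, RR name
    rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return socket.inet_ntoa(resp[off + 10:off + 14])


def udp_forwarder(upstream=("192.0.2.53", 53)):
    """Send the raw query to UPSTREAM (placeholder address) and return its reply."""
    def forward(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3.0)
            s.sendto(query, upstream)
            return s.recv(4096)
    return forward


if __name__ == "__main__":
    # Failover mode on loopback; try: dig @127.0.0.1 -p 5353 proxy1.foo.tld
    forward = udp_forwarder()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 5353))
        while True:
            data, peer = sock.recvfrom(512)
            sock.sendto(handle_query(data, OVERRIDES, forward), peer)
```

Two caveats a practitioner would want before running something like this at home. First, a resolver that rewrites names in a zone it does not own is, mechanically, a DNS hijack; keep it bound to loopback or the LAN and keep the override list as short as the two proxy names. Second, the shim handles only A queries over UDP with no truncation or TCP fallback, so anything else (AAAA, MX, large answers) must be passed straight through to the forwarder as written here.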




  2. Re: Host-level forwarding override

    Kevin Darcy wrote:
    > Why don't you just reconfigure your browser to access your proxy
    > directly, *without* using the foo.tld name? Seems to me your proxy could
    > then be smart enough to route things appropriately, according to what
    > network connectivity you happen to have at any particular point in time.


    Kevin,

    Thanks. I don't quite understand what you are saying though. I *must*
    use the proxy servers (e.g. named proxy1.foo.tld and proxy2.foo.tld)
    when the laptop is connected directly to the company network (i.e. when
    I'm at work).

    What I'm trying to do is create an environment at home where this also
    works (1) without having to change the configuration of the laptop at
    all, and (2) without losing the ability to connect to other hosts in
    foo.tld which are visible from the Internet, and (3) without creating a
    maintenance nightmare.

    I know of various solutions to my problem, but none that meet all three
    conditions above. Hence my question.

    Cheers, Jan