[Unbound-users] unbound views
wouter at NLnetLabs.nl
Wed Aug 12 06:03:36 UTC 2009
Yeah with the patch from Zdenek, then in the python
module use TTL 0, and you can return a source specific IP address.
This is not optimal performance for that source-IP name,
but it is easy to operate... Perhaps this solves it?
On 08/11/2009 09:45 PM, Attila Nagy wrote:
> Why? (the brick into the hole)
> I've already written a custom DNS server (but didn't know about evldns,
> thanks), but the task here is to give different results depending on the
> *client's ip* on a *recursive nameserver*, which they use otherwise.
> I wouldn't reimplement unbound (a recursive nameserver) just to give
> back different IP for a single name from different source networks. And
> of course (if you have read what I wrote, it must be clear) I can't
> implement this feature in an authoritative NS, because there I've
> already lost the client's real IP.
> Ondřej Surý wrote:
>> Seems like you are trying to fit square brick into a round hole. Try
>> setting zero ttl when returnong response from python, so unbound
>> doesn't cache the result. Or try evldns framework which Ray has just
>> released to create custom dns server.
>>> Dne 118 2009, 9:11 PM "Attila Nagy" <bra at fsn.hu <mailto:bra at fsn.hu>>
>>> W.C.A. Wijngaards wrote: > > On 08/11/2009 11:17 AM, Attila Nagy
>>> wrote: > >> >> Zdenek Vasicek ...
>>> Hmm, yes, that's what I first thought of, but running Zdenek's sample
>>> python program (and the modified pythonmod, which makes the source IP
>>> accessible) it doesn't seem to be the case.
>>> At least, when I issue two queries from two, different machines I get
>>> different answers, as it should be.
>>> >> This is pretty much fine if you want to respond according to
>>> complex >> rules (which involves s...
>>> Not always. :)
>>> Think of a DNS load balancer, which actively monitors servers and
>>> give back only those, which work. And because this doesn't (usually,
>>> but can, for example source sticky load balancing) involve the
>>> client's IP, take for example a location based redirector.
>>> BTW, what I need this for is the following:
>>> I have a service name, which must be the same for all clients (it is
>>> hardwired in the device). The clients are spread out in the country
>>> and use a normal internet connection and the normal caching
>>> nameservers (in this case: unbound).
>>> The problem is that that hardwired name must resolve to an IP, which
>>> is close to the client. This is determined by the routers' assigned
>>> pools, so everything is simple in theory:
>>> 188.8.131.52/24 <http://184.108.40.206/24> should resolve abcd.name
>>> <http://abcd.name> to 192.168.0.1
>>> 220.127.116.11/24 <http://18.104.22.168/24> should resolve abcd.name
>>> <http://abcd.name> to 192.168.1.1
>>> ... and so on.
>>> There is no given pattern, everything can be on each sides. The
>>> networks are aggregated (and does not change often), so it's not a
>>> great hassle to list them in a static config file, that's what bind's
>>> views are good for. But we use unbound. :)
>>> So this is not quite internal/external (and not just two of them).
>>> Oh, and please, don't come with anycast routing, that's what I said
>>> to the group, which invented this, but there are other reasons, which
>>> makes that unsuitable for this purpose. :)
>>> > > I would guess this is about authority information? > Maybe,
>>> simply block access to the local-d...
>>> I hope I described it above to a level, which makes it clear.
>>> Unbound-users mailing list
>>> Unbound-users at unbound.net <mailto:Unbound-users at unbound.net>
More information about the Unbound-users