[Unbound-users] per-forwarder source address?
wouter at nlnetlabs.nl
Mon May 7 12:04:40 UTC 2012
On 05/02/2012 01:12 PM, Michael Tokarev wrote:
> 02.05.2012 13:12, Phil Mayers wrote: 
>> eth0 192.168.1.2/24
>> route 192.168.0.0/16 via eth0
>> eth1 192.0.2.1
>> route default via eth1
> No, this is not what I'm after. The example config has been in the
> first email what started this thread. Here it is again:
It looks useful, to you, for your complicated setup. This sort of setup
may not be common. It is pretty common in other areas (like zone
transfers for authority servers). It is possible to configure ip
route src things, but this may get very complicated. A code feature
is the alternative.
> Only one eth0, it is a dmz host. This eth0 has 3 addresses
> attached, two "external" - one for dns and one for something else,
> and one "internal", -- the address used by all internal networks to
> access this host.
> Default route points to the outside world, using first "external"
> IP address. But unbound should use _second_ "external" address
> when performing regular queries. So I had to set
> outgoing-interface parameter to be the second "external" address.
> But when accessing internal networks (for local auth nameservers),
> it must use the "internal" address.
> Actually we have quite a bit more complex setup, this is just a
> simplification of it. The key points are:
> 1) non-default outgoing-interface which I have to use, which sets
> outgoing address for _all_ queries, and 2) internal networks are
> inaccessible from that address.
From this description I would think it may be possible to add a line
to the route table for your internal networks? This line would
override the default route for that internal network prefix, and have
"ip route src=.." option set to prefer a particular source address,
and have the same settings as the default route otherwise. Do you
think this could work (and it is not policy based routing, I believe)?
> I can use a policy routing rule to change SOURCE address of packets
> going from this DMZ host from one of its "external" addresses to a
> certain list of internal hosts, port 53, but this is just ugly.
Yes, and then source modification sounds like an idea. But if there
is a lack of other people with similar problems, I would not think
this is a feature that should be included in unbound itself (but if
you do create some solution, the src/contrib/ directory could be a
good way to distribute that as an optional part).
> The main question which I tried to ask here, 3 times already, is --
> why do we have a global outgoing-interface when everything can be
> done using regular routing setup on the host? We either should
> drop this parameter, or implement it correctly to be per-forwarder,
> as $subject says.
> I'm willing to (try to) do the actual implementation, but asked if
> we should go the first, simple, route instead.
Best of luck,
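The trade-off the thread circles around (route `src` hints versus a global `outgoing-interface`), as an added example that is not part of the thread or of Unbound. It is a simplified model of Linux source-address selection: a socket explicitly bound to an address keeps that address whatever the routes say, while an unbound socket takes the preferred source (`src`) of the longest matching route. All addresses and the internal prefix are constructed placeholders.

```python
import ipaddress

# Constructed stand-ins for the three addresses on the DMZ host's eth0
# (hypothetical values, not from the thread).
EXT_DEFAULT = "192.0.2.1"   # external address used by the default route
EXT_DNS = "192.0.2.2"       # external address unbound should resolve from
INT_ADDR = "10.0.0.1"       # address the internal networks reach this host on

# Route table as (prefix, preferred source); longest prefix wins.
# The 10.0.0.0/8 line is the route-with-src that Wouter suggests adding.
ROUTES = [
    ("0.0.0.0/0", EXT_DEFAULT),
    ("10.0.0.0/8", INT_ADDR),
]


def route_source(dst):
    """Preferred source for dst from the longest matching route's src hint."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, src in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    return best[1]


def query_source(dst, outgoing_interface=None):
    """Source address a query to dst leaves with.

    Simplified Linux behaviour: a socket bound to outgoing-interface is
    already committed to that address, so the route's src hint is ignored;
    only an unbound socket picks up the route's preferred source.
    """
    if outgoing_interface is not None:
        return outgoing_interface
    return route_source(dst)


def plan(forwarders, outgoing_interface=None):
    """Map each forwarder to the source address queries to it would use."""
    return {f: query_source(f, outgoing_interface) for f in forwarders}
```

Run `plan()` once without and once with `outgoing_interface=EXT_DNS` to see the dilemma: routing alone reaches the internal servers but sends external queries from the default-route address, while the global `outgoing-interface` fixes the external address for every forwarder, internal ones included.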