Is conditional forwarding possible?

Petr Menšík pemensik at redhat.com
Thu Jun 8 12:01:59 UTC 2023


Is there any trick possible to make unbound forward to different hosts 
based on incoming query address?

I have been thinking about how to use unbound to provide a DNS over TLS 
layer for our BIND authoritative server, which is integrated with an LDAP 
multimaster server by the freeipa package. My problem is that our BIND9 
version does not support DoT query forwarding even on Fedora, let alone 
on RHEL. So I thought unbound could provide encrypted connectivity from 
LAN clients to the server and also an encrypted upstream forwarder.

Something like:

[clients] ==== [unbound] ======= [DoT upstream]
                |     ^
                v     |
                [bind]

The problem with this idea is that unbound does not know the list of 
domains served by bind. Even bind does not have it configured statically, 
but via the LDAP backend of the bind-dyndb-ldap plugin at start, and it 
can possibly change during runtime.

So I thought I could just let all queries from clients be forwarded to 
bind. And if it were not a query bind handles, it would forward that 
back. If the query came from bind, I would forward it to the upstream 
server directly.

But it seems only local authoritative data can be in different views. 
Does there exist some trick or configuration which would allow sharing a 
common cache, but forwarding requests from normal clients to an 
alternative local daemon, and only forwarding further if it was that 
daemon asking?

I know I could use unbound#1 in the front and unbound#2 as an upstream 
forwarder only, but that makes this already complicated enough, and it 
would double the caching done by the unbound instances. It would be 
possible with views in bind, but it seems views in unbound are limited to 
local-zone only.

Would you have a better tip how to solve such configuration?

Best Regards,
Petr

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

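The two-instance fallback the post mentions (unbound#1 in front of the FreeIPA-managed BIND, unbound#2 behind it as the DoT forwarder), written out as an added configuration example. This is not part of the original post and not configuration shipped by the unbound, BIND or FreeIPA projects; the LAN prefix 192.0.2.0/24, the loopback ports 5354 (BIND) and 5355 (unbound#2), the certificate and CA bundle paths, and the upstream 192.0.2.53 / dot.example.net are placeholders chosen for illustration.

```conf
# ---- /etc/unbound/front.conf : unbound#1, the instance LAN clients talk to ----
# (added example; addresses, ports and paths are assumptions)
server:
    interface: 0.0.0.0          # plain DNS on port 53 for legacy clients
    interface: 0.0.0.0@853      # DNS over TLS listener
    tls-port: 853
    tls-service-key: /etc/unbound/front.key
    tls-service-pem: /etc/unbound/front.pem
    access-control: 192.0.2.0/24 allow   # the LAN (placeholder prefix)
    # unbound refuses to forward to 127.0.0.0/8 unless this is set;
    # without it the forward below silently yields SERVFAIL
    do-not-query-localhost: no

# Everything goes to BIND. unbound#1 does not need to know which zones
# bind-dyndb-ldap loads from LDAP, since BIND answers authoritatively for
# those and forwards the rest to unbound#2 itself.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5354      # BIND listening on an assumed port

# ---- /etc/unbound/upstream.conf : unbound#2, reached only by BIND ----
server:
    interface: 127.0.0.1@5355
    access-control: 127.0.0.0/8 allow # nothing but the local BIND may ask
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to verify the upstream's certificate against the
    # name given after '#' in forward-addr below (path is an assumption)
    tls-cert-bundle: /etc/pki/tls/certs/ca-bundle.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.example.net   # placeholder DoT upstream
```

BIND then needs, in its options, `forwarders { 127.0.0.1 port 5355; }; forward only;` and a `listen-on port 5354 { 127.0.0.1; };` that matches the port unbound#1 forwards to (where FreeIPA lets you place such overrides in its managed named.conf is deployment specific and not covered here). Loops are avoided because BIND forwards to unbound#2, never back to unbound#1. The downside the post points out remains: unbound#1 and unbound#2 each keep their own cache, so a record fetched from the DoT upstream is cached twice (three times counting BIND).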