faqts : Computers : Internet : Domain Names : djbdns

How do I make my dnscache act as a forwarding proxy server?
How do I implement split horizon DNS using djbdns?

Jun 12th, 2004 01:26
Jonathan de Boyne Pollard, Brian Coogan
http://cr.yp.to/djbdns/faq/cache.html#forwardonly
http://cr.yp.to/djbdns/tinydns-data.html#differentiation
http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html


Normally, dnscache acts as a resolving proxy server. That is, it uses the root servers listed in servers/@ (or information already cached from them) to locate the appropriate DNS content servers and obtains IP addresses by contacting those servers itself.

However, dnscache will instead act as a forwarding proxy server if the environment variable ${FORWARDONLY} is set when it starts up. With ${FORWARDONLY} set, dnscache forwards every query to a specified list of servers (typically themselves running dnscache), which do the actual recursive resolution and return the result. This list of server IP addresses goes in the servers/@ file, completely replacing the root server IP addresses normally kept there.

The really nice thing here is that even in FORWARDONLY mode, dnscache still honours the domain-specific DNS servers set (as usual) in the servers directory. That makes it very easy to have dnscache query internal servers for names in internal domains and forward everything else onwards. This makes split-horizon DNS terribly easy!

For instance, if your company domain were example.com and you were running dnscache with FORWARDONLY, you would create a file called servers/example.com containing the IP address of your internal DNS content server (usually tinydns, often running on the same host on a loopback address such as 127.0.0.2). Requests for names in example.com that are not already cached would be fetched from the example.com tinydns, and all other requests would be forwarded, usually to an instance of dnscache running on an externally visible machine such as a firewall.

To set the FORWARDONLY environment variable for dnscache:

    echo 1 > /service/dnscache/env/FORWARDONLY

You would also need to put your forwarding resolver IP address(es) in servers/@ and create a servers file for each local domain, both forward (example.com) and reverse (10.in-addr.arpa).
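The layout just described, as an added example (not from the FAQ or from djbdns itself): a script that writes servers/@, one servers/<zone> file per internal zone and env/FORWARDONLY under a dnscache service directory, plus a helper that mimics dnscache's longest-suffix lookup so you can check which file a given name would hit. The service directory, the 192.0.2.x forwarder addresses and the zone names are constructed assumptions; the script dry-runs into a scratch directory rather than /service/dnscache.

```shell
#!/bin/sh
# Added example: build a split-horizon dnscache configuration and show
# which servers/ file dnscache would consult for a name. ROOT is a dnscache
# service directory (normally /service/dnscache); IPs and zones are made up.

# configure_split_horizon ROOT "FWD_IP ..." INTERNAL_IP ZONE...
configure_split_horizon() {
    root=$1; forwarders=$2; internal=$3
    shift 3
    mkdir -p "$root/root/servers" "$root/env"
    # servers/@ replaces the root hints entirely: any query not matched
    # by a more specific servers/<zone> file goes to these resolvers.
    printf '%s\n' $forwarders > "$root/root/servers/@"
    # One file per internal zone (forward and reverse) naming the internal
    # tinydns, so internal names are never sent to the external forwarder.
    for zone in "$@"; do
        printf '%s\n' "$internal" > "$root/root/servers/$zone"
    done
    # dnscache only reads FORWARDONLY at startup: after editing a live
    # service, restart it (svc -t "$root") for the change to take effect.
    echo 1 > "$root/env/FORWARDONLY"
}

# which_servers ROOT NAME: print the servers/ file dnscache would consult
# for NAME, i.e. the longest suffix of NAME that has a file, else "@".
which_servers() {
    root=$1; name=$2
    while :; do
        if [ -s "$root/root/servers/$name" ]; then
            echo "$name"; return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;
            *)   echo '@'; return 0 ;;
        esac
    done
}

# Dry run into a scratch directory rather than a real service directory.
scratch=$(mktemp -d)
configure_split_horizon "$scratch" "192.0.2.53 192.0.2.54" 127.0.0.2 \
    example.com 10.in-addr.arpa
for n in www.example.com 4.3.2.10.in-addr.arpa www.example.org; do
    echo "$n -> servers/$(which_servers "$scratch" "$n")"
done
rm -rf "$scratch"
```

Any name that resolves to servers/@ here is one that will leave the network for the external forwarder, so run which_servers over your internal hostnames before switching the live service to FORWARDONLY.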
DJB's FAQ entry is listed above, but note that it does not mention the possibility of setting up forwarding for specific internal domains.

Another technique that helps with some types of split-horizon setup is that tinydns can return different data depending on the location of the client. See the tinydns-data documentation (URL given above) for details.

Jonathan de Boyne Pollard's page, which describes split-horizon techniques in djbdns, BIND, Microsoft's DNS server and others, is also listed above.