Maintained by: NLnet Labs

[Unbound-users] per-forwarder source address?

W.C.A. Wijngaards
Mon May 7 14:04:40 CEST 2012



Hi Michael,

On 05/02/2012 01:12 PM, Michael Tokarev wrote:
> 02.05.2012 13:12, Phil Mayers wrote: [...]
>> eth0 192.168.1.2/24
>> route 192.168.0.0/16 via eth0
>> eth1 192.0.2.1
>> route default via eth1
> 
> No, this is not what I'm after.  The example config has been in the
> first email what started this thread.  Here it is again:

It looks useful, to you, for your complicated setup.  This sort of
setup may not be common.  It is pretty common in other areas (like zone
transfers for authority servers).  It is possible to configure ip
route src things, but this may get very complicated.  A code feature
is the alternative.

> Only one eth0, it is a dmz host.  This eth0 has 3 addresses 
> attached, two "external" - one for dns and one for something else,
> and one "internal", -- the address used by all internal networks to
> access this host.
> 
> Default route points to the outside world, using first "external" 
> IP address.  But unbound should use _second_ "external" address 
> when performing regular queries.  So I had to set
> outgoing-interface parameter to be the second "external" address.
> But when accessing internal networks (for local auth nameservers),
> it must use the "internal" address.
> 
> Actually we've quite a bit more complex setup, this is just a 
> simplification of it.  The key points are:
> 
> 1) non-default outgoing-interface which I have to use, which sets
> outgoing address for _all_ queries, and 2) internal networks are
> inaccessible from that address.

From this description I would think it may be possible to add a line
to the route table for your internal networks?  This line would
override the default route for that internal network prefix, and have
"ip route src=.." option set to prefer a particular source address,
and have the same settings as the default route otherwise.  Do you
think this could work (and it is not policy based routing, I believe)?

> I can use a policy routing rule to change SOURCE address of packets
> going from this DMZ host from one of its "external" addresses to
> certain list of internal hosts, port 53, but this is just ugly.

Yes, and then source modification sounds like an idea.  But if there
is a lack of other people with similar problems, I would not think
this is a feature that should be included in unbound itself (but if
you do create some solution, the src/contrib/ directory could be a
good way to distribute that as an optional part).

> The main question which I tried to ask here, 3 times already, is --
> why we do have global outgoing-interface when everything can be
> done using regular routing setup on the host?  We either should
> drop this parameter, or implement it correctly to be per-forwarder,
> as $subject says.
> 
> I'm willing to (try to) do the actual implementation, but asked if
> we should go the first, simple, route instead.

Best of luck,
   Wouter
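An added example, not part of Wouter's message or of the Unbound project: a POSIX shell script that implements the route-table suggestion from the reply above, and goes one step further by also putting a `src` hint on the default route so that Unbound's global `outgoing-interface` can be left unset entirely. That extra step matters because the Linux kernel only honours a route's `src` when the sending socket is not bound to a specific local address; with `outgoing-interface` set, Unbound binds every upstream socket to that address and the routing hint is never consulted. All addresses, the interface name, the gateways and the internal prefix are placeholders chosen for this example; substitute the DMZ host's real values.

```shell
#!/bin/sh
# Added example, not code from the thread or from Unbound.
# Let the host routing table pick Unbound's source address per destination
# instead of pinning every query to one address with outgoing-interface.
#
# Placeholder values (assumptions, not from the original message):
#   EXT_DNS  second "external" address, used for queries to the Internet
#   INT_ADDR "internal" address, the one internal networks can reach
#   INT_NET  prefix that holds the local authoritative nameservers
#   GW       default gateway on the DMZ segment
#   INT_GW   gateway toward the internal networks
#   DEV      the single DMZ interface carrying all three addresses
EXT_DNS=192.0.2.53
INT_ADDR=192.168.1.2
INT_NET=10.0.0.0/8
GW=192.0.2.1
INT_GW=192.168.1.1
DEV=eth0

# Emit the two `ip route` commands.  `src` is only a hint: the kernel uses it
# when the socket is unbound, so unbound.conf must NOT contain
#   outgoing-interface: 192.0.2.53
# or the hint is ignored and every query leaves from that address.
route_cmds() {
    printf 'ip route replace default via %s dev %s src %s\n' "$GW" "$DEV" "$EXT_DNS"
    printf 'ip route replace %s via %s dev %s src %s\n' "$INT_NET" "$INT_GW" "$DEV" "$INT_ADDR"
}

# Pull the source address out of one line of `ip route get <dst>` output,
# e.g. "10.0.0.53 via 192.168.1.1 dev eth0 src 192.168.1.2 uid 0".
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Ask the live routing table which source address would be used toward $1.
live_src() {
    route_src "$(ip route get "$1" 2>/dev/null | head -n 1)"
}

case "${1:-show}" in
    show)  route_cmds ;;                       # print, change nothing
    apply) route_cmds | sh -e ;;               # install routes (needs root)
    check) live_src "$2" ;;                    # e.g. check 10.0.0.53
    *)     echo "usage: $0 [show|apply|check <dst>]" >&2; exit 2 ;;
esac
```

Run it with no arguments to print the commands, with `apply` (as root) to install them, and with `check <dst>` to see which source address the kernel picks for a destination; checking one internal nameserver and one Internet address should show the internal and the second external address respectively. This stays within ordinary destination routing, so no policy-routing rules or SNAT are involved.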