[Unbound-users] per-forwarder source address?

Michael Tokarev mjt at tls.msk.ru
Wed May 2 11:12:46 UTC 2012


02.05.2012 13:12, Phil Mayers wrote:
[]
> eth0 192.168.1.2/24
> route 192.168.0.0/16 via eth0
> eth1 192.0.2.1
> route default via eth1

No, this is not what I'm after.  The example config was in
the first email that started this thread.  Here it is again:

Only one eth0; it is a DMZ host.  This eth0 has 3 addresses
attached: two "external" (one for DNS and one for something
else) and one "internal", the address used by all internal
networks to access this host.

The default route points to the outside world, using the first "external"
IP address.  But unbound should use the _second_ "external" address
when performing regular queries.  So I had to set the outgoing-interface
parameter to the second "external" address.  But when accessing
internal networks (for local auth nameservers), it must use the
"internal" address.

Actually we have quite a bit more complex setup; this is just a
simplification of it.  The key points are:

 1) non-default outgoing-interface which I have to use, which
    sets outgoing address for _all_ queries, and
 2) internal networks are inaccessible from that address.

I can use a policy routing rule to change the SOURCE address of
packets going from this DMZ host from one of its "external"
addresses to a certain list of internal hosts, port 53, but
this is just ugly.

The main question which I tried to ask here, 3 times already,
is: why do we have a global outgoing-interface when everything
can be done using the regular routing setup on the host?  We either
should drop this parameter, or implement it correctly to be
per-forwarder, as $subject says.

I'm willing to (try to) do the actual implementation, but asked
if we should go the first, simple, route instead.

Thanks,

/mjt
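The setup described in the message above, written out as an added example that is not part of the original thread or of Unbound's own documentation. It is a dry-run generator: it emits the unbound.conf fragment with the single global outgoing-interface (the limitation the poster is complaining about) and the iptables SNAT rules that implement the "ugly" policy-routing workaround for queries to the internal nameservers. All addresses, the zone name, the nameserver list and the output path are assumptions chosen for illustration; nothing is applied unless APPLY=yes is set.

```shell
#!/bin/sh
# Added example, not from the original thread. All addresses, zone names and
# paths below are assumptions chosen for illustration:
#   198.51.100.10  "external" address the default route uses
#   198.51.100.11  "external" address unbound must use for Internet queries
#   192.168.250.1  "internal" address reachable from the internal networks
#   192.168.0.0/16 internal networks; auth servers at 192.168.1.53, 192.168.2.53
set -e

EXT_DEFAULT=198.51.100.10
EXT_DNS=198.51.100.11
INT_ADDR=192.168.250.1
INT_NETS=192.168.0.0/16
INT_NS="192.168.1.53 192.168.2.53"
INT_ZONE=corp.example.
OUT=${OUT:-/etc/unbound/unbound.conf.d/split-source.conf}   # assumed path

# unbound.conf fragment. outgoing-interface is global: it fixes the source
# address for EVERY query, including the ones sent to the internal stub
# servers, which is exactly the problem raised in the thread.
unbound_conf() {
    cat <<EOF
server:
    interface: $EXT_DNS
    interface: $INT_ADDR
    access-control: $INT_NETS allow
    # Source address for ALL outgoing queries; there is no per-zone knob.
    outgoing-interface: $EXT_DNS

stub-zone:
    name: "$INT_ZONE"
EOF
    for ns in $INT_NS; do
        echo "    stub-addr: $ns"
    done
}

# The workaround: rewrite the source address of DNS packets leaving for the
# internal nameservers from the external DNS address to the internal one.
# A plain 'ip route ... src' preferred-source hint does not help here, because
# unbound has already bound the socket to $EXT_DNS; only NAT after routing
# changes the address actually put on the wire. Conntrack un-NATs the replies.
# The rules are deliberately narrow (exact source, exact destination, port 53)
# so no other traffic from the DMZ host gets rewritten.
snat_rules() {
    for ns in $INT_NS; do
        for proto in udp tcp; do
            echo "iptables -t nat -A POSTROUTING -s $EXT_DNS -d $ns -p $proto --dport 53 -j SNAT --to-source $INT_ADDR"
        done
    done
}

# Sanity check: every internal nameserver gets a rule for both UDP and TCP.
rules_cover_all_ns() {
    rules=$(snat_rules)
    for ns in $INT_NS; do
        echo "$rules" | grep -q -- "-d $ns -p udp --dport 53" || return 1
        echo "$rules" | grep -q -- "-d $ns -p tcp --dport 53" || return 1
    done
    return 0
}

if [ "${APPLY:-no}" = "yes" ]; then
    rules_cover_all_ns
    unbound_conf > "$OUT"
    snat_rules | sh
else
    unbound_conf
    echo
    snat_rules
fi
```

Run it without APPLY to review what would be installed; with APPLY=yes it writes the fragment and executes the iptables commands. The TCP rules matter as much as the UDP ones, since truncated answers from the internal auth servers fall back to TCP and would otherwise leave with the wrong source address.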
