[Freeipa-users] non-authoritative tricks for DNS resolution

Sullivan, Daniel [AAA] dsullivan2 at bsd.uchicago.edu
Mon Jul 18 01:25:31 UTC 2016


Would a DNS view (bind) work?

http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm

Also, depending on what you are using for NAT, some devices will mangle the reply payload of A record lookups as they traverse NAT to avoid hairpinning (a packet going out and then back in the same interface as it traverses NAT).  This is known as DNS doctoring, at least in the world of Cisco.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Let me know if either of those will solve your problem.  If not, I might have a misunderstanding of what you are asking.

Dan

> On Jul 17, 2016, at 3:36 PM, Brendan Kearney <bpk678 at gmail.com> wrote:
> 
> i am looking to setup a VPN in order to access some resources, and want to point my clients at this resource via DNS.  the resource i am accessing is internet resolvable, but i am accessing it via the VPN, and using a NAT for the VPN (full 1-to-1 or static NAT).  i want to have a record in my DNS for this resource, using its proper name (which i am not authoritative for), but assign it the IP of my NAT.
> 
> say for example, host.domain-ext.tld is the resource i want to access, and it resolves externally to 1.2.3.4.  my VPN NAT would be 192.168.99.137.  i want internal resolution of DNS to point to 192.168.99.137 so the network routing takes my internal clients to the VPN and not out to the internet.
> 
> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns.  how do i set up the zone and record to accomplish this DNS trick?  i have talked with some DNS gurus and they indicate that i can do something with the "@" record.  it seems that the record i want would be its own zone, and the @ record would point to the name, and the SOA would be the NAT IP.  i could be wrong about the details, but something like this is how to set up resolution the way i want.
> 
> any pointers would be greatly appreciated.
> 
> thanks,
> 
> brendan
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
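Putting the two ideas from this thread together (the BIND view Dan suggests, and the one-name zone with an "@" record that Brendan describes): the following is an added example, not configuration posted by either of them. It creates a zone whose apex is the single name host.domain-ext.tld, serves it only to clients in an internal view, and leaves the external view untouched so outside queriers still get the real 1.2.3.4. The server name ns1.internal.example, the ACL ranges and the file paths are assumptions; the zone is file-backed here, and the equivalent LDAP-backed zone under bind-dyndb-ldap is not shown. Note that the NAT IP lives in the apex A record; the SOA names the internal server that owns the override, not an address.

```conf
// named.conf fragment (added example; adjust the ACL to the real internal ranges)
acl internal { 192.168.0.0/16; 10.0.0.0/8; 127.0.0.0/8; };

view "internal" {
    // Only internal clients are matched here, so the override never
    // leaks to the outside and recursion is only offered internally.
    match-clients { internal; };
    recursion yes;

    // Authoritative for exactly one name. Everything else under
    // domain-ext.tld is still resolved through the real authority.
    zone "host.domain-ext.tld" {
        type master;
        file "/var/named/internal/host.domain-ext.tld.zone";
    };

    zone "." {
        type hint;
        file "named.ca";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    // No override zone here: external clients see the public answer.
};

// /var/named/internal/host.domain-ext.tld.zone (added example)
// The "@" (apex) record is host.domain-ext.tld itself, pointing at the VPN NAT.
$TTL 300
@   IN SOA ns1.internal.example. hostmaster.internal.example. (
        2016071801 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; negative-cache TTL
@   IN NS  ns1.internal.example.
@   IN A   192.168.99.137
```

To check it, run "dig @<internal resolver> host.domain-ext.tld A" from an internal address and expect 192.168.99.137 with the AA flag set, then the same query from an external address and expect the public 1.2.3.4. Two caveats a practitioner should keep in mind: because the internal view is authoritative for the whole subtree below that name, a query for anything like sub.host.domain-ext.tld will get NXDOMAIN from this server rather than the public answer; and any DNSSEC-validating resolver sitting behind this server will reject the override as bogus, since the internal zone is not signed within the public chain of trust.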
