bind9 resolve ip.example.com to ip

1

the company has changed to Zscaler private access, and now connections for an IP are no longer working.

What is working is a hostname, as it gets translated to 100.64.x.y and then routed to the drop off in the datacenter.

My question now: is there a way to tell bind to resolve something like 10.1.1.1.ip.domain.com to 10.1.1.1 without adding 16M records? Something like "* IN A *" is not working.

Thanks

docc

Posted 2019-01-17T17:21:41.593

Reputation: 11

Answers

0

I've not played with this, and I don't believe Bind is the correct tool for the job.

I would be very surprised if this can be done using a typical Bind configuration file, but I expect using a DLZ (dynamically linked module) this could be done - probably using an SQL query. That said, I would think running a dns system with native sql support might work better (ProDNS?)

That said, it does not make sense to me that IP connections no longer work, and you may want to explore and fix this underlying issue. (I can't see how something external to your computers can intercept the stack and break connecting to an IP, while allowing a lookup to that IP to then resolve and connect to that IP can work.)

davidgo

Posted 2019-01-17T17:21:41.593

Reputation: 49 152

To give you an idea how and why it is broken: – docc – 2019-01-17T19:37:20.437

Did you mean to add a link in there? – davidgo – 2019-01-17T19:42:06.020

To give you an idea how and why it is broken: I am working remotely, and have a local Zscaler application on the laptop, which is basically a kind of VPN, allowing access to internal resources. If you resolve a hostname like host.internaldomain.com, internally let's say 10.1.1.1, it is translated to something like 100.64.x.y, and the Zscaler client then transfers that request across the app to the internal dropoff in the datacenter. Some kind of NAT, so to say. Any direct connection attempt based on IP is not handled by the local client. Some of the company services are only known by IP. – docc – 2019-01-17T19:48:54.900

Surely then you only need to add those company services to DNS? – davidgo – 2019-01-17T19:53:38.690

Sure, that is the best solution. But you hit barriers in NetOps, taking the output of any command like "show standby", lldp or alike, which only outputs IPs, and you want to log in to it. Sure, you can use a socks proxy. – docc – 2019-01-17T20:13:16.990

I have solved it now: created a bind zone file with the 16M entries for the 10/8 subnet. for i in {0..255}; do for j in {0..255}; do for k in {0..255}; do echo -e "10.$i.$j.$k\tIN\tA\t10.$i.$j.$k"; done ; done; done > db.zone. Bind is not able to handle the 5GB zone file, so I changed the setup to powerdns with mysql backend, and imported the zone file. Avg response time on 4GB RAM server: ~30ms. – docc – 2019-01-18T12:14:05.213
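What the question asks for, and what the 16M-line zone file in the last comment materializes, amounts to computing the A record from the query name itself. The following is an added example, not code from anyone in this thread: a Python function that performs that synthesis for names under ip.domain.com (the zone name from the question), refusing malformed octet labels and any address outside 10/8 so the zone cannot be made to answer with arbitrary addresses; the 10/8 restriction and the 300 s TTL are assumptions, and the function is the kind of logic a DLZ or database-backed resolver backend would run per query.

```python
import ipaddress
import re
from typing import Optional

# Zone the synthetic names live under (taken from the question).
ZONE = "ip.domain.com"
# Assumption: only synthesize answers inside the 10/8 range discussed in the thread.
# Anything else gets NXDOMAIN, so the zone cannot be used to hand out arbitrary IPs.
ALLOWED = ipaddress.ip_network("10.0.0.0/8")

# A label must be a plain decimal octet with no leading zeros: "10", not "010".
_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def synthesize_a(qname: str) -> Optional[str]:
    """Return the A record data for qname, or None when the name must get NXDOMAIN."""
    name = qname.rstrip(".").lower()          # DNS names are case-insensitive
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None                           # not our zone
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(_OCTET.match(lbl) for lbl in labels):
        return None                           # wrong label count or non-numeric label
    try:
        addr = ipaddress.IPv4Address(".".join(labels))  # rejects octets above 255
    except ipaddress.AddressValueError:
        return None
    if addr not in ALLOWED:
        return None                           # outside the permitted range
    return str(addr)


def zone_record(qname: str, ttl: int = 300) -> Optional[str]:
    """Render the synthesized answer as one zone-file line, i.e. what the 16M-line file held."""
    addr = synthesize_a(qname)
    if addr is None:
        return None
    return f"{qname.rstrip('.')}.\t{ttl}\tIN\tA\t{addr}"


if __name__ == "__main__":
    # Constructed sample queries: one valid, one with an octet > 255, one outside 10/8,
    # one with too few labels.
    for q in ["10.1.1.1.ip.domain.com.", "10.1.1.256.ip.domain.com",
              "8.8.8.8.ip.domain.com", "1.1.ip.domain.com"]:
        print(q, "->", synthesize_a(q))
```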