On Wed, 20 Jun 2012, Simo Sorce wrote:
There are at least 2 situations where it is needed, and they are common or will be common enough. The 2 use cases for which a properly configurable and dynamically changeable caching DNS name server would be really useful are:
- DNSSEC verification
- Clients using VPNs into private networks.
This already works out of the box using unbound, dnssec-trigger and openswan. I use it every day to connect to the red hat vpn, even if I'm at a hotspot place.
A good name caching server would forward all .redhat.com DNS requests to the DNS addresses provided by the VPN connection, all my .home addresses to my local DNS server (provided by dhcp) and perhaps all other addresses to a configurable 'default DNS server'.
openswan does this based on the XAUTH information received. It receives the domain (redhat.com) and the name server IPs, and reconfigures unbound on the fly to forward those. When the tunnel is brought down, the DNS records are flushed so the external view becomes visible again. Please give it a shot, or ping me if you want to check your configuration. But it should be out of the box (apart from the openswan ipsec.conf)

Paul

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
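The tunnel-up / tunnel-down behaviour Paul describes, written out as an added example. This is not openswan's own updown script and is not code from the thread; it assumes a locally running unbound with remote control enabled and uses the real `unbound-control forward_add`, `forward_remove` and `flush_zone` subcommands. The domain and name server addresses arrive from the VPN peer via XAUTH, so the example validates them before touching the resolver: a peer that hands over `.` or a bare TLD would otherwise capture all of the client's DNS traffic. The "at least two labels" rule is this example's own policy choice, not something openswan does.

```python
import ipaddress
import re
import subprocess

CONTROL = "unbound-control"  # assumed to be on PATH and pointed at the local unbound

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_domain(domain):
    """Normalise a peer-supplied domain and reject anything too broad to forward."""
    name = domain.strip().rstrip(".").lower()
    labels = name.split(".")
    # Policy choice for this example: never forward the root or a bare TLD,
    # since that would hand every query on the host to the VPN's resolvers.
    if len(labels) < 2:
        raise ValueError("refusing to forward %r: too broad" % domain)
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid DNS label %r in %r" % (label, domain))
    return name


def validate_servers(servers):
    """Accept only syntactically valid IPv4/IPv6 literals; ipaddress raises otherwise."""
    if not servers:
        raise ValueError("no name servers supplied")
    return [str(ipaddress.ip_address(s.strip())) for s in servers]


def tunnel_up_commands(domain, servers):
    """argv lists to forward <domain> to the VPN resolvers and drop stale external answers."""
    name = validate_domain(domain)
    ips = validate_servers(servers)
    return [
        [CONTROL, "forward_add", name] + ips,
        [CONTROL, "flush_zone", name],
    ]


def tunnel_down_commands(domain):
    """argv lists to remove the forward and flush so the external view is visible again."""
    name = validate_domain(domain)
    return [
        [CONTROL, "forward_remove", name],
        [CONTROL, "flush_zone", name],
    ]


def apply(commands, runner=subprocess.run):
    """Run each command in order; a failing unbound-control aborts the sequence."""
    for argv in commands:
        runner(argv, check=True)


if __name__ == "__main__":
    # Constructed sample values standing in for what XAUTH would deliver.
    peer_domain = "redhat.com"
    peer_servers = ["10.0.0.1", "10.0.0.2"]  # constructed, not real resolver addresses
    apply(tunnel_up_commands(peer_domain, peer_servers))
    # ... tunnel lives here ...
    apply(tunnel_down_commands(peer_domain))
```

Hook `tunnel_up_commands` and `tunnel_down_commands` into whatever runs on connection state changes; the `runner` argument exists so the command sequence can be checked without a live unbound.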