Network Security Firewalls

RE: DNS Manipulation via IPTables or other means?

Subject: RE: DNS Manipulation via IPTables or other means?
Date: Thu, 23 Nov 2006 12:13:21 -0000
  
Honestly, I have worked with iptables in really complex 
environments for many years, and I have never heard of 
manipulating DNS records on the fly. I don't even think you 
can do this with string matching, since string matching lets 
you check for a string, not manipulate it.

I really wonder why views aren't scalable; maybe there is 
another solution. I always draw my stuff out on paper (yes, 
REAL paper :)) and visualize it that way, then find an easier 
solution by looking at the picture. Views in BIND are meant 
for this kind of thing: different access control from 
different IPs gives you different results. Would you mind 
sharing some more info? Maybe the number of views you are 
handling, etc. Maybe someone comes up with a more streamlined idea?

Consider this example: your company wants to provide access to a 
partner company over an IPSec VPN connection.  The servers at both 
companies are on the same 192.168.1.0/24 network.  Your company 
also wants to forward DNS requests to your partner company's DNS 
server for lookups involving their internal DNS domain.

There are several points worth noting about this setup:

i) NAT will have to be used to prevent the two internal networks 
from colliding.

ii) your partner company's DNS server will be returning addresses on 
your own network, not on the remote NAT'ed network.

iii) you might not be able to request views on your partner company's
DNS server.

iv) it is not a scalable and maintainable solution to provide spoofed
zones for your partner company's DNS zones.

An ideal solution (as provided by the PIX) is to manipulate the DNS
responses from your partner company's DNS server.

I've never even bothered trying to set up a deployment with these 
issues using IPTables; any pointers as to how to do this with IPTables 
would be greatly appreciated.


Paul
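The behaviour Paul describes the PIX providing (rewriting the A records in the partner's DNS replies so that they point at the NAT'ed range instead of the colliding 192.168.1.0/24 addresses) is easier to reason about with a concrete walk through a DNS response. The following is an added example, not code from the list thread or from any firewall product: a small DNS wire-format parser that rewrites A-record RDATA according to a one-to-one NAT mapping. The NAT range 10.99.1.0/24, the name db.partner.example and the sample response are constructed for illustration; only 192.168.1.0/24 comes from the post.

```python
"""DNS doctoring over a NAT'ed VPN: rewrite A-record answers from a partner's
DNS server whose internal subnet collides with our own.

Added example, not code from the list post or from any product.
Assumes (constructed) that the partner's real 192.168.1.0/24 is reached from
our side through the NAT range 10.99.1.0/24, mapped one-to-one by host offset."""
import ipaddress
import struct

# Constructed NAT mapping: partner's real subnet -> the range we reach it through.
PARTNER_REAL = ipaddress.ip_network("192.168.1.0/24")
PARTNER_NAT = ipaddress.ip_network("10.99.1.0/24")


def translate(addr: str) -> str:
    """Map a partner-internal address to its NAT'ed counterpart; leave others alone."""
    ip = ipaddress.ip_address(addr)
    if ip not in PARTNER_REAL:
        return addr
    offset = int(ip) - int(PARTNER_REAL.network_address)
    return str(PARTNER_NAT.network_address + offset)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name starting at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def iter_rrs(msg: bytes):
    """Yield (type, class, rdata_offset, rdlength) for every RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg: bytes) -> list[str]:
    """List the IPv4 addresses carried by A records (type 1, class IN) in a response."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for t, c, o, l in iter_rrs(msg) if t == 1 and c == 1 and l == 4]


def doctor_response(msg: bytes) -> bytes:
    """Rewrite A-record RDATA in place; lengths never change, so the message stays well-formed."""
    out = bytearray(msg)
    for t, c, o, l in iter_rrs(msg):
        if t == 1 and c == 1 and l == 4:
            orig = str(ipaddress.IPv4Address(msg[o:o + 4]))
            out[o:o + 4] = ipaddress.IPv4Address(translate(orig)).packed
    return bytes(out)


def build_sample_response() -> bytes:
    """Constructed reply: db.partner.example with two A records, one inside the
    colliding partner subnet (192.168.1.20) and one outside it (172.16.5.1)."""
    name = b"".join(bytes([len(l)]) + l for l in (b"db", b"partner", b"example")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # id, flags QR|RD|RA, qd=1, an=2
    question = name + struct.pack("!HH", 1, 1)                     # QTYPE A, QCLASS IN
    ptr = b"\xc0\x0c"                                              # pointer to the name at offset 12
    rr1 = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address("192.168.1.20").packed
    rr2 = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address("172.16.5.1").packed
    return header + question + rr1 + rr2


if __name__ == "__main__":
    reply = build_sample_response()
    print("from partner:", a_records(reply))
    print("doctored:    ", a_records(doctor_response(reply)))
```

The rewrite only touches RDATA bytes of A records inside the partner's colliding subnet, so TTLs, the question section and any unrelated answers pass through untouched. That is also why this cannot be done with a plain string match in a packet filter: the address has to be located by walking the message structure, including compression pointers, rather than by pattern.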
