Is there any trick possible to make unbound forward to different hosts based on incoming query address?
I have been thinking about how to use unbound to provide a DNS over TLS layer for our BIND authoritative server, which is integrated with an LDAP multi-master server by the freeipa package. My problem is that our BIND9 version does not support DoT query forwarding even on Fedora, let alone on RHEL. So I thought unbound could provide encrypted connectivity from LAN clients to the server and also an encrypted upstream forwarder.
Something like:
[clients] ==== [unbound] ======= [DoT upstream]
                  ^
                  v
                [bind]
The problem with this idea is that unbound does not know the list of domains served by bind. Even bind does not have it configured statically, but via the LDAP backend of the bind-dyndb-ldap plugin on start, and it may possibly change during runtime.
So I thought I could just forward all queries from clients to bind. If it were not a query bind handles, bind would forward it back. If the query came from bind, I would forward it to the upstream server directly.
But it seems only local authoritative data can be in different views. Does some trick or configuration exist which would allow sharing a common cache, but forwarding requests from normal clients to the alternative local daemon and only forwarding further upstream if it was that daemon asking?
I know I could use unbound#1 in front and unbound#2 as an upstream-only forwarder, but that makes an already complicated setup even more complicated and would double the caching done by the unbound instances. It would be possible with views in bind, but it seems views in unbound are limited to local-zone only.
Would you have a better tip on how to solve such a configuration?
Best Regards,
Petr
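An added example of the two-instance layout the post mentions as the known but heavy option (unbound#1 in front of the LAN, bind in the middle, unbound#2 as the upstream-only DoT forwarder). It is not configuration from the original post or from the unbound project, and it does not implement the per-source-address forwarding the post asks about. The LAN range, host addresses, ports, certificate paths and the upstream DoT server are placeholder assumptions.

```conf
# Added example, not from the original post. Two unbound instances around the
# freeipa-managed bind: clients -> unbound#1 -> bind -> unbound#2 -> DoT upstream.
# Assumptions (placeholders): LAN is 192.0.2.0/24, this host is 192.0.2.53,
# bind listens on 127.0.0.1 port 53, unbound#2 on 127.0.0.1 port 5353, and the
# upstream DoT server is 203.0.113.1 presenting a certificate for dot.example.net.

# ---- /etc/unbound/unbound-front.conf (unbound#1: serves the LAN, DoT on 853) ----
server:
    interface: 192.0.2.53
    port: 53
    # An interface on the tls-port serves DNS over TLS instead of plain TCP
    interface: 192.0.2.53@853
    tls-port: 853
    # Certificate and key presented to LAN clients (paths are assumptions)
    tls-service-key: "/etc/unbound/front.key"
    tls-service-pem: "/etc/unbound/front.pem"
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Needed because the forward target below is a loopback address
    do-not-query-localhost: no
# unbound#1 resolves nothing itself; every query is handed to bind
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53
    forward-first: no

# ---- /etc/unbound/unbound-upstream.conf (unbound#2: DoT forwarder only) ----
# bind's own "forwarders" option points at 127.0.0.1 port 5353, so whatever
# bind is not authoritative for ends up here.
server:
    interface: 127.0.0.1@5353
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to validate the upstream certificate (Fedora/RHEL path)
    tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#authname: the certificate is checked against dot.example.net
    forward-addr: 203.0.113.1@853#dot.example.net
    forward-first: no
```

Each file is validated with `unbound-checkconf <file>` and run as its own instance with `unbound -c <file>`. As the post already notes, this gives two unbound caches in the path, and the clear-text hop between unbound#1, bind and unbound#2 stays on loopback; only the client-facing and upstream legs are encrypted.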