Unbound views

Attila_Nagy · August 11, 2009, 9:17am

Hello,

Zdenek Vasicek (author of the python module) was very kind and helped to make the query's source IP (and port and transport) accessible from the python module. This made answering queries based on the source IP possible with unbound.

This is pretty much fine if you want to respond according to complex rules (which involves source IP), but sometimes a simple "views" (like in bind) solution would be perfectly enough.

This, with the flexible local and stub zones configuration would satisfy a lot use cases.

So the question is: how hard would it be to make unbound's configuration source-IP aware? I mean, putting arbitrary configuration into netblock-indexed configuration blocks.

Theoretical example:

server:
  directory: "/etc/unbound"
  username: unbound
  interface: 0.0.0.0
  interface: ::0
  access-control: 0.0.0.0/0 allow
  access-control: ::/0 allow
  view: 10.0.0.0/8, 192.168.0.0/16, 2001:DB8::/64
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN
                     SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-data: "localhost. 10800 IN AAAA ::1"
    # but nearly every option should do (if it makes sense):
    verbosity: 1 # this would make debugging much easier

Thanks,

Wouter · August 11, 2009, 11:36am

Hi Attila,

Zdenek Vasicek (author of the python module) was very kind and helped to
make the query's source IP (and port and transport) accessible from the
python module. This made answering queries based on the source IP
possible with unbound.

An idea, but because the cache does not know about that
source IP it does not work. The cache stores the result
from the python module and will then return it to everyone.

This is pretty much fine if you want to respond according to complex
rules (which involves source IP), but sometimes a simple "views" (like
in bind) solution would be perfectly enough.

This, with the flexible local and stub zones configuration would satisfy
a lot use cases.

So the question is: how hard would it be to make unbound's configuration
source-IP aware? I mean, putting arbitrary configuration into
netblock-indexed configuration blocks.

Easier to deploy two servers, one for internal, one external.
Changing the code to have two unbounds internally that it chooses
from based on source IP would be bloat I think.

Who needs different resolving for internal and external?
Names on the internet are names on the internet, right?

I would guess this is about authority information?
Maybe, simply block access to the local-data elements for some IPs
is do-able. But the question, for me, is more about what is
really needed here. If you want infinite customizability then
deploy two servers.

Best regards,
Wouter

Artis_Caune · August 11, 2009, 11:55am

We also used bind views, but now we use two instances of unbound.
Views don't really differ from two servers, every view eats it's own
memory and act just like two separate servers but two servers gives
you more flexibility.
We don't have to touch unbound just to change internal/external acl's,
just change firewall tables and you're done.

Leen_Besselink · August 11, 2009, 1:24pm

(I didn't read the whole discussion)

Maybe it's a good idea to have the one for external be the forwarder
for the one for internal, that safes on queries to the internet.

We do something similair.

Wouter · August 11, 2009, 1:28pm

Hi Artis, Attila,

Easier to deploy two servers, one for internal, one external.
Changing the code to have two unbounds internally that it chooses
from based on source IP would be bloat I think.

Who needs different resolving for internal and external?
Names on the internet are names on the internet, right?

Apologies, this seems to be not very unconfusing from me.
I meant with the above: the problem seems to be the static,
authoritative information that is returned. With views you
maybe not so interested in actual different recursive resolution
of names on the internet, and this is more about a different
view on the local organisation than a different view on the
internet. And then I tried to combine this with unbound's
goal of doing recursive lookups in a small and pretty way.

We also used bind views, but now we use two instances of unbound.
Views don't really differ from two servers, every view eats it's own
memory and act just like two separate servers but two servers gives
you more flexibility.
We don't have to touch unbound just to change internal/external acl's,
just change firewall tables and you're done.

Cool, that is one solution that provides everything

Best regards,
Wouter

Attila_Nagy · August 11, 2009, 7:09pm

Hello,

W.C.A. Wijngaards wrote:

Zdenek Vasicek (author of the python module) was very kind and helped to
make the query's source IP (and port and transport) accessible from the
python module. This made answering queries based on the source IP
possible with unbound.


An idea, but because the cache does not know about that
source IP it does not work.  The cache stores the result
from the python module and will then return it to everyone.

Hmm, yes, that’s what I first thought of, but running Zdenek’s sample python program (and the modified pythonmod, which makes the source IP accessible) it doesn’t seem to be the case.
At least, when I issue two queries from two, different machines I get different answers, as it should be.

This is pretty much fine if you want to respond according to complex
rules (which involves source IP), but sometimes a simple "views" (like
in bind) solution would be perfectly enough.

This, with the flexible local and stub zones configuration would satisfy
a lot use cases.

So the question is: how hard would it be to make unbound's configuration
source-IP aware? I mean, putting arbitrary configuration into
netblock-indexed configuration blocks.


Easier to deploy two servers, one for internal, one external.
Changing the code to have two unbounds internally that it chooses
from based on source IP would be bloat I think.

Who needs different resolving for internal and external?
Names on the internet are names on the internet, right?

Not always.
Think of a DNS load balancer, which actively monitors servers and give back only those, which work. And because this doesn’t (usually, but can, for example source sticky load balancing) involve the client’s IP, take for example a location based redirector.

BTW, what I need this for is the following:
I have a service name, which must be the same for all clients (it is hardwired in the device). The clients are spread out in the country and use a normal internet connection and the normal caching nameservers (in this case: unbound).
The problem is that that hardwired name must resolve to an IP, which is close to the client. This is determined by the routers’ assigned pools, so everything is simple in theory:
1.1.1.0/24 should resolve abcd.name to 192.168.0.1
1.1.2.0/24 should resolve abcd.name to 192.168.1.1
… and so on.
There is no given pattern, everything can be on each sides. The networks are aggregated (and does not change often), so it’s not a great hassle to list them in a static config file, that’s what bind’s views are good for. But we use unbound.

So this is not quite internal/external (and not just two of them).

Oh, and please, don’t come with anycast routing, that’s what I said to the group, which invented this, but there are other reasons, which makes that unsuitable for this purpose.

I would guess this is about authority information?
Maybe, simply block access to the local-data elements for some IPs
is do-able.  But the question, for me, is more about what is
really needed here.  If you want infinite customizability then
deploy two servers.

I hope I described it above to a level, which makes it clear.

Thanks,

Attila_Nagy · August 11, 2009, 7:12pm

Artis Caune wrote:

Easier to deploy two servers, one for internal, one external.
Changing the code to have two unbounds internally that it chooses
from based on source IP would be bloat I think.

Who needs different resolving for internal and external?
Names on the internet are names on the internet, right?

We also used bind views, but now we use two instances of unbound.
Views don't really differ from two servers, every view eats it's own
memory and act just like two separate servers but two servers gives
you more flexibility.
We don't have to touch unbound just to change internal/external acl's,
just change firewall tables and you're done.

The problem here is that we would need 100s of unbound and their primary role is not to act as an authoritative server, but as a recursive.
So divide the currently used 8/16GiB of cache with 100s and you will start to get the point (not talking about the increased complexity of starting, configuring unbounds and the packet filter).
It is a lot more efficient and simpler to change back to bind then...

This is not an internal/external stuff.

Attila_Nagy · August 11, 2009, 7:14pm

W.C.A. Wijngaards wrote:

We also used bind views, but now we use two instances of unbound.
Views don't really differ from two servers, every view eats it's own
memory and act just like two separate servers but two servers gives
you more flexibility.
We don't have to touch unbound just to change internal/external acl's,
just change firewall tables and you're done.

Cool, that is one solution that provides everything

Not quite.

Ondrej_Sury · August 11, 2009, 7:26pm

Seems like you are trying to fit square brick into a round hole. Try setting zero ttl when returnong response from python, so unbound doesn’t cache the result. Or try evldns framework which Ray has just released to create custom dns server.

Ondrej

Attila_Nagy · August 11, 2009, 7:45pm

Why? (the brick into the hole)
I've already written a custom DNS server (but didn't know about evldns, thanks), but the task here is to give different results depending on the *client's ip* on a *recursive nameserver*, which they use otherwise.

I wouldn't reimplement unbound (a recursive nameserver) just to give back different IP for a single name from different source networks. And of course (if you have read what I wrote, it must be clear) I can't implement this feature in an authoritative NS, because there I've already lost the client's real IP.

Ondřej Surý wrote:

Wouter · August 12, 2009, 6:03am

Hi Attila,

Yeah with the patch from Zdenek, then in the python
module use TTL 0, and you can return a source specific IP address.

This is not optimal performance for that source-IP name,
but it is easy to operate... Perhaps this solves it?

Best regards,
Wouter

Attila_Nagy · August 12, 2009, 8:10am

Hello,

Yes, this solves my problem (it's not as fast as views would be, but more flexible (I don't need that flexibility this time, BTW :)).

My only question, whether that change can go into the upstream version. It won't be good to always patch unbound...

Thanks,

W.C.A. Wijngaards wrote:

Florian_Lohoff1 · August 14, 2009, 9:29am

Where can i find this? I have thought of something like this for a while
as i'd like to return "personalized" cnames e.g.

sbc.dom.ain IN CNAME p1.2.3.4.redirect.sbc.dom.ain

Where a central kept zone is capable of returning per ip address
srv and a records.

Flo