<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Roboto;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
span.gmail-rynqvb
{mso-style-name:gmail-rynqvb;}
span.gmailsignatureprefix
{mso-style-name:gmail_signature_prefix;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">As others have noted, the source address of queries to your gslb nameservers hosting the subzone gslb.example.br.com will be from the recursive resolver used by clients - not the source address of the server that
owns the parent example.br.com (unless those nameservers are also functioning as recursive resolvers for your clients).
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">If the source addresses of the recursive resolvers do not suffice for the policy on your gslb nameserver for identifying the location of the user, you may want to explore the use of EDNS Client Subnet (ECS). If the
client resolvers support ECS, they can/will include the subnet of the originating DNS request and pass it to your gslb nameservers as part of the request. This requires that the resolvers used by clients and the authoritative gslb nameserver both support ECS.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
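<p class="MsoNormal"><span style="font-size:11.0pt">Added example, not part of the original message: a Python sketch of how an authoritative gslb nameserver could read the ECS option (RFC 7871, option code 8) from a query's OPT RDATA and choose the network its location policy keys on. The function names and the trusted-resolver allow-list are assumptions of this example, and the sample addresses used with it are constructed documentation ranges.<o:p></o:p></span></p>

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
NETWORK_TYPES = {1: ipaddress.IPv4Network, 2: ipaddress.IPv6Network}  # family -> class

def build_ecs_option(subnet):
    """Encode an ECS option the way an ECS-aware resolver attaches it to a query."""
    net = ipaddress.ip_network(subnet)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # truncated to prefix
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr   # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs(opt_rdata):
    """Return the client subnet carried in OPT RDATA, or None if absent or malformed."""
    pos = 0
    while len(opt_rdata) - pos >= 4:
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        body = opt_rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code != ECS_OPTION_CODE:
            continue                      # some other EDNS option, skip it
        if len(body) != length or length not in range(4, 21):
            return None                   # truncated or oversized option
        family, source_len, _scope = struct.unpack_from("!HBB", body)
        net_type = NETWORK_TYPES.get(family)
        if net_type is None:
            return None
        size = 4 if family == 1 else 16
        addr = body[4:]
        if source_len > size * 8 or len(addr) != (source_len + 7) // 8:
            return None
        try:
            return net_type((addr + bytes(size - len(addr)), source_len))
        except ValueError:                # bits set beyond the prefix: reject
            return None
    return None

def policy_network(resolver_ip, opt_rdata, trusted_resolvers):
    """Network the location policy should key on for one incoming query."""
    src = ipaddress.ip_address(resolver_ip)
    ecs = parse_ecs(opt_rdata)
    # Assumption: ECS is honoured only from resolvers on an allow-list, because
    # the option is unauthenticated data supplied by whoever sent the query.
    if ecs is not None and ecs.prefixlen > 0 and any(src in n for n in trusted_resolvers):
        return ecs
    return ipaddress.ip_network(src)      # fall back to the resolver's own address
```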
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">dns-operations <dns-operations-bounces@dns-oarc.net> on behalf of daniel majela <dmajela@gmail.com><br>
<b>Date: </b>Tuesday, February 27, 2024 at 07:27<br>
<b>To: </b>Lyle Giese <lyle@lcrcomputer.net><br>
<b>Cc: </b>dns-operations@lists.dns-oarc.net <dns-operations@lists.dns-oarc.net><br>
<b>Subject: </b>Re: [dns-operations] BIND9 and ADNS<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span class="gmail-rynqvb"><span style="font-size:13.5pt;font-family:Roboto;color:#3C4043;background:whitesmoke">Lyle.... Maybe putting this subzone on each DNS server could also solve it. I will try to do that. Thank you very much.</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">On Mon, Feb 26, 2024 at 20:07, Lyle Giese <<a href="mailto:lyle@lcrcomputer.net">lyle@lcrcomputer.net</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p>My understanding of DNS protocols and the end user's OS is that it is programmed with 2 or 3 (usually) recursive DNS servers to query for all of the end user's needs. And that the recursive DNS follows the trail of DNS to find the answer the end user needs.
In which case the end user's IP address is never going to hit or ask your load balancer any questions.<o:p></o:p></p>
<p>The only way I can think of is to segregate those that need to query for that sub-zone by the recursive DNS server they are allowed to use and give that subset of recursive DNS servers that ability to query that sub-zone.<o:p></o:p></p>
<p>Lyle Giese<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">On 2/26/24 15:09, daniel majela wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:Roboto;color:#3C4043;background:#D2E3FC">Hey guys.</span><span style="font-size:13.5pt;font-family:Roboto;color:#3C4043;background:whitesmoke"> I have "n" DNS servers on the network. I would like
to configure a sub-zone that I will not publish on the network. Example would be:
<a href="https://urldefense.com/v3/__http:/example.com.br__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6KdWPjcbg8$" target="_blank">
example.com.br</a> and my subzone would be <a href="https://urldefense.com/v3/__http:/gslb.exemplo.com.br__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6KdmzYMq3M$" target="_blank">
gslb.exemplo.com.br</a>. On the server that owns the <a href="https://urldefense.com/v3/__http:/gslb.exemplo.com.br__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6KdmzYMq3M$" target="_blank">
gslb.exemplo.com.br</a> sub-zone, which is an ADNS balancer, I will add some targeting policies based on the origin IP. The problem is that the IP address that calls gslb is the server that owns the
<a href="https://urldefense.com/v3/__http:/example.com.br__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6KdWPjcbg8$" target="_blank">
example.com.br</a> zone and not the user's IP address and this way the policy will not work. I need the IP of the user's resolver to reach my ADNS and not the IP of the Resolver that owns
<a href="https://urldefense.com/v3/__http:/exemplification.com.br__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6KdaFmF84c$" target="_blank">
exemplification.com.br</a>. If anyone has a tip and if there is a solution, I would appreciate it.</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:Roboto;color:#3C4043"><br clear="all">
</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span class="gmailsignatureprefix"><span style="font-size:12.0pt">--
</span></span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt">Daniel Majela Galvão<br>
<a name="m_-6429653502522582092_SignatureSanitize"></a><a href="https://urldefense.com/v3/__http:/br.linkedin.com/pub/daniel-souza/6/1b1/774__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6KdapJLTgs$" target="_blank" title="Visualizar perfil público"><span style="mso-bookmark:m_-6429653502522582092_SignatureSanitize">http://br.linkedin.com/pub/daniel-souza/6/1b1/774</span><span style="mso-bookmark:m_-6429653502522582092_SignatureSanitize"></span></a><span style="mso-bookmark:m_-6429653502522582092_SignatureSanitize"></span><br>
<br>
(55-012) - 9-8201-9885<br>
(55-012) - 9-9761-1511<br>
(55-012) - 32076909<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>dns-operations mailing list<o:p></o:p></pre>
<pre><a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><o:p></o:p></pre>
<pre><a href="https://urldefense.com/v3/__https:/lists.dns-oarc.net/mailman/listinfo/dns-operations__;!!KUqw_ieqaw8!4deAe4VGTQuzlYbKdRxyIsheGfklZno4j2wbHVqOCaXhYqWPIC30UOhB4HYvHm9_lqgjI5HTT6Kde-p27Kc$" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>