6.7.6. Resolver policies

Resolver policies specify how a given service should resolve the domain names in client requests. This capability is essential when non-transparent services are used, as in these cases the Zorp host itself has to determine the destination address, which requires resolving the requested name. Zorp is also able to store the addresses of frequently used domain names in a hash. Zorp supports DNS-based (DNSResolver) and hash table-based (HashResolver) name resolution.


Figure 6.75. Resolver policies

DNSResolver policies query the domain name server configured for the Zorp host to resolve domain names. If a domain name is associated with multiple IP addresses (that is, it has more than one 'A' record), all of these records can be retrieved by checking the Return multiple DNS records checkbox. From Zorp version 7.0.12, the DNSResolver policies also cache the domain names and the IP addresses found. (The DNS server used by the Zorp host can be specified on the Resolver tab of the Networking component, see Section 5.3, Managing client-side name resolution for details.)

Tip

Retrieving multiple 'A' records is useful when Zorp is used to perform load balancing.

Example 6.15. Defining a Resolver policy

Python: Below is a simple DNSResolver policy enabled to return multiple 'A' records.

ResolverPolicy(name="Mailservers", resolver=DNSResolver(multi=TRUE))

HashResolver policies are used to locally store the IP addresses belonging to a domain name. A domain name (Hostname) and one or more corresponding IP addresses (Addresses) can be stored in a hash. If the domain name to be resolved is not included in the hash, the name resolution will fail. The HashResolver can be used to direct incoming connections to specific servers based on the target domain name. From Zorp version 7.0.12, the HashResolver policies also cache the domain names and the IP addresses found.

Example 6.16. Using HashResolver to direct traffic to specific servers

If a Zorp host is protecting a number of servers located in a DMZ, the connections can be easily directed to the proper server without a DNS query if the hostname – IP address pairs are stored in a HashResolver. If multiple IPs are associated with a hostname, simple fail-over functionality can be realized by using FailOverChainer.

The resolver policy below associates the IP addresses 192.168.1.12 and 192.168.1.13 with the mail.example.com domain name.


Figure 6.76. Defining a new HashResolver

Python:
ResolverPolicy(name="DMZ", resolver=HashResolver(mapping={"mail.example.com":\
("192.168.1.12", "192.168.1.13")}))
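To make the behaviour of the two resolver kinds concrete (a DNSResolver returning one or all 'A' records, a HashResolver that fails for names absent from the hash, and FailOverChainer trying the resolved addresses in order), here is an added, self-contained Python model of that logic. It is not Zorp's own code; the names dns_resolve, HashResolver and fail_over are assumptions, and the lookup and connect callables are injectable so it can be exercised offline.

```python
# Constructed model of DNSResolver / HashResolver semantics and FailOverChainer
# chaining. Not Zorp's own code; dns_resolve, HashResolver, fail_over are assumed names.
import socket


class ResolutionError(Exception):
    """Name could not be resolved (unknown to DNS or missing from the hash)."""


def dns_resolve(hostname, multi=False, lookup=socket.getaddrinfo):
    """DNSResolver-like: multi=False returns only the first 'A' record,
    multi=True returns all of them. `lookup` is injectable for offline use."""
    try:
        records = lookup(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ResolutionError(f"DNS lookup for {hostname!r} failed") from exc
    addrs = []
    for rec in records:                      # rec[4] is the (ip, port) sockaddr
        if rec[4][0] not in addrs:           # keep order, drop duplicates
            addrs.append(rec[4][0])
    if not addrs:
        raise ResolutionError(f"no 'A' record for {hostname!r}")
    return tuple(addrs) if multi else (addrs[0],)


class HashResolver:
    """HashResolver-like: only names present in the local mapping resolve."""

    def __init__(self, mapping):
        # Normalise keys: case-insensitive, trailing dot ignored.
        self.mapping = {h.lower().rstrip("."): tuple(a) for h, a in mapping.items()}

    def resolve(self, hostname):
        key = hostname.lower().rstrip(".")
        if key not in self.mapping:          # no DNS fallback, as the text states
            raise ResolutionError(f"{hostname!r} is not in the hash")
        return self.mapping[key]


def fail_over(addresses, port, connect=socket.create_connection, timeout=2.0):
    """FailOverChainer-like: try addresses in order, return (addr, conn) for the
    first server that accepts, raise ConnectionError if none does."""
    last = None
    for addr in addresses:
        try:
            return addr, connect((addr, port), timeout)
        except OSError as exc:
            last = exc                       # move on to the next server
    raise ConnectionError(f"all servers failed, last error: {last}")
```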