CISCO_DEF_DOMAIN VS CISCO_SPLIT_DNS
Kevin Cernekee
cernekee at gmail.com
Wed Sep 17 15:40:54 PDT 2014
On Wed, Sep 17, 2014 at 12:04 PM, Erinn Looney-Triggs
<erinn.looneytriggs at gmail.com> wrote:
> The question that has come up, and unfortunately with the environment I have,
> I am unable to test to answer it, is if the CISCO_SPLIT_DNS is populated with
> a domain if there is only one domain defined?
>
> It kind of makes sense both ways for it to either be defined or not. If
> CISCO_SPLIT_DNS isn't defined for a single domain I will need to test for the
> existence of CISCO_DEF_DOMAIN as a fallback if CISCO_SPLIT_DNS is zero and
> configure unbound appropriately.

These are two independent settings:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_groups.html#wp1135689

CISCO_SPLIT_DNS can be empty, or it could include a different list of
domains. Some plausible configurations include:

# default domain matches a local site name, but split DNS applies to
# the whole intranet
CISCO_DEF_DOMAIN=nyc.example.com
CISCO_SPLIT_DNS=example.com

# all DNS requests go through $INTERNAL_IP4_DNS (which may or may not redirect
# internet sites to a proxy)
CISCO_DEF_DOMAIN=example.com
CISCO_SPLIT_DNS=

# use split DNS for all properties owned by the company
CISCO_DEF_DOMAIN=
CISCO_SPLIT_DNS="facebook.com,snapchat.com,instagram.com"

> + OIFS=${IFS}
> + IFS=','
> + domains=(${CISCO_SPLIT_DNS})
> + IFS=OIFS
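Review bot: the last line of this hunk, `IFS=OIFS`, assigns the literal string "OIFS" instead of the saved value, so every later word split in the script happens on the letters O, I, F and S; it should be `IFS=$OIFS`. The unquoted `${CISCO_SPLIT_DNS}` in the `domains=(...)` assignment is also subject to pathname expansion, so a server-supplied entry containing `*` or `?` would expand against the current directory; wrapping the split in `set -f` / `set +f` avoids that.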
I know this is a work in progress, but note that arrays produce a
"checkbashisms" warning.
Maybe something like this would be OK:
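OIFS=${IFS}
IFS=','
# "--": an empty value clears $@ (plain "set" would dump all variables),
# and a value starting with "-" is not parsed as an option
set -- $CISCO_SPLIT_DNS
IFS=$OIFS
for domain in "$@"; do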
[...]
> elif [ -x /usr/sbin/unbound-control ] && /usr/sbin/unbound-control status > /dev/null 2>&1; then
It would be nice to use "unbound-control -q status" here, but
unfortunately it doesn't look like that works in all versions.
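
An added example, not code from this thread or from vpnc-script: a POSIX sh way to turn the comma-separated CISCO_SPLIT_DNS value into a list of zones, covering the empty case from the configurations above and dropping entries that are not plain domain names. The helper name split_dns_zones, the choice to split on spaces as well as commas, and the malformed sample value are assumptions.

```shell
#!/bin/sh
# Added example, POSIX sh only (no arrays, so checkbashisms stays quiet).
# split_dns_zones is a hypothetical helper, not a vpnc-script function.

# Print one validated zone per line from a comma-separated list such as
# $CISCO_SPLIT_DNS. The value is pushed by the VPN gateway, so it is
# validated before it can reach a resolver command line.
# CISCO_DEF_DOMAIN is deliberately not consulted: it is an independent setting.
# The body is a subshell "( ... )": IFS, set -f and the positional
# parameters are changed freely and nothing has to be restored.
split_dns_zones() (
    LC_ALL=C             # make the A-Z / a-z ranges below plain byte ranges
    IFS=', '             # assumption: tolerate "a.com, b.com" as well
    set -f               # an entry like "*" must not glob against the cwd
    set -- $1            # "--": empty list gives zero fields, "-q" stays data
    for zone in "$@"; do
        case $zone in
            ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*)
                printf 'skipping invalid split-DNS entry: %s\n' "$zone" >&2
                continue ;;
        esac
        printf '%s\n' "$zone"
    done
)

# The three CISCO_SPLIT_DNS values from the message above, followed by a
# constructed malformed value to show what gets rejected.
for CISCO_SPLIT_DNS in 'example.com' '' \
        'facebook.com,snapchat.com,instagram.com' \
        'intranet.example,*,a..b,-q'; do
    printf 'CISCO_SPLIT_DNS=%s\n' "$CISCO_SPLIT_DNS"
    split_dns_zones "$CISCO_SPLIT_DNS" | sed 's/^/  zone: /'
done
```

An empty result means no split-DNS zones were pushed; what the resolver should do in that case is the caller's decision.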