3. Caching Name Server

Figure 5.18. Caching Name Server configuration

Kernun UTM's dns-proxy is not designed to be used as a name server — it does not cache DNS queries. A possible solution is a combination of named and dns-proxy. In this scenario, named listens for DNS queries on the internal interface and provides the cache. It forwards the queries to dns-proxy, which is bound to the loopback interface and, in accordance with its ACLs, permits or denies each query, either answering it directly or querying the DNS root servers.

The configuration in Figure 5.18, “Caching Name Server configuration” shows the named daemon configured in the nameserver section to listen on Kernun UTM's internal address on port 53 (listen-sock ^system.INT.ipv4.host : 53), while Kernun UTM uses it as its resolver (server ^system.INT.ipv4.host : 53 in the resolver section). dns-proxy is bound to the loopback interface by the non-transparent [127.0.0.1] : 53 item in the listen-on section of dns-proxy. See named.conf(5) for more details.

The other typical scenario is that one or more name servers exist in the internal network. In this situation, clients are configured to query the server in the internal network, which in turn queries dns-proxy, configured to listen on the internal address, while Kernun UTM itself uses the internal name server as its resolver.

Note that in both of these scenarios it is necessary to run multiple name servers in order to provide different DNS responses to different clients: once a response has been cached by the name server, subsequent queries for the same name are answered from the cache and are never matched against the ACLs of dns-proxy. Nevertheless, for any service it is always possible to redirect requests coming from particular clients to a host with a different IP address, regardless of the DNS name in the request.
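To make the caching caveat concrete, the following Python simulation is an added example; it is not Kernun code and does not talk to named or dns-proxy. It models them as a cache keyed by name only, placed in front of a per-client ACL, and then shows the same queries against one cache per client group. The client addresses, the name intranet.example and its address are constructed values.

```python
"""Constructed simulation: a shared DNS cache in front of a per-client ACL.

Added example, not Kernun code. `proxy_resolve` stands in for dns-proxy
(ACL decision per client), `CachingServer` stands in for named (cache).
"""
from typing import Callable, Dict, Optional, Tuple

Answer = Optional[str]          # an address, or None when the query is denied
Result = Tuple[Answer, str]     # (answer, "upstream" | "cache")

# Constructed ACL: (client address, queried name) -> permitted?
ACL = {
    ("10.0.0.10", "intranet.example"): True,    # client A may resolve it
    ("10.0.0.20", "intranet.example"): False,   # client B is denied
}
# Constructed zone data returned for permitted queries.
ZONE = {"intranet.example": "192.0.2.5"}


def proxy_resolve(client: str, name: str) -> Answer:
    """Stand-in for dns-proxy: the ACL is evaluated for every query."""
    if not ACL.get((client, name), False):
        return None  # denied
    return ZONE.get(name)


class CachingServer:
    """Stand-in for a caching name server.

    The cache is keyed by the queried name only: the client that caused the
    entry to be filled is not part of the key, so later clients share it.
    """

    def __init__(self, upstream: Callable[[str, str], Answer]) -> None:
        self.upstream = upstream
        self.cache: Dict[str, str] = {}

    def resolve(self, client: str, name: str) -> Result:
        if name in self.cache:
            return self.cache[name], "cache"       # ACL never consulted
        answer = self.upstream(client, name)
        if answer is not None:
            self.cache[name] = answer              # positive answer cached
        return answer, "upstream"


def shared_cache_scenario() -> Tuple[Result, Result]:
    """One cache for both clients: B receives A's cached answer."""
    server = CachingServer(proxy_resolve)
    a = server.resolve("10.0.0.10", "intranet.example")
    b = server.resolve("10.0.0.20", "intranet.example")
    return a, b


def split_cache_scenario() -> Tuple[Result, Result]:
    """One cache per client group: each query reaches the ACL."""
    server_a = CachingServer(proxy_resolve)
    server_b = CachingServer(proxy_resolve)
    a = server_a.resolve("10.0.0.10", "intranet.example")
    b = server_b.resolve("10.0.0.20", "intranet.example")
    return a, b


if __name__ == "__main__":
    print("shared cache :", shared_cache_scenario())
    print("split caches :", split_cache_scenario())
```

In the shared-cache run, client B is answered from the cache with the address that client A was permitted to learn, even though the ACL denies B; with one caching server per client group, B's query reaches the ACL and is denied. This is why per-client responses require separate name servers rather than one cache in front of dns-proxy.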