Forward to OpenDNS, with non-standard tags (aka Cisco Umbrella)
Description
- Customer would like to use BIND resolvers to resolve queries for internal zones and any zones that the Customer is authoritative for, and to forward all queries for external addresses to the hosted OpenDNS resolver service (aka Cisco Umbrella). The objective is to use OpenDNS to filter these external queries and control responses to the client.
Request
- ISC will develop an OpenDNS-filtering feature in BIND that will add three additional pieces of information required by OpenDNS to queries forwarded to the OpenDNS system. These three fields are: a Virtual ApplianceID (a numeric ID the Customer will statically configure into the BIND server, used to identify the geographical site), an Organizational ID (also statically configured by the Customer, used to identify the Customer's resolvers), and a ClientIP address (an IPv4 or IPv6 address, which can be RFC 1918, that BIND will get from the DNS query and pass through to OpenDNS in the forwarded query).
- The additional information sent to OpenDNS will be encoded in a ‘Protoss’ format EDNS option specified by OpenDNS.
- ISC will minimize caching of responses from the OpenDNS resolver in BIND, although caching of approximately a second is unavoidable. In case of caching, ISC will cache responses per client.
- ISC will perform interoperability testing with OpenDNS by accessing a test OpenDNS account provided by Cisco.
- This new feature will be provided to the customer in a BIND 9.11.x-S subscriber-only release. These are stable releases supported by ISC for subscribers, but are not part of the public open source. There will be some minimal documentation provided about how to enable the feature and configure the two new options.
Links / references
Evan has been in communication with the OpenDNS development staff about the format of the proprietary options.