bind9 split views, internal view leaked out???
news.callatg.com
pcalkins_NOSPAM_ at oemsupport.com
Fri Nov 14 02:24:05 UTC 2003
I "tried" to set up split DNS at my site, but it became a mess, and my ISP's
DNS somehow got an update from me that contained my internal view!?! So I
disabled my secondary DNS for now to figure it out - any help would be
appreciated - here are the details of my setup:
INTERNET ----> ROUTER/NAT ----> 192.168.1.0 network + DNS1 + DNS2
DNS1: 192.168.1.110
DNS2: 192.168.1.111
Router translates outside address 64.42.17.169 to 192.168.1.110, and
64.42.17.170 to 192.168.1.111
So my DNS servers to the outside world are 64.42.17.169 & .170, but the
machines really have the 192.168.1.x addresses above.
DNS1 named.conf:
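options {
	directory "/etc/namedb";
	pid-file "/var/run/named/pid";
	// Queries are accepted from anywhere; the per-zone allow-query
	// statements in the "internal" view narrow this for inside data.
	allow-query { any; };
	// named defaults to "recursion yes". Combined with allow-query { any; }
	// and a view that matches { any; }, that makes this host an open
	// recursive resolver for the whole Internet. Restrict recursion to the
	// inside subnet. (The "oem-subnet" acl is declared after this block and
	// named requires acls to be defined before use, so the prefix is
	// spelled out here.)
	allow-recursion { 192.168.1.0/24; };
	// Recursive lookups for inside clients are handed to the ISP's resolver.
	forwarders {
		216.174.194.53;
	};
};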
acl "oem-subnet" { 192.168.1.0/24; };
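// Inside view. named selects a view by the SOURCE address of the request,
// not by the address the request arrived on. Any request from the inside
// subnet lands here -- including a zone-transfer request from the secondary
// (192.168.1.111) that was aimed at the public address 64.42.17.169, if the
// router loops that connection back with its original source address. That
// is the most likely way the secondary's "external" zone copy ended up
// holding this view's data. To serve the "external" view to the secondary,
// the two views must be told apart by something other than source address,
// e.g. a TSIG key: the secondary signs its external-view transfers
// (server 192.168.1.110 { keys { ...; }; }), the external view matches on
// { key ...; } and this view lists { !key ...; } first in match-clients.
view "internal" {
	match-clients { "oem-subnet"; };
	zone "oemsupport.com" {
		type master;
		file "oemsupport.com.local.zone";
		allow-query { "oem-subnet"; };
		// Only the inside secondary slaves this view; the default
		// allow-transfer is "any", which would let any inside host
		// pull the whole zone.
		allow-transfer { 192.168.1.111; };
		// Dynamic updates from the local subnet only. This is purely
		// address-based: every host on 192.168.1.0/24 can rewrite the
		// zone. If that is too broad, sign updates with TSIG and use
		// allow-update { key ...; } instead.
		allow-update { 192.168.1.0/24; };
	};
	zone "1.168.192.in-addr.arpa" {
		type master;
		file "1.168.192.in-addr.arpa.zone";
		allow-query { "oem-subnet"; };
		// Same transfer restriction as the forward zone above.
		allow-transfer { 192.168.1.111; };
		// Address-based dynamic updates from the local subnet only (see
		// the note on the forward zone).
		allow-update { 192.168.1.0/24; };
	};
};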
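view "external" { // view of our zones for the rest of the world
	// Everything the "internal" view above did not claim: the public
	// Internet, including the ISP's secondaries (ns1-ns4.atgi.net).
	// A request from the inside secondary (source 192.168.1.111) never
	// reaches this view, because "internal" is matched first -- so the
	// secondary cannot obtain this view's zone data by source address
	// alone; a TSIG key in match-clients is needed for that.
	match-clients { any; };
	// Authoritative-only towards the outside. allow-query { any; } is set
	// globally and named recurses by default, which would otherwise make
	// this view an open resolver.
	recursion no;
	zone "." {
		type hint;
		file "named.root";
	};
	zone "0.0.127.IN-ADDR.ARPA" {
		type master;
		file "localhost.rev";
		notify no;
	};
	zone "oemsupport.com" {
		type master;
		file "oemsupport.com.zone";
		// allow-transfer defaults to "any". Once the ISP's secondary
		// addresses are known, list them (and the inside secondary) in an
		// allow-transfer statement here.
	};
	zone "oe.17.42.64.in-addr.arpa" {
		type master;
		file "oe.17.42.64.in-addr.arpa.zone";
		// Same transfer note as the forward zone above.
	};
};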
and on DNS2:
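options {
	directory "/etc/namedb";
	pid-file "/var/run/named/pid";
	// Queries are accepted from anywhere; the per-zone allow-query
	// statements in the "internal" view narrow this for inside data.
	allow-query { any; };
	// named defaults to "recursion yes". With allow-query { any; } and a
	// view matching { any; }, this host would otherwise be an open
	// recursive resolver. Limit recursion to the inside subnet; the
	// "oem-subnet" acl is declared after this block and named requires
	// acls to be defined before use, so the prefix is spelled out here.
	allow-recursion { 192.168.1.0/24; };
	// Recursive lookups for inside clients are handed to the ISP's resolver.
	forwarders {
		216.174.194.53;
	};
};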
acl "oem-subnet" { 192.168.1.0/24; };
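// Inside view on the secondary. Transfers for these zones go to the
// primary's inside address; since this host's source address
// (192.168.1.111) is in oem-subnet, the primary answers from its own
// "internal" view, which is the intended data for this view.
view "internal" {
	match-clients { "oem-subnet"; };
	zone "oemsupport.com" {
		type slave;
		masters { 192.168.1.110; };
		file "backup.oemsupport.com.local.zone";
		allow-query { "oem-subnet"; };
		// Nothing in this setup slaves the inside zones from this host;
		// the default allow-transfer is "any". Widen if a further
		// secondary is added.
		allow-transfer { none; };
		// Dynamic updates from the local subnet are forwarded to the
		// primary (address-based, same caveat as on the primary).
		allow-update-forwarding { 192.168.1.0/24; };
	};
	zone "1.168.192.in-addr.arpa" {
		type slave;
		masters { 192.168.1.110; };
		file "backup.1.168.192.in-addr.arpa.zone";
		allow-query { "oem-subnet"; };
		// See the forward zone above.
		allow-transfer { none; };
		// Forward local-subnet dynamic updates to the primary.
		allow-update-forwarding { 192.168.1.0/24; };
	};
};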
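view "external" { // view of our zones for the rest of the world
	// Matches every client not already claimed by "internal": the public
	// Internet, including the ISP's secondaries that slave 64.42.17.170.
	match-clients { any; };
	// Authoritative-only towards the outside; allow-query { any; } is
	// global and named recurses by default.
	recursion no;
	zone "." {
		type hint;
		file "named.root";
	};
	zone "0.0.127.IN-ADDR.ARPA" {
		type master;
		file "localhost.rev";
		notify no;
	};
	// How the inside data leaked: this zone is pulled from the primary's
	// public address, but the transfer request leaves this host with source
	// address 192.168.1.111. If the router loops the request back to
	// 192.168.1.110 with that source intact, the primary selects its view by
	// source address and answers from its "internal" view -- so the file
	// below is filled with the inside zone, and it is this view that the
	// ISP's secondaries (arriving from public addresses) then transfer.
	// Pointing masters at 192.168.1.110 directly gives the same result.
	// Fix: have the primary pick the view by a TSIG key rather than by
	// address -- declare a shared key on both hosts, add
	// server 192.168.1.110 { keys { ...; }; } inside this view so these
	// transfers are signed, and match on { key ...; } in the primary's
	// external view (with { !key ...; } first in its internal view).
	zone "oemsupport.com" {
		type slave;
		masters { 64.42.17.169; };
		file "backup.oemsupport.com.zone";
		// allow-transfer defaults to "any"; restrict to the ISP's
		// secondaries once their addresses are known.
	};
	zone "oe.17.42.64.in-addr.arpa" {
		type slave;
		masters { 64.42.17.169; };
		file "backup.oe.17.42.64.in-addr.arpa.zone";
		// Same view-selection and transfer notes as the forward zone.
	};
};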
The resolv.conf for DNS1 is nameserver 192.168.1.110
The resolv.conf for DNS2 is nameserver 192.168.1.111
Somehow, my ISP (which has ns1 thru ns4.atgi.net, and slaves me) got a copy
of my internal zone from my DNS2?? How did this happen??
Thanks!