views: getting a secondary to mirror a primary split dns with transfer-source?
Pete Ehlke
pde at ehlke.net
Mon Nov 17 22:05:14 UTC 2003
On Mon, Nov 17, 2003 at 08:42:21AM -0800, Sean Boran wrote:
> Hi,
>
> I've just migrated a Primary & Secondary to using Views on Bind 9.2.1.
> The idea is to present an internal view to Intranet hosts, and an
> external view to the Internet.
>
> This has worked out fine on the primary, the published address spaces
> are as expected. However, on the secondary, the full (internal)
> namespace is mirrored to both internal and external view.
>
> I searched the FAQ and this group for relevant discussions, of which
> there are a few lively ones, but no solution on exactly how to get the
> secondary to only transfer the external view from the primary for that
> namespace. (I would prefer to stay with Bind rather than change to
> another product).
>
You must have missed this part of the FAQ ;)
Q: How can I make a server a slave for both an internal and
an external view at the same time? When I tried, both views
on the slave were transferred from the same view on the master.
A: You will need to give the master and slave multiple IP addresses and
use those to make sure you reach the correct view on the other machine.
e.g.
    Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
        internal:
            match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
            notify-source 10.0.1.1;
            transfer-source 10.0.1.1;
            query-source address 10.0.1.1;
        external:
            match-clients { any; };
            recursion no; // don't offer recursion to the world
            notify-source 10.0.1.2;
            transfer-source 10.0.1.2;
            query-source address 10.0.1.2;
    Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
        internal:
            match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
            notify-source 10.0.1.3;
            transfer-source 10.0.1.3;
            query-source address 10.0.1.3;
        external:
            match-clients { any; };
            recursion no; // don't offer recursion to the world
            notify-source 10.0.1.4;
            transfer-source 10.0.1.4;
            query-source address 10.0.1.4;
You put the external address on the alias so that all the other
dns clients on these boxes see the internal view by default.
-Pete
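
Added example, not part of the original post or of BIND itself: a small Python model of how a view is chosen from the source address of a request, using the match-clients lists from the FAQ above. It shows which master view answers each of the slave's transfers, and why both the per-view transfer-source and the negated alias entries are needed; the function names and the list without negations are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress

def parse_element(elem):
    """Return (negated, network) for one address-match-list element."""
    negated = elem.startswith("!")
    elem = elem.lstrip("!")
    if elem == "any":
        return negated, ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = elem.partition("/")
    # named accepts shortened prefixes such as 10.0.1/24; pad the missing octets.
    addr = ".".join(addr.split(".") + ["0"] * (3 - addr.count(".")))
    return negated, ipaddress.ip_network(f"{addr}/{plen or 32}")

def acl_matches(acl, source):
    """The first element that matches decides; a negated match rejects."""
    ip = ipaddress.ip_address(source)
    for elem in acl:
        negated, net = parse_element(elem)
        if ip in net:
            return not negated
    return False

def select_view(views, source):
    """Views are tried in configuration order; the first accepting view wins."""
    for name, acl in views:
        if acl_matches(acl, source):
            return name
    return None

def transfer_plan(views, sources):
    """For each slave view, the master view that answers its transfer."""
    return {view: select_view(views, src) for view, src in sources.items()}

# match-clients lists from the FAQ, in configuration order.
FAQ_VIEWS = [("internal", ["!10.0.1.2", "!10.0.1.4", "10.0.1/24"]),
             ("external", ["any"])]
# Constructed "before" case: the same views without the negated aliases.
NO_NEGATION = [("internal", ["10.0.1/24"]), ("external", ["any"])]

if __name__ == "__main__":
    # Slave as in the FAQ: each view sets its own transfer-source.
    print(transfer_plan(FAQ_VIEWS, {"internal": "10.0.1.3", "external": "10.0.1.4"}))
    # No per-view transfer-source, modelled as both requests leaving from 10.0.1.3.
    print(transfer_plan(FAQ_VIEWS, {"internal": "10.0.1.3", "external": "10.0.1.3"}))
    # Alias in use but no negation: 10.0.1.4 still falls inside 10.0.1/24.
    print(select_view(NO_NEGATION, "10.0.1.4"))
```

The second case reproduces the symptom in the question: the slave's external view ends up holding the internal zone data.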