Running both a cache-only and an authoritative server on the same server
David Forrest
drf at maplepark.com
Thu Jun 17 14:10:03 UTC 2010
On Thu, 17 Jun 2010, Torsten wrote:
> On Thu, 17 Jun 2010 13:35:38 +0100, Phil Mayers <p.mayers at imperial.ac.uk>
> wrote:
>
>> On 17/06/10 12:39, Jørn Skjerven wrote:
>>> Hi!
>>>
>>> I've tried to search the archive for for this, but could not find
>>> anything relevant.
>>>
>>> We currently run a server with an authoritative set for domains. We
>>> want to use the same server as a cache-only DNS for other customers
>>> as well.
>>>
>>> Is it possible to achieve this in a single named.conf, or is it
>>> recommended to run two instances of bind, each with a different
>>> listen-on <ip> statement?
>>
>> Sure. Use views:
>>
>> view authoritative {
>>     recursion no;
>>     match-destinations { mycurrentip; };
>>     zone ...
>> };
>>
>> view recursive {
>>     recursion yes;
>>     match-destinations { myrecurseip; };
>> };
>
> The important part seems to be "on a secondary IP" and afaik listen-on
> statements don't work inside of view statements.
>
> That leaves you with running two separate instances of Bind on the same
> server.
>
> Ciao
> Torsten
But match-clients does work in views.
I set up an acl for my internal IPs as:
acl local-nets {
    192.168.0.0/16; // our known internal net
    127.0.0.1;      // localhost loopback
    ::1;            // localhost IPv6
};
And one for the external:
acl isp-net { 99.178.153.41; }; // our ATT-Uverse net
and then used views:
view "internal" { // only local hosts (match-clients) will see this view
    match-clients { local-nets; };
    allow-recursion { local-nets; };
    zone .....
    [zone ... ]
};
view "external" { // Primary nameserver for maplepark.com.
    allow-query { any; };
    // allow-recursion { none; }; // "additional-from-cache no;" will not work with this!
    recursion no; // So use this instead.
    additional-from-cache no; // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
    zone .....
    [zone ... ]
};
and it has been working well. I do use all private addresses for my
internal network and that does require a separate zone file.
Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri (Sent by ALPINE 2.01 FEDORA 11 LINUX)
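As an added illustration (not code from the thread or from BIND) of the rule both replies rely on: named tries views in order and picks the first whose match-clients and match-destinations both match the query, so Dave's layout splits on client address while Phil's splits on listener address. The 203.0.113.53 listener and the 198.51.100.7 client are constructed placeholders standing in for Phil's "myrecurseip" and an outside querier.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of BIND's view selection, written for this example only.
# Addresses mirror the thread's named.conf; 203.0.113.53 and 198.51.100.7 are
# constructed stand-ins for "myrecurseip" and an outside client.
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

def acl(*entries):
    """Turn named.conf-style address entries into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

LOCAL_NETS = acl("192.168.0.0/16", "127.0.0.1", "::1")   # Dave's local-nets
ISP_NET = acl("99.178.153.41")                            # Dave's isp-net
RECURSE_IP = acl("203.0.113.53")                          # constructed listener

@dataclass
class View:
    name: str
    recursion: bool
    match_clients: list = field(default_factory=lambda: ANY)       # default: any
    match_destinations: list = field(default_factory=lambda: ANY)  # default: any

def _in(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)

def select_view(views, client, destination):
    """Views are tried in order; the first whose match-clients AND
    match-destinations both match wins. No match means named refuses."""
    for v in views:
        if _in(client, v.match_clients) and _in(destination, v.match_destinations):
            return v
    return None

def answer(views, client, destination, wants_recursion):
    """Describe how the selected view would treat a query."""
    v = select_view(views, client, destination)
    if v is None:
        return "REFUSED"
    if wants_recursion and not v.recursion:
        return f"{v.name}: authoritative data only (RD ignored)"
    return f"{v.name}: {'recursive' if v.recursion else 'authoritative'}"

# Dave's layout: split by client address, internal view listed first.
DAVE = [View("internal", True, match_clients=LOCAL_NETS), View("external", False)]
# Phil's layout: split by destination address, one view per listener IP.
PHIL = [View("authoritative", False, match_destinations=ISP_NET),
        View("recursive", True, match_destinations=RECURSE_IP)]
```

With Phil's layout any client reaching the recursive listener gets recursion, which is why Dave's version pairs match-clients with allow-recursion instead.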