address_match_list question

Michael Varre bind9 at kishmish.com
Fri Jul 23 18:25:43 UTC 2004


Well, I'm still new to views as well, but I successfully set up a 3-view
master/slave setup 2 weeks ago, so here goes...

> -----Original Message-----
> From: bind-users-bounce at isc.org
> [mailto:bind-users-bounce at isc.org] On Behalf Of Ben Blakely
> Sent: Friday, July 23, 2004 12:48 AM
> To: bind-users at isc.org
> Subject: address_match_list question
> 
> Hello List,
>   I have a question regarding a server running BIND 9.2.3-13. 
>  I am implementing views on this server so that it can serve an 
> internal network, a remote network, and the world as a whole (external 
> hosts).
> My problem is that as soon as I add the view for the whole internet, 
> all hosts start using that information instead of their respective 
> views.
> The zone for the external hosts is defined last in the named.conf 
> file.
> The acl for external hosts is:
> 
> acl "external" {
>     ! 172.16.4/22;         // The internal network
>     ! 216.159.1/24;       // The remote network
>     any;                         // The rest of the world
> };

1. Shouldn't need to disallow those networks. The disallows are
irrelevant if the rest of the views are set up correctly. Basically my setup
is as follows:

2. First you set up your different acls - maybe internal, external,
public, etc.

3. Set your localhost view (I have my localhost in its own view just
for separation's sake). Set it recursive yes.

4. Set your internal view - match-clients to the nets on the inside
of the fw. In my case I have LAN and VPN connections that I always want to
use internal DNS for. Recursion is set to yes so that if there is no
internal answer it goes out and gets the resolve as needed. (You can
disallow this if you want to keep hands off.)

5. Then I have my external view. Match-clients is set to any.
Recursion set to yes. This is for servers and workstations out on the net
for which I want to use my DNS server's public IP as the resolver.

It really is that simple - one good note is that your views need to be in
order of priority. Meaning specifically your "any"
match-clients needs to be at the end because that's more or less the
"catch-all".

I hope this helps; sorry if it doesn't, but again, views are still pretty new
to me - but that's

> 
> The corresponding view statement is:
> 
> view "world" {
>    match-clients{ "external"; };
>    ...zone info...
> };
> 
> My complete named.conf is attached.  Thanks in advance for any help 
> you can provide!
> 
> /ben Blakely
> bab at bablakely.com
> 
> 
> -- Attached file included as plaintext by Ecartis --
> -- File: named.conf
> 
> controls {
>         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
> 
> include "/etc/rndc.key";
> 
> options { 
> 	directory "/var/named/"; 
> 	pid-file "/var/named/named.pid";
> };
> 
> 
> acl "polkcity" {
>   216.159.1/24;
> };
> 
> view "pc" {
>   match-clients{polkcity;};
> 
>   zone  "4.16.172.in-addr.arpa" {
>         type master;
>         file  "pc/4.16.172.in-addr.arpa.zone";
>   };
>   zone  "152.165.207.in-addr.arpa" {        
> 	type master;
>         file  "pc/152.165.207.in-addr.arpa.zone";
>   };
>   zone "n-polk.k12.ia.us" {
>         type master;
>         file "pc/n-polk.k12.ia.us.zone";
>   };
>   zone  "0.0.127.in-addr.arpa" {
>         type master;
>         file  "0.0.127.in-addr.arpa.zone";
>   };
>   zone "localhost.localdomain" {
>         type master;
>         file "localhost.localdomain.zone";
>   };
>   zone "." {
>         type hint;
>         file "db.cache";
>   };
> };
> 
> acl "internal" {
>   172.16.4/22;
> };
> 
> view "internal" {
>   match-clients{"internal";};
> 
>   zone  "4.16.172.in-addr.arpa" { 
> 	type master;
> 	file  "int/4.16.172.in-addr.arpa.zone";
>   };
>   zone  "152.165.207.in-addr.arpa" { 
> 	type master; 
> 	file  "int/152.165.207.in-addr.arpa.zone";
>   };
>   zone  "1.159.216.in-addr.arpa" {
> 	type master;
> 	file "int/1.159.216.in-addr.arpa.zone";
>   };
>   zone "n-polk.k12.ia.us" {
> 	type master;
> 	file "int/n-polk.k12.ia.us.zone";
>   };
>   zone  "0.0.127.in-addr.arpa" {
>         type master;
>         file  "0.0.127.in-addr.arpa.zone";
>   };
>   zone "localhost.localdomain" {
>         type master;
>         file "localhost.localdomain.zone";
>   };
>   zone "." {
>         type hint;
>         file "db.cache";
>   };
> };
> 
> // DON'T UNCOMMENT THE FOLLOWING UNTIL YOU FIGURE OUT HOW TO MAKE THE INTERNET
> // HOSTS GO TO THE CORRECT VIEW!!!!
> //
> //acl "external" {
> //  !172.16.4/22;
> //  !216.159.1/24;
> //  any;
> //};
> 
> //view "world" {
> //  match-clients{"external";};
> //
> //  zone  "152.165.207.in-addr.arpa" {
> //        type master;
> //        file  "ext/152.165.207.in-addr.arpa.zone";
> //  };
> //  zone  "1.159.216.in-addr.arpa" {
> //        type master;
> //        file "ext/1.159.216.in-addr.arpa.zone";
> //  };
> //  zone "n-polk.k12.ia.us" {
> //        type master;
> //        file "ext/n-polk.k12.ia.us.zone";
> //  };
> //};
> 
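The layout described in the reply's steps 2 through 5 (acls first, then
localhost, internal and remote views, and the "any" view last), written out as
one named.conf. This is an added example and not the configuration from either
message; the acl ranges, the zone name example.com and the file paths are
assumed for illustration.

```conf
// Added example; not Ben Blakely's or Michael Varre's actual config.
// Address ranges, "example.com" and the file paths are assumed.

// Step 2: define the acls before any view references them.
acl "internal" { 172.16.4.0/22; };     // assumed: LAN behind the firewall
acl "remote"   { 216.159.1.0/24; };    // assumed: remote office network

options {
    directory "/var/named";
    recursion no;                       // default off; enabled per view below
};

// Views are tried top to bottom and the first match-clients hit wins,
// so the most specific views come first and "any" comes last.

// Step 3: localhost in its own view, recursive.
view "localhost" {
    match-clients { localhost; };
    recursion yes;
    zone "." { type hint; file "db.cache"; };
    zone "example.com" { type master; file "int/example.com.zone"; };
};

// Step 4: internal clients see the internal zone data and may recurse.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "." { type hint; file "db.cache"; };
    zone "example.com" { type master; file "int/example.com.zone"; };
};

view "remote" {
    match-clients { "remote"; };
    recursion yes;
    zone "." { type hint; file "db.cache"; };
    zone "example.com" { type master; file "remote/example.com.zone"; };
};

// Step 5: the catch-all. No negated networks are needed here: any client
// that reaches this view has already failed to match the views above.
view "external" {
    match-clients { any; };
    recursion no;                       // authoritative only for the world
    zone "example.com" { type master; file "ext/example.com.zone"; };
};
```

Two choices differ from the reply on purpose. The catch-all view does not
recurse: a recursive resolver that answers any source address can be used
by third parties for cache poisoning attempts and reflection traffic, so
the world-facing view serves only the zones it is authoritative for. And the
"external" acl with `!` entries is dropped, since first-match ordering
already keeps internal and remote clients out of the last view. After
editing, run `named-checkconf` on the file, then query the server from a host
in each range (for example `dig @<server> example.com SOA`) and confirm the
answer comes from the zone file you expect for that range; a client that
matches no view at all is refused, which is another reason to keep "any"
last.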