Zone transfers with views

Kevin Darcy kcd at chrysler.com
Thu Apr 30 17:20:58 UTC 2009


Stephen Carville wrote:
> I am trying to create three DNS slave servers with views for internal
> and external IPs.  Each has an address in the DMZ and the firewall
> (actually a CSS) routes requests from the external IP's to the
> internal addresses.  The correspondence is one-to-one:
>
> external.1 <--> dmz.1
> external.2 <--> dmz.2
> external.3 <--> dmz.3
>
> This seems to work fine as long as the CSS admin remembers the DNS
> servers need to see the actual source address of the request rather
> than some intermediate NAT'ed IP.
>
> What I cannot figure out is how to configure the master server.
> Ideally it would use views too but it has to be on an internal network
> and only the DMZ machines can reach it:
>
> dmz.1 <--> master
> dmz.2 <--> master
> dmz.3 <--> master
>
> All four of dmz.1, 2, 3 and master are on subnets considered internal.
>
> I tried using views on the master and I can get the slaves to transfer
> the internal or external zones but not both.  If I configure the views
> to treat the internal and dmz networks as internal, requests for an
> external zone are denied.  If I change the configuration so internal
> and dmz addresses are considered external, requests for the internal
> zones are denied.
>
> All of the servers are running CentOS 5.3 with Bind version 9.3.4.
>
> I've searched the net on the subject and I found lots of help getting
> views to work but little about getting zones transferred in a
> situation like above. Is it even possible to do this with views?  If
> not, is there a "recommended" solution?
>   
Use TSIG keys to differentiate the views.

- Kevin
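As an added illustration of the TSIG approach (not from the original thread, nor BIND's own documentation): the slave signs its SOA queries and AXFR/IXFR requests for each view with a different key, and the master selects the view by key before it ever looks at the source address, so the DMZ addresses no longer have to be classified as "internal" or "external". Secrets are placeholders; the addresses (192.0.2.1 for dmz.1, 10.0.0.10 for the master, 10.0.0.0/8 as the internal range) and the zone example.com are constructed for the example.

```conf
// ---- master (internal network), named.conf fragment ----
// TSIG keys are declared outside any view and shared with every slave.
// hmac-md5 is what BIND 9.3.4 supports; use hmac-sha256 on newer releases.
key "internal-key" { algorithm hmac-md5; secret "<BASE64-SECRET-PLACEHOLDER>"; };
key "external-key" { algorithm hmac-md5; secret "<BASE64-SECRET-PLACEHOLDER>"; };

view "internal" {
    // First match wins: a request signed with external-key is pushed out of
    // this view before the address test could catch its DMZ source address.
    match-clients { !key external-key; key internal-key; 10.0.0.0/8; };
    // Sign NOTIFYs to each slave so they land in the slave's internal view
    // (repeat for dmz.2 and dmz.3).
    server 192.0.2.1 { keys { internal-key; }; };
    zone "example.com" {
        type master; file "masters/internal.example.com";
        allow-transfer { key internal-key; };
    };
};
view "external" {
    match-clients { key external-key; any; };
    server 192.0.2.1 { keys { external-key; }; };
    zone "example.com" {
        type master; file "masters/external.example.com";
        allow-transfer { key external-key; };
    };
};

// ---- slave dmz.N, named.conf fragment (same two key clauses as above) ----
view "internal" {
    // Signed NOTIFYs from the master are steered by key; ordinary client
    // queries are unsigned and fall through to the address test.
    match-clients { !key external-key; key internal-key; 10.0.0.0/8; };
    zone "example.com" {
        type slave; file "slaves/internal.example.com";
        masters { 10.0.0.10 key internal-key; };  // constructed master address
    };
};
view "external" {
    match-clients { key external-key; any; };
    zone "example.com" {
        type slave; file "slaves/external.example.com";
        masters { 10.0.0.10 key external-key; };
    };
};
```

Without the `server ... { keys ... }` clauses the master's NOTIFYs arrive unsigned and are routed by source address alone, so a slave would only refresh the mismatched view on its SOA refresh timer; `allow-transfer { key ...; }` also means a transfer signed with the wrong key is refused rather than silently served from the other view.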




More information about the bind-users mailing list