Split DNS, internal/external

Jeff Howard howjeffard at gmail.com
Tue Feb 3 22:19:49 UTC 2009


Hi all,

Having a problem setting up split DNS for the purpose of separating
internal, recursive, caching responses vs external, non-caching,
non-recursive responses.  First off, can views be used to do this?

If yes, here are the relevant (I hope) portions of named.conf, which I've
set up based on http://www.cymru.com/Documents/secure-bind-template.html:

acl trusted {
        8.8.8.0/24;
};
..snip..
view internal-in in {
    match clients { trusted };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
        // Link in the root server hint file.
        type hint;
        file "db.cache";
    };

    zone "ournetwork.com" in {
        // Our internal A RR zone. There may be several of these.
        type master;
        file "ournetwork.com.db";
    };

    zone "8.8.8.in-addr.arpa" in {
        // Our internal PTR RR zone. Again, there may be several of these.
        type master;
        file "8.8.8.in-addr.arpa.db";
    };

};

view external-in in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "8.8.8.in-addr.arpa" in {
        // Our internal PTR RR zone. Again, there may be several of these.
        type master;
        file "8.8.8.in-addr.arpa.db";
        allow-query { any; };
    };

    zone "ournetwork.com" in {
        // Our internal A RR zone. There may be several of these.
        type master;
        file "ournetwork.com.db";
        allow-query { any; };
    };

    zone "." in {
        // Link in the root server hint file.
        type hint;
        file "db.cache";
    };

};

The result is that all requests outside the trusted IP range are being
REFUSED.  Not sure why that is, though; anyone?

Thanks a bunch!
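
How named would pick a view for the two views posted above, as an added example that is not part of the original post and not BIND code: views are tested in the order they appear, and the first one whose match-clients ACL contains the source address handles the query. The model reads the internal view's client list as `match-clients { trusted; };`, assumes a non-recursive view refuses names outside its zones, and uses hypothetical function names and a constructed outside address (203.0.113.7).

```python
import ipaddress

# ACLs and zones transcribed from the posted named.conf (a model, not BIND itself).
ACLS = {
    "trusted": [ipaddress.ip_network("8.8.8.0/24")],
    "any": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
}
ZONES = ("ournetwork.com", "8.8.8.in-addr.arpa")

# Order matters: views are tried top to bottom and the first match wins.
VIEWS = [
    {"name": "internal-in", "match_clients": "trusted", "recursion": True},
    {"name": "external-in", "match_clients": "any", "recursion": False},
]


def select_view(client_ip, views=VIEWS):
    """Return the first view whose match-clients ACL contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for view in views:
        if any(addr in net for net in ACLS[view["match_clients"]]):
            return view
    return None  # no view matched at all


def in_zone(qname):
    """True if qname is at or below one of the zones the server is master for."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in ZONES)


def expected_outcome(client_ip, qname, views=VIEWS):
    """Return (view name, expected handling) for one query in this model."""
    view = select_view(client_ip, views)
    if view is None:
        return (None, "REFUSED")
    if in_zone(qname):
        return (view["name"], "answered from zone data")
    if view["recursion"]:
        return (view["name"], "recursive lookup")
    # Assumption: recursion no plus additional-from-cache no refuses other names.
    return (view["name"], "REFUSED")


if __name__ == "__main__":
    for ip in ("8.8.8.10", "203.0.113.7"):  # constructed sample clients
        for name in ("www.ournetwork.com", "www.example.org"):
            print(ip, name, expected_outcome(ip, name))
```

In this model an outside client is refused only for names outside ournetwork.com and the reverse zone; listing external-in first would send every client, trusted or not, to the non-recursive view.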