Split DNS, internal/external

Linux Addict linuxaddict7 at gmail.com
Tue Feb 3 22:42:34 UTC 2009


On Tue, Feb 3, 2009 at 5:19 PM, Jeff Howard <howjeffard at gmail.com> wrote:

> Hi all,
>
> Having a problem setting up split DNS for the purpose of separating
> internal, recursive, caching responses vs external, non caching, non
> recursive responses.  First off, can views be used to do this?
>
> If yes, here are the relevant (I hope) portions of named.conf, which I've
> set up based on http://www.cymru.com/Documents/secure-bind-template.html:
>
> acl trusted {
>         8.8.8.0/24;
> };
> ..snip..
> view internal-in in {
>     match clients { trusted };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "." in {
>         // Link in the root server hint file.
>         type hint;
>         file "db.cache";
>     };
>
>     zone "ournetwork.com" in {
>         // Our internal A RR zone. There may be several of these.
>         type master;
>         file "ournetwork.com.db";
>     };
>
>     zone "8.8.8.in-addr.arpa" in {
>         // Our internal PTR RR zone. Again, there may be several of these.
>         type master;
>         file "8.8.8.in-addr.arpa.db";
>     };
> };
>
> view external-in in {
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "8.8.8.in-addr.arpa" in {
>         // Our internal PTR RR zone. Again, there may be several of these.
>         type master;
>         file "8.8.8.in-addr.arpa.db";
>         allow-query { any; };
>     };
>
>     zone "ournetwork.com" in {
>         // Our internal A RR zone. There may be several of these.
>         type master;
>         file "ournetwork.com.db";
>         allow-query { any; };
>     };
>
>     zone "." in {
>         // Link in the root server hint file.
>         type hint;
>         file "db.cache";
>     };
> };
>
> The result is that all requests outside the trusted IP range are being
> REFUSED.  Not sure why that is, though; anyone?
>
> Thanks a bunch!
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


Can you please post one of the REFUSED messages? I doubt the clients are
outside the trusted ACL.
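As an added example, not from this thread or from BIND itself, here is a small Python model of the rule the quoted config depends on: named tries views in file order and the first view whose match-clients list admits the client serves the query, so the catch-all view must come last and a view with no match-clients at all matches every client. It assumes a simplified named.conf grammar (acl, view, match-clients, recursion) and the constructed fragment below, modelled on the quoted config.

```python
import ipaddress
import re
# Constructed named.conf fragment modelled on the one quoted above (zones omitted); not the poster's file.
NAMED_CONF = """
acl trusted { 8.8.8.0/24; };
view internal-in in {
    match-clients { trusted; };
    recursion yes;
};
view external-in in {
    match-clients { any; };
    recursion no;
};
"""

_elems = lambda t: [x.strip(";") for x in t.split()]  # "8.8.8.0/24; trusted;" -> ["8.8.8.0/24", "trusted"]

def parse_conf(conf):
    """Return (acls, views); views keep file order as (name, match-clients list, recursion)."""
    acls = {n: _elems(b) for n, b in re.findall(r"acl\s+(\S+)\s*\{([^}]*)\}", conf)}
    views = []
    for name, body in re.findall(r"view\s+(\S+)\s+(?:in\s+)?\{(.*?)^\};", conf, re.S | re.M):
        m = re.search(r"match-clients\s*\{([^}]*)\}", body)
        rec = re.search(r"recursion\s+(yes|no)", body)
        # BIND defaults: a view with no match-clients matches any client, and recursion is yes.
        views.append((name, _elems(m.group(1)) if m else ["any"], rec.group(1) if rec else "yes"))
    return acls, views

def matches(match, acls, ip):
    """Evaluate an address match list made of 'any', acl names, and CIDRs or single addresses."""
    for item in match:
        if item == "any" or (item in acls and matches(acls[item], acls, ip)):
            return True
        if item not in acls and ip in ipaddress.ip_network(item, strict=False):
            return True
    return False

def select_view(conf, client):
    """named tries views in file order; the first view whose match-clients hits serves the query."""
    acls, views = parse_conf(conf)
    return next(((n, rec) for n, match, rec in views if matches(match, acls, ipaddress.ip_address(client))), None)

def audit(views):
    """Flag the classic split-DNS mistakes: a catch-all view that is not last, recursion open to any."""
    catch_all = [i for i, (_, m, _) in enumerate(views) if "any" in m]
    findings = [f"{views[i][0]}: matches any client but is not last; later views are unreachable"
                for i in catch_all if i != len(views) - 1]
    findings += [f"{n}: recursion yes for any client (open resolver)" for n, m, r in views if "any" in m and r == "yes"]
    return findings
```

Running `audit` over the views of a real named.conf (after `named-checkconf` accepts it) is a quick way to confirm that the recursive internal view is reachable only from the trusted range and that the external view stays non-recursive.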