Split DNS, internal/external
Linux Addict
linuxaddict7 at gmail.com
Tue Feb 3 22:42:34 UTC 2009
On Tue, Feb 3, 2009 at 5:19 PM, Jeff Howard <howjeffard at gmail.com> wrote:
> Hi all,
>
> Having a problem setting up split DNS for the purpose of separating
> internal, recursive, caching responses vs external, non caching, non
> recursive responses. First off, can views be used to do this?
>
> If yes, here are the relevant (I hope) portions of named.conf, which I've
> set up based on http://www.cymru.com/Documents/secure-bind-template.html:
>
> acl trusted {
> 8.8.8.0/24;
> };
> ..snip..
> view internal-in in {
> match-clients { trusted; };
> recursion yes;
> additional-from-auth yes;
> additional-from-cache yes;
>
> zone "." in {
> // Link in the root server hint file.
> type hint;
> file "db.cache";
> };
>
> zone "ournetwork.com" in {
> // Our internal A RR zone. There may be several of these.
> type master;
> file "ournetwork.com.db";
> };
>
> zone "8.8.8.in-addr.arpa" in {
> // Our internal PTR RR zone. Again, there may be several of these.
> type master;
> file "8.8.8.in-addr.arpa.db";
> };
>
> };
>
> view external-in in {
> match-clients { any; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
>
> zone "8.8.8.in-addr.arpa" in {
> // Our internal PTR RR zone. Again, there may be several of these.
> type master;
> file "8.8.8.in-addr.arpa.db";
> allow-query { any; };
> };
>
> zone "ournetwork.com" in {
> // Our internal A RR zone. There may be several of these.
> type master;
> file "ournetwork.com.db";
> allow-query { any; };
> };
>
> zone "." in {
> // Link in the root server hint file.
> type hint;
> file "db.cache";
> };
>
> };
>
> The result is that all requests outside the trusted IP range are being
> REFUSED. Not sure why that is, though; anyone?
>
> Thanks a bunch!
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
Can you please post one of the REFUSED messages? I doubt the clients are
outside the trusted.
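
Whether a client's source address falls inside the trusted ACL, and which view therefore answers it, can be checked offline. The sketch below is an added example, not part of the original thread and not BIND code: it models first-match view selection over a constructed, reduced copy of the quoted configuration, and the function names and client addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample: the acl and view headers from the quoted named.conf,
# reduced to the lines that decide view selection. "match-clients" is written
# in its documented form for both views.
NAMED_CONF = """
acl trusted { 8.8.8.0/24; };
view internal-in in { match-clients { trusted; }; recursion yes; };
view external-in in { match-clients { any; }; recursion no; };
"""

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse(conf):
    """Hypothetical minimal parser: flat acl blocks and view headers only."""
    acls = {n: _elements(b) for n, b in re.findall(r"acl\s+([\w-]+)\s*\{([^}]*)\}", conf)}
    views = [(n, _elements(m), r == "yes") for n, m, r in re.findall(
        r'view\s+"?([\w-]+)"?.*?match-clients\s*\{([^}]*)\}.*?recursion\s+(yes|no)',
        conf, re.S)]
    return acls, views

def accepts(addr, elements, acls):
    """First matching element decides; a leading '!' turns a match into a reject."""
    for el in elements:
        negate, el = el.startswith("!"), el.lstrip("! ")
        if el in ("any", "none"):
            hit, negate = True, negate ^ (el == "none")   # none behaves as !any
        elif el in acls:
            hit = accepts(addr, acls[el], acls)           # simplification for nested lists
        else:
            hit = addr in ipaddress.ip_network(el, strict=False)
        if hit:
            return not negate
    return False

def select_view(client, conf=NAMED_CONF):
    """Return (view name, recursion allowed) for a client source address."""
    acls, views = parse(conf)
    addr = ipaddress.ip_address(client)
    for name, elements, recursion in views:   # views are tried in file order
        if accepts(addr, elements, acls):
            return name, recursion
    return None, False                        # no matching view: named answers REFUSED

if __name__ == "__main__":
    for ip in ("8.8.8.15", "192.0.2.10"):     # constructed client addresses
        print(ip, select_view(ip))
```

Because views are tried in file order, placing a view with `match-clients { any; };` first would capture trusted clients as well, so the catch-all view belongs last.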