no. of Views and Zones

Lightner, Jeff jlightner at water.com
Mon Nov 8 18:35:54 UTC 2010


Right.

Since we do external and internal we actually have separate NICs for our
internal facing network and our external facing network.  We do use
virtual IPs for the zone transfers from the master to slaves though.

I wasn't suggesting the OP use dozens or hundreds of views because as I
noted I don't know what the performance impact is.  I was mainly posting
to say that a single zone file wouldn't do what he wanted.   Views
theoretically work but performance is a key question.

Setting up VMs would probably be a good idea from a security standpoint
(i.e. one client doesn't see what another one has).  However, it seems
one would not be able to run as many VMs as views simply because each VM
would take up resources not just for DNS but for the underlying OS on
each.

If it were me I'd prefer doing multiple VMs at least (and as many
servers as required to support the VMs) if I was concerned about
security of each customer.   This would especially be true if those
customers also had web, mail or other servers being hosted by me as
well.


-----Original Message-----
From: Chris Buxton [mailto:chris.p.buxton at gmail.com] 
Sent: Monday, November 08, 2010 12:32 PM
To: Lightner, Jeff
Cc: bind-users at lists.isc.org
Subject: Re: no. of Views and Zones

Lightner, Jeff wrote:
> You would NOT use a single zone for this.   Views are designed
> specifically to control what is seen.  However, that control is mainly
> done by acl's specifying which networks access which views.

Or by server IP. You can use match-destinations with views to provide a 
different virtual server per server IP address, all on one box, with a 
single instance of named. You can even combine match-destinations, 
match-clients, and match-recursive-only together to satisfy even more 
complex scenarios.

That said, if it were me, I'd run separate boxes, separate VM's, or at 
least separate instances of named (each attached to a different IP) in 
the scenario posed by the OP.

> Do you
> assign specific subnets to each client?  If so you could do this with
> views but processing needed to load dozens of views is not something I
> can comment on as I think most people only do a couple.   (Here we do
> only internal and external to differentiate what people on the
> internet see as opposed to what people on our intranet see.)

I also don't have any empirical data, but I do expect that setting up 
thousands of views would have a significant impact on performance - each 
query runs a gantlet of match-* ACL's before finding the correct view.

Regards,
Chris Buxton
BlueCat Networks
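A named.conf sketch of the per-server-IP views Chris describes above, with a view per hosted customer so that a query arriving on one customer's address never answers from another customer's zone. This is an added example, not configuration from either poster; the customer names, addresses, ACL name and zone file paths are placeholders.

```conf
// Added example: one named instance, one view per customer, selected by the
// server address the query arrived on. All names and addresses are placeholders.
options {
    directory "/var/named";
    // named must listen on every per-customer address, or match-destinations
    // never sees queries for it.
    listen-on { 198.51.100.10; 198.51.100.11; };
    recursion no;               // authoritative-only, no recursion for customers
    allow-transfer { none; };   // transfers are granted per zone below
};

// Slaves allowed to pull zone transfers (placeholder addresses).
acl "xfer-slaves" { 203.0.113.5; 203.0.113.6; };

// Customer A: queries to 198.51.100.10 land here and see only A's zones.
// Once any view exists, every zone must live inside some view.
view "customer-a" {
    match-destinations { 198.51.100.10; };
    match-clients { any; };
    match-recursive-only no;
    zone "customer-a.example" {
        type master;
        file "customer-a/customer-a.example.db";
        allow-transfer { xfer-slaves; };
    };
};

// Customer B: same box, same named, different address, different zone set.
view "customer-b" {
    match-destinations { 198.51.100.11; };
    match-clients { any; };
    match-recursive-only no;
    zone "customer-b.example" {
        type master;
        file "customer-b/customer-b.example.db";
        allow-transfer { xfer-slaves; };
    };
};

// Catch-all: a query that matched no earlier view is refused instead of being
// answered from some other customer's data. Views are tested top to bottom
// on every query, so put the busiest customers first.
view "refuse" {
    match-clients { any; };
    allow-query { none; };
};
```

Each additional customer is another view block; the per-query cost Chris mentions is exactly that top-to-bottom walk through the match-* clauses, which is why the list should stay short and ordered by traffic.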