One host serving both internal and external nameservice, which view should match-clients for the local host?

Barry Margolin barmar at alum.mit.edu
Tue Oct 26 04:23:40 UTC 2010


In article <mailman.552.1288046764.555.bind-users at lists.isc.org>,
 Stewart Dean <sdean at bard.edu> wrote:

> I did exactly that, but that wasn't what I was asking (I don't think).  
> 
> What I want to know is about how the nameserver host itself handles any calls 
> it itself makes to localhost.  If I have one view handling 10. addresses and 
> the other handling ALL others (match-clients { any; }), then it would seem to 
> me that the nameserver itself, in its OWN need for name resolutions, could 
> ONLY resolve external addresses (because localhost/127.0.0.1 would fall into 
> the external view match-client { any;}), it couldn't resolve any 10. internal 
> addresses for itself in local host calls.
> 
> Is what I'm getting at understandable?  Correct?  Is there something to do 
> with router tables that could allow the nameserver to resolve its OWN 10. 
> name resolutions that are needed on the box itself.  Again, I am NOT asking 
> about resolution request calls either from 10. internal hosts NOR from the 
> outside world, RATHER I am asking about resolution calls the machine has to 
> do FOR ITSELF through localhost/127.0.0.1.  I could add local host to the 
> internal view's match-clients statement, yes, but then the box wouldn't be 
> able to resolve external addresses made through local host......... 

You could make a third view that matches just "localhost", and do 
whatever you think should be done for the machine querying itself.

But you can't have it both ways.  If you have two versions of your zone, 
you have to decide which version should be returned to localhost.  
There's no obvious way to know whether a particular query is intended to 
be internal or external.

> 
> 
> ----- Original Message -----
> From: "Todd Snyder" <tsnyder at rim.com>
> To: "Stewart Dean" <sdean at bard.edu>, bind-users at lists.isc.org
> Sent: Monday, October 25, 2010 3:00:54 PM
> Subject: RE: One host serving both internal and external nameservice, which	
> view should match-clients for the local host?
> 
> What I have done is add another IP to boxes with views, one per view (ie: 
> 127.0.1.1/2/3/4).  Then put one of those ips in each view match statement.  
> When you do your dig, you tell it to source from a specific interface (dig -b 
> 127.0.1.1 @localhost record.ext).  That will ensure that you can hit the view 
> you want to hit, without any guess work.
> 
> YMMV.
> 
> Cheers,
> 
> Todd.
> 
> -----Original Message-----
> From: bind-users-bounces+tsnyder=rim.com at lists.isc.org 
> [mailto:bind-users-bounces+tsnyder=rim.com at lists.isc.org] On Behalf Of 
> Stewart Dean
> Sent: Monday, October 25, 2010 2:54 PM
> To: bind-users at lists.isc.org
> Subject: Q: One host serving both internal and external nameservice, which 
> view should match-clients for the local host?
> 
> I have set up a nameserver as per pg 249 of DNS & Bind, 5th Ed.  The host is
> on two networks, serving the internal 10 based network as nsi at 10.5.0.5
> with an internal view and the external network as nsx at 192.246.229.x with
> an external view.  Everything makes sense until I get to the match-clients
> definition.  Using the example on 249, named will serve the internal
> addresses, and the external view match-clients { any; } will take everything
> else....including the local host 127.0.0.1.
> 
> That would seem to me to make it so the local host would be unable to resolve
> (for itself) internal addresses, forcing it to only be able to resolve
> external addresses for itself.
> 
> Is this as it should be?  Am I missing something?
> --
> "One must think like a hero to behave like a merely decent human being."
> - May Sarton
> Stewart Dean, Unix System Admin, Bard College, New York 12504
> sdean at bard.edu voice: 845-758-7475, fax: 845-758-7035

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
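
A named.conf sketch of the three-view layout suggested in this reply, combined with the per-view loopback probe addresses from Todd's message. This is an added example, not configuration posted by anyone in the thread; the zone name, file paths, ACL names and the choice of 127.0.1.2 for the external probe are assumptions.

```conf
// Constructed example: zone name, file paths and ACL names are placeholders.
acl "internal-nets" { 10.0.0.0/8; };

// Test-only loopback aliases, one per view, as in Todd's reply.
// They must be configured on the host before they can be used as a source.
acl "probe-internal" { 127.0.1.1; };
acl "probe-external" { 127.0.1.2; };

// named tries views in the order written; the first view whose
// match-clients accepts the query's source address answers it.

view "local" {
    // The built-in "localhost" ACL covers every address configured on this
    // host, not only 127.0.0.1, so the probe addresses are excluded first.
    match-clients { !"probe-internal"; !"probe-external"; localhost; };
    recursion yes;
    // Deliberate choice: the server itself gets the internal version of the
    // zone (static file, shared read-only with the "internal" view).
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "internal" {
    match-clients { "probe-internal"; "internal-nets"; };
    recursion yes;
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "external" {
    // Catch-all, so it has to come last; anything listed after it is unreachable.
    match-clients { "probe-external"; any; };
    recursion no;
    zone "example.com" { type master; file "external/example.com.db"; };
};
```

With this layout, `dig -b 127.0.1.1 @localhost record.ext` is answered by the internal view and `dig -b 127.0.1.2 @localhost record.ext` by the external view, which lets you confirm from the server itself that the external view does not return internal records.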


