Split-DNS + Views + master/slave

Brad Bendily Brad.Bendily at LA.GOV
Thu Jul 7 16:24:22 UTC 2011 

I am glad to be able to answer an email on this list.
I literally did this same thing 4 days ago and had the exact same
problem.
Here is the answer you seek:

https://www.isc.org/faq/item/182

bb 

> -----Original Message-----
> From: bind-users-bounces+brad.bendily=la.gov at lists.isc.org 
> [mailto:bind-users-bounces+brad.bendily=la.gov at lists.isc.org] 
> On Behalf Of Ewald Jenisch
> Sent: Thursday, July 07, 2011 10:59 AM
> To: bind-users at lists.isc.org
> Subject: Split-DNS + Views + master/slave
> 
> Hi,
> 
> I'm in the process of setting up two DNS-servers 
> (master/slave). Response of these servers should be different 
> as to where the queries come from (inside our network vs. 
> external). For this purpose I thought about using views.
> 
> Here's an excerpt from what I got in my named.conf:
> 
> Master-DNS:
> -----------
> 
> view "internal-view" in {
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
> 
> zone "v6.oekb.at" {
>         type master;
>         file "/etc/namedb/master/Internal/v6.oekb.at-forward.db";
>         notify yes;
>         allow-transfer { valid_secondary; }; }; ...
> };
> 
> view "external-view" in {
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>     
>         
> zone "v6.oekb.at" {
>         type master;
>         file "/etc/namedb/master/External/v6.oekb.at-forward.db";
>         allow-transfer { valid_secondary; };
>         allow-query {
>                 any;
>         };
>         notify yes;
> };
> ...
> };
> 
> 
> With "trusted", "valid_secondary" being acls containing the 
> addresses/ranges belonging to the internal range;
> 
> As you can see from the above excerpt I use distinct files 
> for internal and external view on the master (with the 
> configuration for the internal view containing a lot more 
> entries than the one for external, simply because it holds 
> all the internal addresses, that are not supposed to be known 
> to the outside)
> 
> On the slave DNS the setup looks similar:
> 
> Slave-DNS:
> ----------
> 
> 
> view "internal-view" in {
>     // Our internal (trusted) view. We permit the internal networks
>     // to freely access this view. We perform recursion for our
>     // internal hosts, and retrieve data from the cache for them.
> 
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
> 
> zone "v6.oekb.at" {
>         type slave;
>         file "/etc/namedb/slave/Internal/v6.oekb.at-forward.db";
>         masters {
>                 143.245.5.61;
>         };
>         allow-query {
>                 any;
>         };
>         allow-transfer { valid_secondary; }; }; ...
> };
> 
> 
> view "external-view" in {
>     // Our external (untrusted) view. We permit any client to access
>     // portions of this view. We do not perform recursion or cache
>     // access for hosts using this view.
>         
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
> zone "v6.oekb.at" {
>         type slave;
>         file "/etc/namedb/slave/External/v6.oekb.at-forward.db";
>         masters {
>                 143.245.5.61;
>         };
>         allow-query {
>                 any;
>         };
> };
> 
> 
> With the master everything's fine: When sending it a query 
> from the inside network the client gets an answer out of the 
> internal data-set (i.e. file 
> /etc/namedb/slave/Internal/v6.oekb.at-forward.db); when the 
> clients sits outside it gets an answer as per the external 
> view. This holds true for all zones on the master.
> 
> However on the slave DNS are a real mess: When starting up 
> the slave I end up with it having only one configuration for 
> all the zones; i.e. the distinction between internal and 
> external views are gone.
> 
> Put in another way: On the master the two configurations (internal and
> external) for the above zone are distinct (different 
> config-files), whereas on the slave I have the exact same 
> data in the files for both "Internal" and "External". Looks 
> like the slave gets confused somehow given the fact that it's 
> the same zone name for both internal and external views and 
> mixes things up (?).
> 
> So here is my question: How do I set up two servers 
> (master/slave) using views (for internal and external 
> clients) so that both of them hold the the correct data and 
> return the correct answers to their respective clients 
> (inside and outside)?
> 
> Thanks much in advance for any clue,
> -ewald
> _______________________________________________
> Please visit 
> https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

More information about the bind-users mailing list