Split-DNS + Views + master/slave
Brad Bendily
Brad.Bendily at LA.GOV
Thu Jul 7 16:24:22 UTC 2011
I am glad to be able to answer an email on this list.
I literally did this same thing 4 days ago and had the exact same
problem.
Here is the answer you seek:
https://www.isc.org/faq/item/182
bb
> -----Original Message-----
> From: bind-users-bounces+brad.bendily=la.gov at lists.isc.org
> [mailto:bind-users-bounces+brad.bendily=la.gov at lists.isc.org]
> On Behalf Of Ewald Jenisch
> Sent: Thursday, July 07, 2011 10:59 AM
> To: bind-users at lists.isc.org
> Subject: Split-DNS + Views + master/slave
>
> Hi,
>
> I'm in the process of setting up two DNS servers
> (master/slave). The responses of these servers should differ
> depending on where the queries come from (inside our network vs.
> external). For this purpose I thought about using views.
>
> Here's an excerpt from what I got in my named.conf:
>
> Master-DNS:
> -----------
>
> view "internal-view" in {
>     // answered from the full (internal) data set
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "v6.oekb.at" {
>         type master;
>         file "/etc/namedb/master/Internal/v6.oekb.at-forward.db";
>         notify yes;
>         allow-transfer { valid_secondary; };
>     };
>     ...
> };
>
> view "external-view" in {
>     // answered from the reduced (external) data set
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "v6.oekb.at" {
>         type master;
>         file "/etc/namedb/master/External/v6.oekb.at-forward.db";
>         allow-transfer { valid_secondary; };
>         allow-query {
>             any;
>         };
>         notify yes;
>     };
>     ...
> };
>
>
> With "trusted" and "valid_secondary" being ACLs containing the
> addresses/ranges belonging to the internal range.
>
> As you can see from the above excerpt, I use distinct files
> for the internal and external views on the master (with the
> configuration for the internal view containing a lot more
> entries than the one for the external view, simply because it holds
> all the internal addresses that are not supposed to be known
> to the outside).
>
> On the slave DNS the setup looks similar:
>
> Slave-DNS:
> ----------
>
>
> view "internal-view" in {
>     // Our internal (trusted) view. We permit the internal networks
>     // to freely access this view. We perform recursion for our
>     // internal hosts, and retrieve data from the cache for them.
>
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "v6.oekb.at" {
>         type slave;
>         file "/etc/namedb/slave/Internal/v6.oekb.at-forward.db";
>         masters {
>             143.245.5.61;
>         };
>         allow-query {
>             any;
>         };
>         allow-transfer { valid_secondary; };
>     };
>     ...
> };
>
>
> view "external-view" in {
>     // Our external (untrusted) view. We permit any client to access
>     // portions of this view. We do not perform recursion or cache
>     // access for hosts using this view.
>
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "v6.oekb.at" {
>         type slave;
>         file "/etc/namedb/slave/External/v6.oekb.at-forward.db";
>         masters {
>             143.245.5.61;
>         };
>         allow-query {
>             any;
>         };
>     };
> };
>
>
> With the master everything's fine: when sending it a query
> from the inside network the client gets an answer out of the
> internal data set (i.e. file
> /etc/namedb/slave/Internal/v6.oekb.at-forward.db); when the
> client sits outside it gets an answer as per the external
> view. This holds true for all zones on the master.
>
> However, on the slave DNS things are a real mess: when starting up
> the slave I end up with it having only one configuration for
> all the zones, i.e. the distinction between internal and
> external views is gone.
>
> Put another way: on the master the two configurations (internal and
> external) for the above zone are distinct (different
> config files), whereas on the slave I have the exact same
> data in the files for both "Internal" and "External". Looks
> like the slave gets confused somehow, given the fact that it's
> the same zone name for both internal and external views, and
> mixes things up (?).
>
> So here is my question: how do I set up two servers
> (master/slave) using views (for internal and external
> clients) so that both of them hold the correct data and
> return the correct answers to their respective clients
> (inside and outside)?
>
> Thanks much in advance for any clue,
> -ewald
> _______________________________________________
> Please visit
> https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
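The reply only links the FAQ, so here is the mechanism behind it as an added example (not the poster's configuration and not ISC's text). BIND picks the view for a zone-transfer request exactly as it does for any other query, by running the request through each view's match-clients in order. With the configuration quoted above both of the slave's views ask 143.245.5.61 for v6.oekb.at from the same source address, that address is in "trusted", so both requests land in the master's internal view and both files end up holding the internal data set. Signing each view's requests with a different TSIG key, and matching on the key in match-clients on the master, gives the master something other than the source address to tell the two apart. The key names, the all-zero placeholder secrets, the acl contents and the slave address 143.245.5.62 are assumptions; real secrets come from tsig-keygen and the same key statements go into both named.conf files. The block shows the relevant parts of both files, master first:

```conf
// Added example, not the original poster's config. Assumptions: key
// names, placeholder secrets, acl contents, slave address 143.245.5.62.
// Generate real secrets with "tsig-keygen internal-xfer" and
// "tsig-keygen external-xfer"; the key statements must be identical
// on master and slave.

// ---- shared by both servers ----
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=";   // placeholder
};
acl trusted { 143.245.5.0/24; 10.0.0.0/8; };   // assumed internal ranges
acl valid_secondary { 143.245.5.62; };          // assumed slave address

// ---- master (143.245.5.61) ----
view "internal-view" in {
    // A request signed with the external key is refused here even
    // though the slave's address is in "trusted"; the address-based
    // rule only applies after the key rules.
    match-clients { !key external-xfer; key internal-xfer; trusted; };
    recursion yes;
    zone "v6.oekb.at" {
        type master;
        file "/etc/namedb/master/Internal/v6.oekb.at-forward.db";
        // the internal data set is transferable only with the internal
        // key, no longer to any address in valid_secondary
        allow-transfer { key internal-xfer; };
        // signed NOTIFYs reach the matching view on the slave; an
        // unsigned NOTIFY would match the slave's internal view only.
        // The key clause in also-notify needs BIND 9.9 or later
        // (assumption about the poster's version).
        notify explicit;
        also-notify { 143.245.5.62 key internal-xfer; };
    };
};

view "external-view" in {
    match-clients { !key internal-xfer; key external-xfer; any; };
    recursion no;
    zone "v6.oekb.at" {
        type master;
        file "/etc/namedb/master/External/v6.oekb.at-forward.db";
        allow-transfer { key external-xfer; };
        notify explicit;
        also-notify { 143.245.5.62 key external-xfer; };
    };
};

// ---- slave (143.245.5.62) ----
view "internal-view" in {
    match-clients { !key external-xfer; key internal-xfer; trusted; };
    recursion yes;
    zone "v6.oekb.at" {
        type slave;
        file "/etc/namedb/slave/Internal/v6.oekb.at-forward.db";
        // every SOA / AXFR / IXFR request for this view is signed with
        // the internal key, so the master answers from its internal view
        masters { 143.245.5.61 key internal-xfer; };
    };
};

view "external-view" in {
    match-clients { !key internal-xfer; key external-xfer; any; };
    recursion no;
    zone "v6.oekb.at" {
        type slave;
        file "/etc/namedb/slave/External/v6.oekb.at-forward.db";
        masters { 143.245.5.61 key external-xfer; };
    };
};
```

Run named-checkconf on each file before reloading. The check that proves the fix is a signed transfer from the slave's own (trusted) address: dig @143.245.5.61 -y hmac-sha256:external-xfer:<secret> v6.oekb.at axfr must return the external data set and the same command with the internal key the internal one; rndc retransfer v6.oekb.at in external-view then refreshes a single view without waiting for the SOA refresh timer. The other common way to get the same separation is a second address on the slave with a different transfer-source per view, which keeps match-clients address-based; keys are the better choice here because they also stop the internal zone from being transferable to anyone who merely has an address in valid_secondary.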