Split DNS and zone transfers

Lightner, Jeff JLightner at water.com
Mon Apr 16 16:01:53 UTC 2012


You can also do it by IP in views, but you need separate IPs for each view. You can do that with virtual IPs on the same NICs as the primary IPs. Such virtual IPs of course have to be in the same subnet as the primary, and you'd also need to ensure the firewall (including host level, if any) is opened for the new IPs.

________________________________
From: bind-users-bounces+jlightner=water.com at lists.isc.org [mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf Of Eric Chandler
Sent: Monday, April 16, 2012 11:47 AM
To: bind-users at lists.isc.org
Subject: RE: Split DNS and zone transfers

I’ve been pointed to the right place to figure this out.  The answer is in using TSIG.  That saved me a lot of time. I searched everywhere but the most-obvious place – the bind9 faq.


Eric Chandler
Systems Architect

From: bind-users-bounces+eric.chandler=vonage.com at lists.isc.org [mailto:bind-users-bounces+eric.chandler=vonage.com at lists.isc.org] On Behalf Of Eric Chandler
Sent: Monday, April 16, 2012 11:36 AM
To: bind-users at lists.isc.org
Subject: Split DNS and zone transfers

I have a situation where I need to filter out our private infrastructure from our public-facing DNS servers. This is certainly something that should have been done a long time ago, but I just recently took over the spot. Now, I’ve seen plenty of examples using views and separate zonefiles, but what I can’t find are examples of the same domain zone-xfering both zonefiles.

Our DNS infrastructure is large and the configuration varies from server type to server type. Some are configured to be the primary auth servers – facing the Internet. Others are public-facing, but accessed only by customer devices, and still others service our internal systems. I would like to get us down to just 1 set of configuration files across the board, using views as the way to do it, but what I can’t get around are split zone transfers.

In this example, we have a straightforward example of a split zone:

view "trusted" {
  match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
    type master;
    // private zone file including local hosts
    file "internal/master.example.com";
  };
  // add required zones
};

view "badguys" {
  match-clients { any; }; // all other hosts
  // recursion not supported
  recursion no;
  // other view statements as required
  zone "example.com" {
    type master;
    // public only hosts
    file "external/master.example.com";
  };
  // add required zones
};

Now, what I would like to have are slave servers that would zone-xfer both the internal and external-flavored files for example.com and serve them using the same view structure. The hidden masters can generate the split zone files based on private IP address ranges, but I see no way to  use zone transfers to get both types of files replicated to the many slave servers that I would need to get them to.

This obviously won’t work, but this is what I’m after from a logical sense.


view "trusted" {
  match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; 4.5.6.7; };
    // private zone file including local hosts
    file "internal/master.example.com";
  };
  // add required zones
};

view "badguys" {
  match-clients { any; }; // all other hosts
  // recursion not supported
  recursion no;
  // other view statements as required
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; 4.5.6.7; };
    // public only hosts
    file "external/master.example.com";
  };
  // add required zones
};

I suppose I could set up another pair of hidden masters to serve up the internal zones, or another pair of IP addrs on the masters, but I’m hoping not to go down that road.

Thanks,

Eric Chandler
Systems Architect



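The TSIG approach Eric was pointed to, written out as an added example (this is not configuration from the thread, from ISC or from any of the posters). Both the hidden master and the slave define the same two TSIG keys; on the master, `match-clients` selects the view by the key that signed the request, so one master IP can serve both flavours of example.com, and on the slave each view signs its AXFR/IXFR requests with its own key. The key names, the placeholder secrets and the RFC 5737 addresses (192.0.2.10 for the master, 192.0.2.20 for the slave) are constructed for the example.

```conf
// ---------- shared by master and slave (identical secrets on both sides) ----------
// Generate each secret with: tsig-keygen -a hmac-sha256 internal-xfer
// (older BIND releases: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST internal-xfer)
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_INTERNAL";
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_EXTERNAL";
};

// ---------- hidden master 192.0.2.10 ----------
view "trusted" {
    // Key first, address second: a request signed with the external key is
    // pushed out of this view even if it comes from the internal subnet, and a
    // request signed with the internal key lands here from any address.
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/master.example.com";
        // Only a slave holding the internal key may transfer the private copy.
        allow-transfer { key internal-xfer; };
        // Sign the NOTIFY so the slave routes it into its own "trusted" view.
        also-notify { 192.0.2.20 key internal-xfer; };
    };
};

view "badguys" {
    match-clients { key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/master.example.com";
        allow-transfer { key external-xfer; };
        also-notify { 192.0.2.20 key external-xfer; };
    };
};

// ---------- slave 192.0.2.20 (same view layout, same master IP in both) ----------
view "trusted" {
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type slave;
        // The key on the masters entry signs every SOA query and transfer this
        // view sends, which is what makes the master hand back the private copy.
        masters { 192.0.2.10 key internal-xfer; };
        // Each view needs its own file; two views cannot share one zone file.
        file "internal/slave.example.com";
        allow-transfer { key internal-xfer; };
    };
};

view "badguys" {
    match-clients { key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type slave;
        masters { 192.0.2.10 key external-xfer; };
        file "external/slave.example.com";
        allow-transfer { key external-xfer; };
    };
};
```

To check that each view really received its own copy, sign a transfer request against the slave with each key in turn, for example `dig -y hmac-sha256:internal-xfer:<secret> @192.0.2.20 example.com AXFR` and the same with the external key, and confirm the private hosts appear only in the first answer. Keep the two secrets distinct and readable only by named: whoever holds the internal key can pull the private zone from any address, which is exactly the property the views are meant to enforce.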