Doubt regarding acls and internal and external view.

Barry Margolin barmar at alum.mit.edu
Sat May 23 15:23:36 UTC 2015


In article <mailman.2079.1432386408.26362.bind-users at lists.isc.org>,
 Elias Pereira <empbilly at gmail.com> wrote:

> I understood the explanations. Now, here is why I asked the question.
> 
> Let's assume I have 3 services and all with public IPs.
> 
> - www.myservice.com
> - Database
> - Microsoft AD
> 
> I think the only service the external public needs to know that exists is
> the www.
> 
> Assuming that, along with the explanations you have given me, I need to
> duplicate the www entry in the internal and external views. The rest is
> only in the "internal" view.
> 
> Now the question. If someone from the outside runs an nslookup for the
> "AD" service, will they be able to catch the hostname of the service? Ex.
> Ad.myservice.com

If it's not in the external view, they won't be able to see it. Why is 
this even a question? It's the basic way that views work: you can only 
look up things that are in the first view whose ACL you match.

But I have a confusion about your configuration. You don't just have two 
views, you also have different zone names in the two views. So in the 
internal view, the name would be "www.internal", in the external view it 
would be "www.external".

> 
> On Fri, May 22, 2015 at 4:37 PM, Darcy Kevin (FCA) <kevin.darcy at fcagroup.com> wrote:
> 
> > You’ll need to duplicate the www name into the internal zone if your
> > internal clients need to resolve it. If a query doesn’t resolve in one
> > view, it doesn’t “fail over” to another view in the config. It simply
> > returns the negative response to the client.
> >
> > - Kevin
> >
> > From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Elias Pereira
> > Sent: Friday, May 22, 2015 10:48 AM
> > To: bind-users at lists.isc.org
> > Subject: Doubt regarding acls and internal and external view.
> >
> > Hello everyone,
> >
> > I have a doubt regarding acls and internal and external view.
> >
> > If I have some servers and among them, one only has access part of the
> > "external (world)" to "internal (my infrastructure)." That would be the
> > site (www). The rest is only internal.
> >
> > Like that:
> >
> > www                      --> zone db.external
> > any other server/service --> zone db.internal
> >
> > acl "clients" {
> >         localhost;
> >         192.168.1.0/24;   // network address, not a host: 192.168.1.1/24 makes named warn "address/prefix length mismatch"
> >         172.16.1.0/24;    // likewise, was 172.16.1.1/24
> > };
> >
> > view "internal" {
> >         match-clients { clients; };
> >         recursion yes;
> >
> >         zone "internal" {
> >                 type master;
> >                 file "/etc/bind/db.internal";
> >         };
> > };
> >
> > view "external" {
> >         match-clients { any; };
> >         recursion no;
> >         additional-from-auth no;
> >         additional-from-cache no;
> >
> >         zone "external" {
> >                 type master;
> >                 file "/etc/bind/db.external";
> >         };
> > };
> >
> > Thus I should only put the site in a zone that is in the external view and
> > the other servers on the internal view, would it?
> >
> > --
> > Elias Pereira

-- 
Barry Margolin
Arlington, MA
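To make the two rules in this thread concrete (a client is served by the first view whose match-clients ACL it matches, and a name missing from that view's zone gets a negative answer with no fall-over to another view), here is a small Python model of BIND's view selection. It is an added example, not BIND's code and not part of the thread. Following Barry's remark, it assumes the zone is called "myservice.com" in both views rather than "internal"/"external"; the ACL entries, hostnames and addresses are constructed for illustration.

```python
"""Toy model of how BIND 9 picks a view and answers a query (added example).

Models two rules: the FIRST view whose match-clients ACL matches the client
wins, and the answer comes only from that view's zones. All names and
addresses below are constructed; the zone is assumed to be "myservice.com".
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class View:
    name: str
    match_clients: list   # parsed ACL: list of ip_network objects
    zones: dict           # zone name -> {owner name: A record}


def parse_acl(entries):
    """Turn BIND-style ACL entries into networks.

    'localhost' and 'any' are the built-in names used in the thread. ipaddress
    is strict about prefixes, so "192.168.1.1/24" raises ValueError here;
    BIND itself only warns ("address/prefix length mismatch") and masks the
    host bits, which is why "192.168.1.0/24" is the cleaner form.
    """
    nets = []
    for entry in entries:
        if entry == "localhost":
            nets += [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
        elif entry == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets.append(ipaddress.ip_network(entry))
    return nets


def select_view(views, client_ip):
    """First view in configuration order whose ACL matches the client."""
    ip = ipaddress.ip_address(client_ip)
    for view in views:
        if any(ip in net for net in view.match_clients):
            return view
    return None   # named would refuse the query


def resolve(views, client_ip, qname):
    """Return (rcode, view name, rdata) for an A query from client_ip."""
    view = select_view(views, client_ip)
    if view is None:
        return ("REFUSED", None, None)
    name = qname.rstrip(".").lower()
    # Longest zone suffix the name falls under, within the selected view only.
    zone = max((z for z in view.zones if name == z or name.endswith("." + z)),
               key=len, default=None)
    if zone is None:
        return ("REFUSED", view.name, None)   # not authoritative in this view
    rdata = view.zones[zone].get(name)
    if rdata is None:
        return ("NXDOMAIN", view.name, None)  # no fail-over to another view
    return ("NOERROR", view.name, rdata)


# Constructed scenario: www is published in both views, AD and DB only internally.
INTERNAL_RECORDS = {
    "myservice.com": "192.0.2.10",
    "www.myservice.com": "192.0.2.10",
    "ad.myservice.com": "192.168.1.5",
    "db.myservice.com": "192.168.1.6",
}
EXTERNAL_RECORDS = {
    "myservice.com": "192.0.2.10",
    "www.myservice.com": "192.0.2.10",
}
VIEWS = [
    View("internal", parse_acl(["localhost", "192.168.1.0/24", "172.16.1.0/24"]),
         {"myservice.com": INTERNAL_RECORDS}),
    View("external", parse_acl(["any"]), {"myservice.com": EXTERNAL_RECORDS}),
]

if __name__ == "__main__":
    for client, qname in [("203.0.113.7", "Ad.myservice.com"),
                          ("192.168.1.50", "Ad.myservice.com"),
                          ("203.0.113.7", "www.myservice.com")]:
        print(client, qname, resolve(VIEWS, client, qname))
    # Kevin's point: without www in the internal zone, internal clients get NXDOMAIN.
    no_dup = [View("internal", VIEWS[0].match_clients,
                   {"myservice.com": {"ad.myservice.com": "192.168.1.5"}}),
              VIEWS[1]]
    print("internal without www:", resolve(no_dup, "192.168.1.50", "www.myservice.com"))
    # Order matters: with "external" (match-clients any) first, nobody reaches "internal".
    print("views reversed:", resolve(list(reversed(VIEWS)), "192.168.1.50", "ad.myservice.com"))
```

The reversed-order case is the one worth remembering when editing named.conf: a view with `match-clients { any; }` placed first swallows every client, so the more specific view must come before it.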

