bind9 split views, internal view leaked out???
Mark_Andrews at isc.org
Mon Nov 17 00:22:47 UTC 2003
> I "tried" to set up split DNS at my site, but it became a mess, and my ISP's
> DNS somehow got an update from me that contained my internal view!?! So I
> disabled my secondary DNS for now to figure it out - any help would be
> appreciated - here's the details of my setup:
>
> INTERNET ----> ROUTER/NAT ----> 192.168.1.0 network + DNS1 + DNS2
>
> DNS1: 192.168.1.110
> DNS2: 192.168.1.111
> Router translates outside address 64.42.17.169 to 192.168.1.110, and
> 64.42.17.170 to 192.168.1.111
> So my DNS servers to the outside world are 64.42.17.169 & .170, but the
> machines are really the above 192 addy.
>
> DNS1 named.conf:
> options {
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> allow-query { any; };
>
> forwarders {
> 216.174.194.53;
> };
> };
>
> acl "oem-subnet" { 192.168.1.0/24; };
>
> view "internal" {
> match-clients { "oem-subnet"; };
>
> zone "oemsupport.com" {
> type master;
> file "oemsupport.com.local.zone";
> allow-query { "oem-subnet"; };
> allow-update { 192.168.1.0/24; }; // allow dynamic updates from local subnet only
> };
>
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "1.168.192.in-addr.arpa.zone";
> allow-query { "oem-subnet"; };
> allow-update { 192.168.1.0/24; }; // allow dynamic updates from local subnet only
> };
> };
>
> view "external" { // view of our zones for the rest of the world
>
> match-clients { any; };
>
> zone "." {
> type hint;
> file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "localhost.rev";
> notify no;
> };
>
> zone "oemsupport.com" {
> type master;
> file "oemsupport.com.zone";
> };
>
> zone "oe.17.42.64.in-addr.arpa" {
> type master;
> file "oe.17.42.64.in-addr.arpa.zone";
> };
> };
>
> and on DNS2:
> options {
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> allow-query { any; };
>
> forwarders {
> 216.174.194.53;
> };
> };
>
> acl "oem-subnet" { 192.168.1.0/24; };
>
> view "internal" {
> match-clients { "oem-subnet"; };
>
> zone "oemsupport.com" {
> type slave;
> masters { 192.168.1.110; };
> file "backup.oemsupport.com.local.zone";
> allow-query { "oem-subnet"; };
> allow-update-forwarding { 192.168.1.0/24; }; // allow dynamic updates from local subnet only
> };
>
> zone "1.168.192.in-addr.arpa" {
> type slave;
> masters { 192.168.1.110; };
> file "backup.1.168.192.in-addr.arpa.zone";
> allow-query { "oem-subnet"; };
> allow-update-forwarding { 192.168.1.0/24; }; // allow dynamic updates from local subnet only
> };
> };
>
> view "external" { // view of our zones for the rest of the world
>
> match-clients { any; };
>
> zone "." {
> type hint;
> file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "localhost.rev";
> notify no;
> };
>
> zone "oemsupport.com" {
> type slave;
> masters { 64.42.17.169; };
> file "backup.oemsupport.com.zone";
> };
>
> zone "oe.17.42.64.in-addr.arpa" {
> type slave;
> masters { 64.42.17.169; };
> file "backup.oe.17.42.64.in-addr.arpa.zone";
> };
> };
>
> The resolv.conf for DNS1 is nameserver 192.168.1.110
> The resolv.conf for DNS2 is nameserver 192.168.1.111
>
> Somehow, my ISP (which has ns1 thru ns4.atgi.net, and slaves me) got a copy
> of my internal zone from my DNS2?? How did this happen??
>
> Thanks!
You are depending upon your NAT doing the correct thing
when it loops the connection back to transfer the external
zone. Does it change the source address to an external
address of the NAT?

When running on DNS2, what does the following produce?

dig axfr oemsupport.com @64.42.17.169
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
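The mechanism behind Mark's question, as an added example (not code from the thread or from ISC): BIND tries the views in configuration order and the first view whose match-clients accepts the request answers it, and a zone transfer is just another request. So if the NAT hairpins DNS2's transfer to 64.42.17.169 without rewriting the source, DNS1 sees 192.168.1.111, the "internal" view matches first, and DNS2's *external* slave zone is filled with the internal data that is then handed on to the ISP. The model below uses the addresses and view order posted above; the TSIG-keyed variant is BIND's documented way of steering transfers between views and is not something the thread proposes, and the AXFR text and 203.0.113.5 client are constructed.

```python
"""Model of BIND view selection for the split-DNS setup in the thread.

Constructed example. Matchers mirror a match-clients address match list:
each receives (source address, TSIG key name or None) and returns True/False.
"""

import ipaddress

# acl "oem-subnet" { 192.168.1.0/24; };
OEM_SUBNET = "192.168.1.0/24"


def acl(network):
    net = ipaddress.ip_network(network)
    return lambda ip, key: ip in net


def any_client(ip, key):          # match-clients { any; };
    return True


def not_signed_with(key_name):    # the "!key name;" element of an address match list
    return lambda ip, key: key != key_name


def all_of(*matchers):
    return lambda ip, key: all(m(ip, key) for m in matchers)


def view_for(views, src_ip, key=None):
    """Name of the first view in `views` (ordered [(name, matcher)]) that
    accepts the request, or None if no view matches."""
    ip = ipaddress.ip_address(src_ip)
    for name, matcher in views:
        if matcher(ip, key):
            return name
    return None


# DNS1 exactly as posted: address-based internal view first, then a catch-all.
POSTED_VIEWS = [
    ("internal", acl(OEM_SUBNET)),   # match-clients { "oem-subnet"; };
    ("external", any_client),        # match-clients { any; };
]

# A keyed variant (assumption, not from the thread): DNS2 signs its transfer
# requests with a TSIG key named "external-xfer", and the internal view refuses
# anything carrying that key, so the signed transfer falls through to external:
#   view "internal" { match-clients { !key external-xfer; "oem-subnet"; }; ... };
KEYED_VIEWS = [
    ("internal", all_of(not_signed_with("external-xfer"), acl(OEM_SUBNET))),
    ("external", any_client),
]


def transfer_source_seen_by_dns1(nat_rewrites_hairpin_source):
    """Source address DNS1 sees when DNS2 (192.168.1.111) pulls the zone from
    64.42.17.169 through the NAT. Without source rewriting on the hairpin,
    DNS1 sees DNS2's real RFC 1918 address."""
    return "64.42.17.170" if nat_rewrites_hairpin_source else "192.168.1.111"


def copy_of_zone_dns2_receives(views, nat_rewrites_hairpin_source, key=None):
    """Which view's copy of oemsupport.com ends up in DNS2's external slave zone."""
    src = transfer_source_seen_by_dns1(nat_rewrites_hairpin_source)
    return view_for(views, src, key)


# Constructed output in the shape `dig axfr oemsupport.com @64.42.17.169`
# prints; only the RFC 1918 address for dns1 marks this as the internal copy.
SAMPLE_AXFR = """\
; constructed AXFR output
oemsupport.com.       3600  IN  SOA  dns1.oemsupport.com. hostmaster.oemsupport.com. 1 3600 900 604800 3600
oemsupport.com.       3600  IN  NS   dns1.oemsupport.com.
dns1.oemsupport.com.  3600  IN  A    192.168.1.110
www.oemsupport.com.   3600  IN  A    64.42.17.169
"""


def private_addresses_in_axfr(text):
    """Check the zone a transfer returned: list (owner, address) pairs whose
    A/AAAA data is a private address, i.e. records that belong to the internal view."""
    leaked = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) >= 5 and fields[3] in ("A", "AAAA"):
            if ipaddress.ip_address(fields[4]).is_private:
                leaked.append((fields[0], fields[4]))
    return leaked


if __name__ == "__main__":
    print("hairpin, source not rewritten:", copy_of_zone_dns2_receives(POSTED_VIEWS, False))
    print("hairpin, source rewritten:    ", copy_of_zone_dns2_receives(POSTED_VIEWS, True))
    print("signed transfer, keyed views: ", copy_of_zone_dns2_receives(KEYED_VIEWS, False, "external-xfer"))
    print("private records in AXFR:      ", private_addresses_in_axfr(SAMPLE_AXFR))
```

Running the script shows the posted configuration handing the internal copy to DNS2 whenever the NAT preserves the source address on the hairpin, and the keyed variant selecting the external view regardless of what the NAT does. The last function is the check to run on the real output of Mark's `dig axfr` command: a public-facing copy of the zone should contain no RFC 1918 addresses.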