advanced views misconfiguration ?

Kevin Darcy kcd at daimlerchrysler.com
Fri Dec 2 23:31:31 UTC 2005


frodo Baggins wrote:

>hi,
>
>I'm trying to set up a BIND DNS server with views for my internet 
>networks. I have clients with 10. IPs which, when
>they're connected to the VPN, get 192.168.X. IPs, but there are also clients 
>who cannot make VPN connections (for one or
>another reason) and use the internet on the LAN. There is an internet file 
>server which is configured with aliases
>on its network interface in the 10. and 192.168.1., 192.168.2. networks. The 
>idea is to "make" users use the LAN (not
>VPN) connection to transfer files to/from the file server - clients which 
>use VPN connect to the 10. IP address of the
>server, and clients on the LAN use 192.168.1.5, 192.168.2.5 for example. 
>I decided to do this "magic" using the BIND views
>feature, but I cannot achieve the goal. Here is the example 
>configuration I tested (and failed):
>[snip]
>acl "lan1" {
>        192.168.1.12;
>        192.168.1.15;
>        192.168.1.24;
>        192.168.1.41;
>        192.168.1.46;
>        192.168.1.63;
>        192.168.1.71;
>        192.168.1.91;
>        192.168.1.95;
>};
>
>acl "lan2" {
>        192.168.2.3;
>        192.168.2.4;
>        192.168.2.5;
>        192.168.2.6;
>};
>
>acl "vpn" {
>        !lan1;   192.168.1.0/24;
>        !lan2;   192.168.2.0/24;
>};
>
>view "internal_vpn" {
>        match-clients { vpn; };
>        zone "." in {
>                type hint;
>                file "root.hint";
>        };
>        zone "mydomain.net" in {
>                type master;
>                notify yes;
>                file "zone/internal/mydomain.net-vpn";
>                allow-transfer {none; };
>                allow-query { vpn; };
>        };
>};
>
>view "internal_lan1" {
>        match-clients { lan1; };
>        zone "." in {
>                type hint;
>                file "root.hint";
>        };
>        zone "mydomain.net" in {
>                type master;
>                notify yes;
>                file "zone/internal/mydomain.net-lan1";
>                allow-transfer {none; };
>                allow-query { lan1; };
>        };
>};
>
>view "external" {
>        match-clients { "any"; };
>        zone "." in {
>                type hint;
>                file "root.hint";
>        };
>        zone "0.0.127.in-addr.arpa" in {
>                type master;
>                file "zone/0.0.127.in-addr.arpa";
>        };
>        zone "XX.XX.XX.in-addr.arpa" in {
>                type master;
>                file "zone/master/XX.XX.XX.in-addr.arpa";
>                allow-transfer { XX.XX.XX.XX; localhost; };
>                allow-query { any; };
>        };
>        zone "mydomain.net" in {
>                type master;
>                notify yes;
>                file "zone/master/mydomain.net";
>                allow-transfer { XX.XX.XX.XX; localhost; };
>                allow-query { any; };
>        };
>};
>[snip]
>
>When I start named with such a conf, clients cannot resolve at all.
>Is there a misconfiguration or something? :(
>If this is impossible to realize with BIND (views),
>do you have any ideas how it can be done?
>
I think you've dug yourself a pretty deep hole with ACLs and negation 
and view-matching and so forth. If you're running BIND 9.3 or later, the 
matched view is shown in the query log, which should help you 
troubleshoot and disentangle whatever is wrong with your view config.

But, if you control all of the resolvers here, I'd seriously consider 
doing away with those views and accomplishing what you want with a 
sortlist instead, i.e. define the file server with all of its addresses 
and then just sort the A records according to the source IP of the 
client. Might be simpler and more maintainable in the long run.

                                                               - Kevin
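The sortlist approach Kevin suggests, written out as an added example (not Kevin's or frodo's configuration). It assumes the file server's VPN-side address is 10.0.0.5 (constructed), reuses a few LAN hosts from frodo's lan1/lan2 ACLs, and keeps the 192.168.1.5 / 192.168.2.5 LAN addresses from the post:

```conf
// Added example: one zone, one "fileserver" name carrying all of its addresses;
// named reorders the A records per query so each client sees its nearest first.
// Assumption: 10.0.0.5 is the file server's VPN-side address (constructed).

acl "lan1" { 192.168.1.12; 192.168.1.15; 192.168.1.24; };   // LAN hosts (subset of the post's list)
acl "lan2" { 192.168.2.3;  192.168.2.4;  192.168.2.6; };

options {
        directory "/var/named";                                // assumption
        allow-query { 10.0.0.0/8; 192.168.0.0/16; localhost; }; // assumption: internal clients only
        sortlist {
                // { source-address match; { preferred answer prefixes, best first }; };
                { lan1; { 192.168.1.0/24; 10.0.0.0/8; }; };    // listed LAN host on .1: 192.168.1.5 first
                { lan2; { 192.168.2.0/24; 10.0.0.0/8; }; };    // listed LAN host on .2: 192.168.2.5 first
                { any;  { 10.0.0.0/8; }; };                    // everyone else (VPN clients): 10.0.0.5 first
        };
};

zone "mydomain.net" in {
        type master;
        file "zone/master/mydomain.net";
        allow-transfer { none; };
};

// zone/master/mydomain.net, relevant records only (constructed):
//   fileserver   IN  A   10.0.0.5
//   fileserver   IN  A   192.168.1.5
//   fileserver   IN  A   192.168.2.5
//
// Check after `named-checkconf` and a reload, from each kind of client:
//   dig @<this server> fileserver.mydomain.net A +short
// A lan1 host should list 192.168.1.5 first; a VPN client should list 10.0.0.5 first.
```

Note that sortlist only reorders the answer: every client still receives all three addresses, and the ordering rests on an unauthenticated source IP, so it steers well-behaved clients rather than enforcing anything. Clients that apply their own address selection rules may also ignore the server's order, which is worth verifying with the dig check above before relying on it.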