Views seem to have broken my config

Kevin Darcy kcd at daimlerchrysler.com
Wed Dec 7 23:59:26 UTC 2005


Mark Ratering wrote:

>Hi everyone,
>
>I created a new config for myself using views so that my internal multihomed
>hosts would get traffic on their inside interfaces.  One day after
>implementing this new config noone in the inside network can access any site
>for which my DNS server is the SOA.  When I query from outside I receive
>this output for my dig command, does anyone have any idea what would cause
>this?
>
>; <<>> DiG 9.2.2 <<>> efax.com
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61675
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;efax.com.                      IN      A
>
>;; AUTHORITY SECTION:
>.                       518400  IN      NS      F.ROOT-SERVERS.NET.
>.                       518400  IN      NS      G.ROOT-SERVERS.NET.
>.                       518400  IN      NS      H.ROOT-SERVERS.NET.
>.                       518400  IN      NS      I.ROOT-SERVERS.NET.
>.                       518400  IN      NS      J.ROOT-SERVERS.NET.
>.                       518400  IN      NS      K.ROOT-SERVERS.NET.
>.                       518400  IN      NS      L.ROOT-SERVERS.NET.
>.                       518400  IN      NS      M.ROOT-SERVERS.NET.
>.                       518400  IN      NS      A.ROOT-SERVERS.NET.
>.                       518400  IN      NS      B.ROOT-SERVERS.NET.
>.                       518400  IN      NS      C.ROOT-SERVERS.NET.
>.                       518400  IN      NS      D.ROOT-SERVERS.NET.
>.                       518400  IN      NS      E.ROOT-SERVERS.NET.
>
>;; Query time: 56 msec
>;; SERVER: 152.160.35.51#53(152.160.35.51)
>;; WHEN: Wed Dec  7 09:20:39 2005
>;; MSG SIZE  rcvd: 237
>
>
>My config:
>
>options {
>
>        directory "/var/named";
>
>        serial-query-rate 5;
>
>        allow-transfer {
>                69.61.38.17;
>                209.69.70.3;
>                129.250.35.34;
>                129.250.35.250;
>                129.250.35.251;
>                };
>
>        also-notify {
>                69.61.38.17;
>                129.250.35.34;
>                129.250.35.250;
>                129.250.35.251;
>        };
>        notify yes;
>
>};
>
>
>view "internal" {       //Internal view of zones
>
>        match-clients {
>                192.168.0.0/24;
>                192.168.1.0/24;
>                };
>Bunch of zones
>
>};
>view "external" {       //View for the outside world
>
>        match-clients { any; };
>        recursion no;
>
>Bunch of zones
>
>};
>
You have recursion turned off for your "external" view, so you shouldn't 
be able to resolve names in non-hosted (assuming it's non-hosted) zones 
like efax.com for Internet clients. Therefore the output you show seems 
perfectly normal to me.

Can you query *hosted* zones from the Internet?

What's more perplexing is why your internal clients can't resolve hosted 
zones. The only thing that comes to mind is that there's some extra 
NAT'ing going on, and the queries aren't coming from the address ranges 
you think they are. I would turn on query logging -- if you have 9.3 or 
later, the query log will even tell you which view was matched, which might 
be useful in your situation.

- Kevin
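
Kevin's suggestion, worked through as an added example that is not part of the thread: once query logging is on (`rndc querylog` toggles it, or route `category queries` to a channel in the logging stanza), BIND 9.3 and later prefix each logged query with the view that matched it. The script below is added here and is neither the poster's nor ISC's code. It parses such lines, counts queries per view, flags clients whose source address sits inside the internal match-clients ranges yet were logged under a different view, and lists sources that send recursion-desired (`+`) queries into the recursion-off external view, which is exactly the population a hidden NAT would produce and the clients that would see the root referral in the dig output above. The log-line format, the client addresses and the sample lines are constructed assumptions modelled on BIND 9.3 output.

```python
"""Audit BIND query-log lines by view.

Added example, not code from the bind-users thread or from ISC. The
line format below is modelled on BIND 9.3+ output and the sample
lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# match-clients per view, in the order the views appear in named.conf;
# BIND hands a query to the first view whose ACL matches, so order matters.
VIEW_ACLS = {
    "internal": ["192.168.0.0/24", "192.168.1.0/24"],
    "external": ["any"],
}

# Views configured with "recursion no" (the posted external view).
RECURSION_OFF_VIEWS = {"external"}

# Assumed BIND 9.3+ query-log format; the trailing "+"/"-" is the RD bit.
#   client 192.168.0.5#32770: view internal: query: efax.com IN A +
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log; not from the original post.
SAMPLE_LOG = """\
07-Dec-2005 09:20:39.102 client 192.168.0.25#32770: view internal: query: www.example.com IN A +
07-Dec-2005 09:20:40.511 client 10.200.1.4#1053: view external: query: www.example.com IN A +
07-Dec-2005 09:20:41.007 client 10.200.1.4#1054: view external: query: example.com IN MX +
07-Dec-2005 09:20:42.300 client 203.0.113.9#53: view external: query: www.example.com IN A -
07-Dec-2005 09:20:43.000 client 192.168.1.7#33000: view external: query: www.example.com IN A +
""".splitlines()


def parse_line(line):
    """Return a dict for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    q = m.groupdict()
    q["ip"] = ipaddress.ip_address(q["ip"])
    q["rd"] = "+" in q["flags"]
    return q


def expected_view(ip, view_acls=VIEW_ACLS):
    """Replicate BIND's first-match view selection for a client address."""
    ip = ipaddress.ip_address(str(ip))
    for view, acl in view_acls.items():
        for entry in acl:
            if entry == "any" or ip in ipaddress.ip_network(entry):
                return view
    return None


def audit(lines, view_acls=VIEW_ACLS, recursion_off=RECURSION_OFF_VIEWS):
    """Count queries per view and flag the two mismatches worth chasing."""
    per_view = Counter()
    acl_mismatch = []            # ACL order says one view, the log says another
    stray_recursive = Counter()  # RD queries landing in a recursion-off view
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        per_view[q["view"]] += 1
        want = expected_view(q["ip"], view_acls)
        if want != q["view"]:
            acl_mismatch.append((str(q["ip"]), q["view"], want))
        elif q["rd"] and q["view"] in recursion_off:
            stray_recursive[str(q["ip"])] += 1
    return {
        "per_view": dict(per_view),
        "acl_mismatch": acl_mismatch,
        "stray_recursive": dict(stray_recursive),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("queries per view:", report["per_view"])
    for ip, got, want in report["acl_mismatch"]:
        print(f"{ip}: logged in view {got!r}, ACL order predicts {want!r}")
    for ip, n in report["stray_recursive"].items():
        print(f"{ip}: {n} recursive queries into a recursion-off view "
              "(hidden NAT? add its range to the internal match-clients)")
```

Feed it the real query log instead of SAMPLE_LOG and the `stray_recursive` addresses are the candidates for the NAT'd source ranges that belong in the internal view's match-clients; any `acl_mismatch` entries mean the running configuration (or the view order) is not what the posted named.conf suggests.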

More information about the bind-users mailing list