BIND9 views, shadow zones, and "hybrid" zones (based on query-source)

Nathan Benson tuxtattoo at gmail.com
Thu May 12 19:46:43 UTC 2005


Greetings everyone,

I've gotten myself into a fairly major DNS reorg and have run into a
problem I can't seem to find a reasonable solution to.  The whole
point of the reorg was to consolidate the zones onto a single master
(responsible for internal and external zones using views) which in
turn updated the slaves.

Anyway, to get to the issue at hand: I have a bind9 server configured
with views to serve up a single zone (say domain.com) which is split
into two files, one for internal and one for external.  This is all
working beautifully and as expected.  I also have slave servers in the
remote offices described below.

My problem is two remote offices that need to resolve both internal
and external IPs for the same zone.  As simply as possible, they need
to resolve mail.domain.com to the external (DMZ) IP rather than the
internal (VPN) IP.  But if the host that they are trying to resolve
doesn't exist in the external zone, it needs to fall back to looking it
up in the internal zone (such as an internal web server, etc.).

This is basically so all mail traffic from these offices will go over
the WAN and to the DMZ, rather than over the VPN tunnel.  Currently,
if for any reason our VPN tunnel goes down (even if both offices'
WANs are still up), these offices can't send/receive any mail.

I don't know if bind9 has the sort of control granularity that I'm
describing or not, but I'm *really* trying to stay away from having a
third (hybrid) zone file to maintain along with the current two
(internal and external).

I tried combining the internal/external zones and then using
"sortlist" to order the result based on the query source.  This would
"work" because the first IP would be the "right" one for the network,
but it returns all the IPs for that hostname, both internal and
external.  Not a super big deal for internal network use, but totally
out of the question for a public-facing name server.

I'm sure there is a feasible, elegant (read: non-kludge) way to do
this, but it's escaping me.  Does anyone have any suggestions on how I
may accomplish this?  Maybe configuring the remote office slave
servers to use forwarders to the DMZ name server for external
resolution, and then falling back on the local slave zone (which would
be the internal zone)?

I appreciate any help/suggestions you all may have.

Regards,
Nathan
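The concern raised above about a combined internal/external zone is that any answer leaks the RFC 1918 addresses to whoever can query it, regardless of what "sortlist" puts first. The following script is an added example, not part of the original post: it parses a constructed sample zone for domain.com (the names and addresses are made up) and reports which hostnames would expose private addresses if that zone were ever served from a public-facing view.

```python
import ipaddress
import re

# Constructed sample of what a combined internal+external zone for
# domain.com might look like (not from the original post). A client
# querying "mail" gets both addresses back, whatever order sortlist picks.
COMBINED_ZONE = """\
$ORIGIN domain.com.
$TTL 3600
@        IN  SOA  ns1.domain.com. hostmaster.domain.com. (2005051201 3600 900 604800 300)
@        IN  NS   ns1.domain.com.
ns1      IN  A    203.0.113.53
mail     IN  A    203.0.113.25
mail     IN  A    10.1.2.25          ; internal (VPN) address
www      IN  A    203.0.113.80
intranet IN  A    10.1.2.80          ; internal-only host
"""

# RFC 1918 space; anything here must never appear in an external answer.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# name [ttl] IN A address  (class and optional TTL, single-line records only)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$")


def parse_a_records(zone_text):
    """Return a dict of owner name -> list of IPv4 address strings for the A records."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        m = A_RECORD.match(line)
        if m:
            records.setdefault(m.group(1), []).append(m.group(2))
    return records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def leaked_private_addresses(zone_text):
    """Owner names whose A records would expose RFC 1918 addresses to any
    client allowed to query this zone (e.g. from a public-facing view)."""
    leaks = {}
    for name, addrs in parse_a_records(zone_text).items():
        private = [a for a in addrs if is_rfc1918(a)]
        if private:
            leaks[name] = private
    return leaks


if __name__ == "__main__":
    for name, addrs in leaked_private_addresses(COMBINED_ZONE).items():
        print(f"{name}: would leak {', '.join(addrs)}")
```

Run it against the external view's zone file before publishing: an empty result means no private address would be handed to arbitrary Internet clients.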



More information about the bind-users mailing list