Forwarding to a Cache
Barry Margolin
barmar at alum.mit.edu
Fri Feb 3 00:01:56 UTC 2006
In article <drtaid$1jhv$1 at sf1.isc.org>,
Kimi Ostro <kimimeister at gmail.com> wrote:
> Hello,
> A little while ago I posted to the list about setting up two authoritative
> servers and a caching server.
>
> My current config works, although not overly satisfied that it is "correct":
>
> cache.kimi.home's named.conf:
This configuration seems overly complicated. Why do you need views,
when you could simply put your internal subnets in the allow-query ACL?
Your ultimate-chaos view doesn't contain any useful zones and doesn't
allow recursion, so what's the point of it?
> options {
>     directory "/etc/namedb";
>     pid-file "/var/run/named/pid";
>     recursion yes;
>     allow-transfer { none; };
>     //allow-update { none; };
>     allow-notify { none; };
>     allow-query { none; };
>     allow-recursion { none; };
>     listen-on { 192.168.1.0/24; 127.0.0.1/32; };
listen-on should contain specific IPs, not subnets.
>     listen-on-v6 { none; };
>     query-source address 192.168.1.210 port 5353;
>     //dnssec-enable yes;
> };
> /*
> trusted-keys {
>     include "Kkimi.home.+005+15825.key";
> };
> */
> logging {
>     channel "named_log" {
>         // send most BIND logs to a dedicated log file
>         file "/var/log/named.log" versions 10 size 500k;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>     channel "query_log" {
>         // query logs go to a separate file
>         file "/var/log/query.log" versions 10 size 500k;
>         severity debug;
>         print-severity yes;
>         print-time yes;
>     };
>     category default { named_log; };
>     category queries { query_log; };
>     //category lame-servers { null; };
> };
>
> view "internal.kimi.home" {
>
>     match-clients { 192.168.1.0/24; 127.0.0.1/32; };
>     allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
>     allow-query { 192.168.1.0/24; 127.0.0.1/32; };
>
>     zone "." {
>         type hint;
>         file "master/root.cache";
>     };
>
>     zone "localhost" in {
>         type master;
>         file "master/mst.localhost.db";
>     };
>
>     zone "0.0.127.in-addr.arpa" in {
>         type master;
>         file "master/mst.loopback.rv";
>     };
>
>     zone "kimi.home" in {
>         type forward;
>         forwarders { 192.168.1.212; 192.168.1.211; };
>     };
>
>     zone "8.8.10.in-addr.arpa" in {
>         type forward;
>         forwarders { 192.168.1.212; 192.168.1.211; };
>     };
>
> };
>
> view "ultimate-chaos" chaos {
>
>     recursion no;
>
>     zone "." {
>         type hint;
>         file "/dev/null";
>     };
>
>     zone "bind" {
>         type master;
>         file "master/named.bind";
>     };
>
> };
>
> I was wondering if it is at all possible and better that the authoritative name
> servers actually forward all queries to the cache that aren't from my local
> domain kimi.home?
Why would the authoritative servers ever receive queries for names that
aren't in the zones they host?
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
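A cache.kimi.home named.conf simplified along the lines of Barry's two suggestions (no views, internal subnets in the query/recursion ACLs, specific listen-on addresses), added here as an illustration and not posted by anyone in the thread. It reuses the addresses and file names from Kimi's config; the `internal` ACL name, the `forward only` lines and the `version` option are my additions.

```conf
// Added example: one ACL replaces the "internal.kimi.home" view.
acl "internal" { 192.168.1.0/24; 127.0.0.1/32; };

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    // Specific addresses, not subnets, as Barry notes.
    listen-on { 192.168.1.210; 127.0.0.1; };
    listen-on-v6 { none; };
    // Internal clients may query and recurse; everyone else is refused.
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { none; };
    allow-notify { none; };
    // If the chaos view only existed to hide the server version,
    // this option (my addition) does that without a view.
    version "none";
};

// logging { ... } stays as Kimi had it and is omitted here.

zone "." { type hint; file "master/root.cache"; };
zone "localhost" in { type master; file "master/mst.localhost.db"; };
zone "0.0.127.in-addr.arpa" in { type master; file "master/mst.loopback.rv"; };

// kimi.home lives on the two authoritative servers, so the cache forwards
// for it. "forward only" (my addition) keeps the cache from asking the
// root servers about kimi.home if both forwarders are unreachable.
zone "kimi.home" in {
    type forward;
    forward only;
    forwarders { 192.168.1.212; 192.168.1.211; };
};

zone "8.8.10.in-addr.arpa" in {
    type forward;
    forward only;
    forwarders { 192.168.1.212; 192.168.1.211; };
};
```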