Forwarding to a Cache

Mark Andrews Mark_Andrews at isc.org
Fri Feb 3 00:12:40 UTC 2006


> In article <drtaid$1jhv$1 at sf1.isc.org>,
>  Kimi Ostro <kimimeister at gmail.com> wrote:
> 
> > Hello,
> > A little while ago I posted to the list about setting up two authoritative
> > servers and a caching server.
> > 
> > My current config works, although not overly satisfied that it is "correct":
> > 
> > cache.kimi.home's named.conf:
> 
> This configuration seems overly complicated.  Why do you need views, 
> when you could simply put your internal subnets in the allow-query ACL?  
> Your ultimate-chaos view doesn't contain any useful zones and doesn't 
> allow recursion, so what's the point of it?
> 
> > options {
> >   directory "/etc/namedb";
> >   pid-file "/var/run/named/pid";
> >   recursion yes;
> >   allow-transfer { none; };
> >   //allow-update { none; };
> >   allow-notify { none; };
> >   allow-query { none; };
> >   allow-recursion { none; };
> >   listen-on { 192.168.1.0/24; 127.0.0.1/32; };
> 
> listen-on should contain specific IP's, not subnets.

No.  It's an ACL.
 
> >   listen-on-v6 { none; };
> >   query-source address 192.168.1.210 port 5353;
> >   //dnssec-enable yes;
> > };
> > /*
> > trusted-keys {
> >   include "Kkimi.home.+005+15825.key";
> > };
> > */
> > logging {
> >  channel "named_log" {
> >  // send most BIND logs to a dedicated log file
> >   file "/var/log/named.log" versions 10 size 500k;
> >   severity dynamic;
> >   print-category yes;
> >   print-severity yes;
> >   print-time yes;
> >  };
> >  channel "query_log" {
> >  // query logs go to a separate file
> >   file "/var/log/query.log" versions 10 size 500k;
> >   severity debug;
> >   print-severity yes;
> >   print-time yes;
> >  };
> >  category default { named_log; };
> >  category queries { query_log; };
> >  //category lame-servers { null; };
> > };
> > 
> > view "internal.kimi.home" {
> > 
> >  match-clients { 192.168.1.0/24; 127.0.0.1/32; };
> >  allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
> >  allow-query { 192.168.1.0/24; 127.0.0.1/32; };
> > 
> >  zone "." {
> >   type hint;
> >   file "master/root.cache";
> >  };
> > 
> >  zone "localhost" in {
> >   type master;
> >   file "master/mst.localhost.db";
> >  };
> > 
> >  zone "0.0.127.in-addr.arpa" in {
> >   type master;
> >   file "master/mst.loopback.rv";
> >  };
> > 
> >  zone "kimi.home" in {
> >   type forward;
> >   forwarders { 192.168.1.212; 192.168.1.211; };
> >  };
> > 
> >  zone "8.8.10.in-addr.arpa" in {
> >   type forward;
> >   forwarders { 192.168.1.212; 192.168.1.211; };
> >  };
> > 
> > };
> > 
> > view "ultimate-chaos" chaos {
> > 
> >  recursion no;
> > 
> >  zone "." {
> >   type hint;
> >   file "/dev/null";
> >  };
> > 
> >  zone "bind" {
> >   type master;
> >   file "master/named.bind";
> >  };
> > 
> > };
> > 
> > I was wondering if it is at all possible and better that the authoritative name
> > servers actually forward all queries to the cache that aren't from my local
> > domain kimi.home?
> 
> Why would the authoritative servers ever receive queries for names that 
> aren't in the zones they host?
> 
> -- 
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org