Question about views

JAFFO neil.braebaum at gmail.com
Wed Feb 11 21:52:11 UTC 2009


I have a question regarding views, and the decisions that can be based
on network scenario. I'm not entirely sure whether it's possible to
provide resolution for the scenario I describe, but I thought I'd ask
the question.

I have a new small environment of machines (Unix – mainly Linux) that
need to be able to resolve hostnames (and potentially reverse lookups)
purely within this firewalled small number of subnets. On the main LAN
is a reasonably large DNS environment (mostly Windows 2003 DNS
servers). Between the LAN and the environment I'm describing, is a
firewall, among other things performing NAT.

In the new small setup, I'm going to be running one server running
BIND (9.3.5-p2). Ideally, I'd like the namespace in this new
environment to be a subdomain of the parent DNS server on my main LAN,
and be delegated to the BIND server in the new environment. The new
environment doesn't need to resolve any hosts in the main LAN, but DNS
in the LAN needs to resolve to the available translated addresses from
the new environment.

What I was envisaging doing, was setting up views in the new
environment, one being defined by the subnets in the new environment –
notionally “local”, and everything else being “alien”. The problem for
me being the way NAT is currently being implemented, and I don't yet
know whether that's something that can be changed.

Say the subnets in the new environment are: 10.228.6.x, 10.228.7.x and
10.228.8.x (24 bit subnet mask). Currently, traffic from the main LAN
will be seen (translated by NAT) as coming from singular IP
addresses on each of these subnets, eg: on 10.228.6.x, LAN traffic
seen as coming from 10.228.6.248; on 10.228.7.x, LAN traffic as
10.228.7.248; and on 10.228.8.x as 10.228.8.248. The last octet (for
the translated incoming traffic) is common, ie 248 on each subnet.

Using views, is it possible to provide answers for “local” view data
for a range of IP addresses on each subnet, and/or an external view
for anything coming from a specific IP address on that subnet?

Or will that not be possible (or horrendously complex), and a more
easily segmented implementation of NAT be required (ie say LAN traffic
all appears to come from one, or a number of subnets: eg 10.228.88.x,
10.228.89.x and 10.228.90.x)?

Thanks in advance for any advice or help.
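The scenario above can be expressed with two ACLs and two views, as in the following named.conf fragment. This is an added example, not configuration from the original post or from ISC; it assumes BIND 9.3-era syntax, a delegated subdomain whose name is the placeholder "newenv.example.com", invented zone file names and directory, and that the NATed LAN traffic really does arrive from exactly 10.228.6.248, 10.228.7.248 and 10.228.8.248 as the post describes.

```conf
// Added example (not from the original post or from ISC).
// Placeholders: zone name "newenv.example.com", the zone file names,
// and the "directory" path are all assumptions.

// Address match lists are evaluated top to bottom and the first element
// that matches decides the result, so the negated NAT source addresses
// must come BEFORE the /24 prefixes that would otherwise include them.
acl "local-nets" {
    !10.228.6.248;
    !10.228.7.248;
    !10.228.8.248;
    10.228.6.0/24;
    10.228.7.0/24;
    10.228.8.0/24;
};

// The three addresses that traffic from the main LAN is translated to.
acl "lan-via-nat" {
    10.228.6.248;
    10.228.7.248;
    10.228.8.248;
};

options {
    directory "/var/named";   // assumed path
    // Recursion off globally; only the "local" view turns it back on.
    recursion no;
};

// Views are also matched in order: the first view whose match-clients
// list accepts the query's source address answers it. Every zone must be
// declared inside each view that should serve it.
view "local" {
    match-clients { "local-nets"; };
    recursion yes;
    allow-recursion { "local-nets"; };

    zone "newenv.example.com" {
        type master;
        file "newenv.example.com.internal";   // real, untranslated addresses
    };

    // Reverse zones exist only in the local view: the LAN never sees the
    // untranslated addresses, so it has nothing to reverse-map here.
    zone "6.228.10.in-addr.arpa" { type master; file "10.228.6.rev"; };
    zone "7.228.10.in-addr.arpa" { type master; file "10.228.7.rev"; };
    zone "8.228.10.in-addr.arpa" { type master; file "10.228.8.rev"; };
};

view "alien" {
    // The NAT sources are listed explicitly; "any" catches everything
    // else that was not claimed by the "local" view and gives it the
    // same limited, non-recursive data.
    match-clients { "lan-via-nat"; any; };
    recursion no;

    zone "newenv.example.com" {
        type master;
        file "newenv.example.com.external";   // NAT-translated addresses
    };
};
```

Two things are worth checking after writing a file like this: run named-checkconf on it, and query the server once from an ordinary host in 10.228.6.0/24 and once from the main LAN (so the query arrives from 10.228.6.248) to confirm that the same name returns the internal and the translated address respectively. If the NAT is later changed so that LAN traffic arrives from its own subnets (the 10.228.88.x style layout the post mentions), the negated entries in "local-nets" simply go away and "lan-via-nat" becomes a list of prefixes; the view structure itself does not change.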


