Running both a cache-only and an authoritative server on the same server

David Forrest drf at maplepark.com
Thu Jun 17 14:10:03 UTC 2010


On Thu, 17 Jun 2010, Torsten wrote:

> Am Thu, 17 Jun 2010 13:35:38 +0100
> schrieb Phil Mayers <p.mayers at imperial.ac.uk>:
>
>> On 17/06/10 12:39, Jørn Skjerven wrote:
>>> Hi!
>>>
>>> I've tried to search the archive for this, but could not find
>>> anything relevant.
>>>
>>> We currently run a server with an authoritative set for domains. We
>>> want to use the same server as a cache-only DNS for other customers
>>> as well.
>>>
>>> Is it possible to achieve this in a single named.conf, or is it
>>> recommended to run two instances of bind, each with a different
>>> listen-on <ip> statement?
>>
>> Sure. Use views:
>>
>> view authoritative {
>>    recursion no;
>>    match-destinations { mycurrentip; };
>>    zone ...
>> };
>>
>> view recursive {
>>    recursion yes;
>>    match-destinations { myrecurseip; };
>> };
>
>
>
> The important part seems to be "on a secondary IP" and afaik listen-on
> statements don't work inside of view statements.
>
> That leaves you with running two separate instances of Bind on the same
> server.
>
>
> Ciao
> Torsten

But match-clients does work in views

I set up an acl for my internal IPs as:
acl local-nets {
        192.168.0.0/16;         // our known internal net
        127.0.0.1;              // localhost loopback
        ::1;                    // Localhost IPV6
        };
And one for the external:
acl isp-net { 99.178.153.41; }; // our ATT-Uverse net

and then used views:
view "internal"   // only local hosts (match-clients) will see this view
{
        match-clients   { local-nets; };
        allow-recursion { local-nets; };

        zone .....
        [zone  ... ]
}

view "external" {                 // Primary nameserver for maplepark.com.
        allow-query { any; };
//      allow-recursion { none;}; // "additional-from-cache no;" will not work with this!
        recursion no;             //  So use this instead.
        additional-from-cache no; // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

        zone .....
        [zone  ... ]
}

and it has been working well.  I do use all private addresses for my 
internal network and that does require a separate zone file.

Dave

-- 
David Forrest                   e-mail   drf @ maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri    (Sent by ALPINE 2.01 FEDORA 11 LINUX)
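The thread leaves the two halves of the answer in separate messages: Phil's views keyed on destination address, Dave's views keyed on source address with recursion switched off in the external view, and Torsten's point that listen-on is global rather than per view. The following named.conf puts them together in one BIND instance. It is an added illustration, not any poster's configuration; the addresses, zone names, file paths and the secondary's address are placeholders chosen for the example.

```conf
// Added example (not from the thread): one named process, two views.
// 192.168.1.53 / 203.0.113.53, example.com and the file paths are placeholders.

acl local-nets {
        192.168.0.0/16;         // internal network (placeholder range)
        127.0.0.1;
        ::1;
};

options {
        directory "/var/named";
        // listen-on is an options-level statement, not a per-view one (Torsten's
        // point), so both addresses are bound here and the views sort the traffic.
        listen-on { 192.168.1.53; 203.0.113.53; };
        listen-on-v6 { none; };
        allow-query { any; };
        recursion no;           // global default; only the internal view turns it on
        version "none";
};

// Internal view: selected by the client's source address (Dave's match-clients).
// Serves the private-address copy of the zone and is the only place recursion
// and cache reads are allowed, so the public address can never act as an open
// resolver.
view "internal" {
        match-clients { local-nets; };
        recursion yes;
        allow-recursion { local-nets; };
        allow-query-cache { local-nets; };
        zone "example.com" {
                type master;
                file "internal/example.com.zone";   // private-address records
        };
};

// External view: everyone else, selected by the public destination address
// (Phil's match-destinations). Authoritative answers only; out-of-zone
// queries get REFUSED rather than an upward referral.
view "external" {
        match-clients { any; };
        match-destinations { 203.0.113.53; };
        recursion no;
        additional-from-cache no;   // drop this line if your BIND rejects the option
        zone "example.com" {
                type master;
                file "external/example.com.zone";
                allow-transfer { 203.0.113.54; };   // placeholder secondary
        };
};
```

Views are matched in the order they appear, so the internal view must come first; a client that fails match-clients for it falls through to the external view. Two checks confirm the split behaves as intended: `named-checkconf -z /etc/named.conf` validates the file and loads both zone copies, and from a host outside local-nets `dig @203.0.113.53 example.net A` should return status REFUSED while `dig @203.0.113.53 example.com SOA` answers with aa set. The same SOA query from inside local-nets against 192.168.1.53 should return the private-address copy. Because additional-from-cache was removed from later BIND releases, named-checkconf will report it as an unknown option on those versions; with recursion disabled in the external view, current BIND already refuses out-of-zone queries without it.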

