Split-DNS + Views + master/slave

Ewald Jenisch a at jenisch.at
Thu Jul 7 15:59:29 UTC 2011


Hi,

I'm in the process of setting up two DNS-servers
(master/slave). Response of these servers should be different as to
where the queries come from (inside our network vs. external). For
this purpose I thought about using views.

Here's an excerpt from what I got in my named.conf:

Master-DNS:
-----------

view "internal-view" in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

zone "v6.oekb.at" {
        type master;
        file "/etc/namedb/master/Internal/v6.oekb.at-forward.db";
        notify yes;
        allow-transfer { valid_secondary; };
};
...
};

view "external-view" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
zone "v6.oekb.at" {
        type master;
        file "/etc/namedb/master/External/v6.oekb.at-forward.db";
        allow-transfer { valid_secondary; };
        allow-query {
                any;
        };
        notify yes;
};
...
};


With "trusted" and "valid_secondary" being ACLs containing the
addresses/ranges belonging to the internal range.

As you can see from the above excerpt I use distinct files for the
internal and external view on the master (with the configuration for
the internal view containing a lot more entries than the one for
external, simply because it holds all the internal addresses that are
not supposed to be known to the outside).

On the slave DNS the setup looks similar:

Slave-DNS:
----------


view "internal-view" in {
    // Our internal (trusted) view. We permit the internal networks
    // to freely access this view. We perform recursion for our
    // internal hosts, and retrieve data from the cache for them.

    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

zone "v6.oekb.at" {
        type slave;
        file "/etc/namedb/slave/Internal/v6.oekb.at-forward.db";
        masters {
                143.245.5.61;
        };
        allow-query {
                any;
        };
        allow-transfer { valid_secondary; };
};
...
};


view "external-view" in {
    // Our external (untrusted) view. We permit any client to access
    // portions of this view. We do not perform recursion or cache
    // access for hosts using this view.

    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

zone "v6.oekb.at" {
        type slave;
        file "/etc/namedb/slave/External/v6.oekb.at-forward.db";
        masters {
                143.245.5.61;
        };
        allow-query {
                any;
        };
};
};


With the master everything's fine: When sending it a query from the
inside network the client gets an answer out of the internal data-set
(i.e. file /etc/namedb/slave/Internal/v6.oekb.at-forward.db); when the
client sits outside it gets an answer as per the external view. This
holds true for all zones on the master.

However, on the slave DNS things are a real mess: When starting up the
slave I end up with it having only one configuration for all the zones,
i.e. the distinction between internal and external views is gone.

Put in another way: On the master the two configurations (internal and
external) for the above zone are distinct (different config-files),
whereas on the slave I have the exact same data in the files for both
"Internal" and "External". Looks like the slave gets confused somehow
given the fact that it's the same zone name for both internal and
external views and mixes things up (?).

So here is my question: How do I set up two servers (master/slave)
using views (for internal and external clients) so that both of them
hold the correct data and return the correct answers to their
respective clients (inside and outside)?

Thanks much in advance for any clue,
-ewald
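The symptom described in the post is what happens when the master picks the view for an incoming zone transfer by source address alone: the slave requests both copies of "v6.oekb.at" from the same internal address, so both transfers hit "internal-view" and both slave files end up with the internal data. The usual remedy is to select views by TSIG key, which the following named.conf excerpts (master first, then slave) show as an added example, not configuration from the original post; they reuse the post's "trusted" ACL, zone, file paths and master address 143.245.5.61, use constructed placeholder secrets, and replace the address-based allow-transfer with the per-view key.

```conf
// ---- master (143.245.5.61, as in the post) ----
// Secrets are constructed placeholders; generate real ones with tsig-keygen.
key "internal-key" { algorithm hmac-sha256; secret "c2VjcmV0LXBsYWNlaG9sZGVyLWludGVybmFs"; };
key "external-key" { algorithm hmac-sha256; secret "c2VjcmV0LXBsYWNlaG9sZGVyLWV4dGVybmFs"; };

view "internal-view" in {
    // Select the view by key first: a request signed with external-key
    // must not land here just because the slave's address is in "trusted".
    match-clients { !key external-key; key internal-key; trusted; };
    recursion yes;
    zone "v6.oekb.at" {
        type master;
        file "/etc/namedb/master/Internal/v6.oekb.at-forward.db";
        allow-transfer { key internal-key; }; // keyed transfers only
        notify yes;
    };
};
view "external-view" in {
    match-clients { key external-key; any; };
    recursion no;
    zone "v6.oekb.at" {
        type master;
        file "/etc/namedb/master/External/v6.oekb.at-forward.db";
        allow-transfer { key external-key; };
        notify yes;
    };
};

// ---- slave: same two key statements as above, then per view the
// ---- key named uses to sign its transfer requests to the master ----
view "internal-view" in {
    match-clients { !key external-key; key internal-key; trusted; };
    server 143.245.5.61 { keys { internal-key; }; };
    zone "v6.oekb.at" {
        type slave;
        file "/etc/namedb/slave/Internal/v6.oekb.at-forward.db";
        masters { 143.245.5.61; };
    };
};
view "external-view" in {
    match-clients { key external-key; any; };
    server 143.245.5.61 { keys { external-key; }; };
    zone "v6.oekb.at" {
        type slave;
        file "/etc/namedb/slave/External/v6.oekb.at-forward.db";
        masters { 143.245.5.61; };
    };
};
```

Restricting allow-transfer to the key also means an unsigned AXFR from a trusted address can no longer pull the internal data set. For NOTIFY messages to reach the matching view on the slave, the master needs the same kind of `server <slave address> { keys { ...; }; };` statement in each view (the slave's address is not given in the post).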



More information about the bind-users mailing list