Doubt regarding acls and internal and external view.

Elias Pereira empbilly at gmail.com
Sat May 23 13:06:38 UTC 2015


I understood the explanations. Now, here is why I asked the question.

Let's assume I have 3 services and all with public IPs.

- www.myservice.com
- Database
- Microsoft AD

I think the only service the external public needs to know exists is
the www.

Assuming that, along with the explanations you have given me, I need to
duplicate the www entry in the internal and external views. The rest is
only in the "internal" view.

Now the question: if someone from the outside runs an nslookup for the
"AD" service, will they be able to obtain the service hostname? E.g.
Ad.myservice.com

On Fri, May 22, 2015 at 4:37 PM, Darcy Kevin (FCA) <kevin.darcy at fcagroup.com> wrote:

>  You’ll need to duplicate the www name into the internal zone if your
> internal clients need to resolve it. If a query doesn’t resolve in one
> view, it doesn’t “fail over” to another view in the config. It simply
> returns the negative response to the client.
>
> - Kevin
>
> From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Elias Pereira
> Sent: Friday, May 22, 2015 10:48 AM
> To: bind-users at lists.isc.org
> Subject: Doubt regarding acls and internal and external view.
>
> Hello everyone,
>
> I have a doubt regarding acls and internal and external view.
>
> If I have some servers and, among them, only one is reachable from the
> "external (world)" part into the "internal (my infrastructure)" part, that
> would be the site (www). The rest is only internal.
>
> Like that:
>
> www                       --> zone db.external
> any other server/service  --> zone db.internal
>
> acl "clients" {
>         localhost;
>         192.168.1.0/24;   // host bits must be zero in a prefix; was written as 192.168.1.1/24
>         172.16.1.0/24;    // likewise; was written as 172.16.1.1/24
> };
>
> view "internal" {
>         match-clients { clients; };
>         recursion yes;
>
>         zone "internal" {
>                 type master;
>                 file "/etc/bind/db.internal";
>         };
> };
>
> view "external" {
>         match-clients { any; };
>         recursion no;
>         additional-from-auth no;
>         additional-from-cache no;
>
>         zone "external" {
>                 type master;
>                 file "/etc/bind/db.external";
>         };
> };
>
> Thus I should only put the site in a zone that is in the external view and
> the other servers in the internal view, is that right?
>
> --
> Elias Pereira
>



-- 
Elias Pereira