Split horizon and some problems on sec.

Marek Kozlowski kozlowsm at mini.pw.edu.pl
Thu Sep 3 17:50:00 UTC 2015


:-)

I have several domains for which I have two "internal" DNS servers (a
primary and one of the secondaries) and two "external" DNS servers (both
secondaries). There are six domains for each of which I have pairs of
zone description files: a private (for internal clients) and a public
(for all other clients) one. For all other domains there are single,
common ZDFs. I'd like to have private ZDFs on "internal" servers only,
while public and "common" ones should be on all four servers. I implemented
split horizon as follows:

/etc/named.conf on my primary server includes:
----------------------------------------------------------------------
acl "mini" {...};    // my network
acl "ns-mini" {...}; // "internal" DNS servers
acl "ns-coi" {...}; // "external" DNS servers

key "public" {
        algorithm hmac-md5;
        secret "<some key here>";
};

view  "private" {
        match-clients { !key public; mini; };
        allow-transfer { ns-mini; };

        include "/etc/named-zone-include.conf";
...
};

view  "public" {
        match-clients { key public; any; };
        allow-transfer { ns-mini; ns-coi; };
        server <"internal" DNS IP here> { keys public; };

        include "/etc/named-zone-include.conf";
...
};
----------------------------------------------------------------------
And on my "internal" DNS:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
acl "mini" {...}; // my network
acl "ns-mini" {...}; // "internal" DNS servers
acl "ns-coi" {...}; // "external" DNS servers

key "public" {
	algorithm hmac-md5;
	secret "<some key here>";
};

view "private" {
	match-clients { !key public; mini; };

	include "/etc/named-zone-include.conf";
...
};

view "public" {
	match-clients { key public; any; };
	server <primary DNS IP here> { keys public; };

	include "/etc/named-zone-include.conf";
...
};
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

It used to work. After the most recent update (9.10.2.P3-1 on ArchLinux)
some problem occurred on my "internal" DNS.

The problem is as follows:
1. All "zone" and "include" blocks must be contained inside "view"
blocks (otherwise BIND fails).
2. "Internal" secondary DNS is a secondary DNS for all zones; it opens
all zone description files in read-write mode.
3. If "common" ZDFs are declared or included in both views BIND fails
because it can't open the same files as writable ones twice.

OK, on my "internal" DNS I can declare fake (I mean: the same) "private"
and "public" files for all "common" zones and use in views:
	include "/etc/named-zone-include-priv.conf";
and
	include "/etc/named-zone-include-pub.conf";

But it's rather annoying. I have over 50 "common" zones and only six
"private" and "public" ones. How can I implement split horizon for just
a few zones and consider other ones as "common"?

Best regards,
Marek
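A check for the failure described in point 3, added here as an example and not part of the original post or of BIND itself: a small Python script that tokenizes a named.conf (the sample configuration below is constructed to mirror the two-view layout above, with placeholder zone names and file paths) and reports every zone file path declared in more than one view, which is exactly what makes a secondary fail when it tries to open the same file read-write twice. The `load_conf` helper is an assumed convenience for inlining `include` files before the check.

```python
import re
from collections import defaultdict

# Constructed sample: two views as in the post, with one "common" zone
# whose file is declared in both views (placeholder names and paths).
SAMPLE_CONF = """
view "private" {
    match-clients { !key public; mini; };
    zone "priv.example" { type slave; file "slave/priv.example.db"; };
    zone "common1.example" { type slave; file "slave/common1.example.db"; };
};
view "public" {
    match-clients { key public; any; };
    zone "pub.example" { type slave; file "slave/pub.example.db"; };
    zone "common1.example" { type slave; file "slave/common1.example.db"; };
};
"""

# Tokens: quoted strings, single braces/semicolons, or bare words.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def load_conf(path):
    """Read a named.conf and inline its include "..."; statements recursively.
    Relative include paths are resolved against the current directory."""
    with open(path) as fh:
        text = fh.read()
    return re.sub(r'include\s+"([^"]+)"\s*;', lambda m: load_conf(m.group(1)), text)

def zone_files_per_view(conf):
    """Return {zone file path: set of view names} for every zone with a file clause.
    Comments (//, #, /* */) are stripped first; braces are tracked on a stack."""
    conf = re.sub(r'/\*.*?\*/', ' ', conf, flags=re.S)
    conf = re.sub(r'(//|#)[^\n]*', ' ', conf)
    tokens = TOKEN.findall(conf)
    stack, view, pending = [], None, None   # pending = block kind waiting for "{"
    files = defaultdict(set)
    for i, tok in enumerate(tokens):
        if tok in ("view", "zone") and i + 1 < len(tokens):
            pending = (tok, tokens[i + 1].strip('"'))
        elif tok == "{":
            stack.append(pending or ("block", None))
            if pending and pending[0] == "view":
                view = pending[1]
            pending = None
        elif tok == "}":
            if stack.pop()[0] == "view":
                view = None
        elif tok == "file" and i + 1 < len(tokens) and stack and stack[-1][0] == "zone":
            files[tokens[i + 1].strip('"')].add(view or "<no view>")
    return files

def shared_zone_files(conf):
    """Zone files declared in more than one view: a secondary would open each
    of these read-write twice, which is the failure reported in the post."""
    return {p: sorted(v) for p, v in zone_files_per_view(conf).items() if len(v) > 1}
```

Run it on a real configuration with `shared_zone_files(load_conf("/etc/named.conf"))`; an empty result means no zone file is shared between views.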

