DNS views setup help

Fri Aug 19 02:15:42 UTC 2016

I am running bind 9.8.2 on a pair of RHEL 6 DNS servers.. One server is the
master, one is the slave. My goal is to setup 2 views so that our internal
folks can resolve hostnames to internal IP's while still allowing our
external customers to resolve from the outside. Both of these servers are
external facing and have only one public IP each. First of all I would like
to know if what I am trying to achieve is even possible with my current
setup. What we have are internal users that are trying to access internal
resources via a domain name that only exist in our external DNS. We do not
have an internal zone for this domain or a inside DNS server that we can
point them to in order to get a result for the query. So that leaves us
looking at views for the solution.

To be more precise, this is what is happening now.

Internal client > looks up host that's actually on the internal network but
resolves to an external IP. The problem with this is 2 fold.

1) DNS returns an external IP
2) Since the resource is internal, the traffic flow to the outside and back
in happens on the same outside interface, which results in a hairpin, which
we do not allow.

Now, what I was told is that a DNS view type solution would not be
applicable to the hairpin. My understanding is that internal clients query
the server already to get results for external IP, so if we had a zone file
in a view that had internal mappings, this would work and the internal user
could access the resource since they are now being pointed to an internal
IP.

So what I want to do is setup an "internal" view for the zone in question
that points to a db file with the internal IP of that host, and an external
view for everyone else.

My questions is:

1) Would DNS views work for my use case now that my server layout has been
described?

If so I need help in setting up TSIG because in my test lab everything
seems to work except that on my slave server my zone in "view A" is being
updated with the data from the master server from "view B". And view B
seems to be in sync on both servers, although it seems when I update zone
files I have to restart instead of a reload to get the zones to update.
Even then, that does not always work. There is a link I found online that
says TSIG would be the solution for this but it gives very little details
on what the config is doing, so I do not know how to make TSIG work in my
environment. This is the link I found:

https://kb.isc.org/article/AA-00295/0/How-do-I-share-a-dynamic-zone-between-multiple-views-.html

Here are the relavent parts to my config as it stands now from the master.

acl internal {
1.2.3.4; // public IP coming from the inside users
};

acl external {
5.6.7.8; // everyone else
9.10.11.12;; // everyone else
};

view "insideview" {
      match-clients { internal; };

      zone"example.com" IN {
      type master;
      file "/var/named/db.exampleinside.com"; // this db file will be shown
to the clients in the internal ACL and map back to internal IP's
};
};

view "extview" {
      match-clients { external; };

zone"example.com" IN {
      type master;
      file "/var/named/db.exampleoutside.com";
};

The conf from the slave is identical to the above. Can anyone help me by
showing me what a TSIG config would look like for my environemnt?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160818/135459ed/attachment-0001.html>