Thank you Sten, that's a great explanation. I had already read the ARM but the ARM did not explain why it seemed to work at my home. <br><br>I will check tcpdump to investigate further but I believe you're on to something. <br>
<br><div class="gmail_quote">2012/10/22 Sten Carlsen <span dir="ltr"><<a href="mailto:stenc@s-carlsen.dk" target="_blank">stenc@s-carlsen.dk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFCC" text="#000000">
<br>
From the Bind ARM<br>
<div>
<div>
<div>
<p><span style="font-size:12.000000pt;font-family:'URWPalladioL';font-weight:700">6.2.24</span><span style="font-size:12.000000pt;font-family:'URWPalladioL';font-weight:700"> view Statement
Definition and Usage
</span></p>
</div>
<div> <span style="font-size:10.000000pt;font-family:'URWPalladioL'">The </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">view </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">statement is a
powerful feature of BIND 9 that lets a name server answer a
DNS query differently depending on who is asking. It is particularly useful
for implementing split DNS setups without
having to run multiple servers.
</span></div>
</div>
<div>
<div>
<p><span style="font-size:10.000000pt;font-family:'URWPalladioL'">Each </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">view </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">statement defines a view of
the DNS namespace that will be seen by a subset of
clients. A client matches a view if its source IP address matches the
</span><span style="font-size:10.000000pt;font-family:'NimbusMonL'">address match list </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">of the view’s </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-clients </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">clause and its destination IP
address matches the </span><span style="font-size:10.000000pt;font-family:'NimbusMonL'">address match list
</span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">of the view’s </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-destinations </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">clause. If not specified,
both </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-clients
</span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">and </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-destinations </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">default to
matching all addresses. In addition to checking IP addresses, </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-clients </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">and </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-destinations </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">can also take
</span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">keys </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">which provide a mechanism for the client
to select the view. A view can also be specified as
</span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">match-recursive-only, </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">which means that only recursive requests
from matching clients will match that
view. The order of the </span><span style="font-size:10.000000pt;font-family:'URWPalladioL';font-weight:700">view </span><span style="font-size:10.000000pt;font-family:'URWPalladioL'">statements is significant — <b><i><u>a
client request will be resolved in the context of
the first </u></i></b></span><b><i><u><span style="font-size:10pt;font-family:'URWPalladioL'">view </span></u></i></b><b><i><u><span style="font-size:10.000000pt;font-family:'URWPalladioL'">that it matches.
</span></u></i></b></p>
</div>
</div>
</div>
Your intranet view is recursive, hence it will resolve your "master
zones" from the root since they don't exist in the view.<br>
<br>
My guess is that your DNS server is a hidden master and the
recursion will point to your slaves, which are not on the same
machine and will therefore give you the answer. Possibly you also
benefit from a side effect of NAT: when asking the external address,
it will look like you are not coming from localnets but from your
external address.<br>
<br>
Wireshark or similar could tell you exactly how the resolution
happens; I suggest you trace queries very carefully, noting both
addresses of every packet involved.<div><div class="h5"><br>
<br>
<div>On 22/10/12 10:48, Stefan Midjich
wrote:<br>
</div>
<blockquote type="cite">It seems very cumbersome to have copies of every
single zone for every single view. That would quickly reach
thousands of zones, all of which have to be maintained for every single
change in a zone. <br>
<br>
I'm asking, are you sure? My first venture into views was my
private router at home. It has very few zones but it has two
views, one intranet and one wan (internet). <br>
<br>
Just to show an example, my wan view has <a href="http://domain1.se" target="_blank">domain1.se</a>
and <a href="http://domain2.se" target="_blank">domain2.se</a>.
My intranet view has <a href="http://domain1.se" target="_blank">domain1.se</a> and nothing else. <br>
<br>
<a href="http://domain1.se" target="_blank">domain1.se</a>
in intranet and wan point to different IP-addresses, in intranet
they're internal and in wan they're external. <br>
<br>
<a href="http://domain2.se" target="_blank">domain2.se</a>
exists only in wan view and points to external IP-addresses. <br>
<br>
If I do a query from my LAN for <a href="http://server.domain1.se" target="_blank">server.domain1.se</a> I get an
internal IP; if I do a query from my LAN for <a href="http://domain2.se" target="_blank">domain2.se</a> I
get an external IP. <br>
<br>
That means I don't have a copy of <a href="http://domain2.se" target="_blank">domain2.se</a> in both views, but I can
still get a response from BIND for <a href="http://domain2.se" target="_blank">domain2.se</a> from the lan and wan
views. <br>
<br>
This is my configuration at home. <br>
<br>
<pre>acl lanClients {
    192.168.22.0/24;
    127.0.0.1;
};

view "intranet" {
    match-clients { lanClients; };
    recursion yes;
    notify no;

    // Standard zones
    //
    zone "." {
        type hint;
        file "etc/root.hint";
    };

    zone "domain1.se" {
        type master;
        file "intranet/domain1.se";
    };
};

view "internet" {
    match-clients { !localnets; any; };
    recursion no;
    allow-transfer { slaveDNS; };   // the slaveDNS acl is defined elsewhere in the full config

    include "master.zones";
};</pre>
<br>
The above configuration is just a snippet but it works the way I
want. One zone exists in two views and responds differently in
intranet as opposed to wan. Another zone exists only in wan, yet it
responds correctly both from LAN and wan. <br>
<br>
I am unable to copy this configuration to two other name servers
with hundreds of zones. This is my goal. <br>
<br>
<div class="gmail_quote">2012/10/22 Sten Carlsen <span dir="ltr"><<a href="mailto:stenc@s-carlsen.dk" target="_blank">stenc@s-carlsen.dk</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFCC" text="#000000">
<div>
<div> <br>
<div>On 22/10/12 9:32, Stefan Midjich wrote:<br>
</div>
<blockquote type="cite">I want to have an exception for
certain zones that also exist in my main "wan" view. <br>
<br>
So I created an acl for the network that needs the
exception. <br>
<br>
<pre>// the acl name must match the match-clients reference in the view
acl OtherNetworkClients {
    10.0.2.192/28;
};</pre>
<br>
Then I made this block. <br>
<br>
<pre>view "OtherNetwork" {
    match-clients { OtherNetworkClients; };
    allow-recursion { OtherNetworkClients; };
    include "/etc/bind/views/othernetwork.zones";
};</pre>
<br>
This worked for the othernetwork.zones, but if I
request any zones outside of this view I get no
response. <br>
<br>
I want requests for other zones to be forwarded to the
"wan" view where the rest of the zones are. How can I
accomplish this with Bind? The only solution I can
see now is to copy and maintain hundreds of zones for
each view; there must be an easier way. <br clear="all">
</blockquote>
</div>
</div>
You should look at each view as a separate server without
any connection to the other servers.<br>
<br>
Your "OtherNetwork" server has no other information than
what you show here; your other networks will be resolved by
normal recursion from the root up.<br>
<br>
The traditional solution here is to include a copy of the
other zones here, as separate files, not a reference to the
same files, especially if any kind of dynamic DNS is involved.<br>
<blockquote type="cite">
<div> <br>
-- <br>
Hälsningar / Greetings<br>
<br>
Stefan Midjich<br>
[De omnibus dubitandum]<br>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_______________________________________________
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div>
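To make the point of the thread concrete, here is an added Python model (not code from the thread or from BIND) of the first-match view selection the ARM excerpt describes, loaded with the acls and views from the home configuration above. The contents of the built-in localnets acl, the zone list in master.zones and the external client address 203.0.113.5 are constructed assumptions.

```python
import ipaddress

# Constructed model of the view selection rule quoted from the ARM: a client is
# served by the FIRST view whose match-clients list it matches, and the query is
# then answered only from that view's zones (or by that view's recursion).
ACLS = {
    "lanClients": ["192.168.22.0/24", "127.0.0.1"],    # from the home config in the thread
    "localnets":  ["192.168.22.0/24", "127.0.0.0/8"],  # assumed contents of the built-in acl
}

VIEWS = [  # order is significant
    {"name": "intranet", "match_clients": ["lanClients"], "recursion": True,
     "zones": {"domain1.se"}},
    {"name": "internet", "match_clients": ["!localnets", "any"], "recursion": False,
     "zones": {"domain1.se", "domain2.se"}},  # contents of master.zones assumed
]

def matches_element(element, addr):
    """Evaluate one address-match-list element: any, an acl name, an address or a prefix."""
    if element == "any":
        return True
    if element in ACLS:
        return match_list(ACLS[element], addr) is True
    return addr in ipaddress.ip_network(element, strict=False)

def match_list(elements, addr):
    """First matching element decides: True (positive), False (negated '!'), None (no match)."""
    for element in elements:
        negated = element.startswith("!")
        if matches_element(element.lstrip("!"), addr):
            return not negated
    return None

def select_view(client_ip):
    """Return the first view whose match-clients list matches, or None (query refused)."""
    addr = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if match_list(view["match_clients"], addr) is True:
            return view
    return None

def resolve(client_ip, qname):
    """Return (view name, how the answer is produced) for a client/query pair."""
    view = select_view(client_ip)
    if view is None:
        return (None, "refused: no view matched")
    zone = next((z for z in view["zones"] if qname == z or qname.endswith("." + z)), None)
    if zone:
        return (view["name"], "authoritative from zone " + zone)
    # No zone in this view: the other view is never consulted, only recursion can answer.
    return (view["name"], "recursion from root hints" if view["recursion"] else "refused: recursion off")
```

Running resolve("192.168.22.10", "domain2.se") shows the LAN query landing in the intranet view and going out by recursion rather than into the internet view, which is the behaviour Sten's reply explains.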