On Tue, Feb 3, 2009 at 5:19 PM, Jeff Howard <howjeff...@gmail.com> wrote:
> Hi all,
>
> Having a problem setting up split DNS for the purpose of separating
> internal, recursive, caching responses vs external, non caching, non
> recursive responses. First off, can views be used to do this?
>
> If yes, here are the relevant (I hope) portions of named.conf, which I've
> set up based on http://www.cymru.com/Documents/secure-bind-template.html:
>
> acl trusted {
>     8.8.8.0/24;
> };
> ..snip..
> view internal-in in {
>     match clients { trusted };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "." in {
>         // Link in the root server hint file.
>         type hint;
>         file "db.cache";
>     };
>
>     zone "ournetwork.com" in {
>         // Our internal A RR zone. There may be several of these.
>         type master;
>         file "ournetwork.com.db";
>     };
>
>     zone "8.8.8.in-addr.arpa" in {
>         // Our internal PTR RR zone. Again, there may be several of these.
>         type master;
>         file "8.8.8.in-addr.arpa.db";
>     };
>
> };
>
> view external-in in {
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "8.8.8.in-addr.arpa" in {
>         // Our internal PTR RR zone. Again, there may be several of these.
>         type master;
>         file "8.8.8.in-addr.arpa.db";
>         allow-query { any; };
>     };
>
>     zone "ournetwork.com" in {
>         // Our internal A RR zone. There may be several of these.
>         type master;
>         file "ournetwork.com.db";
>         allow-query { any; };
>     };
>
>     zone "." in {
>         // Link in the root server hint file.
>         type hint;
>         file "db.cache";
>     };
>
> };
>
> The result is that all requests outside the trusted IP range are being
> REFUSED. Not sure why that is, though; anyone?
>
> Thanks a bunch!
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

Can you please post one of the REFUSED messages? I doubt the clients are outside the trusted.
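
A triage helper for the question the reply raises, added here as an example and not part of either post: it reads BIND "denied" log lines and, using the trusted ACL and zone names from the posted named.conf, reports whether each REFUSED is the expected result of `recursion no` in the external view or a sign that the client landed in the wrong view. The log line shape, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# From the posted named.conf: the "trusted" ACL and the zones served in external-in.
TRUSTED = [ipaddress.ip_network("8.8.8.0/24")]
EXTERNAL_ZONES = ["ournetwork.com", "8.8.8.in-addr.arpa"]

# Assumed log shape: client <ip>#<port>: view <name>: query [(cache)] '<name>/<type>/IN' denied
DENIED = re.compile(
    r"client (?:@\S+ )?(?P<ip>[^#\s]+)#\d+(?: \([^)]*\))?: view (?P<view>[^:]+): "
    r"query(?: \(cache\))? '(?P<qname>[^/']+)/\w+/IN' denied")

def expected_view(ip):
    """named tries views in order; the first whose match-clients matches wins."""
    addr = ipaddress.ip_address(ip)
    return "internal-in" if any(addr in net for net in TRUSTED) else "external-in"

def in_zone(qname, zones):
    """True when qname is a zone apex or a name below one of the zones."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)

def diagnose(line):
    """Return (client, view, qname, verdict) for a denied line, else None."""
    m = DENIED.search(line)
    if not m:
        return None
    ip, view, qname = m["ip"], m["view"], m["qname"]
    if view != expected_view(ip):
        verdict = "wrong view: check the ACL and match-clients"
    elif view == "external-in" and not in_zone(qname, EXTERNAL_ZONES):
        verdict = "expected: recursion is off and the name is not in a served zone"
    else:
        verdict = "unexpected: check allow-query and that the zone loaded"
    return ip, view, qname, verdict

# Constructed sample lines (not from the thread).
SAMPLE = [
    "client 203.0.113.9#40000: view external-in: query (cache) 'www.example.org/A/IN' denied",
    "client 8.8.8.20#5353: view external-in: query (cache) 'www.example.org/A/IN' denied",
    "client 203.0.113.9#40001: view external-in: query 'www.ournetwork.com/A/IN' denied",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(diagnose(line))
```
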