I am glad to be able to answer an email on this list. I literally did this same thing 4 days ago and had the exact same problem. Here is the answer you seek:
https://www.isc.org/faq/item/182

bb

> -----Original Message-----
> From: bind-users-bounces+brad.bendily=la....@lists.isc.org
> [mailto:bind-users-bounces+brad.bendily=la....@lists.isc.org]
> On Behalf Of Ewald Jenisch
> Sent: Thursday, July 07, 2011 10:59 AM
> To: bind-users@lists.isc.org
> Subject: Split-DNS + Views + master/slave
>
> Hi,
>
> I'm in the process of setting up two DNS-servers
> (master/slave). Response of these servers should be different
> as to where the queries come from (inside our network vs.
> external). For this purpose I thought about using views.
>
> Here's an excerpt from what I got in my named.conf:
>
> Master-DNS:
> -----------
>
> view "internal-view" in {
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "v6.oekb.at" {
>         type master;
>         file "/etc/namedb/master/Internal/v6.oekb.at-forward.db";
>         notify yes;
>         allow-transfer { valid_secondary; };
>     };
>     ...
> };
>
> view "external-view" in {
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "v6.oekb.at" {
>         type master;
>         file "/etc/namedb/master/External/v6.oekb.at-forward.db";
>         allow-transfer { valid_secondary; };
>         allow-query {
>             any;
>         };
>         notify yes;
>     };
>     ...
> };
>
> With "trusted", "valid_secondary" being acls containing the
> addresses/ranges belonging to the internal range;
>
> As you can see from the above excerpt I use distinct files
> for internal and external view on the master (with the
> configuration for the internal view containing a lot more
> entries than the one for external, simply because it holds
> all the internal addresses, that are not supposed to be known
> to the outside)
>
> On the slave DNS the setup looks similar:
>
> Slave-DNS:
> ----------
>
> view "internal-view" in {
>     // Our internal (trusted) view. We permit the internal networks
>     // to freely access this view. We perform recursion for our
>     // internal hosts, and retrieve data from the cache for them.
>
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>
>     zone "v6.oekb.at" {
>         type slave;
>         file "/etc/namedb/slave/Internal/v6.oekb.at-forward.db";
>         masters {
>             143.245.5.61;
>         };
>         allow-query {
>             any;
>         };
>         allow-transfer { valid_secondary; };
>     };
>     ...
> };
>
> view "external-view" in {
>     // Our external (untrusted) view. We permit any client to access
>     // portions of this view. We do not perform recursion or cache
>     // access for hosts using this view.
>
>     match-clients { any; };
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
>     zone "v6.oekb.at" {
>         type slave;
>         file "/etc/namedb/slave/External/v6.oekb.at-forward.db";
>         masters {
>             143.245.5.61;
>         };
>         allow-query {
>             any;
>         };
>     };
>
> With the master everything's fine: When sending it a query
> from the inside network the client gets an answer out of the
> internal data-set (i.e. file
> /etc/namedb/slave/Internal/v6.oekb.at-forward.db); when the
> client sits outside it gets an answer as per the external
> view. This holds true for all zones on the master.
>
> However, on the slave DNS things are a real mess: When starting up
> the slave I end up with it having only one configuration for
> all the zones; i.e. the distinction between internal and
> external views is gone.
>
> Put in another way: On the master the two configurations (internal and
> external) for the above zone are distinct (different
> config-files), whereas on the slave I have the exact same
> data in the files for both "Internal" and "External". Looks
> like the slave gets confused somehow given the fact that it's
> the same zone name for both internal and external views and
> mixes things up (?).
>
> So here is my question: How do I set up two servers
> (master/slave) using views (for internal and external
> clients) so that both of them hold the correct data and
> return the correct answers to their respective clients
> (inside and outside)?
>
> Thanks much in advance for any clue,
> -ewald
> _______________________________________________
> Please visit
> https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
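
Added example, not part of either message or of the linked FAQ: a BIND primary picks the view that answers a zone transfer from what the request presents (source address, TSIG key), so two secondary views that ask the same master from the same address with no key receive the same copy of the zone. The Python sketch below flags that pattern in a secondary's named.conf; the function names, the trimmed config and the key names int-xfer/ext-xfer are assumptions made for the example.

```python
import re

# Secondary's config from the quoted message, trimmed to the relevant statements.
SLAVE_CONF = '''
view "internal-view" in {
    match-clients { trusted; };
    zone "v6.oekb.at" { type slave; masters { 143.245.5.61; }; };
};
view "external-view" in {
    match-clients { any; };  // untrusted clients
    zone "v6.oekb.at" { type slave; masters { 143.245.5.61; }; };
};
'''
# Constructed variant: one TSIG key per view (key names are placeholders).
KEYED_CONF = (SLAVE_CONF.replace("{ 143.245.5.61; }", "{ 143.245.5.61 key int-xfer; }", 1)
                        .replace("{ 143.245.5.61; }", "{ 143.245.5.61 key ext-xfer; }", 1))

def blocks(keyword, text):
    """Yield (name, body) for every `keyword "name" ... { body }` in text."""
    for m in re.finditer(r"\b" + keyword + r'\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while depth:  # walk forward to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def first(pattern, *texts):
    """First capture of pattern across texts, whitespace-normalised, else None."""
    hits = [m for m in (re.search(pattern, t) for t in texts) if m]
    return " ".join(hits[0].group(1).split()) if hits else None

def shared_transfers(conf):
    """List (zone, view_a, view_b) where two views send an identical transfer request."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    seen, clashes = {}, []
    for view, vbody in blocks("view", conf):
        zones = list(blocks("zone", vbody))
        opts = vbody
        for _, zbody in zones:  # keep only the view-level options
            opts = opts.replace(zbody, "")
        for zone, zbody in zones:
            if not re.search(r"type\s+(slave|secondary)\s*;", zbody):
                continue
            ident = (zone, first(r"masters\s*\{([^}]*)\}", zbody),  # address, any key
                     first(r"transfer-source\s+([^;]+);", zbody, opts),
                     first(r"\bkeys\s+([^;]+);", opts))  # server { keys ...; };
            if ident in seen:
                clashes.append((zone, seen[ident], view))
            seen.setdefault(ident, view)
    return clashes
```

A clean result only means the two requests are distinguishable; the primary's match-clients must still select on that key or source address, otherwise the external view can end up serving the internal records.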