personally i would not mix that and have own virtual servers and control the reachability via iptables, the servers can act as slave/master where needed so that the datacenter nameserver has all zones and differ where it makes sense
we do something similar with internal / public namservers
4 dns servers, 2 of them only reachable from specific IP's
some years ago i would have mixed that too, but now with
VMware/Xen/KVM/LCX became mature....
Am 02.07.2014 18:18, schrieb Bob Harold:
> The server I really need this for is a little more complex. I was just
> trying for a simple test case.
>
> Here are more details on my plans to actually use "allow-query-on". Two DNS
> servers, one only for the data
> centers, and another for the users, but also as backup for the data center.
>
> DNS resolver for data center has these relevant settings in named.conf:
> (has data center DNS resolver IP)
> acl DATACENTER { ... data center subnets ... };
> options { allow-query { any; } ;
> allow-recursion { any; } ;
> recursion yes;
> };
> view "datacenter" {
> match-clients { DATACENTER; };
> ... my zones ....
> };
>
> DNS resolver for users, but also backup resolver for the data center: (There
> are actually two of these.)
> (has both user DNS resolver IP and data center DNS resolver IP)
> options {
> allow-query { any; } ;
> allow-recursion { any; } ;
> recursion yes;
> };
> view "datacenter" {
> match-clients { DATACENTER; };
> allow-query-on { data center resolver ip };
> ... my zones ...
> };
> view "users" {
> match-clients { "any"; };
> allow-query-on { user resolver ip };
> ... my zones ...
> };
>
> I don't want users trying to use the data center resolver IP. Without the
> "allow-query-on", it would work for them
> if the anycast path reached the user resolver, but not if it reached the data
> center resolver. That confuses users.
>
> (Actually, both data center and users have two anycast resolver IP's each, so
> double the above sets of servers.)
> The authoritative servers are a separate set of servers, not using anycast,
> not involved in this.
>
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.rei...@thelounge.net
> <mailto:h.rei...@thelounge.net>> wrote:
>
>
> Am 02.07.2014 17:08, schrieb Bob Harold:
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> > allow-query-on { 127.0.0.1; };
> >
> > To the default /etc/bind/named.conf.options file.
> > That should make it only answer queries sent to 127.0.0.1, and not
> > answer queries sent to the server's normal IP.
> > But it seems to have no effect
>
> why just listening on a interface you don#t want to
> answer from and so accept packets at all?
>
> listen-on {any;};
> listen-on {127.0.0.1;};
> listen-on {127.0.0.1; 192.168.196.2;};
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
