Personally I would not mix that; I would have my own virtual servers and control the reachability via iptables. The servers can act as slave/master where needed, so that the datacenter nameserver has all zones and differs where it makes sense.
We do something similar with internal / public nameservers: 4 DNS servers, 2 of them only reachable from specific IPs. Some years ago I would have mixed that too, but now that VMware/Xen/KVM/LXC have become mature....

On 02.07.2014 18:18, Bob Harold wrote:
> The server I really need this for is a little more complex. I was just
> trying for a simple test case.
>
> Here are more details on my plans to actually use "allow-query-on". Two DNS
> servers, one only for the data centers, and another for the users, but also
> as backup for the data center.
>
> DNS resolver for data center has these relevant settings in named.conf:
> (has data center DNS resolver IP)
>
>     acl DATACENTER { ... data center subnets ... };
>     options {
>         allow-query { any; };
>         allow-recursion { any; };
>         recursion yes;
>     };
>     view "datacenter" {
>         match-clients { DATACENTER; };
>         ... my zones ...
>     };
>
> DNS resolver for users, but also backup resolver for the data center: (There
> are actually two of these.)
> (has both user DNS resolver IP and data center DNS resolver IP)
>
>     options {
>         allow-query { any; };
>         allow-recursion { any; };
>         recursion yes;
>     };
>     view "datacenter" {
>         match-clients { DATACENTER; };
>         allow-query-on { data center resolver ip };
>         ... my zones ...
>     };
>     view "users" {
>         match-clients { "any"; };
>         allow-query-on { user resolver ip };
>         ... my zones ...
>     };
>
> I don't want users trying to use the data center resolver IP. Without the
> "allow-query-on", it would work for them if the anycast path reached the
> user resolver, but not if it reached the data center resolver. That
> confuses users.
>
> (Actually, both data center and users have two anycast resolver IPs each, so
> double the above sets of servers.)
> The authoritative servers are a separate set of servers, not using anycast,
> not involved in this.
>
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> > On 02.07.2014 17:08, Bob Harold wrote:
> > > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> > >
> > >     allow-query-on { 127.0.0.1; };
> > >
> > > to the default /etc/bind/named.conf.options file.
> > > That should make it only answer queries sent to 127.0.0.1, and not
> > > answer queries sent to the server's normal IP.
> > > But it seems to have no effect.
> >
> > Why listen on an interface you don't want to
> > answer from, and so accept packets at all?
> >
> >     listen-on {any;};
> >     listen-on {127.0.0.1;};
> >     listen-on {127.0.0.1; 192.168.196.2;};
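A worked named.conf for the "users, plus backup for the data center" resolver described in the thread, added here as an example; it is not from the thread and not ISC's own sample configuration. All addresses are constructed placeholders (RFC 5737 documentation ranges for the two anycast service addresses, RFC 1918 ranges for the DATACENTER acl), and the zone name and file are assumed. It combines both suggestions above: listen-on limits the addresses named binds at all, and allow-query-on limits which of those may answer each view. It also sets allow-recursion-on and allow-query-cache-on in each view: in BIND 9 these are separate options that do not inherit from allow-query-on, so a recursive test query can still be answered on an address that allow-query-on excludes, which is worth checking before concluding the option has no effect.

```conf
// Added example, not from the thread: resolver that serves users on its own
// anycast address and acts as backup for the data center on a second one.
// 192.0.2.53 and 198.51.100.53 are constructed placeholder addresses.

acl DATACENTER { 10.10.0.0/16; 10.20.0.0/16; };   // assumed data center subnets

options {
    directory "/var/cache/bind";

    // Bind only the two anycast service addresses plus loopback for local
    // tools. Queries to any other local address are never accepted at all.
    listen-on { 127.0.0.1; 192.0.2.53; 198.51.100.53; };
    listen-on-v6 { none; };

    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// Views are tried in order; data center clients match this one first.
view "datacenter" {
    match-clients { DATACENTER; };

    // Only the data center service address may answer this view.
    allow-query-on       { 192.0.2.53; };
    // Ordinary queries, recursion and cache answers are gated separately;
    // restrict all three to the same address so a recursive lookup sent to
    // the user address is refused for this view as well.
    allow-recursion-on   { 192.0.2.53; };
    allow-query-cache-on { 192.0.2.53; };

    zone "example.internal" { type master; file "db.example.internal"; };
};

view "users" {
    match-clients { any; };

    // Users get answers only on the user service address, so a query that
    // reaches the data center address is refused whichever anycast path
    // delivered it, instead of working on one path and failing on the other.
    allow-query-on       { 198.51.100.53; };
    allow-recursion-on   { 198.51.100.53; };
    allow-query-cache-on { 198.51.100.53; };

    zone "example.internal" { type master; file "db.example.internal"; };
};
```

Run `named-checkconf /etc/bind/named.conf` after editing to catch syntax errors before a reload, then confirm the behaviour with a query to each address from a user subnet and from a data center subnet: the user address should answer a user, and the data center address should return REFUSED to that same user. Note that with this layout a data center client that happens to reach the user address is also refused, because it matched the "datacenter" view by source address; if that is unwanted, BIND's `match-destinations` view option selects the view by the address the query arrived on and can be combined with match-clients.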
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.