In article <mailman.2079.1432386408.26362.bind-us...@lists.isc.org>, Elias Pereira <empbi...@gmail.com> wrote:
> I understood the explanations. Now why I asked the question.
>
> Let's assume I have 3 services and all with public IPs.
>
> - www.myservice.com
> - Database
> - Microsoft AD
>
> I think the only service the external public needs to know that exists is
> the www.
>
> Assuming that, along with the explanations you have given me, I need to
> duplicate the www entry in the internal and external views. The rest is
> only in the "internal" view.
>
> Now the question. If someone from the outside, run a nslookup to the
> service of "AD" it will be able to catch the hostname service? Ex.
> Ad.myservice.com

If it's not in the external view, they won't be able to see it. Why is this even a question? It's the basic way that views work: you can only look up things that are in the first view whose ACL you match.

But I have a confusion about your configuration. You don't just have two views, you also have different zone names in the two views. So in the internal view, the name would be "www.internal", in the external view it would be "www.external".

> On Fri, May 22, 2015 at 4:37 PM, Darcy Kevin (FCA) <kevin.da...@fcagroup.com> wrote:
>
> > You'll need to duplicate the www name into the internal zone if your
> > internal clients need to resolve it. If a query doesn't resolve in one
> > view, it doesn't "fail over" to another view in the config. It simply
> > returns the negative response to the client.
> >
> > - Kevin
> >
> > *From:* bind-users-boun...@lists.isc.org [mailto:
> > bind-users-boun...@lists.isc.org] *On Behalf Of *Elias Pereira
> > *Sent:* Friday, May 22, 2015 10:48 AM
> > *To:* bind-users@lists.isc.org
> > *Subject:* Doubt regarding acls and internal and external view.
> >
> > Hello everyone,
> >
> > I have a doubt regarding acls and internal and external view.
> >
> > If I have some servers and among them, one only has access part of the
> > "external (world)" to "internal (my infrastructure)." That would be the
> > site (www). The rest is only internal.
> >
> > Like that:
> >
> > *www --> zone db.external*
> > *any other server/service --> zone db.internal*
> >
> > acl "clients" {
> >     localhost;
> >     192.168.1.1/24;
> >     172.16.1.1/24;
> > };
> >
> > view "internal" {
> >     match-clients { clients; };
> >     recursion yes;
> >
> >     zone "internal" {
> >         type master;
> >         file "/etc/bind/db.internal";
> >     };
> > };
> >
> > view "external" {
> >     match-clients { any; };
> >     recursion no;
> >     additional-from-auth no;
> >     additional-from-cache no;
> >
> >     zone "external" {
> >         type master;
> >         file "/etc/bind/db.external";
> >     };
> > };
> >
> > Thus I should only put the site in a zone that is in the external view and
> > the other servers on the internal view, would it?
> >
> > --
> > Elias Pereira
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users

--
Barry Margolin
Arlington, MA
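
The view behaviour discussed in this thread, modelled as an added example (not code from the thread or from BIND): the server uses the first view whose match-clients ACL matches the client address and answers only from that view, with no fail-over. It assumes one zone name, myservice.com, served in both views; all records and addresses are constructed.

```python
import ipaddress

# Constructed model of the two views from the thread. Assumption: both views
# serve the same zone name (myservice.com) with different record sets.
VIEWS = [  # order matters: the first view whose ACL matches the client wins
    {
        "name": "internal",
        # 127.0.0.1/32 is a stand-in for BIND's built-in "localhost" ACL
        "match_clients": ["127.0.0.1/32", "192.168.1.0/24", "172.16.1.0/24"],
        "records": {
            "www.myservice.com": "203.0.113.10",
            "db.myservice.com": "203.0.113.20",
            "ad.myservice.com": "203.0.113.30",
        },
    },
    {
        "name": "external",
        "match_clients": ["0.0.0.0/0"],  # equivalent of "any" for IPv4
        "records": {"www.myservice.com": "203.0.113.10"},
    },
]


def select_view(client_ip, views=VIEWS):
    """Return the first view whose match-clients ACL contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for view in views:
        if any(addr in ipaddress.ip_network(n) for n in view["match_clients"]):
            return view
    return None  # no view matched at all


def resolve(client_ip, qname, views=VIEWS):
    """Answer from the selected view only; other views are never consulted."""
    view = select_view(client_ip, views)
    if view is None:
        return ("none", "REFUSED", None)
    answer = view["records"].get(qname.lower().rstrip("."))
    if answer is None:
        return (view["name"], "NXDOMAIN", None)  # negative answer, no fail-over
    return (view["name"], "NOERROR", answer)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.168.1.55"):  # outside client, inside client
        for name in ("www.myservice.com", "Ad.myservice.com"):
            print(ip, name, resolve(ip, name))
    # Listing the catch-all view first hides the internal view from everyone.
    print(select_view("192.168.1.55", list(reversed(VIEWS)))["name"])
```

The last line shows why view order is part of the access control: with the "any" view listed first, internal clients would be served the external data only.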