I think you are pretty close. One detail that you appear to be missing are is
in the linked document:
server 10.0.1.1 {
/* Deliver notify messages to external view. */
keys { external-key; };
};
Your slaves should have a similar statement in each view with the IP of the
master and the relevant key for that view.
Two other things we have learned in deploying this:
* It is helpful to change your allow-transfer section to be key-based per-view
instead of IP based to save you from accidental zone transfers when other
configuration errors are made.
* The match-clients rule can be prepended with a key/!key set to prevent
accidental communication on that view when using keys; e.g.
match-clients {
# key matching rules
key admin-internal;
!key admin-external;
key slave-internal;
!key slave-external;
# ip/acl matching rules
internal-ips;
};
Regards,
Mathew Eis
Northern Arizona University
Information Technology Services
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Brian Pugh
<project...@gmail.com>
Date: Thursday, August 18, 2016 at 7:15 PM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: DNS views setup help
I am running bind 9.8.2 on a pair of RHEL 6 DNS servers.. One server is the
master, one is the slave. My goal is to setup 2 views so that our internal
folks can resolve hostnames to internal IP's while still allowing our external
customers to resolve from the outside. Both of these servers are external
facing and have only one public IP each. First of all I would like to know if
what I am trying to achieve is even possible with my current setup. What we
have are internal users that are trying to access internal resources via a
domain name that only exist in our external DNS. We do not have an internal
zone for this domain or a inside DNS server that we can point them to in order
to get a result for the query. So that leaves us looking at views for the
solution.
To be more precise, this is what is happening now.
Internal client > looks up host that's actually on the internal network but
resolves to an external IP. The problem with this is 2 fold.
1) DNS returns an external IP
2) Since the resource is internal, the traffic flow to the outside and back in
happens on the same outside interface, which results in a hairpin, which we do
not allow.
Now, what I was told is that a DNS view type solution would not be applicable
to the hairpin. My understanding is that internal clients query the server
already to get results for external IP, so if we had a zone file in a view that
had internal mappings, this would work and the internal user could access the
resource since they are now being pointed to an internal IP.
So what I want to do is setup an "internal" view for the zone in question that
points to a db file with the internal IP of that host, and an external view for
everyone else.
My questions is:
1) Would DNS views work for my use case now that my server layout has been
described?
If so I need help in setting up TSIG because in my test lab everything seems to
work except that on my slave server my zone in "view A" is being updated with
the data from the master server from "view B". And view B seems to be in sync
on both servers, although it seems when I update zone files I have to restart
instead of a reload to get the zones to update. Even then, that does not always
work. There is a link I found online that says TSIG would be the solution for
this but it gives very little details on what the config is doing, so I do not
know how to make TSIG work in my environment. This is the link I found:
https://kb.isc.org/article/AA-00295/0/How-do-I-share-a-dynamic-zone-between-multiple-views-.html
Here are the relavent parts to my config as it stands now from the master.
acl internal {
1.2.3.4; // public IP coming from the inside users
};
acl external {
5.6.7.8; // everyone else
9.10.11.12;; // everyone else
};
view "insideview" {
match-clients { internal; };
zone"example.com<http://example.com>" IN {
type master;
file "/var/named/db.exampleinside.com<http://db.exampleinside.com>"; //
this db file will be shown to the clients in the internal ACL and map back to
internal IP's
};
};
view "extview" {
match-clients { external; };
zone"example.com<http://example.com>" IN {
type master;
file "/var/named/db.exampleoutside.com<http://db.exampleoutside.com>";
};
The conf from the slave is identical to the above. Can anyone help me by
showing me what a TSIG config would look like for my environemnt?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
