I understand the concept, but I'm not sure I fully understand how to configure it. I've updated my bind to 9.11 P05 compiled with "--with-ecdsa", and as far as I can read EDNS is enabled for authoritative bind installations automatically. But I'm still getting wrong answers from my installation. Here are my configurations:
named.conf:

    // the acl has to be defined before it is referenced (allow-recursion below)
    acl internal {
        service_server_subnet/24;
        service_server_wan_ip;
    };

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-recursion { internal; };
        allow-query { any; };
        allow-query-cache { none; };
    };

    view "internal" {
        match-clients { internal; };
        zone "example.net" IN {
            type master;
            file "/etc/named/example.net.internal";
        };
    };

    view "external" {
        match-clients { any; };
        zone "example.net" IN {
            type master;
            file "/etc/named/example.net.external";
        };
    };

example.net.external:

    $TTL 3600
    example.net.         IN SOA   ns1.example.net. example.net. (
                                  2001062501 21600 3600 604800 3600 )
    example.net.         IN NS    ns1.example.net.
    example.net.         IN NS    ns2.example.net.
    example.net.         IN MX    10 mx.zoho.com.
    example.net.         IN MX    20 mx2.zoho.com.
    ns1.example.net.     IN A     bind_wan_ip
    ns2.example.net.     IN A     bind_wan_ip
    example.net.         IN A     service_server_wan_ip
    www.example.net.     IN CNAME example.net.
    mail.example.net.    IN A     service_server_wan_ip
    mail.example.net.    IN MX    10 mail.example.net.
    mail.example.net.    IN SPF   "v=spf1 +a +mx +include:mail.example.net -all"
    service.example.net. IN A     service_server_wan_ip

example.net.internal:

    $TTL 3600
    example.net.         IN SOA   ns1.example.net. example.net. (
                                  2001062501 21600 3600 604800 3600 )
    example.net.         IN NS    ns1.example.net.
    example.net.         IN NS    ns2.example.net.
    example.net.         IN MX    10 mx.zoho.com.
    example.net.         IN MX    20 mx2.zoho.com.
    ns1.example.net.     IN A     bind_wan_ip
    ns2.example.net.     IN A     bind_wan_ip
    example.net.         IN A     service_server_lan_ip
    www.example.net.     IN CNAME example.net.
    mail.example.net.    IN A     service_server_lan_ip
    mail.example.net.    IN MX    10 mail.example.net.
    mail.example.net.    IN SPF   "v=spf1 +a +mx +include:mail.example.net -all"
    service.example.net. IN A     service_server_wan_ip

When I dig my subdomain, however, I get these replies:

    # dig +noall +answer service.example.net @ns1.example.net
    service.example.net.    3600    IN      A       service_server_lan_ip

    # dig +noall +answer service.example.net @8.8.8.8
    service.example.net.    3599    IN      A       service_server_wan_ip

Can you spot anything wrong with it?

Thanks

On 19 April 2017 at 09:37, Tony Finch <d...@dotat.at> wrote:
> Alberto Rinaudo <alberto.rina...@gmail.com> wrote:
>
> > I have a bind installation on an aws server and I'm trying to set up views
> > to give different responses based on the source location.
> >
> > It works fine when this dns server is the first dns used by a client, I
> > guess because the source address used to discriminate between views is the
> > last hop.
> >
> > If the query goes first to google dns instead I end up in the wrong view.
> >
> > So here's the question: is it possible to use the original source address
> > to choose the view?
>
> This is what the EDNS client subnet option is about. You can use it in
> BIND by adding "ecs" clauses to your address match lists for views or
> acls. However it isn't documented in the ARM and it has significant
> problems. See
> https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
> and especially
> https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html
>
> EDNS client subnet specification:
> https://tools.ietf.org/html/rfc7871
>
> Google Public DNS support for ECS on authoritative servers:
> https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Viking, North Utsire: Southwesterly 5 or 6, decreasing 4 at times. Slight or
> moderate. Rain at times. Good, occasionally poor.
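As an added illustration of the EDNS Client Subnet option Tony points to (example code, not from this thread and not BIND's own implementation), the following encodes and decodes the RFC 7871 option on the wire and models why a query relayed through 8.8.8.8 lands in the wrong view unless the client subnet, rather than the resolver's source address, is matched. The addresses, the /24 and the select_view model are constructed assumptions for the demonstration.

```python
"""EDNS Client Subnet (RFC 7871) on the wire, plus a model of the view-selection
question in the thread. Addresses are constructed RFC 5737/3849 sample values."""
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8   # OPTION-CODE assigned to EDNS Client Subnet (RFC 7871)
OPT_TYPE = 41         # OPT pseudo-RR type that carries EDNS options (RFC 6891)

def build_ecs_option(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """FAMILY (1=IPv4, 2=IPv6), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then the
    address truncated to the bytes the prefix covers, with the spare bits zeroed."""
    net = ipaddress.ip_network(f"{address}/{source_prefix}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def parse_ecs_option(option: bytes) -> tuple:
    """Decode one ECS option into (network, scope). Length mismatches and non-zero
    bits beyond the prefix are rejected; RFC 7871 has a server answer them FORMERR."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr, full = option[8:], (4 if family == 1 else 16)
    if family not in (1, 2) or len(addr) != (source + 7) // 8 or source > full * 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    # strict=True makes ip_network raise ValueError when padding bits are set
    return ipaddress.ip_network((addr.ljust(full, b"\0"), source)), scope

def build_opt_rr(options: bytes, udp_payload: int = 4096) -> bytes:
    """OPT pseudo-RR wrapping the options: root name, TYPE 41, CLASS = UDP payload
    size, TTL = extended RCODE/version/flags (all zero here), RDLENGTH, RDATA."""
    return b"\0" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(options)) + options

def select_view(resolver_ip: str, internal_acl: str, ecs_option: Optional[bytes] = None) -> str:
    """Simplified model (an assumption, not BIND's code) of match-clients: without ECS
    the last hop's source address picks the view; with ECS the client subnet does."""
    internal = ipaddress.ip_network(internal_acl)
    subject = parse_ecs_option(ecs_option)[0] if ecs_option else ipaddress.ip_network(resolver_ip)
    return "internal" if subject.subnet_of(internal) else "external"

if __name__ == "__main__":
    ecs = build_ecs_option("192.0.2.77", 24)            # client inside the "internal" /24
    print(select_view("8.8.8.8", "192.0.2.0/24"))       # external: only the resolver is seen
    print(select_view("8.8.8.8", "192.0.2.0/24", ecs))  # internal: the ECS subnet is used
```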
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users