Split DNS sample config (was Re: iptables - lo interface problem)

Mike Burger mburger at bubbanfriends.org
Tue Aug 24 16:37:23 UTC 2004


Yang,

There's no reason that you can't also use your internal DNS server to 
serve up the public DNS entries.  Mine does that.

However, it appears that you may have underestimated the scope of the 
original request.  The original requester wanted to serve up DNS, 
externally, for web sites hosted on his server, but also wanted to be able 
to access those same sites, internally.  The point of a split view DNS is 
that you serve up DNS for a zone, externally, with an internet facing IP, 
and internally, with a private facing IP.

To do so, you need to have replicated zones, with the external view 
serving up public IPs, and the internal view serving up private.

The sample offered is a simplified (specific references changed) version 
of the exact same configuration I'm using in my home, on my business class 
DSL circuit.  I'm doing secondary DNS for some zones, so I have the slave 
zone examples in place.  I do primary for a number of zones, as well, and 
I serve up dual views for them.

Given the initial request, and the follow-up request for the example, I 
thought it appropriate.

On Tue, 24 Aug 2004, Yang Xiao wrote:

> Mike,
> This is what is called "view" with BIND DNS, it's OK if you assume you
> do host the public and private DNS service locally on the same
> machine. But for a simple split DNS problem it might not be
> appropriate or even relevant.
> A simple split DNS uses internal DNS to resolve public services on the
> DMZ using their private IP address internally and public DNS servers
> for all other DNS queries.
> For example, in the /etc/resolv.conf file
> # /etc/resolv.conf
> domain mydomain.com
> nameserver xxx.xxx.xxx.xxx (my internal DNS server)
> nameserver xxx.xxx.xxx.xxx (some public DNS server)
> 
> 
> Yang
> 
> On Tue, 24 Aug 2004 07:29:27 -0500 (EST), Mike Burger
> <mburger at bubbanfriends.org> wrote:
> > > > Happy to help.
> > > >
> > > > If you need an example of a split DNS config, let me know.  I'm using
> > > > it, now, in lieu of the routing option.
> > > > --
> > > > Mike Burger
> > >
> > > Hi Mike,
> > >
> > > I would like to see the split-DNS config. This thread is very timely for
> > > me as I am setting up the exact arrangement in my network.
> > >
> > > Thanks,
> > > Travis Fraser
> > 
> > No problem, Travis.
> > 
> > Here is a pared down sample...I edited my own to remove my system/network
> > specific info, but it should do as a starting point.  I'll paste it in,
> > for anyone who wants to see it up close, and attach it for those that
> > don't.
> > 
> > The stuff at the very top is all for logging (I like to split my DNS
> > logging out into various files, to keep them cleaner).  I've commented
> > out the "size" variables for the logs, so that they don't just rotate
> > when they reach their size limits:
> > 
> > --------------------------------------------------------------------
> > 
> > options {
> >        directory "/var/named";
> >        /*
> >         * If there is a firewall between you and nameservers you want
> >         * to talk to, you might need to uncomment the query-source
> >         * directive below.  Previous versions of BIND always asked
> >         * questions using port 53, but BIND 8.1 uses an unprivileged
> >         * port by default.
> >         */
> >        // query-source address * port 53;
> >        auth-nxdomain yes;
> > };
> > 
> > logging {
> >        channel my_syslog { file "/var/log/named/named.log" versions 25;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> >                                };
> >        channel my_lame { file "/var/log/named/lame.log" versions 25;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> >        channel my_xfer { file "/var/log/named/xfer.log" versions 25;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> >        channel my_update { file "/var/log/named/named.update" versions 25;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> >        channel my_db     { file "/var/log/named/db.log" versions 25;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> >         channel my_query  { file "/var/log/named/query.log" versions 25;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> >        channel my_security { file "/var/log/named/security.log" versions 99;
> >                                severity info;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> >        channel my_debug { file "/var/log/named/named.debug" versions 20;
> >                                severity dynamic;
> >                                print-category yes;
> >                                print-time yes;
> > //                              size 50M;
> >                                };
> > 
> >        category security       { my_security; };
> >        category default        { my_syslog; };
> >        category queries        { my_query; };
> >        category lame-servers   { my_lame; };
> >        category update         { my_update; };
> > //        category db             { my_db; };
> >        category xfer-in        { my_xfer; };
> >        category xfer-out       { my_xfer; };
> > //        category packet         { null; };
> > //        category eventlib       { my_syslog; };
> > 
> > };
> > 
> > //
> > // a caching only nameserver config
> > //
> > controls {
> >        inet 127.0.0.1 allow {
> >                localhost;
> >        }
> >         keys {
> >                "key";
> >        };
> > };
> > 
> > key "key" {
> >        algorithm hmac-md5;
> >        secret "<insert key string here>";
> > };
> > 
> > //Split views set up, here
> > //
> > view "internal" {
> >        // This should match our internal network
> >        match-clients {
> >                192.168.0.0/24;
> >                127.0.0.1;
> >                192.168.0.1;
> >        };
> > 
> > // Provide recursive service to internal clients, only.
> > recursion yes;
> > 
> > // Provide a complete view of your local DNS  zone
> > // including addresses of internal hosts.
> > zone "." IN {
> >        type hint;
> >        file "named.ca";
> >        };
> > 
> > zone "localhost" IN {
> >        type master;
> >        file "localhost.zone";
> >        allow-update { none; };
> >        };
> > 
> > zone "0.0.127.in-addr.arpa" IN {
> >        type master;
> >        file "named.local";
> >        allow-update { none; };
> >        };
> > 
> > zone "0.168.192.in-addr.arpa" IN {
> >        type master;
> >        file "named.rev.192.168.0";
> >        allow-update { none; };
> >        };
> > 
> > zone "your.domain.here" {
> >        type master;
> >        file "your.domain.here.internal.hosts";
> >        };
> > 
> > zone "here.ip-range.reverse.internet.in-addr.arpa" {
> >        type master;
> >        file "/var/named/reverse.ip-range.here.rev";
> >        };
> > 
> > zone "slave.zone.com" {
> >        type slave;
> >        masters {
> >                ip.of.master;
> >                };
> >        file "slave.zone.com.hosts";
> >        };
> > 
> > zone "another.master.zone.org" {
> >        type master;
> >        file "another.master.zone.org.hosts";
> >        };
> > 
> > };
> > // End of internal view
> > 
> > view "external" {
> >        match-clients { any; };
> > 
> >        // Refuse recursive service to external clients.
> >        recursion no;
> > 
> >        // Provide restricted view of the bubbanfriends.org zone
> >        // containing only publicly accessible hosts.
> > zone "." IN {
> >        type hint;
> >        file "named.ca";
> >        };
> > 
> > zone "localhost" IN {
> >        type master;
> >        file "localhost.zone";
> >        allow-update { none; };
> >        };
> > 
> > zone "0.0.127.in-addr.arpa" IN {
> >        type master;
> >        file "named.local";
> >        allow-update { none; };
> >        };
> > 
> > zone "0.168.192.in-addr.arpa" IN {
> >        type master;
> >        file "named.rev.192.168.0";
> >        allow-update { none; };
> >        };
> > 
> > zone "your.domain.here" {
> >        type master;
> >        // Public-only copy of the zone; must not be the internal hosts file
> >        file "your.domain.here.external.hosts";
> >        };
> > 
> > zone "here.ip-range.reverse.internet.in-addr.arpa" {
> >        type master;
> >        file "/var/named/reverse.ip-range.here.rev";
> >        };
> > 
> > zone "slave.zone.com" {
> >        type slave;
> >        masters {
> >                ip.of.master;
> >                };
> >        file "slave.zone.com.hosts";
> >        };
> > 
> > zone "another.master.zone.org" {
> >        type master;
> >        file "another.master.zone.org.hosts";
> >        };
> > 
> > };
> > // End of external view
> > 
> > --------------------------------------------------------------------
> > 
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request at bubbanfriends.org

with a message of: 

subscribe
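As an added check (not part of the thread or of BIND itself), the small Python linter below parses the view blocks of a named.conf and flags the two split-view mistakes that matter most for exposure: an unclosed view/zone block, an externally reachable view (match-clients any) that still recurses, and a zone file shared between views so the public view would leak internal hosts. The config it inspects is a constructed sample modelled on the posted one; zone names and file names are assumptions.

```python
import re
# Constructed sample modelled on the posted named.conf; the external view here
# reuses the internal hosts file and leaves recursion on (both mistakes).
SAMPLE = '''
view "internal" {
    match-clients { 192.168.0.0/24; 127.0.0.1; }; recursion yes;
    zone "example.test" { type master; file "example.test.internal.hosts"; };
};
view "external" {
    match-clients { any; }; recursion yes;   // should be "recursion no;"
    zone "example.test" { type master; file "example.test.internal.hosts"; };
};
'''
def parse_views(conf):
    """Map view name -> recursion setting, match-clients list and zone->file."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)      # drop /* */ comments
    conf = re.sub(r"(//|#).*", "", conf)                    # drop // and # comments
    if conf.count("{") != conf.count("}"):
        raise ValueError("unbalanced braces: a view or zone block is not closed")
    views = {}
    for m in re.finditer(r'view\s+"([^"]+)"\s*\{', conf):
        depth, i = 0, m.end() - 1                 # walk forward to the matching '}'
        while True:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            if depth == 0:
                break
            i += 1
        body = conf[m.end():i]
        rec = re.search(r"recursion\s+(yes|no)\s*;", body)
        cl = re.search(r"match-clients\s*\{([^}]*)\}", body)
        # zone bodies without nested blocks (e.g. masters { }) are enough here
        zones = dict(re.findall(r'zone\s+"([^"]+)"[^{]*\{[^}]*?file\s+"([^"]+)"', body))
        views[m.group(1)] = {
            "recursion": rec.group(1) if rec else None,
            "clients": [c.strip() for c in cl.group(1).split(";") if c.strip()] if cl else [],
            "zones": zones}
    return views
def lint(views):
    """Flag an open view that still recurses, and a zone file shared by two views."""
    findings = []
    for name, v in views.items():
        if "any" in v["clients"] and v["recursion"] != "no":
            findings.append(f"{name}: open to any client but recursion is not 'no'")
        for other, w in views.items():
            if other > name:                      # compare each pair of views once
                for zone, f in v["zones"].items():
                    if w["zones"].get(zone) == f:
                        findings.append(f"{zone}: views {name!r} and {other!r} share file {f!r}")
    return findings
```

Run `lint(parse_views(open("/etc/named.conf").read()))` against a real config after `named-checkconf` passes; the brace check catches the missing `};` that drops one view into the next.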
