[Cialug] bind 9 - split zones
David Champion
dchamp1337 at gmail.com
Fri Nov 19 16:33:15 CST 2010
I'm attempting to set up a name server with split zones, so the internal
network can do recursive lookups, but people on the outside can't.
My 2 main references have been:
http://www.bind9.net/manual/bind/9.3.1/Bv9ARM.ch04.html#AEN767
http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php
This config runs, but doesn't look like it's blocking the "external" people
- I get the same results back from "dig -t NS @my.name.server.com" from the
inside and the outside. If I make it block 127.0.0.1 (while running it on my
laptop) I get back basically no results, which is what you should get
externally if it's working.
Here's a scaled down sample of what I'm trying. One thing I was wondering
about is if the problem is due to having the firewall at 192.168.1.1, which
is included in the 192.168.1.0/24 subnet?
I've also tried both iterations of the "match-clients { !localnets; any; };"
with and without the !localnets parameter.
Any ideas?
-dc
----------
// named.conf
acl internals { 192.168.1.0/24; };

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    recursion no;                     // global default, overridden per view
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";

// -----------------------------------------------
view "internal" {
    match-clients { internals; };
    recursion yes;
    notify no;
    include "/etc/root_zones.inc";    // root hints, needed for recursion
    include "/etc/master_zones.inc";  // authoritative zones
};
// -----------------------------------------------
view "external" {
    //match-clients { !localnets; any; };
    match-clients { any; };
    recursion no;
    include "/etc/master_zones.inc";  // same authoritative zones as internal
};
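As an added example that is not the original poster's config: a split-view named.conf with the same structure, with `allow-recursion` pinned per view and the view-ordering rule made explicit. The zone name example.com, the zone file paths and the hint file name are assumptions.

```conf
// Added example (not the poster's config): serve the same authoritative
// zones to everyone, but recurse only for the internal ACL.
// Assumptions: zone "example.com", file paths, hint file "named.ca".
acl internals { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    // Restrictive defaults; each view sets its own policy explicitly below.
    recursion no;
    allow-recursion { none; };
};

// Views are tried top to bottom and the first matching match-clients wins,
// so the catch-all external view must come last.  match-clients tests the
// query's source address: if outside queries arrive through the firewall
// at 192.168.1.1 with that as their source (NAT), they match "internals".
view "internal" {
    match-clients { internals; };
    recursion yes;
    allow-recursion { internals; };
    zone "." { type hint; file "named.ca"; };          // root hints only here
    zone "example.com" { type master; file "master/example.com.db"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    // Same authoritative data as the internal view, so an NS query for
    // example.com is answered identically from inside and outside; only
    // recursion for names outside the zone differs.
    zone "example.com" { type master; file "master/example.com.db"; };
};
```

To verify the split, query a name the server is not authoritative for (for instance `dig @ns.example.com www.iana.org A`) from both sides: the internal view answers with the `ra` flag set, while the external view returns REFUSED, whereas `dig -t NS example.com` is expected to match from both sides because both views carry the zone.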