On Sun, Nov 19, 2023 at 09:10:13PM +0000, Elmar K. Bins wrote: ! my freshly recrafted DNS servers got the latest BIND 9.18 pkg from FreeBSD. ! They're all supposed to only respond for a certain set of zones to the outside, ! but should be able to be used as a resolver from localhost. ! ! The pkg comes with a default config that slaves "." and its cousins instead ! of pushing a static hints file. I like this.
Me too. :) ! Unfortunately, the config just has them as slave zones, without a "hint" ! marking. Anybody can query the box for them. I don't like this. It's tricky. One problem is these are slave zones, they are authoritative and do not work well with DNSSEC. So I crafted something that does apparently work... view "rootslave" { match-clients { 127.0.0.2/32; }; allow-query-cache { none; }; // von ARM example allow-recursion { none; }; recursion no; zone "." { type slave; masters { // the usual root servers... // etc.etc. view "intraslave" { match-clients { 127.0.0.3/32; key "slave2."; }; allow-query-cache { none; }; // von ARM example allow-recursion { none; }; recursion no; zone "example.com" { // internal version of my public domain // looks a little different than public version type slave; // comes from hidden primary // etc.etc. zone "intranet.example.com" { // my lan domain type slave; // etc. etc. // The outside authoritative stuff - but not yet serving it from here! view "extraslave" { match-clients { key "slave2a."; }; // slave2a. is for notify // from hidden primary allow-query-cache { none; }; // von ARM example allow-recursion { none; }; recursion no; zone "example.com" { // These are the zones I'm autoritative for type slave; // fetched from hidden primary // this must be placed here, and NOT in this view! allow-query { any; }; // etc.etc. // Now wiring it all together: view "guest" { // for local machines that can use my internet but are NOT // allowed into my lan (currently none exist) match-clients { none; }; // bring the root stuff in zone "." { type static-stub; server-addresses { 127.0.0.2; } ; }; zone "arpa" { type static-stub; server-addresses { 127.0.0.2; } ; }; // etc.etc. // include localhost and empty zones include "/usr/local/etc/namedb/named.localempty.conf"; include "/usr/local/etc/namedb/named.localempty-e.conf"; } // Serving the Intra-net: view "intra" { dnstap { all; }; match-clients { 127.0.0.1/32; ::1/128; 192.168.0.0/16; fd00::/8; // etc.etc. - all the locally used IP }; // bring the root stuff in zone "." { in-view "guest"; }; zone "arpa" { in-view "guest"; }; // etc.etc. zone "example.com" { // internal view of public domain! type static-stub; server-addresses { 127.0.0.3; } ; }; // lan domain zone "intranet.example.com" { type static-stub; server-addresses { 127.0.0.3; } ; }; // etc.etc. // localhost and empty zones include "/usr/local/etc/namedb/named.localempty.conf"; } // And finally outbound authoritative, i.e. the stuff for all internet view "external" { match-clients { any; } ; allow-query-cache { none; }; # von ARM example allow-recursion { none; }; recursion no; zone "example.com" { in-view "extraslave"; }; // etc.etc. // here we must NOT refer to the slave rootzones! // (not sure if this is needed at all) zone "." { type hint; file "/usr/local/etc/namedb/named.root"; }; // localhost and empty zones (shouldn't harm) include "/usr/local/etc/namedb/named.localempty.conf"; include "/usr/local/etc/namedb/named.localempty-e.conf"; }; ! I've put the appropriate "allow-query { localhost; };" into every friggin' ! zone entryto every friggin' zone entry. I REALLY don't like this. ! ! I'm wondering whether there's a more elegant way. Like "secondary-hint" zones. ! Have I overlooked something? Maybe. As You can see, it can be done, but it's a bit weird - I got the fancy that I want to have all six-way in one running image. ;) (Originally I just got bored of the SSH known-host files, and to get rid of these you need DANE/SSHFP and proper DNSSEC.) cheerio, Peter -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users