I have a situation where I need to filter out our private infrastructure from 
our public-facing DNS servers. This is certainly something that should have 
been done a long time ago, but I just recently took over the spot. Now, I've 
seen plenty of examples using views and separate zonefiles, but what I can't 
find are examples of the same domain zone-xfering both zonefiles.

 

Our DNS infrastructure is large and the configuration varies from server type 
to server type. Some are configured to be the primary auth servers - facing the 
Internet. Others are public-facing, but accessed only by customer devices, and 
still others service our internal systems. I would like to get us down to just 
1 set of configuration files across the board, using views as the way to do it, 
but what I can't get around are split zone transfers.

 

In this example, we have a straightforward example of a split zone:

view "trusted" {
  match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
    type master;
    // private zone file including local hosts
    file "internal/master.example.com";
  };
  // add required zones
};
view "badguys" {
  match-clients { "any"; }; // all other hosts
  // recursion not supported
  recursion no;
  // other view statements as required
  zone "example.com" {
    type master;
    // public only hosts
    file "external/master.example.com";
  };
  // add required zones
};

 

Now, what I would like to have are slave servers that would zone-xfer both the 
internal and external-flavored files for example.com and serve them using the 
same view structure. The hidden masters can generate the split zone files based 
on private IP address ranges, but I see no way to use zone transfers to get 
both types of files replicated to the many slave servers that I would need to 
get them to.

 

This obviously won't work, but this is what I'm after from a logical sense.

 

view "trusted" {
  match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; 4.5.6.7; };
    // private zone file including local hosts
    file "internal/master.example.com";
  };
  // add required zones
};
view "badguys" {
  match-clients { "any"; }; // all other hosts
  // recursion not supported
  recursion no;
  // other view statements as required
  zone "example.com" {
    type slave;
    masters { 1.2.3.4; 4.5.6.7; };
    // public only hosts
    file "external/master.example.com";
  };
  // add required zones
};

 

I suppose I could set up another pair of hidden masters to serve up the 
internal zones, or another pair of IP addrs on the masters, but I'm hoping not 
to go down that road.

 

Thanks,

Eric Chandler
Systems Architect

23 Main Street, Holmdel, NJ 07733
Tel: 732.203.7437
Mobile: 732.284.8504 (iPhone)
Email: eric.chand...@vonage.com
Web: www.vonage.com


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
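One way to get what the post is after without a second pair of masters or extra addresses: give each view its own TSIG key, and let the key on the slave's transfer request pick the view on the hidden master (and the key on the master's NOTIFY pick the view on the slave). This is an added example, not the poster's configuration; the key names, secrets and the 192.0.2.x addresses are assumptions, and the two halves belong in the master's and the slave's named.conf respectively.

```conf
// Shared by master and slave: one TSIG key per view (secrets are constructed placeholders).
key "internal-xfer" { algorithm hmac-sha256; secret "SU5URVJOQUwtUExBQ0VIT0xERVI="; };
key "external-xfer" { algorithm hmac-sha256; secret "RVhURVJOQUwtUExBQ0VIT0xERVI="; };

// ---- hidden master (assumed address 192.0.2.1) ----
view "trusted" {
    // A request signed with the external key is rejected here so it falls through
    // to "badguys"; the internal key, or an internal source address, lands here.
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    zone "example.com" {
        type master;
        file "internal/master.example.com";
        allow-transfer { key internal-xfer; };
        also-notify { 192.0.2.2 key internal-xfer; };  // slave, aimed at its "trusted" view
    };
};
view "badguys" {
    match-clients { key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/master.example.com";
        allow-transfer { key external-xfer; };
        also-notify { 192.0.2.2 key external-xfer; };  // slave, aimed at its "badguys" view
    };
};

// ---- slave (assumed address 192.0.2.2) ----
view "trusted" {
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type slave;
        masters { 192.0.2.1 key internal-xfer; };  // signed request selects the master's "trusted" view
        file "internal/slave.example.com";
    };
};
view "badguys" {
    match-clients { key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type slave;
        masters { 192.0.2.1 key external-xfer; };  // signed request selects the master's "badguys" view
        file "external/slave.example.com";
    };
};
```

The `key` clause on `also-notify` needs a BIND release that supports it; without it the slave would match the master's NOTIFYs by source address alone and only one view would learn about updates, so check the transfer log on the slave for both zone files after a serial bump.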