> > Happy to help.
> >
> > If you need an example of a split DNS config, let me know. I'm using
> > it now, in lieu of the routing option.
> > --
> > Mike Burger
>
> Hi Mike,
>
> I would like to see the split-DNS config. This thread is very timely for
> me as I am setting up the exact arrangement in my network.
>
> Thanks,
> Travis Fraser
No problem, Travis.
Here is a pared-down sample. I edited my own to remove my system/network-
specific info, but it should do as a starting point. I'll paste it in,
for anyone who wants to see it up close, and attach it for those who
don't.
The stuff at the very top is all for logging (I like to split my DNS
logging out into various files, to keep them cleaner). I've commented
out the "size" variables for the logs, so that they don't just rotate
when they reach their size limits:
--------------------------------------------------------------------
// Global server options. Everything access-related (recursion, which
// zones a client may see) is decided per view further down, so this
// block stays minimal.
options {
    // Relative zone "file" names below resolve against this directory.
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    // Set the AA bit on NXDOMAIN answers (BIND 9 defaults to "no";
    // this is kept for compatibility with older resolvers).
    auth-nxdomain yes;
};
// Logging: one channel per concern so each file stays readable on its
// own. "versions N" keeps N rotated copies of each file. The "size"
// limits are deliberately commented out so that files are not rotated
// merely for reaching a size limit.
// NOTE(review): with no size limit the files grow until something else
// rotates them; make sure logrotate (or disk monitoring) covers
// /var/log/named, since a query flood could otherwise fill the disk —
// confirm for this host.
logging {
    // General server messages (everything not routed elsewhere).
    channel my_syslog { file "/var/log/named/named.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
    };
    // Lame-delegation reports.
    channel my_lame { file "/var/log/named/lame.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Inbound and outbound zone transfers.
    channel my_xfer { file "/var/log/named/xfer.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Dynamic update activity.
    channel my_update { file "/var/log/named/named.update" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Defined but not attached to any category (see the commented "db"
    // category below).
    channel my_db { file "/var/log/named/db.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Every query received. Useful for incident review, but high volume
    // and it records who asked for what — treat the file as sensitive.
    channel my_query { file "/var/log/named/query.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Approval/denial of requests; kept longer (99 versions) than the
    // rest because it is the first place to look after an incident.
    channel my_security { file "/var/log/named/security.log" versions 99;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // "dynamic" follows the server's current debug level, so this file
    // only fills up when debugging is switched on.
    channel my_debug { file "/var/log/named/named.debug" versions 20;
        severity dynamic;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Route categories to the channels above.
    category security { my_security; };
    category default { my_syslog; };
    category queries { my_query; };
    category lame-servers { my_lame; };
    category update { my_update; };
    // category db { my_db; };
    category xfer-in { my_xfer; };
    category xfer-out { my_xfer; };
    // category packet { null; };
    // category eventlib { my_syslog; };
};
//
// a caching only nameserver config
//
// Control channel for rndc: bound to the loopback address only, and
// requests must both come from localhost and be signed with the TSIG
// key named "key" (defined just below). Keep it this way; do not open
// it to other addresses unless the key is also rotated and protected.
controls {
    inet 127.0.0.1 allow {
        localhost;
    }
    keys {
        "key";
    };
};
// TSIG key used to authenticate rndc control requests.
// NOTE(review): hmac-md5 is the only algorithm very old releases accept;
// current BIND 9 releases support hmac-sha256, which should be preferred
// where both named and rndc understand it — confirm the versions in use.
// The secret is a base64 string (rndc-confgen can generate one); this
// file must not be world-readable once a real secret is in it.
key "key" {
    algorithm hmac-md5;
    secret "<insert key string here";
};
// Split views are set up here
//
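// Internal view: clients on the LAN or loopback get the complete zone
// data (including RFC 1918 addresses) and may use this server as a
// recursive resolver. Views are matched in order, so this one must come
// before the catch-all "external" view.
view "internal" {
    // This should match our internal network. 192.168.0.1 is already
    // covered by 192.168.0.0/24; it is listed separately only for clarity.
    match-clients {
        192.168.0.0/24;
        127.0.0.1;
        192.168.0.1;
    };
    // Provide recursive service to internal clients, only.
    recursion yes;
    // Root hints so recursion can start at the root servers.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    // Answer localhost / 127.0.0.1 lookups locally instead of sending
    // them upstream. allow-update is explicitly disabled.
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };
    // Reverse zone for the 192.168.0.0/24 LAN — internal-only data.
    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "named.rev.192.168.0";
        allow-update { none; };
    };
    // Provide a complete view of your local DNS zone
    // including addresses of internal hosts.
    zone "your.domain.here" {
        type master;
        file "your.domain.here.internal.hosts";
    };
    zone "here.ip-range.reverse.internet.in-addr.arpa" {
        type master;
        file "/var/named/reverse.ip-range.here.rev";
    };
    // Secondary for a zone mastered elsewhere; replace the placeholder
    // with the master's address.
    zone "slave.zone.com" {
        type slave;
        masters {
            ip.of.master;
        };
        file "slave.zone.com.hosts";
    };
    zone "another.master.zone.org" {
        type master;
        file "another.master.zone.org.hosts";
    };
// End of internal view. The closing brace was missing from the pasted
// sample; without it named refuses to load the file (or, depending on
// the parser, folds the external view into this one).
};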
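// External view: every client not matched by "internal" — i.e. the rest
// of the Internet — lands here, so it must expose only public data.
view "external" {
    match-clients { any; };
    // Refuse recursive service to external clients.
    recursion no;
    // Refuse zone transfers (AXFR/IXFR) to arbitrary clients. If other
    // nameservers pull these zones from this host, list their addresses
    // here in place of "none". NOTE(review): without this line the
    // BIND 9 releases of this era permit transfers to anyone — confirm
    // the default for the release you run.
    allow-transfer { none; };
    // Root hints, kept from the original; with recursion off they are
    // not used to resolve on behalf of clients.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };
    // The 192.168.0.0/24 reverse zone is internal-only data: serving it
    // here would hand internal host names to the Internet. It stays in
    // the "internal" view and is intentionally omitted from this one.
    // zone "0.168.192.in-addr.arpa" IN { type master; file "named.rev.192.168.0"; allow-update { none; }; };
    // Provide restricted view of the bubbanfriends.org zone
    // containing only publicly accessible hosts.
    zone "your.domain.here" {
        type master;
        // Must be a separate file containing only the public hosts. The
        // original pointed at your.domain.here.internal.hosts — the same
        // file the internal view serves — which would leak internal
        // addresses to external clients. The name below is a placeholder
        // (constructed); create the file before reloading.
        file "your.domain.here.external.hosts";
    };
    zone "here.ip-range.reverse.internet.in-addr.arpa" {
        type master;
        file "/var/named/reverse.ip-range.here.rev";
    };
    // Secondary for a zone mastered elsewhere; replace the placeholder
    // with the master's address.
    zone "slave.zone.com" {
        type slave;
        masters {
            ip.of.master;
        };
        file "slave.zone.com.hosts";
    };
    zone "another.master.zone.org" {
        type master;
        file "another.master.zone.org.hosts";
    };
};
// End of external view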
--------------------------------------------------------------------
--
Mike Burger
http://www.bubbanfriends.org
Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
To be notified of updates to the web site, visit
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a
message to:
site-update-request@xxxxxxxxxxxxxxxxx
with a message of:
subscribe
// generated by named-bootconf.pl
// Global server options. Everything access-related (recursion, which
// zones a client may see) is decided per view further down, so this
// block stays minimal.
options {
    // Relative zone "file" names below resolve against this directory.
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    // Set the AA bit on NXDOMAIN answers (BIND 9 defaults to "no";
    // this is kept for compatibility with older resolvers).
    auth-nxdomain yes;
};
// Logging: one channel per concern so each file stays readable on its
// own. "versions N" keeps N rotated copies of each file. The "size"
// limits are deliberately commented out so that files are not rotated
// merely for reaching a size limit.
// NOTE(review): with no size limit the files grow until something else
// rotates them; make sure logrotate (or disk monitoring) covers
// /var/log/named, since a query flood could otherwise fill the disk —
// confirm for this host.
logging {
    // General server messages (everything not routed elsewhere).
    channel my_syslog { file "/var/log/named/named.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
    };
    // Lame-delegation reports.
    channel my_lame { file "/var/log/named/lame.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Inbound and outbound zone transfers.
    channel my_xfer { file "/var/log/named/xfer.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Dynamic update activity.
    channel my_update { file "/var/log/named/named.update" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Defined but not attached to any category (see the commented "db"
    // category below).
    channel my_db { file "/var/log/named/db.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Every query received. Useful for incident review, but high volume
    // and it records who asked for what — treat the file as sensitive.
    channel my_query { file "/var/log/named/query.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Approval/denial of requests; kept longer (99 versions) than the
    // rest because it is the first place to look after an incident.
    channel my_security { file "/var/log/named/security.log" versions 99;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // "dynamic" follows the server's current debug level, so this file
    // only fills up when debugging is switched on.
    channel my_debug { file "/var/log/named/named.debug" versions 20;
        severity dynamic;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    // Route categories to the channels above.
    category security { my_security; };
    category default { my_syslog; };
    category queries { my_query; };
    category lame-servers { my_lame; };
    category update { my_update; };
    // category db { my_db; };
    category xfer-in { my_xfer; };
    category xfer-out { my_xfer; };
    // category packet { null; };
    // category eventlib { my_syslog; };
};
//
// a caching only nameserver config
//
// Control channel for rndc: bound to the loopback address only, and
// requests must both come from localhost and be signed with the TSIG
// key named "key" (defined just below). Keep it this way; do not open
// it to other addresses unless the key is also rotated and protected.
controls {
    inet 127.0.0.1 allow {
        localhost;
    }
    keys {
        "key";
    };
};
// TSIG key used to authenticate rndc control requests.
// NOTE(review): hmac-md5 is the only algorithm very old releases accept;
// current BIND 9 releases support hmac-sha256, which should be preferred
// where both named and rndc understand it — confirm the versions in use.
// The secret is a base64 string (rndc-confgen can generate one); this
// file must not be world-readable once a real secret is in it.
key "key" {
    algorithm hmac-md5;
    secret "<insert key string here";
};
// Split views are set up here
//
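// Internal view: clients on the LAN or loopback get the complete zone
// data (including RFC 1918 addresses) and may use this server as a
// recursive resolver. Views are matched in order, so this one must come
// before the catch-all "external" view.
view "internal" {
    // This should match our internal network. 192.168.0.1 is already
    // covered by 192.168.0.0/24; it is listed separately only for clarity.
    match-clients {
        192.168.0.0/24;
        127.0.0.1;
        192.168.0.1;
    };
    // Provide recursive service to internal clients, only.
    recursion yes;
    // Root hints so recursion can start at the root servers.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    // Answer localhost / 127.0.0.1 lookups locally instead of sending
    // them upstream. allow-update is explicitly disabled.
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };
    // Reverse zone for the 192.168.0.0/24 LAN — internal-only data.
    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "named.rev.192.168.0";
        allow-update { none; };
    };
    // Provide a complete view of your local DNS zone
    // including addresses of internal hosts.
    zone "your.domain.here" {
        type master;
        file "your.domain.here.internal.hosts";
    };
    zone "here.ip-range.reverse.internet.in-addr.arpa" {
        type master;
        file "/var/named/reverse.ip-range.here.rev";
    };
    // Secondary for a zone mastered elsewhere; replace the placeholder
    // with the master's address.
    zone "slave.zone.com" {
        type slave;
        masters {
            ip.of.master;
        };
        file "slave.zone.com.hosts";
    };
    zone "another.master.zone.org" {
        type master;
        file "another.master.zone.org.hosts";
    };
// End of internal view. The closing brace was missing from the attached
// sample; without it named refuses to load the file (or, depending on
// the parser, folds the external view into this one).
};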
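// External view: every client not matched by "internal" — i.e. the rest
// of the Internet — lands here, so it must expose only public data.
view "external" {
    match-clients { any; };
    // Refuse recursive service to external clients.
    recursion no;
    // Refuse zone transfers (AXFR/IXFR) to arbitrary clients. If other
    // nameservers pull these zones from this host, list their addresses
    // here in place of "none". NOTE(review): without this line the
    // BIND 9 releases of this era permit transfers to anyone — confirm
    // the default for the release you run.
    allow-transfer { none; };
    // Root hints, kept from the original; with recursion off they are
    // not used to resolve on behalf of clients.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };
    // The 192.168.0.0/24 reverse zone is internal-only data: serving it
    // here would hand internal host names to the Internet. It stays in
    // the "internal" view and is intentionally omitted from this one.
    // zone "0.168.192.in-addr.arpa" IN { type master; file "named.rev.192.168.0"; allow-update { none; }; };
    // Provide restricted view of the bubbanfriends.org zone
    // containing only publicly accessible hosts.
    zone "your.domain.here" {
        type master;
        // Must be a separate file containing only the public hosts. The
        // original pointed at your.domain.here.internal.hosts — the same
        // file the internal view serves — which would leak internal
        // addresses to external clients. The name below is a placeholder
        // (constructed); create the file before reloading.
        file "your.domain.here.external.hosts";
    };
    zone "here.ip-range.reverse.internet.in-addr.arpa" {
        type master;
        file "/var/named/reverse.ip-range.here.rev";
    };
    // Secondary for a zone mastered elsewhere; replace the placeholder
    // with the master's address.
    zone "slave.zone.com" {
        type slave;
        masters {
            ip.of.master;
        };
        file "slave.zone.com.hosts";
    };
    zone "another.master.zone.org" {
        type master;
        file "another.master.zone.org.hosts";
    };
};
// End of external view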