Re: Split DNS sample config (was Re: iptables - lo interface problem)


Mike,
This is what is called a "view" with BIND DNS; it's OK if you assume you
do host the public and private DNS service locally on the same
machine. But for a simple split DNS problem it might not be
appropriate or even relevant.
A simple split DNS uses internal DNS to resolve public services on the
DMZ using their private IP address internally, and public DNS servers
for all other DNS queries.
For example, in the /etc/resolv.conf file:
# /etc/resolv.conf
domain mydomain.com
nameserver xxx.xxx.xxx.xxx (my internal DNS server)
nameserver xxx.xxx.xxx.xxx (some public DNS server)


Yang

On Tue, 24 Aug 2004 07:29:27 -0500 (EST), Mike Burger
<mburger@xxxxxxxxxxxxxxxxx> wrote:
> > > Happy to help.
> > >
> > > If you need an example of a split DNS config, let me know.  I'm using
> > > it, now, in lieu of the routing routing option.
> > > --
> > > Mike Burger
> >
> > Hi Mike,
> >
> > I would like to see the split-DNS config. This thread is very timely for
> > me as I am setting up the exact arrangement in my network.
> >
> > Thanks,
> > Travis Fraser
> 
> No problem, Travis.
> 
> Here is a pared down sample...I edited my own to remove my system/network
> specific info, but it should do as a starting point.  I'll paste it in,
> for anyone who wants to see it up close, and attach it for those that
> don't.
> 
> The stuff at the very top is all for logging (I like to split my DNS
> logging out into various files, to keep them cleaner).  I've commented
> out the "size" variables for the logs, so that they don't just rotate
> when they reach their size limits:
> 
> --------------------------------------------------------------------
> 
> options {
>        directory "/var/named";
>        /*
>         * If there is a firewall between you and nameservers you want
>         * to talk to, you might need to uncomment the query-source
>         * directive below.  Previous versions of BIND always asked
>         * questions using port 53, but BIND 8.1 uses an unprivileged
>         * port by default.
>         */
>        // query-source address * port 53;
>        auth-nxdomain yes;
> };
> 
> logging {
>        channel my_syslog { file "/var/log/named/named.log" versions 25;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
>                                };
>        channel my_lame { file "/var/log/named/lame.log" versions 25;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
>        channel my_xfer { file "/var/log/named/xfer.log" versions 25;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
>        channel my_update { file "/var/log/named/named.update" versions 25;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
>        channel my_db     { file "/var/log/named/db.log" versions 25;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
>         channel my_query  { file "/var/log/named/query.log" versions 25;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
>        channel my_security { file "/var/log/named/security.log" versions 99;
>                                severity info;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
>        channel my_debug { file "/var/log/named/named.debug" versions 20;
>                                severity dynamic;
>                                print-category yes;
>                                print-time yes;
> //                              size 50M;
>                                };
> 
>        category security       { my_security; };
>        category default        { my_syslog; };
>        category queries        { my_query; };
>        category lame-servers   { my_lame; };
>        category update         { my_update; };
> //        category db             { my_db; };
>        category xfer-in        { my_xfer; };
>        category xfer-out       { my_xfer; };
> //        category packet         { null; };
> //        category eventlib       { my_syslog; };
> 
> };
> 
> //
> // a caching only nameserver config
> //
> controls {
>        inet 127.0.0.1 allow {
>                localhost;
>        }
>         keys {
>                "key";
>        };
> };
> 
> key "key" {
>        algorithm hmac-md5;
>        secret "<insert key string here>";
> };
> 
> //Split views set up, here
> //
> view "internal" {
>        // This should match our internal network
>        match-clients {
>                192.168.0.0/24;
>                127.0.0.1;
>                192.168.0.1;
>        };
> 
> // Provide recursive service to internal clients, only.
> recursion yes;
> 
> // Provide a complete view of your local DNS  zone
> // including addresses of internal hosts.
> zone "." IN {
>        type hint;
>        file "named.ca";
>        };
> 
> zone "localhost" IN {
>        type master;
>        file "localhost.zone";
>        allow-update { none; };
>        };
> 
> zone "0.0.127.in-addr.arpa" IN {
>        type master;
>        file "named.local";
>        allow-update { none; };
>        };
> 
> zone "0.168.192.in-addr.arpa" IN {
>        type master;
>        file "named.rev.192.168.0";
>        allow-update { none; };
>        };
> 
> zone "your.domain.here" {
>        type master;
>        file "your.domain.here.internal.hosts";
>        };
> 
> zone "here.ip-range.reverse.internet.in-addr.arpa" {
>        type master;
>        file "/var/named/reverse.ip-range.here.rev";
>        };
> 
> zone "slave.zone.com" {
>        type slave;
>        masters {
>                ip.of.master;
>                };
>        file "slave.zone.com.hosts";
>        };
> 
> zone "another.master.zone.org" {
>        type master;
>        file "another.master.zone.org.hosts";
>        };
> 
> };
> // End of internal view
> 
> view "external" {
>        match-clients { any; };
> 
>        // Refuse recursive service to external clients.
>        recursion no;
> 
>        // Provide restricted view of the bubbanfriends.org zone
>        // containing only publicly accessible hosts.
> zone "." IN {
>        type hint;
>        file "named.ca";
>        };
> 
> zone "localhost" IN {
>        type master;
>        file "localhost.zone";
>        allow-update { none; };
>        };
> 
> zone "0.0.127.in-addr.arpa" IN {
>        type master;
>        file "named.local";
>        allow-update { none; };
>        };
> 
> zone "0.168.192.in-addr.arpa" IN {
>        type master;
>        file "named.rev.192.168.0";
>        allow-update { none; };
>        };
> 
> zone "your.domain.here" {
>        type master;
>        file "your.domain.here.internal.hosts";
>        };
> 
> zone "here.ip-range.reverse.internet.in-addr.arpa" {
>        type master;
>        file "/var/named/reverse.ip-range.here.rev";
>        };
> 
> zone "slave.zone.com" {
>        type slave;
>        masters {
>                ip.of.master;
>                };
>        file "slave.zone.com.hosts";
>        };
> 
> zone "another.master.zone.org" {
>        type master;
>        file "another.master.zone.org.hosts";
>        };
> 
> };
> // End of external view
> 
> --------------------------------------------------------------------
> 
> --
> Mike Burger
> http://www.bubbanfriends.org
> 
> Visit the Dog Pound II BBS
> telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
> 
> To be notified of updates to the web site, visit
> http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a
> message to:
> 
> site-update-request@xxxxxxxxxxxxxxxxx
> 
> with a message of:
> 
> subscribe
> 
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
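Added example, not from the thread and not Mike's configuration: a small Python model of how BIND chooses a view for a client and what that view answers, together with a check that the public-facing view does not hand out RFC 1918 or loopback addresses. The view names, ACLs, zone names and addresses are constructed stand-ins. Two things worth checking in any config shaped like the quoted sample are encoded: views are tried in configuration order, so a `match-clients { any; }` view declared first would capture internal clients as well; and the sample's external view references the same `your.domain.here.internal.hosts` file as the internal view, which is exactly the mistake the leak check is meant to surface. Note also that a stub resolver treats the `nameserver` lines in `/etc/resolv.conf` as fallbacks tried on timeout or failure, not as per-domain routes, so it is the server-side view that decides which answer a client sees.

```python
"""Model of BIND split-horizon view selection plus a leak check.

Constructed example: the views, ACLs, zone names and addresses below are
illustrative stand-ins, not the configuration quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass, field

# Address space that must never appear in answers served by the public view.
# Explicit networks are used rather than ipaddress.is_private, which also
# flags documentation ranges such as 203.0.113.0/24 used in the sample data.
INTERNAL_ONLY_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class View:
    name: str
    match_clients: list          # ACL entries in named.conf order: "any", an IP, or a CIDR
    recursion: bool              # the view's "recursion yes/no;" setting
    records: dict = field(default_factory=dict)   # owner name -> list of A record addresses


def client_matches(view, client_ip):
    """Mirror match-clients: 'any' matches everything, otherwise test each prefix."""
    ip = ipaddress.ip_address(client_ip)
    for entry in view.match_clients:
        if entry == "any" or ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def select_view(views, client_ip):
    """Views are evaluated in configuration order and the first match wins,
    so a catch-all 'any' view must be declared last."""
    for view in views:
        if client_matches(view, client_ip):
            return view
    return None


def answer(views, client_ip, qname):
    """Return (view name, A records) that a client would receive for qname."""
    view = select_view(views, client_ip)
    if view is None:
        return ("REFUSED", [])
    return (view.name, view.records.get(qname, []))


def external_leaks(view):
    """List (name, address) pairs in a view that point at internal-only space."""
    leaks = []
    for name, addrs in view.records.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in INTERNAL_ONLY_NETS):
                leaks.append((name, addr))
    return leaks


def audit(views):
    """Return findings for a list of views given in declaration order."""
    findings = []
    for i, view in enumerate(views):
        if "any" not in view.match_clients:
            continue                      # only the public catch-all view is audited
        if i != len(views) - 1:
            findings.append(f"view {view.name!r}: 'any' is not last; later views are unreachable")
        if view.recursion:
            findings.append(f"view {view.name!r}: open recursion offered to any client")
        for name, addr in external_leaks(view):
            findings.append(f"view {view.name!r}: {name} -> {addr} exposes internal address space")
    return findings


# Constructed data: one host visible inside and outside with different
# addresses (a DMZ box behind NAT) and one host that exists internally only.
INTERNAL = View(
    "internal", ["192.168.0.0/24", "127.0.0.1"], recursion=True,
    records={"www.example.test.": ["192.168.0.10"],
             "db.example.test.": ["192.168.0.20"]},
)
EXTERNAL = View(
    "external", ["any"], recursion=False,
    records={"www.example.test.": ["203.0.113.10"]},
)
VIEWS = [INTERNAL, EXTERNAL]          # correct order: specific views first, "any" last
MISORDERED = [EXTERNAL, INTERNAL]     # "any" first: the internal view can never match
# Public view accidentally built from the internal hosts data.
LEAKY_EXTERNAL = View("external", ["any"], recursion=False, records=dict(INTERNAL.records))


if __name__ == "__main__":
    for client in ("192.168.0.5", "198.51.100.7"):
        print(client, answer(VIEWS, client, "www.example.test."))
    for finding in audit(MISORDERED) + audit([INTERNAL, LEAKY_EXTERNAL]):
        print("FINDING:", finding)
```

Running the block prints the internal client receiving the private address and the external client receiving the public one, then three findings: the misordered catch-all view, and the two internal addresses the leaky public view would serve to the whole internet.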