
I'm planning a new BIND9 DNS Server with a special kind of view.

We have a lot of external zones and public IPv4 addresses. To keep things simple we have a subzone of our external domain just for the internal scope; something like: local.example.com

Our goal is to keep things simple and not hassle with different example.com zones for the internal and external views.

To do that I must restrict only the local.example.com zone to internal clients. But internal clients should resolve the external addresses too, since we have internal clients with public IPv4 addresses.

Think of the internal zone as a set in a Venn diagram. The external set is inside the internal set, so all zones should be in the internal scope too, unmodified.

The main question can be summarised in this one: can I point the same db zone files in the internal and the external views?

Andrew Schulman
Vinícius Ferrão
  • Isn't the entire point of using a separate zone in *local.example.com* that you wouldn't need views in the first place? Configure it as the separate zone that it is and restrict outside queries to it. –  Apr 30 '14 at 19:14
  • Is there a way to restrict outside queries to it? I was not able to find it; I thought that notify no; would help, but that doesn't appear to be the case. – Vinícius Ferrão Apr 30 '14 at 19:57
  • Yes, it's quite straightforward. I'll post as an answer so the formatting is readable. Notify has nothing to do with queries. Notify is how one server tells another server 'hey, I've been updated!' so that slave server grabs an update. –  Apr 30 '14 at 20:05

2 Answers


If it's normal static master zones (i.e., named will only ever read the files) you can reference the same zone files. If it's slave zones, zones with dynamic updates enabled or anything like that, it will break.

Using include in the config file you could potentially even put the definitions of the zones shared between the views inside a separate file and just reference that in both views. Whether this is feasible of course depends on whether there is anything you want to set up differently about the zones.

(If a subset of a zone is to be shared you could make use of $INCLUDE inside a zone file itself.)

Håkan Lindqvist
  • The only DDNS zones will be the ones in the internal network. So I can be safe pointing to the same files in the external and the internal zone? – Vinícius Ferrão Apr 30 '14 at 18:25

Just use an acl to limit queries to your internal zone.

acl internal-networks {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

zone "internal.example.com" {
    type master;
    file "internal.example.com";
    allow-query { internal-networks; };
};

You can add additional IP addresses to the internal-networks acl. It doesn't matter if they are publicly routable or not; whatever you add there can query the zone.

  • Yes, this is certainly a more straightforward option if none of the zones need to be different, rather just exposing a different set of zones. – Håkan Lindqvist Apr 30 '14 at 20:36
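Putting the two answers together, here is a complete named.conf sketch for the "Venn diagram" layout the question describes: an internal view that serves the public zones unchanged plus local.example.com, and an external view that serves only the public zones, with both views reading the same static zone file through one shared include. This is an added example, not configuration from either answer or from the BIND documentation; the file paths, the 203.0.113.0/24 range standing in for the public addresses used by internal clients, and the ACL contents are assumptions to replace with your own.

```conf
// /etc/bind/shared-zones.conf  (added example; paths are assumptions)
// Zone definitions that are identical in both views. Only static master
// zones belong here: named only reads these files, so two views may
// point at the same path. A slave zone or a dynamically updated zone
// must not be shared this way (see the first answer).
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};

// /etc/bind/named.conf.local  (added example)
acl internal-networks {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    203.0.113.0/24;   // placeholder: public range used by internal clients
};

// Views are matched first-match, so the restrictive internal view must
// come before the catch-all external one.
view "internal" {
    match-clients { internal-networks; };
    recursion yes;

    // The public zones, unchanged: the outer set of the Venn diagram.
    include "/etc/bind/shared-zones.conf";

    // The internal-only subzone. It is the one dynamically updated zone,
    // so it has its own file and is defined in this view only; the
    // allow-query is belt and braces on top of match-clients.
    zone "local.example.com" {
        type master;
        file "/etc/bind/zones/db.local.example.com";
        allow-query { internal-networks; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Same definitions, same file, nothing to keep in sync by hand.
    // local.example.com is simply absent here, so outside clients
    // get a REFUSED/NXDOMAIN-style answer for it rather than data.
    include "/etc/bind/shared-zones.conf";
};
```

Validate the syntax with `named-checkconf` and each file with `named-checkzone example.com /etc/bind/zones/db.example.com` before reloading; then confirm the restriction from an address outside internal-networks with `dig @your-server local.example.com SOA`, which should not return the zone's records, while the same query for example.com still does.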