BIND 9 Configure Views To Partition External and Internal DNS Information

by on November 21, 2009 · 6 comments· LAST UPDATED November 21, 2009

in , ,

How do I configure Bind 9 dns server views to allow a single nameserver in my DMZ to make different sets of data available to different sets of clients? For example, I'd like to run recursion, some other data for LAN users (192.168.1.0/24), and for the Internet user I'd like to display limited DNS data without recursion. How do I configure views to partition external (Internet) and internal (LAN) DNS information?

You need to edit /etc/named.conf or /var/named/chroot/etc/named.conf file, run (the following configuration is tested on FreeBSD and RHEL 5.x BIND 9 servers):
# vi /var/named/chroot/etc/named.conf
Append the following and define internal subnet (192.168.1.0/24 and localhost with full access and recursion):

acl internal {
   192.168.1.0/24;
   localhost;
};

Define zone and other data as per your requirements:

//
// Lan zone recursion is the default
//
view "internal-view" {
  match-clients { internal; };
  zone "." IN {
    type hint;
    file "db.cache";
  };
  zone "internal.nixcraft.com " IN {
    type master;
    file "zones/lan.master.nixcraft.com";
    allow-transfer { key TRANSFER; };
  };
};
//
// external zone w/o recursion
//
view "external-view" {
  match-clients { any; };
  recursion no;
  zone "nixcraft.com " IN {
    type master;
    file "zones/internet.master.nixcraft.com";
    allow-transfer { key TRANSFER; };
  };
};

Make sure you configure TSIG as described here.

Create Zone Files

First, create required directories, enter:
# mkdir -p /var/named/chroot/var/named/zones
# chown named:named /var/named/chroot/var/named/zones

Create Internal Zone With LAN IP Data

Edit /var/named/chroot/var/named/zones/lan.master.nixcraft.com, run:
# vi /var/named/chroot/var/named/zones/lan.master.nixcraft.com
Append the data, enter:

$ORIGIN nixcraft.com.
$TTL 3h
@        IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
                       20080703328        ; Serial yyyymmddnn
                       3h                ; Refresh After 3 hours
                       1h                ; Retry Retry after 1 hour
                       1h                ; Expire after 1 week 1w
                       1h)             ; Minimum negative caching of 1 hour
@                          IN NS    ns1.nixcraft.com.
@                          IN NS    ns2.nixcraft.com.
@                      3600	IN MX 10 mail1.nixcraft.com.
@                      3600     IN MX 20 mail2.nixcraft.com.
@                      3600    IN A     208.43.79.236
ns1                    3600    IN A     208.43.138.52
ns2                    3600    IN A     75.126.168.152
mail1                  3600    IN A     208.43.79.236
mail2                  3600    IN A     67.228.49.229
out-router             3600    IN A     208.43.79.100
; lan data
wks1                   3600    IN A     192.168.1.5
wks2                   3600    IN A     192.168.1.5
wks3                   3600    IN A     192.168.1.5
in-router              3600    IN A     192.168.1.254
; add other lan specifc data below

Edit /var/named/chroot/var/named/zones/internet.master.nixcraft.com, run:
# vi /var/named/chroot/var/named/zones/internet.master.nixcraft.com
Same as above but no internal data:

$ORIGIN nixcraft.com.
$TTL 3h
@        IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
                       20080703328        ; Serial yyyymmddnn
                       3h                ; Refresh After 3 hours
                       1h                ; Retry Retry after 1 hour
                       1h                ; Expire after 1 week 1w
                       1h)             ; Minimum negative caching of 1 hour
@                          IN NS    ns1.nixcraft.com.
@                          IN NS    ns2.nixcraft.com.
@                      3600	IN MX 10 mail1.nixcraft.com.
@                      3600     IN MX 20 mail2.nixcraft.com.
@                      3600    IN A     208.43.79.236
ns1                    3600    IN A     208.43.138.52
ns2                    3600    IN A     75.126.168.152
mail1                  3600    IN A     208.43.79.236
mail2                  3600    IN A     67.228.49.229
out-router             3600    IN A     208.43.79.100

Finally, reload data:
# rndc reload
Test it, enter:
$ ping in-router.nixcraft.com
$ ping out-router.nixcraft.com

Recommend readings:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 6 comments… read them below or add one }

1 Damian Myerscough November 21, 2009 at 6:09 pm

Nice article. The arcitle title should have the keyword “Stealth DNS Server” because that
is what this setup is :-)

Reply

2 prashant November 23, 2009 at 1:29 pm

This type of DNS setup is Split-Horizon DNS, as desribed in the URL
http://www.zytrax.com/books/dns/ch4/#split

Reply

3 Manpreet November 27, 2009 at 7:18 pm

Nice One

Does this means that we need a “two” zone entries in named.conf, one allowing recursion for LAN users and other without recursion for external users?

Doesn’t this will make named.conf a “BIT” large (in view of performance), if we are managing 3000+ domains?

Reply

4 M March 19, 2011 at 10:14 pm

Mar 19 19:12:24 cerberus named[12700]: loading configuration from ‘/etc/bind/named.conf’
Mar 19 19:12:24 cerberus named[12700]: /etc/bind/named.conf.local:9: when using ‘view’ statements, all zones must be in views
Mar 19 19:12:24 cerberus named[12700]: /etc/bind/named.conf.options:19: both “recursion no;” and “allow-recursion” active for view external-view
Mar 19 19:12:24 cerberus named[12700]: loading configuration: failure
Mar 19 19:12:24 cerberus named[12700]: exiting (due to fatal error)

Reply

5 Justin Edmands October 24, 2014 at 5:49 pm

Hey,
Thanks for the tutorial. I am 99% finished with my zone file.
My issue is that if I have a zone file for example.com. , all hosts such as host1.example.com host2.example.com server2.example.com server3.example.com no longer resolve. All hosts outside of example.com are OK. I can do “host google.com” or “host red.com” and I get that back just fine. But everything in the example.com domain is now unresolvable.

I only wanted to use this zone file to “override” a few records that are in DNS. This essentially takes overthe entire domain. How do I accomplish this in a different way?

Reply

6 Matthew December 5, 2014 at 1:50 pm

One note: Order matters. If your named.conf file lists the view with “match-clients { any;};” before a more restrictive view, the more restrictive view will never be used.

Reply

Leave a Comment

Tagged as: , , , , , ,

Previous Faq:

Next Faq: