How do I configure BIND 9 DNS server views so that a single nameserver in my DMZ makes different sets of data available to different sets of clients? For example, I'd like to offer recursion plus some extra data to LAN users (192.168.1.0/24), while Internet users see only limited DNS data without recursion. How do I configure views to partition external (Internet) and internal (LAN) DNS information?
You need to edit /etc/named.conf (or /var/named/chroot/etc/named.conf on a chrooted install); the following configuration is tested on FreeBSD and RHEL 5.x BIND 9 servers. Run:
# vi /var/named/chroot/etc/named.conf
Append the following to define the internal subnet (192.168.1.0/24 plus localhost), which gets full access and recursion:
acl internal {
    192.168.1.0/24;
    localhost;
};
Define the zones and other data as per your requirements. BIND tries the view statements in the order they appear and uses the first one whose match-clients matches the querying address, so the internal view must come before the catch-all external view:
//
// LAN view: recursion is the default
//
view "internal-view" {
    match-clients { internal; };
    // root hints so that recursive lookups for LAN clients can start somewhere
    zone "." IN {
        type hint;
        file "db.cache";
    };
    // same zone name as in the external view, but loaded from the LAN data file
    zone "nixcraft.com" IN {
        type master;
        file "zones/lan.master.nixcraft.com";
        allow-transfer { key TRANSFER; };   // TSIG key, see below
    };
};
//
// external view without recursion
//
view "external-view" {
    match-clients { any; };
    recursion no;
    zone "nixcraft.com" IN {
        type master;
        file "zones/internet.master.nixcraft.com";
        allow-transfer { key TRANSFER; };   // TSIG key, see below
    };
};
Make sure you configure TSIG and define the key named TRANSFER as described in the TSIG article listed under Recommended readings; otherwise named refuses to load this configuration.
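To see why the order of the two view statements matters, here is an added example (not code from the original article) that simulates how BIND 9 chooses a view: it walks the views in definition order and hands the query to the first one whose match-clients ACL accepts the client's source address. The view list mirrors the named.conf above; the client addresses are constructed sample values, and the "localhost" handling is a simplification (assumption: loopback only, whereas BIND's built-in localhost ACL covers every address on the server).

```python
"""Simulate BIND 9 view selection for the split-horizon named.conf above.

Added example, not part of the original article. ACL evaluation is an
approximation of BIND's: elements are tried in order, the first element
that decides (positively or via '!' negation) wins, and nested ACLs are
evaluated the same way.
"""
import ipaddress

# The ACL from the article: the LAN plus localhost.
ACLS = {
    "internal": ["192.168.1.0/24", "localhost"],
}

# Views in the order they appear in the article's named.conf.
VIEWS = [
    {"name": "internal-view", "match_clients": ["internal"], "recursion": True},
    {"name": "external-view", "match_clients": ["any"], "recursion": False},
]


def acl_matches(element, client):
    """Return True/False when the element decides, None when it says nothing."""
    if element.startswith("!"):
        inner = acl_matches(element[1:], client)
        return None if inner is None else not inner
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        # Assumption: only the loopback networks; BIND's localhost ACL also
        # includes every address configured on the server's interfaces.
        return True if client.is_loopback else None
    if element in ACLS:
        for sub in ACLS[element]:
            verdict = acl_matches(sub, client)
            if verdict is not None:
                return verdict
        return None
    # Plain prefix such as 192.168.1.0/24
    return True if client in ipaddress.ip_network(element, strict=False) else None


def select_view(client_ip, views=VIEWS):
    """Name of the first view (in named.conf order) that accepts the client, or None."""
    client = ipaddress.ip_address(client_ip)
    for view in views:
        for element in view["match_clients"]:
            verdict = acl_matches(element, client)
            if verdict is True:
                return view["name"]
            if verdict is False:
                break  # a negated or 'none' entry rejects the client from this view
    return None  # no view matched: named answers REFUSED


def recursion_for(client_ip, views=VIEWS):
    """Whether the view serving this client offers recursion (False if no view matches)."""
    name = select_view(client_ip, views)
    return bool(name) and next(v["recursion"] for v in views if v["name"] == name)


if __name__ == "__main__":
    for ip in ("192.168.1.5", "127.0.0.1", "203.0.113.7"):  # constructed clients
        print(ip, "->", select_view(ip), "recursion:", recursion_for(ip))
    # Swapping the views puts the catch-all first and the LAN ends up external.
    print("reversed order, 192.168.1.5 ->", select_view("192.168.1.5", list(reversed(VIEWS))))
```

Running it shows the LAN host and localhost landing in internal-view with recursion and the Internet address landing in external-view without it; with the views reversed, the LAN host is served the external data, which is exactly the mistake that makes the internal records unreachable and recursion unavailable to the LAN.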
Create Zone Files
First, create the required directory and give it to the named user, enter:
# mkdir -p /var/named/chroot/var/named/zones
# chown named:named /var/named/chroot/var/named/zones
Create Internal Zone With LAN IP Data
Edit /var/named/chroot/var/named/zones/lan.master.nixcraft.com, run:
# vi /var/named/chroot/var/named/zones/lan.master.nixcraft.com
Append the data, enter:
$ORIGIN nixcraft.com.
$TTL 3h
@ IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
        2008070328 ; Serial yyyymmddnn (must fit in 32 bits)
        3h         ; Refresh after 3 hours
        1h         ; Retry after 1 hour
        1w         ; Expire after 1 week
        1h )       ; Minimum negative caching of 1 hour
@ IN NS ns1.nixcraft.com.
@ IN NS ns2.nixcraft.com.
@ 3600 IN MX 10 mail1.nixcraft.com.
@ 3600 IN MX 20 mail2.nixcraft.com.
@ 3600 IN A 208.43.79.236
ns1 3600 IN A 208.43.138.52
ns2 3600 IN A 75.126.168.152
mail1 3600 IN A 208.43.79.236
mail2 3600 IN A 67.228.49.229
out-router 3600 IN A 208.43.79.100
; lan data
wks1 3600 IN A 192.168.1.5
wks2 3600 IN A 192.168.1.5
wks3 3600 IN A 192.168.1.5
in-router 3600 IN A 192.168.1.254
; add other lan specific data below
Edit /var/named/chroot/var/named/zones/internet.master.nixcraft.com, run:
# vi /var/named/chroot/var/named/zones/internet.master.nixcraft.com
Same as above, but without the LAN data:
$ORIGIN nixcraft.com.
$TTL 3h
@ IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
        2008070328 ; Serial yyyymmddnn (must fit in 32 bits)
        3h         ; Refresh after 3 hours
        1h         ; Retry after 1 hour
        1w         ; Expire after 1 week
        1h )       ; Minimum negative caching of 1 hour
@ IN NS ns1.nixcraft.com.
@ IN NS ns2.nixcraft.com.
@ 3600 IN MX 10 mail1.nixcraft.com.
@ 3600 IN MX 20 mail2.nixcraft.com.
@ 3600 IN A 208.43.79.236
ns1 3600 IN A 208.43.138.52
ns2 3600 IN A 75.126.168.152
mail1 3600 IN A 208.43.79.236
mail2 3600 IN A 67.228.49.229
out-router 3600 IN A 208.43.79.100
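Before reloading, it is worth checking the zone files for the two mistakes that most often break this setup: a LAN-only record pasted into the file served to the Internet, and an SOA serial that does not fit in 32 bits (named then refuses to load the zone). The following added example (not code from the original article) parses the master-file subset used above and runs both checks; the embedded zone texts are constructed, shortened copies of the LAN and Internet zones with the article's sample addresses, and the parser handles only that subset (no $INCLUDE, no numeric owner names).

```python
"""Pre-reload checks for split-horizon zone files.

Added example, not part of the original article. The zone texts are
constructed samples modelled on the article's lan.master.nixcraft.com and
internet.master.nixcraft.com files.
"""
import ipaddress
import re

INTERNAL_ZONE = """\
$ORIGIN nixcraft.com.
$TTL 3h
@ IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
        2008070328 ; Serial yyyymmddnn
        3h ; Refresh
        1h ; Retry
        1w ; Expire
        1h ) ; Minimum
@ IN NS ns1.nixcraft.com.
@ 3600 IN A 208.43.79.236
ns1 3600 IN A 208.43.138.52
; lan data
wks1 3600 IN A 192.168.1.5
in-router 3600 IN A 192.168.1.254
"""

EXTERNAL_ZONE = """\
$ORIGIN nixcraft.com.
$TTL 3h
@ IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
        2008070328 ; Serial yyyymmddnn
        3h ; Refresh
        1h ; Retry
        1w ; Expire
        1h ) ; Minimum
@ IN NS ns1.nixcraft.com.
@ 3600 IN A 208.43.79.236
ns1 3600 IN A 208.43.138.52
"""

# Constructed broken variant: an 11-digit serial (yyyymmddnn typo) and a LAN
# record copied into the Internet zone by mistake.
LEAKY_EXTERNAL_ZONE = (EXTERNAL_ZONE.replace("2008070328", "20080703328")
                       + "in-router 3600 IN A 192.168.1.254\n")


def parse_zone(text):
    """Parse the master-file subset used in the article.

    Strips ';' comments, joins parenthesised multi-line records (the SOA) and
    returns (owner, rrtype, rdata_tokens) triples. TTL and class are dropped
    because the checks below do not need them.
    """
    joined, depth, buf = [], 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined.append(" ".join(buf))
            buf = []
    records, origin = [], "."
    for line in joined:
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        owner = origin if toks[0] == "@" else toks[0]
        rest = toks[1:]
        if rest and re.fullmatch(r"\d+[smhdw]?", rest[0], re.I):
            rest = rest[1:]  # optional TTL field
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]  # optional class field
        records.append((owner, rest[0].upper(), rest[1:]))
    return records


def soa_serial_problems(records):
    """Problems with the SOA serial; empty list when it is a valid 32-bit value."""
    problems = []
    for _owner, rrtype, rdata in records:
        if rrtype == "SOA" and int(rdata[2]) > 0xFFFFFFFF:
            problems.append(f"SOA serial {rdata[2]} exceeds 32 bits; named will not load the zone")
    return problems


def leaked_private_addresses(records):
    """(owner, address) pairs whose A/AAAA rdata is a private (RFC 1918 etc.) address."""
    return [(owner, rdata[0]) for owner, rrtype, rdata in records
            if rrtype in ("A", "AAAA") and ipaddress.ip_address(rdata[0]).is_private]


def check_external_zone(text):
    """Run both checks on the zone meant for the Internet view; returns a list of problems."""
    records = parse_zone(text)
    problems = soa_serial_problems(records)
    problems += [f"{owner} resolves to private address {addr} in the external zone"
                 for owner, addr in leaked_private_addresses(records)]
    return problems


if __name__ == "__main__":
    print("clean external zone:", check_external_zone(EXTERNAL_ZONE) or "OK")
    print("leaky external zone:", check_external_zone(LEAKY_EXTERNAL_ZONE))
```

The LAN zone is expected to carry private addresses, so only the Internet zone is checked for leaks; a reasonable pre-reload hook is to run check_external_zone over the real internet.master file and refuse to run rndc reload while it reports anything.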
Finally, reload the configuration and zone data:
# rndc reload
Test it from a LAN host and from an Internet host (in-router should only resolve from the LAN), enter:
$ ping in-router.nixcraft.com
$ ping out-router.nixcraft.com
Recommended readings:
- Bind Security: Transaction Signatures (TSIG) Configuration
- named.conf, and named man page
- BIND 9 Administrator Reference Manual
Nice article. The article title should have the keyword "Stealth DNS Server" because that is what this setup is :-)
This type of DNS setup is Split-Horizon DNS, as described in the URL
http://www.zytrax.com/books/dns/ch4/#split
Nice One
Does this mean that we need "two" zone entries in named.conf, one allowing recursion for LAN users and the other without recursion for external users?
Won't this make named.conf a "BIT" large (in view of performance) if we are managing 3000+ domains?
Mar 19 19:12:24 cerberus named[12700]: loading configuration from '/etc/bind/named.conf'
Mar 19 19:12:24 cerberus named[12700]: /etc/bind/named.conf.local:9: when using 'view' statements, all zones must be in views
Mar 19 19:12:24 cerberus named[12700]: /etc/bind/named.conf.options:19: both "recursion no;" and "allow-recursion" active for view external-view
Mar 19 19:12:24 cerberus named[12700]: loading configuration: failure
Mar 19 19:12:24 cerberus named[12700]: exiting (due to fatal error)