BIND 9 Configure Views To Partition External and Internal DNS Information

How do I configure BIND 9 DNS server views so that a single nameserver in my DMZ can serve different sets of data to different sets of clients? For example, I'd like to offer recursion and extra LAN-only records to LAN users (192.168.1.0/24), while Internet users get only a limited set of records and no recursion. How do I configure views to partition external (Internet) and internal (LAN) DNS information?


You need to edit /etc/named.conf (or /var/named/chroot/etc/named.conf when named runs in a chroot). The following configuration was tested on FreeBSD and RHEL 5.x BIND 9 servers:
# vi /var/named/chroot/etc/named.conf
Append the following to define the internal subnet (192.168.1.0/24 plus localhost), which gets the full data set and recursion:

acl internal {
   192.168.1.0/24;
   localhost;
};

Define the zones and other data as per your requirements. Views are tried in the order they appear in named.conf, and the first view whose match-clients list matches the querying address is used, so the restrictive internal view must come before the catch-all external view. Both views serve the same zone name, nixcraft.com, but from different files; that is what lets LAN clients and Internet clients get different answers for the same names:

//
// LAN view: recursion is the default (yes), so LAN clients can resolve
// anything; the root hints are needed for that.
//
view "internal-view" {
  match-clients { internal; };
  zone "." IN {
    type hint;
    file "db.cache";
  };
  // same zone name as in the external view, but this file also holds LAN records
  zone "nixcraft.com" IN {
    type master;
    file "zones/lan.master.nixcraft.com";
    allow-transfer { key TRANSFER; };
  };
};
//
// External (Internet) view: authoritative only, no recursion
//
view "external-view" {
  match-clients { any; };
  recursion no;
  zone "nixcraft.com" IN {
    type master;
    file "zones/internet.master.nixcraft.com";
    allow-transfer { key TRANSFER; };
  };
};

Make sure you configure TSIG as described here. The key named TRANSFER must be declared with a key statement in named.conf before either view refers to it, or named will refuse to load the configuration. Also remember that a secondary server is matched against match-clients like any other client: a secondary on the LAN transfers the internal data, a secondary on the Internet transfers the external data, so place your secondaries (and their NOTIFY targets) on the correct side.
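To see why the order of the view statements matters (views are tried top to bottom, and the first match-clients list that matches the client wins, so a view with match-clients { any; } placed first shadows everything after it), here is an added example that simulates that selection with Python's ipaddress module. It is not code from the page or from BIND. The ACL contents, the expansion of the built-in names localhost/any/none, and the test client 203.0.113.9 (a documentation address) are assumptions of this example; BIND's real address-match engine also handles TSIG keys, GeoIP and other element types that are not modelled here.

```python
"""Added example (not from the original page or BIND): simulate how BIND 9
picks a view for a client, to check the effect of view order and ACL order.

Assumed semantics (true for BIND 9, but stated here as the model's rules):
views are evaluated in named.conf order and the first match wins; inside an
address-match list the elements are tried in order, the first matching
element decides, and a '!'-prefixed element means "match, but deny".
"""
from ipaddress import ip_address, ip_network

# The acl "internal" from the page, plus BIND's built-in names expanded
# into prefixes for this simulation (assumption of the example).
ACLS = {
    "internal": ["192.168.1.0/24", "localhost"],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}


def acl_matches(elements, client, acls=ACLS):
    """Evaluate an address-match list for one client address.

    Returns True (matched, allowed), False (matched a negated element,
    denied) or None (no element matched at all).
    """
    addr = ip_address(client)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name in acls:                      # nested acl or built-in name
            nested = acl_matches(acls[name], client, acls)
            if nested is None:
                continue
            return nested != negate           # outer '!' flips the result
        net = ip_network(name, strict=False)
        if addr.version == net.version and addr in net:
            return not negate
    return None


def select_view(views, client):
    """views: ordered list of (view_name, match_clients_elements).

    Returns the name of the first view whose match-clients list allows the
    client, or None (named would answer REFUSED in that case).
    """
    for name, match_clients in views:
        if acl_matches(match_clients, client):
            return name
    return None


# The page's order: restrictive view first, catch-all view last.
PAGE_ORDER = [
    ("internal-view", ["internal"]),
    ("external-view", ["any"]),
]
# The mistake from the comments below: catch-all view first.
WRONG_ORDER = list(reversed(PAGE_ORDER))

if __name__ == "__main__":
    # Constructed test clients: a LAN host, the server itself, an Internet host.
    for client in ("192.168.1.5", "127.0.0.1", "203.0.113.9"):
        print(f"{client:>13}: page order -> {select_view(PAGE_ORDER, client)}, "
              f"reversed -> {select_view(WRONG_ORDER, client)}")
```

With the page's order the LAN host and localhost land in internal-view and the Internet host in external-view; with the views reversed every client, including the LAN, ends up in external-view and loses recursion, which is exactly the symptom reported in the comments.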

Create Zone Files

First, create required directories, enter:
# mkdir -p /var/named/chroot/var/named/zones
# chown named:named /var/named/chroot/var/named/zones

Create Internal Zone With LAN IP Data

Edit /var/named/chroot/var/named/zones/lan.master.nixcraft.com:
# vi /var/named/chroot/var/named/zones/lan.master.nixcraft.com
Append the following data. Note that this file carries the public records as well as the LAN-only ones, so LAN clients still resolve the public hosts:

$ORIGIN nixcraft.com.
$TTL 3h
@        IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
                       2008070301      ; Serial yyyymmddnn (must fit in 32 bits)
                       3h              ; Refresh after 3 hours
                       1h              ; Retry after 1 hour
                       1w              ; Expire after 1 week
                       1h )            ; Minimum / negative caching of 1 hour

@                          IN NS    ns1.nixcraft.com.
@                          IN NS    ns2.nixcraft.com.

@                      3600    IN MX 10 mail1.nixcraft.com.
@                      3600    IN MX 20 mail2.nixcraft.com.

; public data (identical to the external zone file)
@                      3600    IN A     208.43.79.236
ns1                    3600    IN A     208.43.138.52
ns2                    3600    IN A     75.126.168.152
mail1                  3600    IN A     208.43.79.236
mail2                  3600    IN A     67.228.49.229
out-router             3600    IN A     208.43.79.100
; lan data (RFC 1918 addresses; these must never appear in the external file)
wks1                   3600    IN A     192.168.1.5
wks2                   3600    IN A     192.168.1.5
wks3                   3600    IN A     192.168.1.5
in-router              3600    IN A     192.168.1.254
; add other LAN-specific data below

Edit /var/named/chroot/var/named/zones/internet.master.nixcraft.com:
# vi /var/named/chroot/var/named/zones/internet.master.nixcraft.com
Same as above, but without the LAN records (no private addresses at all):

$ORIGIN nixcraft.com.
$TTL 3h
@        IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
                       2008070301      ; Serial yyyymmddnn (must fit in 32 bits)
                       3h              ; Refresh after 3 hours
                       1h              ; Retry after 1 hour
                       1w              ; Expire after 1 week
                       1h )            ; Minimum / negative caching of 1 hour

@                          IN NS    ns1.nixcraft.com.
@                          IN NS    ns2.nixcraft.com.

@                      3600    IN MX 10 mail1.nixcraft.com.
@                      3600    IN MX 20 mail2.nixcraft.com.

@                      3600    IN A     208.43.79.236
ns1                    3600    IN A     208.43.138.52
ns2                    3600    IN A     75.126.168.152
mail1                  3600    IN A     208.43.79.236
mail2                  3600    IN A     67.228.49.229
out-router             3600    IN A     208.43.79.100

Finally, reload the configuration and zone data:
# rndc reload
Test it from a LAN client and from a host on the Internet: in-router should resolve only from the LAN, out-router from both sides, and a query for a name outside nixcraft.com should be answered for LAN clients but refused for Internet clients (no recursion). From the LAN, enter:
$ ping in-router.nixcraft.com
$ ping out-router.nixcraft.com

7 comments
  • Damian Myerscough Nov 21, 2009 @ 18:09

    Nice article. The article title should have the keyword “Stealth DNS Server” because that is what this setup is :-)

  • prashant Nov 23, 2009 @ 13:29

    This type of DNS setup is Split-Horizon DNS, as described in the URL
    http://www.zytrax.com/books/dns/ch4/#split

  • Manpreet Nov 27, 2009 @ 19:18

    Nice One

    Does this mean that we need “two” zone entries in named.conf, one allowing recursion for LAN users and the other without recursion for external users?

    Won't this make named.conf a “BIT” large (in view of performance) if we are managing 3000+ domains?

  • M Mar 19, 2011 @ 22:14

    Mar 19 19:12:24 cerberus named[12700]: loading configuration from ‘/etc/bind/named.conf’
    Mar 19 19:12:24 cerberus named[12700]: /etc/bind/named.conf.local:9: when using ‘view’ statements, all zones must be in views
    Mar 19 19:12:24 cerberus named[12700]: /etc/bind/named.conf.options:19: both “recursion no;” and “allow-recursion” active for view external-view
    Mar 19 19:12:24 cerberus named[12700]: loading configuration: failure
    Mar 19 19:12:24 cerberus named[12700]: exiting (due to fatal error)

  • Justin Edmands Oct 24, 2014 @ 17:49

    Hey,
    Thanks for the tutorial. I am 99% finished with my zone file.
    My issue is that if I have a zone file for example.com., all hosts such as host1.example.com, host2.example.com, server2.example.com and server3.example.com no longer resolve. All hosts outside of example.com are OK. I can do “host google.com” or “host red.com” and I get that back just fine. But everything in the example.com domain is now unresolvable.

    I only wanted to use this zone file to “override” a few records that are in DNS. This essentially takes over the entire domain. How do I accomplish this in a different way?

  • Matthew Dec 5, 2014 @ 13:50

    One note: Order matters. If your named.conf file lists the view with “match-clients { any;};” before a more restrictive view, the more restrictive view will never be used.

  • Jones Dec 10, 2015 @ 18:59

    Thank you Matthew!!
    Would be worth adding to the guide I think, saved me from going nuts ;)
