Saturday, August 25, 2012

Using views in bind 9

If you need a DNS server that resolves the same name to different addresses depending on the IP address of the client making the request, this article may interest you.

What you need is to configure views, which allow a single zone to serve different data to different clients.

This is very useful in the following cases:
  • A DNS server connected to two or more networks with different needs.
  • A DNS server connected to the Internet and an intranet, where the intranet addresses are private and you may have additional services for internal use only.
  • A DNS server connected to a single network but receiving requests from other networks for which you may need to resolve differently.
Let's see how views work. For my example, I'll assume you already read the article Basic DNS configuration, since this is an evolution of that configuration.

The steps should be:
  1. Go to /etc/bind and backup the file named.conf.local (just in case, you never know):
    cp named.conf.local named.conf.local.20120825
  2. For every view you can decide which clients will match it with the directive match-clients, where you can specify the addresses directly or use an ACL, as in my example.
  3. The file named.conf.local could be similar to this one:
    //
    // Do any local configuration here
    //

    acl "company-net" { 192.168.56.0/24; 192.168.100.0/24; };

    view "private" {

        match-clients { "company-net"; };

        zone "yourcompany.com" {
            type master;
            file "/etc/bind/db.yourcompany.com-private";
        };

    };

    view "public" {

        match-clients { any; };

        zone "yourcompany.com" {
            type master;
            file "/etc/bind/db.yourcompany.com-public";
        };

    };

    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";
  4. In this case, requests from clients on the networks 192.168.56.0/24 and 192.168.100.0/24 will be answered from the file db.yourcompany.com-private, and all other requests from the file db.yourcompany.com-public.
  5. Now copy the original file to db.yourcompany.com-private (just in case) and to db.yourcompany.com-public (this is the one we'll modify in a minute).
    sergio@zeus:/etc/bind$ sudo cp db.yourcompany.com db.yourcompany.com-private
    sergio@zeus:/etc/bind$ sudo cp db.yourcompany.com db.yourcompany.com-public
  6. We'll leave the private zone file unmodified and edit the public zone file so that it has fewer records and different IP addresses for the services. The result is:
    ; BIND forward zone file for yourcompany.com
    ;
    $TTL    86400
    @       IN    SOA    zeus.yourcompany.com. hostmaster.yourcompany.com. (
                      1        ; Serial
                  43200        ; Refresh (12h)
                   3600        ; Retry (1h)
                2419200        ; Expire (2 weeks)
                  86400 )      ; Negative Cache TTL
    ;
    @       IN    NS    zeus.yourcompany.com.
    zeus    IN    A     213.176.100.20
    atila   IN    A     213.176.100.21
    www     IN    CNAME atila
  7. Compare the two files to see the differences. Go to Basic DNS configuration to see the original.
  8. At this point, if you restart bind, you'll have trouble because ALL the zones MUST be in VIEWS.
  9. This means that all the includes in the file named.conf must lead to zones in views. Therefore, you should modify the file named.conf.default-zones according to what has been explained (for instance, you could put all the default zones in a general view that allows access from any client).
  10. Backup the file:
    sudo cp named.conf.default-zones named.conf.default-zones.20120825
  11. Modify it by adding the first two lines at the top, and don't forget the closing }; at the bottom:
    view "general" {

    match-clients { any; };

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    };
  12. Now restart the DNS server:
    sudo service bind9 restart
  13. And make some queries to check it. From the private network (using a client with IP address 192.168.56.2) we can resolve www and ramses, getting their addresses on this network:
    sergio@odin:~$ sudo ifconfig vboxnet0
    vboxnet0  Link encap:Ethernet  direcciónHW 0a:00:27:00:00:00 
              Direc. inet:192.168.56.2  Difus.:192.168.56.255  Másc:255.255.255.0
              Dirección inet6: fe80::800:27ff:fe00:0/64 Alcance:Enlace
              ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST  MTU:1500  Métrica:1
              Paquetes RX:0 errores:0 perdidos:0 overruns:0 frame:0
              Paquetes TX:73 errores:0 perdidos:0 overruns:0 carrier:0
              colisiones:0 long.colaTX:1000
              Bytes RX:0 (0.0 B)  TX bytes:13181 (13.1 KB)
    sergio@odin:~$ nslookup
    > server zeus
    Default server: zeus
    Address: 192.168.56.101#53
    > www.yourcompany.com
    Server:        zeus
    Address:    192.168.56.101#53

    www.yourcompany.com    canonical name = atila.yourcompany.com.
    Name:    atila.yourcompany.com
    Address: 192.168.56.102
    > ramses.yourcompany.com
    Server:        zeus
    Address:    192.168.56.101#53

    Name:    ramses.yourcompany.com
    Address: 192.168.56.103
    > exit
  14. However, from outside the private network we get the public IP address of www but not of ramses, which isn't in the public zone file:
    coord@mudel:~$ sudo ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 08:00:27:d3:f8:c1 
              inet addr:192.168.1.145  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fed3:f8c1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
              TX packets:598 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1269977 (1.2 MiB)  TX bytes:52897 (51.6 KiB)

    coord@mudel:~$ nslookup
    > server zeus
    Default server: zeus
    Address: 192.168.1.143#53
    > www.yourcompany.com
    Server:        zeus
    Address:    192.168.1.143#53

    www.yourcompany.com    canonical name = atila.yourcompany.com.
    Name:    atila.yourcompany.com
    Address: 213.176.100.21
    > ramses.yourcompany.com
    Server:        zeus
    Address:    192.168.1.143#53

    ** server can't find ramses.yourcompany.com: NXDOMAIN
    > exit
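As an added example (not from the post), the following Python script models how BIND evaluates match-clients for the views configured in step 3: views are tried in file order and the first one whose address list accepts the client wins, so a catch-all `{ any; }` view placed before "private" would silently take every client. The embedded configuration is a constructed abbreviation of the named.conf.local shown above, and the parser is a simplification that expects match-clients before any nested block in a view.

```python
import ipaddress
import re

# Constructed named.conf excerpt modelled on the post's views (not the post's
# exact file). named uses the first view whose match-clients accepts the client,
# so the catch-all "public" view has to come after "private".
NAMED_CONF = '''
acl "company-net" { 192.168.56.0/24; 192.168.100.0/24; };
view "private" { match-clients { "company-net"; }; zone "yourcompany.com" { type master; file "db-private"; }; };
view "public"  { match-clients { any; }; zone "yourcompany.com" { type master; file "db-public"; }; };
'''
ACL_RE = re.compile(r'\bacl\s+"?([^"\s{]+)"?\s*\{([^}]*)\}')
# Simplification: match-clients must appear before any nested block in the view.
VIEW_RE = re.compile(r'\bview\s+"([^"]+)"\s*\{[^}]*?match-clients\s*\{([^}]*)\}')

def parse_conf(conf):
    """Return ({acl_name: elements}, [(view_name, elements)]) in file order."""
    split = lambda body: [e.strip() for e in body.split(';') if e.strip()]
    return ({n: split(b) for n, b in ACL_RE.findall(conf)},
            [(n, split(b)) for n, b in VIEW_RE.findall(conf)])

def match_list(elements, ip, acls):
    """First matching element decides: True accept, False reject (negated), None no match."""
    for elem in elements:
        negated = elem.startswith('!')
        name = elem.lstrip('!').strip().strip('"')
        if name in ('any', 'none'):
            hit = name == 'any'
        elif name in acls:
            # named treats a negative match inside a nested ACL as "no match"
            hit = match_list(acls[name], ip, acls) is True
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None

def select_view(client_ip, conf):
    """Name of the first view whose match-clients accepts client_ip, else None."""
    acls, views = parse_conf(conf)
    ip = ipaddress.ip_address(client_ip)
    return next((n for n, el in views if match_list(el, ip, acls) is True), None)

def shadowed_views(conf):
    """Views no client can ever reach because an earlier view already matches any."""
    shadowed, catch_all = [], False
    for name, elements in parse_conf(conf)[1]:
        if catch_all:
            shadowed.append(name)
        catch_all |= 'any' in elements and not any(e.startswith('!') for e in elements)
    return shadowed
```

Running `select_view` with the two client addresses used in steps 13 and 14 reproduces the view choice seen in the nslookup sessions, and `shadowed_views` flags a misordered configuration before you restart named.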
