What you need is to configure views, which allow a single zone to serve different data depending on which client is asking.
This is very useful in the following cases:
- A DNS server connected to two or more networks with different needs.
- A DNS server connected to the Internet and to an intranet, where the IP addresses are local and you might have more services for private use.
- A DNS server connected to a single network but receiving requests from other networks for which you may need to resolve differently.
The steps should be:
- Go to /etc/bind and backup the file named.conf.local (just in case, you never know):
cp named.conf.local named.conf.local.20120825
- For every view you can decide which clients will match it with the directive match-clients, where you can specify the addresses directly or use an ACL, as in my example.
- The file named.conf.local could be similar to this one:
//
// Do any local configuration here
//
acl "company-net" { 192.168.56.0/24; 192.168.100.0/24; };
view "private" {
match-clients { "company-net"; };
zone "yourcompany.com" {
type master;
file "/etc/bind/db.yourcompany.com-private";
};
};
view "public" {
match-clients { any; };
zone "yourcompany.com" {
type master;
file "/etc/bind/db.yourcompany.com-public";
};
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
- In this case, requests from clients on the networks 192.168.56.0/24 and 192.168.100.0/24 will get the data from the file db.yourcompany.com-private, and the rest will get it from the file db.yourcompany.com-public. Views are tried in the order they appear in the file, so the private view must come before the public one, whose match-clients { any; } accepts everybody.
- Now copy the original file to db.yourcompany.com-private (just in case) and to db.yourcompany.com-public (this is the one we'll modify in a minute).
sergio@zeus:/etc/bind$ sudo cp db.yourcompany.com db.yourcompany.com-private
sergio@zeus:/etc/bind$ sudo cp db.yourcompany.com db.yourcompany.com-public
- We'll leave the private zone file unmodified and edit the public zone file so that it has fewer records and different IP addresses for the services. The result is:
; BIND forward zone file for yourcompany.com zone
;
$TTL 86400
@ IN SOA zeus.yourcompany.com. hostmaster.yourcompany.com. (
1 ; Serial
43200 ; Refresh (12h)
3600 ; Retry (1h)
2419200 ; Expire (2 weeks)
86400 ) ; Negative Cache TTL
;
@ IN NS zeus.yourcompany.com.
zeus IN A 213.176.100.20
atila IN A 213.176.100.21
www IN CNAME atila
- Compare the two files to see the differences. Go to Basic DNS configuration to see the original.
- At this point, if you restart BIND you'll have trouble, because once views are used ALL the zones MUST be in VIEWS.
- This means that all the includes in the file named.conf must lead to zones inside views. Therefore, you should modify the file named.conf.default-zones along the lines explained above (you could, for instance, put all the default zones in a general view that allows access from any client).
- Backup the file:
sudo cp named.conf.default-zones named.conf.default-zones.20120825
- Modify it by just adding the first two lines at the top, and don't forget the closing }; at the bottom:
view "general" {
match-clients { any; };
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
};
- Now restart the DNS server:
sudo service bind9 restart
- And make some queries to check it. From the private network (using a client with IP address 192.168.56.2) we can resolve www and ramses, getting their addresses on this network:
sergio@odin:~$ sudo ifconfig vboxnet0
vboxnet0 Link encap:Ethernet direcciónHW 0a:00:27:00:00:00
Direc. inet:192.168.56.2 Difus.:192.168.56.255 Másc:255.255.255.0
Dirección inet6: fe80::800:27ff:fe00:0/64 Alcance:Enlace
ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST MTU:1500 Métrica:1
Paquetes RX:0 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:73 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:1000
Bytes RX:0 (0.0 B) TX bytes:13181 (13.1 KB)
sergio@odin:~$ nslookup
> server zeus
Default server: zeus
Address: 192.168.56.101#53
> www.yourcompany.com
Server: zeus
Address: 192.168.56.101#53
www.yourcompany.com canonical name = atila.yourcompany.com.
Name: atila.yourcompany.com
Address: 192.168.56.102
> ramses.yourcompany.com
Server: zeus
Address: 192.168.56.101#53
Name: ramses.yourcompany.com
Address: 192.168.56.103
> exit
- However, from outside the private network we get the public IP address of www but not ramses, which wasn't in the public zone data file:
coord@mudel:~$ sudo ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:d3:f8:c1
inet addr:192.168.1.145 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fed3:f8c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
TX packets:598 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1269977 (1.2 MiB) TX bytes:52897 (51.6 KiB)
coord@mudel:~$ nslookup
> server zeus
Default server: zeus
Address: 192.168.1.143#53
> www.yourcompany.com
Server: zeus
Address: 192.168.1.143#53
www.yourcompany.com canonical name = atila.yourcompany.com.
Name: atila.yourcompany.com
Address: 213.176.100.21
> ramses.yourcompany.com
Server: zeus
Address: 192.168.1.143#53
** server can't find ramses.yourcompany.com: NXDOMAIN
> exit
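As an added check that is not part of the original post: a small Python script that mimics how named picks the view for a client (the first view in file order whose match-clients accepts the source address, with ACL references resolved) and flags any zone left outside a view, which is the mistake that breaks the restart described above. The parser is a deliberate simplification (regular expressions, match-clients assumed to be the first directive of each view, negated elements not handled), and the sample configuration is constructed from the named.conf.local shown earlier.

```python
import ipaddress
import re
# Constructed sample modelled on the post's named.conf.local, plus a stray zone left outside any view.
SAMPLE_CONF = """
acl "company-net" { 192.168.56.0/24; 192.168.100.0/24; };
view "private" {
    match-clients { "company-net"; };
    zone "yourcompany.com" { type master; file "/etc/bind/db.yourcompany.com-private"; };
};
view "public" {
    match-clients { any; };
    zone "yourcompany.com" { type master; file "/etc/bind/db.yourcompany.com-public"; };
};
zone "localhost" { type master; file "/etc/bind/db.local"; };  // forgot to move this into a view
"""

def _elements(body):
    return [e.strip().strip('"') for e in body.split(';') if e.strip()]

def parse(conf):
    """Return ({acl: elements}, [(view, match-clients)] in file order); match-clients must come first in each view."""
    conf = re.sub(r'//[^\n]*|#[^\n]*', '', conf)  # drop comments before looking at braces
    acls = {n: _elements(b) for n, b in re.findall(r'\bacl\s+"([^"]+)"\s*\{([^}]*)\}', conf)}
    views = [(n, _elements(b)) for n, b in
             re.findall(r'\bview\s+"([^"]+)"\s*\{\s*match-clients\s*\{([^}]*)\}', conf)]
    return acls, views

def address_matches(elements, ip, acls):
    # Supports 'any', CIDR prefixes and references to named ACLs; negated (!) elements are not modelled.
    for element in elements:
        if element == 'any':
            return True
        if element in acls:
            if address_matches(acls[element], ip, acls):
                return True
        elif ip in ipaddress.ip_network(element, strict=False):
            return True
    return False

def select_view(conf, client_ip):
    # Views are tried in file order: the first whose match-clients accepts the client serves it.
    acls, views = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    return next((name for name, clients in views if address_matches(clients, ip, acls)), None)

def zones_outside_views(conf):
    # Zone statements at brace depth 0: once views are used, named rejects a config with any of these.
    conf = re.sub(r'//[^\n]*|#[^\n]*', '', conf)
    return [m.group(1) for m in re.finditer(r'\bzone\s+"([^"]+)"', conf)
            if conf[:m.start()].count('{') == conf[:m.start()].count('}')]
```

Running select_view against the two client addresses used in the nslookup sessions above gives "private" for 192.168.56.2 and "public" for 192.168.1.145, matching the answers the server returned.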