Using Views with BIND 9 Part 2


BIND 9 gives us the ability to run a split DNS configuration on a single server. In this article we will go over the configuration of the slave servers, which transfer the zones from the master while still keeping the same separation into views.

Before we go any further: if you do not have a working master server with views configured, you will want to review part 1 here first.

Configure the Slaves

slavedns01:/# cat /etc/issue
Debian GNU/Linux 5.0 \n \l
slavedns01:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.0.0.12
netmask 255.255.255.0
gateway 10.0.0.1

auto eth0:0
iface eth0:0 inet static
address 10.0.0.14
netmask 255.255.255.0
slavedns01:/# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.local";
slavedns01:/# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
slavedns01:/# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Only the master may send NOTIFY for the slave zones.
acl master { 10.0.0.11/32; };

// Internal clients: the LAN minus the firewall's inside address, which is
// where NAT'd queries from the outside appear to come from.
acl internals { !10.0.0.1/32; 10.0.0.0/24; localhost; };

acl externals { 10.0.0.1/32; any; };

view "internal" {
        match-clients { internals; };
        // Queries and zone transfers for this view leave from the primary address.
        query-source address 10.0.0.12;
        transfer-source 10.0.0.12;
        allow-recursion { any; };
        // Same zone name as the external view; each view loads its own copy.
        zone "example.org" {
                type slave;
                file "/var/cache/bind/internal/db.example.org";
                masters { 10.0.0.11; };
                allow-notify { master; };
        };
        zone "0.0.10.in-addr.arpa" {
                type slave;
                file "/var/cache/bind/internal/db.reverse.10.0.0";
                masters { 10.0.0.11; };
                allow-notify { master; };
        };
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };
        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };
        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };
        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };
};

view "external" {
        match-clients { externals; };
        // Queries and zone transfers for this view leave from the alias address.
        query-source address 10.0.0.14;
        transfer-source 10.0.0.14;
        allow-recursion { none; };
        zone "example.org" {
                type slave;
                file "/var/cache/bind/external/db.example.org";
                masters { 10.0.0.11; };
                allow-notify { master; };
        };
};

As I mentioned in part 1, we are using 2 slave servers. I won't go into how to configure the second one, as it is exactly the same as the first one, with the exception of the IP addresses. So now let's go through some of the configuration in a little more detail.

The first thing we will talk about is the network configuration. For each view we need a different IP address, so that the master serves each transfer from the correct view. We do this using aliases or sub-interfaces. Below is where we have defined the interface (eth0) and the alias (eth0:0).

auto eth0
iface eth0 inet static
address 10.0.0.12
netmask 255.255.255.0
gateway 10.0.0.1

auto eth0:0
iface eth0:0 inet static
address 10.0.0.14
netmask 255.255.255.0

When configuring the internals acl in /etc/bind/named.conf.local you will notice that I have included 10.0.0.0/24 while excluding 10.0.0.1. This is because my external DNS queries are NAT'd through my firewall, so they appear to come from the firewall's internal interface; the negated entry comes first because BIND evaluates an address match list in order and stops at the first element that matches. This acl is later referenced in the match-clients statement of the view. Additionally, you need to specify both the query-source address and the transfer-source; these parameters ensure that requests leave from the correct IP when the zones are transferred from the master, so that the master answers from the matching view.
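The following is an added example, not code from the article: it models BIND's first-match evaluation of the acl and match-clients lists shown above and uses it for two checks a practitioner wants before trusting a split setup. First, which view a given client address lands in (the NAT'd firewall address 10.0.0.1 must fall through to "external", since "internal" allows recursion to any). Second, which master view would answer a transfer sent from each slave transfer-source. The ACLS table is copied from the slave's named.conf.local; the assumption, labelled in the code, is that the master from part 1 uses the same internals/externals ACLs for its own views, and the built-in localhost ACL is approximated by the loopback ranges. The client addresses in the usage block are constructed.

```python
import ipaddress

# ACLs copied from the slave's named.conf.local above. Assumption: the master
# configured in part 1 uses the same internals/externals ACLs for its views.
ACLS = {
    "master": ["10.0.0.11/32"],
    "internals": ["!10.0.0.1/32", "10.0.0.0/24", "localhost"],
    "externals": ["10.0.0.1/32", "any"],
}

# Built-in ACL names. 'localhost' is approximated here as the loopback ranges;
# BIND's real 'localhost' matches every address configured on the host.
BUILTIN = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
}

# Views in the order named.conf.local declares them; BIND tries them in order.
VIEWS = [("internal", ["internals"]), ("external", ["externals"])]

# Per-view transfer-source addresses from the slave configuration above.
TRANSFER_SOURCES = {"internal": "10.0.0.12", "external": "10.0.0.14"}


def acl_match(elements, addr, acls=ACLS):
    """Evaluate a BIND address_match_list for one client address.

    Elements are tested in order and the first one that matches decides:
    a plain element yields True (matched), a '!'-negated element yields
    False (explicitly rejected). A nested ACL name is evaluated recursively
    and its verdict propagates. None means no element matched at all.
    """
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        negated = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name in BUILTIN:
            hit = any(ip in ipaddress.ip_network(n) for n in BUILTIN[name])
            verdict = True if hit else None
        elif name in acls:
            verdict = acl_match(acls[name], addr, acls)
        else:
            verdict = True if ip in ipaddress.ip_network(name, strict=False) else None
        if verdict is None:
            continue
        return (not verdict) if negated else verdict
    return None


def select_view(addr, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts addr, or None when
    no view matches (named then refuses the query)."""
    for name, match_clients in views:
        if acl_match(match_clients, addr, acls) is True:
            return name
    return None


def transfer_view_map(sources=TRANSFER_SOURCES, views=VIEWS, master_acls=ACLS):
    """For each slave view, the master view that answers a zone transfer sent
    from that view's transfer-source address."""
    return {view: select_view(src, views, master_acls) for view, src in sources.items()}


def mismatched_transfer_sources(sources=TRANSFER_SOURCES, views=VIEWS, master_acls=ACLS):
    """Slave views whose transfer-source would be answered by a different master
    view, i.e. the slave would load the other view's copy of the zone."""
    served = transfer_view_map(sources, views, master_acls)
    return sorted(view for view, master_view in served.items() if master_view != view)


if __name__ == "__main__":
    # Constructed sample clients: NAT'd firewall, a LAN host, loopback, an outside host.
    for client in ("10.0.0.1", "10.0.0.50", "127.0.0.1", "203.0.113.9"):
        print(f"{client:>12} -> {select_view(client)}")
    print("transfer sources answered by master view:", transfer_view_map())
    print("slave views that would get the wrong copy:", mismatched_transfer_sources())
```

With the slave's own ACLs standing in for the master's, the second check flags the external view: 10.0.0.14 lies inside 10.0.0.0/24 and is not excluded the way 10.0.0.1 is, so a master using exactly these lists would answer that transfer from its internal view. Whether that happens on your master depends on the ACLs you configured in part 1; paste those into ACLS and re-run, and make sure the external transfer-source is excluded from the master's internal match-clients list.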

acl internals { !10.0.0.1/32; 10.0.0.0/24; localhost; };

acl externals { 10.0.0.1/32; any; };

view "internal" {
        match-clients { internals; };
        query-source address 10.0.0.12;
        transfer-source 10.0.0.12;
        allow-recursion { any; };

This completes the configuration of your split DNS using BIND 9 views.