Using Views with BIND 9

In almost all organizations the network infrastructure needs to be designed so that both internal and external names can be resolved authoritatively.  Most organizations have accomplished this by running separate internal and external servers.  That approach works and is simpler, but it is wasteful given how few resources DNS actually requires.  BIND 9 gives us a new method for managing this kind of configuration: a view, which references specific zones depending on the network location a query comes from.

This is how the series will be broken down.

Part 1: Configuring the master server.

Part 2: Configuring the slave server(s).

Environment Details

-1 Master (does not service requests from clients)

-2 Slaves (which service requests from clients)

-Service both Internal and External requests (allowing recursion on Internal Requests only)


Configure the Master

masterdns01:/# cat /etc/issue
Debian GNU/Linux 5.0 \n \l
masterdns01:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.0.11
netmask 255.255.255.0
gateway 10.0.0.1
masterdns01:/# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.local";
masterdns01:/# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
//      0.0.0.0;
// };

auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
};
masterdns01:/# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

acl internal-slaves { 10.0.0.12/32; 10.0.0.13/32; };
acl external-slaves { 10.0.0.14/32; 10.0.0.15/32; };

acl internal { !10.0.0.1/32; !10.0.0.13/32; !10.0.0.15/32; 10.0.0.0/24; localhost; };
acl external { 10.0.0.1/32; 10.0.0.13/32; 10.0.0.15/32; any; };

view "internal" {
match-clients { internal; };
allow-recursion { any; };
zone "example.org" {
type master;
file "/etc/bind/internal/db.example.org";
allow-transfer { internal-slaves; };
};
zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/internal/db.reverse.10.0.0";
allow-transfer { internal-slaves; };
};
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
};

view "external" {
match-clients { external; };
allow-recursion { none; };
zone "example.org" {
type master;
file "/etc/bind/external/db.example.org";
allow-transfer { external-slaves; };
};
};

masterdns01:/# cat /etc/bind/internal/db.example.org
;BIND db file for example.org INTERNAL
;
$TTL 1d
;
@       IN      SOA     masterdns01.example.org.        hostmaster.example.org. (
110223001       ;serial number YYMMDDNNN
8h              ;refresh
2h              ;retry
2d              ;expire
6h              ;min ttl
)
IN      NS      masterdns01.example.org.
IN      NS      slavedns01.example.org.
IN      NS      slavedns02.example.org.

$ORIGIN example.org.

masterdns01     IN      A       10.0.0.11
slavedns01      IN      A       10.0.0.12
slavedns02      IN      A       10.0.0.13
www             IN      A       10.0.0.51
server          IN      A       10.0.0.55

masterdns01:/# cat /etc/bind/external/db.example.org
;BIND db file for example.org EXTERNAL
;
$TTL 1d
;
@       IN      SOA     masterdns01.example.org.        hostmaster.example.org. (
110223001       ;serial number YYMMDDNNN
8h              ;refresh
2h              ;retry
2d              ;expire
6h              ;min ttl
)
IN      NS      ns1.example.org.
IN      NS      ns2.example.org.

$ORIGIN example.org.

ns1             IN      A       1.1.1.1
ns2             IN      A       1.1.1.2
www             IN      A       1.1.1.3
masterdns01:/# cat /etc/bind/internal/db.reverse.10.0.0
;BIND db file for 10.0.0 INTERNAL
;
$TTL 1d
;
@       IN      SOA     masterdns01.example.org.        hostmaster.example.org. (
110223001       ;serial number YYMMDDNNN
8h              ;refresh
2h              ;retry
2d              ;expire
6h              ;min ttl
)
IN      NS      masterdns01.example.org.
IN      NS      slavedns01.example.org.
IN      NS      slavedns02.example.org.

; PTR targets must be fully qualified; a bare name would be relative to 0.0.10.in-addr.arpa.
11      IN      PTR     masterdns01.example.org.
12      IN      PTR     slavedns01.example.org.
13      IN      PTR     slavedns02.example.org.
51      IN      PTR     www.example.org.
55      IN      PTR     server.example.org.

Now let's look a little more closely at the setup of the view itself.

Below is an excerpt of /etc/bind/named.conf.local.

Some important things to note.  You might notice that I have excluded some individual IP addresses from the internal acl (10.0.0.1, 10.0.0.13 and 10.0.0.15) by placing an exclamation point before the address.  This is common Unix notation for negation (so != means "not equal"), and in a BIND ACL it means "reject anything that matches this entry".  Because BIND evaluates an address list in order and stops at the first match, the negated entries must come before the broader 10.0.0.0/24 entry; listed after it, they would never be reached.  The reasoning is quite simple.  One device is the firewall: since my external DNS traffic is NAT'd through the firewall, external queries actually arrive from the internal interface of the firewall (from the perspective of the DNS server), so without the exclusion they would fall into the internal view.  The other two devices are the slaves: if you do not exclude them, they will transfer your internal zones into all of their views, rendering your views nearly worthless.

acl internal { !10.0.0.1/32; !10.0.0.13/32; !10.0.0.15/32; 10.0.0.0/24; localhost; };
acl external { 10.0.0.1/32; 10.0.0.13/32; 10.0.0.15/32; any; };

view "internal" {
match-clients { internal; };
allow-recursion { any; };
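To see how the ordering of those ACL entries plays out, here is an added Python model of BIND's first-match address-list evaluation (example code written for this article, not part of the original post or of BIND itself).  It assumes "localhost" means the loopback ranges and runs the page's two ACLs against a few source addresses to show which view each one lands in, and what happens when the /24 is listed before the negations.

```python
import ipaddress
# Added illustration of BIND match-clients evaluation (not code from the
# original post): entries are checked in order and the first match decides;
# a matching "!" entry rejects the address at once. "localhost" is approximated
# here as the loopback ranges (assumption; BIND uses the server's own addresses).

def parse_acl(text):
    """Parse a list such as '!10.0.0.1/32; 10.0.0.0/24; localhost;'
    into (negated, [networks]) pairs, preserving order."""
    entries = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif item == "none":
            nets = []
        elif item == "localhost":
            nets = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
        else:
            nets = [ipaddress.ip_network(item, strict=False)]
        entries.append((negated, nets))
    return entries

def acl_matches(entries, address):
    """First-match evaluation; an address matching no entry is rejected."""
    addr = ipaddress.ip_address(address)
    for negated, nets in entries:
        if any(n.version == addr.version and addr in n for n in nets):
            return not negated
    return False

def select_view(views, address):
    """views is an ordered list of (name, entries); BIND tries them in config order."""
    for name, entries in views:
        if acl_matches(entries, address):
            return name
    return None

# The two ACLs from named.conf.local above, in the order the views are declared
INTERNAL = parse_acl("!10.0.0.1/32; !10.0.0.13/32; !10.0.0.15/32; 10.0.0.0/24; localhost;")
EXTERNAL = parse_acl("10.0.0.1/32; 10.0.0.13/32; 10.0.0.15/32; any;")
VIEWS = [("internal", INTERNAL), ("external", EXTERNAL)]
# The same entries with the /24 listed first: the negations are never reached
MISORDERED = parse_acl("10.0.0.0/24; !10.0.0.1/32; !10.0.0.13/32; !10.0.0.15/32; localhost;")
```

With the page's ordering, select_view(VIEWS, "10.0.0.1") returns "external" (the firewall is kept out of the internal view), whereas the misordered list would place the firewall, and both slaves, in the internal view.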

In part 2 we will be configuring the slave servers.