Split DNS sample config (was Re: iptables - lo interface problem)

Mike Burger mburger at bubbanfriends.org
Tue Aug 24 12:29:27 UTC 2004


> > Happy to help.
> >
> > If you need an example of a split DNS config, let me know.  I'm using 
> > it, now, in lieu of the routing option.
> > --
> > Mike Burger
>
> Hi Mike,
>
> I would like to see the split-DNS config. This thread is very timely for
> me as I am setting up the exact arrangement in my network.
> 
> Thanks,
> Travis Fraser

No problem, Travis.

Here is a pared down sample...I edited my own to remove my system/network 
specific info, but it should do as a starting point.  I'll paste it in, 
for anyone who wants to see it up close, and attach it for those that 
don't.

The stuff at the very top is all for logging (I like to split my DNS 
logging out into various files, to keep them cleaner).  I've commented 
out the "size" variables for the logs, so that they don't just rotate 
when they reach their size limits:

--------------------------------------------------------------------

options {
	// Working directory; relative zone-file names further down resolve here.
	directory "/var/named";

	// Older BIND releases always sent queries from port 53; BIND 8.1 and
	// later pick an unprivileged source port.  If a firewall between this
	// server and the nameservers it talks to only passes port 53, enable
	// the next line.
	// query-source address * port 53;

	// Answer NXDOMAIN with the AA bit set, as BIND 8 did.
	auth-nxdomain yes;
};

logging {
	// One file-backed channel per interest area so each log can be read on
	// its own.  "versions N" keeps N rotated copies; the "size" limits are
	// deliberately left commented out so a file is never rotated merely
	// because it reached a size threshold (rotation then presumably happens
	// only when named reopens its log files).
	channel my_syslog {
		file "/var/log/named/named.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
	};
	channel my_lame {
		file "/var/log/named/lame.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	channel my_xfer {
		file "/var/log/named/xfer.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	channel my_update {
		file "/var/log/named/named.update" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	// Defined but not routed to by any category below (see "category db").
	channel my_db {
		file "/var/log/named/db.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	channel my_query {
		file "/var/log/named/query.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	// More history for the security log: it is the one to consult when
	// investigating refused queries and denied transfers.
	channel my_security {
		file "/var/log/named/security.log" versions 99;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	// "severity dynamic" follows the debug level set at run time.  This
	// channel is defined but not referenced by any category below.
	channel my_debug {
		file "/var/log/named/named.debug" versions 20;
		severity dynamic;
		print-category yes;
		print-time yes;
		// size 50M;
	};

	// Route categories to channels; anything not listed goes to "default".
	// Full query logging records every client address and name asked for:
	// valuable for detection, but watch disk usage and retention.
	category security     { my_security; };
	category default      { my_syslog; };
	category queries      { my_query; };
	category lame-servers { my_lame; };
	category update       { my_update; };
	// category db        { my_db; };
	category xfer-in      { my_xfer; };
	category xfer-out     { my_xfer; };
	// category packet    { null; };
	// category eventlib  { my_syslog; };
};

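//
// Remote control (rndc) channel.  This is not a caching-only setup, despite
// what the original header said: the views below serve authoritative zones.
// The channel listens only on the loopback address, accepts commands only
// from localhost, and requires the HMAC key "key" defined below.
//
controls {
	inet 127.0.0.1 allow { localhost; } keys { "key"; };
};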

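// Shared secret for the controls channel above.  Replace the placeholder
// with a real base64 secret (rndc-confgen generates a key together with a
// matching rndc.conf stanza) and keep this file readable by the named user
// only: any local user who can read the secret can drive rndc.  hmac-md5
// was the only algorithm BIND accepted for rndc at the time; on releases
// that support it, prefer hmac-sha256.
key "key" {
	algorithm hmac-md5;
	secret "<insert base64 key string here>";
};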

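// Split views.  Views are matched in file order, so "internal" (the private
// network) must come before the catch-all "external" view that follows it.
// Note that the original sample never closed this view with "};" before
// opening "external"; the closing brace is now in place.
view "internal" {
	// This should match our internal network.  192.168.0.1 is already
	// covered by 192.168.0.0/24 and is kept only for clarity.
	match-clients {
		192.168.0.0/24;
		127.0.0.1;
		192.168.0.1;
	};

	// Provide recursive service to internal clients only.
	recursion yes;

	// Root hints so recursion has somewhere to start.
	zone "." IN {
		type hint;
		file "named.ca";
	};

	zone "localhost" IN {
		type master;
		file "localhost.zone";
		allow-update { none; };
	};

	zone "0.0.127.in-addr.arpa" IN {
		type master;
		file "named.local";
		allow-update { none; };
	};

	zone "0.168.192.in-addr.arpa" IN {
		type master;
		file "named.rev.192.168.0";
		allow-update { none; };
	};

	// Complete view of the local zone, including addresses of internal
	// hosts.  Only this view should ever load the *.internal.hosts file.
	// No allow-transfer is set on the zones below, so (with the defaults of
	// BIND of this era) any internal client may pull the whole zone;
	// add "allow-transfer { <secondaries>; };" if that is not intended.
	zone "your.domain.here" {
		type master;
		file "your.domain.here.internal.hosts";
	};

	zone "here.ip-range.reverse.internet.in-addr.arpa" {
		type master;
		file "/var/named/reverse.ip-range.here.rev";
	};

	zone "slave.zone.com" {
		type slave;
		masters { ip.of.master; };
		file "slave.zone.com.hosts";
	};

	zone "another.master.zone.org" {
		type master;
		file "another.master.zone.org.hosts";
	};
};
// End of internal view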
 
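// Catch-all view for every client the "internal" view did not match, i.e.
// the Internet.  Keep it last.
view "external" {
	match-clients { any; };

	// Refuse recursive service to external clients.
	recursion no;

	// Root hints are only used for recursion, so they are idle in this view;
	// kept for symmetry with the internal view.
	zone "." IN {
		type hint;
		file "named.ca";
	};

	zone "localhost" IN {
		type master;
		file "localhost.zone";
		allow-update { none; };
		allow-transfer { none; };
	};

	zone "0.0.127.in-addr.arpa" IN {
		type master;
		file "named.local";
		allow-update { none; };
		allow-transfer { none; };
	};

	// Serving the RFC 1918 reverse zone to the Internet publishes the names
	// of internal hosts through their PTR records; drop this zone from the
	// external view unless that is deliberate.
	zone "0.168.192.in-addr.arpa" IN {
		type master;
		file "named.rev.192.168.0";
		allow-update { none; };
		allow-transfer { none; };
	};

	// Restricted view of your zone containing only publicly reachable
	// hosts.  This must be a different file from the internal view's
	// "your.domain.here.internal.hosts": the original sample loaded the
	// internal file here, which publishes exactly the private addresses the
	// split was meant to hide.  The file name below is a placeholder.
	// Zone transfers are refused so the zone cannot be pulled wholesale;
	// list your public secondaries instead of "none" if they transfer from
	// this server.
	zone "your.domain.here" {
		type master;
		file "your.domain.here.external.hosts";
		allow-transfer { none; };
	};

	zone "here.ip-range.reverse.internet.in-addr.arpa" {
		type master;
		file "/var/named/reverse.ip-range.here.rev";
		allow-transfer { none; };
	};

	zone "slave.zone.com" {
		type slave;
		masters { ip.of.master; };
		file "slave.zone.com.hosts";
		allow-transfer { none; };
	};

	zone "another.master.zone.org" {
		type master;
		file "another.master.zone.org.hosts";
		allow-transfer { none; };
	};
};
// End of external view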

--------------------------------------------------------------------

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request at bubbanfriends.org

with a message of: 

subscribe
-------------- next part --------------
// generated by named-bootconf.pl

options {
	// Working directory; relative zone-file names further down resolve here.
	directory "/var/named";

	// Older BIND releases always sent queries from port 53; BIND 8.1 and
	// later pick an unprivileged source port.  If a firewall between this
	// server and the nameservers it talks to only passes port 53, enable
	// the next line.
	// query-source address * port 53;

	// Answer NXDOMAIN with the AA bit set, as BIND 8 did.
	auth-nxdomain yes;
};

logging {
	// One file-backed channel per interest area so each log can be read on
	// its own.  "versions N" keeps N rotated copies; the "size" limits are
	// deliberately left commented out so a file is never rotated merely
	// because it reached a size threshold (rotation then presumably happens
	// only when named reopens its log files).
	channel my_syslog {
		file "/var/log/named/named.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
	};
	channel my_lame {
		file "/var/log/named/lame.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	channel my_xfer {
		file "/var/log/named/xfer.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	channel my_update {
		file "/var/log/named/named.update" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	// Defined but not routed to by any category below (see "category db").
	channel my_db {
		file "/var/log/named/db.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	channel my_query {
		file "/var/log/named/query.log" versions 25;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	// More history for the security log: it is the one to consult when
	// investigating refused queries and denied transfers.
	channel my_security {
		file "/var/log/named/security.log" versions 99;
		severity info;
		print-category yes;
		print-time yes;
		// size 50M;
	};
	// "severity dynamic" follows the debug level set at run time.  This
	// channel is defined but not referenced by any category below.
	channel my_debug {
		file "/var/log/named/named.debug" versions 20;
		severity dynamic;
		print-category yes;
		print-time yes;
		// size 50M;
	};

	// Route categories to channels; anything not listed goes to "default".
	// Full query logging records every client address and name asked for:
	// valuable for detection, but watch disk usage and retention.
	category security     { my_security; };
	category default      { my_syslog; };
	category queries      { my_query; };
	category lame-servers { my_lame; };
	category update       { my_update; };
	// category db        { my_db; };
	category xfer-in      { my_xfer; };
	category xfer-out     { my_xfer; };
	// category packet    { null; };
	// category eventlib  { my_syslog; };
};

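//
// Remote control (rndc) channel.  This is not a caching-only setup, despite
// what the original header said: the views below serve authoritative zones.
// The channel listens only on the loopback address, accepts commands only
// from localhost, and requires the HMAC key "key" defined below.
//
controls {
	inet 127.0.0.1 allow { localhost; } keys { "key"; };
};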

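// Shared secret for the controls channel above.  Replace the placeholder
// with a real base64 secret (rndc-confgen generates a key together with a
// matching rndc.conf stanza) and keep this file readable by the named user
// only: any local user who can read the secret can drive rndc.  hmac-md5
// was the only algorithm BIND accepted for rndc at the time; on releases
// that support it, prefer hmac-sha256.
key "key" {
	algorithm hmac-md5;
	secret "<insert base64 key string here>";
};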

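// Split views.  Views are matched in file order, so "internal" (the private
// network) must come before the catch-all "external" view that follows it.
// Note that the original sample never closed this view with "};" before
// opening "external"; the closing brace is now in place.
view "internal" {
	// This should match our internal network.  192.168.0.1 is already
	// covered by 192.168.0.0/24 and is kept only for clarity.
	match-clients {
		192.168.0.0/24;
		127.0.0.1;
		192.168.0.1;
	};

	// Provide recursive service to internal clients only.
	recursion yes;

	// Root hints so recursion has somewhere to start.
	zone "." IN {
		type hint;
		file "named.ca";
	};

	zone "localhost" IN {
		type master;
		file "localhost.zone";
		allow-update { none; };
	};

	zone "0.0.127.in-addr.arpa" IN {
		type master;
		file "named.local";
		allow-update { none; };
	};

	zone "0.168.192.in-addr.arpa" IN {
		type master;
		file "named.rev.192.168.0";
		allow-update { none; };
	};

	// Complete view of the local zone, including addresses of internal
	// hosts.  Only this view should ever load the *.internal.hosts file.
	// No allow-transfer is set on the zones below, so (with the defaults of
	// BIND of this era) any internal client may pull the whole zone;
	// add "allow-transfer { <secondaries>; };" if that is not intended.
	zone "your.domain.here" {
		type master;
		file "your.domain.here.internal.hosts";
	};

	zone "here.ip-range.reverse.internet.in-addr.arpa" {
		type master;
		file "/var/named/reverse.ip-range.here.rev";
	};

	zone "slave.zone.com" {
		type slave;
		masters { ip.of.master; };
		file "slave.zone.com.hosts";
	};

	zone "another.master.zone.org" {
		type master;
		file "another.master.zone.org.hosts";
	};
};
// End of internal view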
 
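// Catch-all view for every client the "internal" view did not match, i.e.
// the Internet.  Keep it last.
view "external" {
	match-clients { any; };

	// Refuse recursive service to external clients.
	recursion no;

	// Root hints are only used for recursion, so they are idle in this view;
	// kept for symmetry with the internal view.
	zone "." IN {
		type hint;
		file "named.ca";
	};

	zone "localhost" IN {
		type master;
		file "localhost.zone";
		allow-update { none; };
		allow-transfer { none; };
	};

	zone "0.0.127.in-addr.arpa" IN {
		type master;
		file "named.local";
		allow-update { none; };
		allow-transfer { none; };
	};

	// Serving the RFC 1918 reverse zone to the Internet publishes the names
	// of internal hosts through their PTR records; drop this zone from the
	// external view unless that is deliberate.
	zone "0.168.192.in-addr.arpa" IN {
		type master;
		file "named.rev.192.168.0";
		allow-update { none; };
		allow-transfer { none; };
	};

	// Restricted view of your zone containing only publicly reachable
	// hosts.  This must be a different file from the internal view's
	// "your.domain.here.internal.hosts": the original sample loaded the
	// internal file here, which publishes exactly the private addresses the
	// split was meant to hide.  The file name below is a placeholder.
	// Zone transfers are refused so the zone cannot be pulled wholesale;
	// list your public secondaries instead of "none" if they transfer from
	// this server.
	zone "your.domain.here" {
		type master;
		file "your.domain.here.external.hosts";
		allow-transfer { none; };
	};

	zone "here.ip-range.reverse.internet.in-addr.arpa" {
		type master;
		file "/var/named/reverse.ip-range.here.rev";
		allow-transfer { none; };
	};

	zone "slave.zone.com" {
		type slave;
		masters { ip.of.master; };
		file "slave.zone.com.hosts";
		allow-transfer { none; };
	};

	zone "another.master.zone.org" {
		type master;
		file "another.master.zone.org.hosts";
		allow-transfer { none; };
	};
};
// End of external view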

