Saturday, March 5, 2016

domain name system - BIND9 DNS with external view inside the internal view

I'm planning a new BIND9 DNS server with a special kind of view.

We have a lot of external zones and public IPv4 addresses. To keep things simple we have a subzone of our external domain just for the internal scope; something like: local.example.com

Our goal is to keep things simple and not hassle with different example.com zones for the internal and external views.

To do that I must restrict only the local.example.com zone for internal clients. But internal clients should resolve the external addresses too, since we have internal clients with public IPv4 addresses.

Think of the internal zone as a set in a Venn diagram. The external set is inside the internal set, so all zones should be in the internal scope too and unmodified.

The main question can be summarised in this one: can I point the same db zone files in the internal and the external views?


Answer

Just use an acl to limit queries to your internal zone.

    acl internal-networks {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
    };

    zone "internal.example.com" {
        type master;
        file "internal.example.com";
        allow-query { internal-networks; };
    };

You can add additional IP addresses to the internal-networks acl. It doesn't matter if they are publicly routable or not; whatever you add there can query the zone.
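A fuller named.conf fragment that puts the answer's acl approach next to the questioner's setup (the unrestricted parent zone and the restricted local.example.com subzone in a single view). This is an added example, not the answer's own configuration; the zone file names and the 203.0.113.0/24 range used for internal hosts with public addresses are assumptions.

```bind
// Added example, not from the original answer. File names and the
// 203.0.113.0/24 prefix are assumed values.

acl internal-networks {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    203.0.113.0/24;   // internal hosts that carry public IPv4 addresses
};

// The parent zone is served unchanged to everyone, so no view split
// and no second copy of the example.com zone file is needed.
zone "example.com" {
    type master;
    file "example.com";
};

// Only the internal subzone is restricted. Clients outside the acl
// get REFUSED for local.example.com names but still resolve the rest
// of example.com from the zone above.
zone "local.example.com" {
    type master;
    file "local.example.com";
    allow-query { internal-networks; };
};
```

Run named-checkconf before reloading to catch syntax errors, then confirm the restriction from an address outside the acl: a query for a local.example.com name should come back with status REFUSED, while a query for an example.com name from the same client is still answered.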

