view function of bind 9

Tim ignored_mailbox at yahoo.com.au
Fri Apr 6 08:40:24 UTC 2007


On Fri, 2007-04-06 at 15:40 +0800, edwardspl at ita.org.mo wrote:
> There are two DNS Server machines ( Master and Slave ).

I think that if you're setting up slave servers using views, you *might*
need to have two slave servers.  A slave for the internal view inside
the internal network, and a slave for the external view that is actually
on the outside network.  For what it's worth, I can't see any point for
having a slave server for an external query *inside* the LAN, and vice
versa - it couldn't be queried.

There's definitely no point in having an internal slave of the external
master, and vice versa, they'd be giving you the wrong answers.  The
slaves wouldn't use views, either.  Being inside or outside of the
network prevents the opposite from querying it.  A server using views is
one that sits in the middle.  It acts like two independent servers.

A general idea how DNS views would be used:


     The internet (with an external DNS slave server somewhere
          |        on it, completely remote from your network)
          |
          |
  External network
          |
          |
      /---+----\
      | modem/ |
      | router |
      \-+-+-+--/
        | | |                           Internal network below here
        | | |                           /------------------------\         
        | | \---------------------------+ router/firewall/switch |
        | |                             \--+---+---+---+---------/
        | |                                |   |   |   |
        | |     /-------------------\      |   |   |   |   
        | |     | Master DNS server  |     |   |   |   |
        | |     | using views        |     |   |   |   |   /----------\
        | |     |                    |     |   |   |   |   | an       |
        | \-----+ ext IP             |     |   |   |   \---+ internal |
        |       |             int IP +-----/   |   |       | PC       |
        |       \--------------------/         |   |       \----------/
        |                                      |   |
        |    /-------------\                   |   |    /-----------\
        |    | external    |                   |   |    | internal  |
        |    | slave DNS   |                   |   \----+ slave DNS |
        |    | server with |                   |        | server    |
        \----| ext IP      |                   |        \-----------/
             \-------------/                   |
                                               |    /----------\
                                               |    | internal |
                                               \----+ PC       |
                                                    \----------/
                                                  

Your external DNS servers (master and slave) aren't really a part of
your LAN.  They're isolated from it as much as possible.  The
modem/router (whether two separate devices, or an all-in-one) manages
piping external addresses through to equipment with real external
internet public IP addresses or through to internal addresses using NAT
(it *needs* to be a configurable device).  The DNS server using views,
in the middle, provides different IP address answers to the same domain
names, depending on which side the query comes from.  You might also
have the webserver on the same box, responding to connections to it from
either side, not really caring which is which.

There's almost no point in having an external slave server within your
own network, whichever side of the external/internal border it is.  A
slave is to provide an alternative machine to answer queries, if your
master is inaccessible to the WWW, due to network issues, the slave will
be, too.  About its only value is testing and education.

NB:  "ext" being an abbreviation for "external",
     likewise with "int" for "internal".

> So, I need to config the DNS ( include the view function and Master /
> Slave ) as the following ( SURE ) : 
> 1, Transfer Master Internal Zone file to Slave Internal Zone.
> 2, Transfer Master External Zone file to Slave External Zone.

When you set up a slave server, like the example I gave before, it gets
the records it needs from its master, and acts as the slave, straight
away (well, you do have to restart the slave DNS server, to get it to
notice the changes to its configuration).

> Do you think it may do the following :
> 
> 1, Transfer Master Internal Zone file to Slave External Zone.
> 2, Transfer Master External Zone file to Slave Internal Zone.

You're setting yourself up for a headache...

> PS : Internal Zone use Private IP ( For Clients ) , External Zone use
> Public ( For Internet Servers ), right ?

Yes, that's how views work.

-- 
(This box runs FC6, my others run FC4 & FC5, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
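
The arrangement Tim describes (one master in the middle serving two views, an external slave on the internet and an internal slave on the LAN, neither slave using views) can be written down as BIND 9 configuration. The fragments below are an added example, not Tim's or the original poster's config. Everything in them is assumed: the zone name example.com, the master's internal address 192.168.1.1 and external address 203.0.113.1, the internal slave 192.168.1.2, the external slave 203.0.113.2, and the TSIG key names; the secrets are placeholders to be replaced with output from tsig-keygen. The TSIG keys serve two purposes: they authenticate zone transfers, and, because match-clients can match on a key, they let the master pick the right view for a transfer regardless of which interface the slave happens to reach.

```conf
// ---- master (the "DNS server using views" in the diagram) ----
// Assumed addresses: LAN 192.168.1.0/24, int IP 192.168.1.1, ext IP 203.0.113.1.
acl "internal-net" { 192.168.1.0/24; 127.0.0.1; };

// One transfer key per view.  hmac-sha256 needs BIND 9.5 or later;
// the 2007-era releases in this thread only had hmac-md5.
key "internal-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-tsig-keygen-OUTPUT"; };
key "external-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-tsig-keygen-OUTPUT"; };

view "internal" {
    // Matched by: requests signed with the internal key, or unsigned requests
    // from the LAN.  A request signed with the external key is pushed on to
    // the external view even if it arrives from the LAN.
    match-clients { !key external-xfer; key internal-xfer; internal-net; };
    recursion yes;                   // LAN clients may use this as a resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // RFC 1918 answers for LAN clients
        allow-transfer { key internal-xfer; };
        also-notify { 192.168.1.2; };       // the internal slave
    };
};

view "external" {
    // Everyone else: the internet and the external slave.
    match-clients { key external-xfer; any; };
    recursion no;                    // never an open resolver on the outside
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public addresses only
        allow-transfer { key external-xfer; };
        also-notify { 203.0.113.2; };       // the external slave
    };
};

// ---- internal slave (192.168.1.2), no views ----
key "internal-xfer" { algorithm hmac-sha256; secret "SAME-SECRET-AS-MASTER"; };
server 192.168.1.1 { keys { internal-xfer; }; };   // sign everything sent to the master
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.168.1.1; };
    allow-transfer { none; };        // a slave has no business re-serving the zone
};

// ---- external slave (203.0.113.2), no views ----
key "external-xfer" { algorithm hmac-sha256; secret "SAME-SECRET-AS-MASTER"; };
server 203.0.113.1 { keys { external-xfer; }; };
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 203.0.113.1; };
    allow-transfer { none; };
};
```

Two things worth checking after a reload: `dig @192.168.1.1 www.example.com` from the LAN should return the private address and from outside the public one, and an AXFR attempted without the matching key (`dig @203.0.113.1 example.com axfr`) should be refused. The zone files for the two views must be different files; BIND will not let two views share one file for the same zone name. The mismatched setup the original poster asked about (internal zone to the external slave and vice versa) would be exactly the key/view mix-up the negative `!key` entry is there to prevent.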
