Comments on Two-in-one DNS server with BIND9

This tutorial shows you how to configure a BIND9 DNS server to serve an internal network and an external network at the same time with different sets of information. To accomplish that goal, a new feature of BIND9 called a view is used. As a tutorial it will walk you through the whole setup, but initial knowledge of BIND and DNS is required; there are plenty of documents on the Internet that cover that information.

21 Comment(s)


Comments

By: Anonymous

It works wonders. I've been using this feature for about 2 years now and it's made things a lot easier now that we have internal and external DNS running on the same servers. The only caveat is you have to maintain 2 trees of zone files.

By: Anonymous

Hi, first of all I would like to thank you for your great posting. I had the same problem and it was a great help to me.

But I think including the external zone is not a good idea, since the name server now answers all internal queries with two different IP addresses: the internal address (since the requesting client is within acl internal) as well as the included address from the external zone file.

Or did I get it wrong?

Regards, Grischa

By:

Reverse zone files, or a file for the preceding example.com file, are not mentioned in this how-to. I can only infer that a reverse zone file for an external view is not necessary. I would, however, think that for proper resolution of DNS names one would include a "db.192.0.2" reverse zone file. Was the fact that reverse files are not mentioned in this how-to due to an assumption by the author that those using this how-to would know to have reverse zone files for each forward zone file referred to in the named.conf.local file?

By: Maarten

Well, reverse lookups should be made. Not properly setting up the reverse DNS records is the first common mistake named in RFC 1912 (http://tools.ietf.org/html/rfc1912).

I really think that this should be added to the how-to, or at least mention that it's necessary to do this so that the unknowing will not make this mistake.

By:

For Ubuntu you will want to install the "bind9" package. "apt-get install bind" fetches bind 8.4x, which will not support views.

By: guytools

Hello all!

Currently, I am still looking for a solution.

After doing all this, I added a slave in my DNS and there is a great problem of security.

Look!

The problem is when the master server transfers zone files to the slave server.

Explanation:

I configured 2 DNS servers, 1 master and 1 slave.

I used the views to allow external users to have a limited use of my servers and internal users different views.

Everything works fine except that:

When the master is transferring zone files to the slave.

This happens because the slave server is multi-site (internal and external views).

Problem:

I note that both zone files (for external and internal view), which normally are different on the master server for a domain, come together and are identical in the two different file names that I gave.

So after a transfer I obtain 2 identical files, containing the fusion of the zone file in the internal and external view.

Example:

First:
Master (Fichier1_zone_int, Fichier1_zone_ext) with different contents.
Second:
When I get the zone transfer.

Finally:
Slave (Fichier1_zone_int + Fichier1_zone_ext, Fichier1_zone_int + Fichier1_zone_ext) with the same content.

Can anyone help me solve this problem?

If someone from the outside uses the slave server as a DNS server for resolution, the establishment of the views has not served, because it has access to all hosts on the LAN.

Because the zone file is merged.

Someone to help me please.
Thank you

By: Tyler Wagner

guytools,

Your problem is documented in the FAQ:

https://www.isc.org/node/282

You can transfer multiple views to slaves by using keys.
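The keyed transfer that the reply above points to, written out as an added example (this is not configuration from the tutorial, the commenters, or ISC's FAQ). Without keys the master classifies the slave's two transfer requests by source address alone, so both slave views pull the same view's data; with a TSIG key per view, each slave view signs its refresh and AXFR/IXFR requests with "its" key and the master's `match-clients` routes the request to the matching view. Addresses (master 192.0.2.10, slave 192.0.2.11, LAN 192.168.0.0/16), file paths and the key names are assumptions; the secrets are placeholders to be replaced with `tsig-keygen` output, one distinct secret per key.

```conf
// ===== on the master (assumed address 192.0.2.10) =====
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-internal-secret";   // placeholder: tsig-keygen internal-xfer
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-external-secret";   // placeholder: a different secret
};

acl "internals" { 127.0.0.0/8; 192.168.0.0/16; };   // assumed LAN range

view "internal" {
    // Keys are tested first so a request from a LAN address that is signed
    // with the external key still lands in the external view, and vice versa.
    match-clients { !key "external-xfer"; key "internal-xfer"; internals; };
    // NOTIFYs sent to the slave from this view are signed with the same key,
    // so the slave's internal view is the one that receives them.
    server 192.0.2.11 { keys { "internal-xfer"; }; };
    zone "example.com" {
        type master;
        file "/etc/bind/internals/db.example.com";
        allow-transfer { key "internal-xfer"; };   // no unsigned transfers
    };
};

view "external" {
    match-clients { !key "internal-xfer"; key "external-xfer"; any; };
    server 192.0.2.11 { keys { "external-xfer"; }; };
    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
        allow-transfer { key "external-xfer"; };
    };
};

// ===== on the slave (assumed address 192.0.2.11): same keys, same views =====
key "internal-xfer" { algorithm hmac-sha256; secret "PLACEHOLDER-internal-secret"; };
key "external-xfer" { algorithm hmac-sha256; secret "PLACEHOLDER-external-secret"; };
acl "internals" { 127.0.0.0/8; 192.168.0.0/16; };

view "internal" {
    match-clients { !key "external-xfer"; key "internal-xfer"; internals; };
    // Every request this view sends to the master (SOA refresh, AXFR/IXFR)
    // is signed with the internal key, so the master answers from its
    // internal view and this file only ever holds internal data.
    server 192.0.2.10 { keys { "internal-xfer"; }; };
    zone "example.com" {
        type slave;
        masters { 192.0.2.10; };
        file "/var/cache/bind/internal.db.example.com";
    };
};

view "external" {
    match-clients { !key "internal-xfer"; key "external-xfer"; any; };
    server 192.0.2.10 { keys { "external-xfer"; }; };
    zone "example.com" {
        type slave;
        masters { 192.0.2.10; };
        file "/var/cache/bind/external.db.example.com";
    };
};
```

Check both files with `named-checkconf` before reloading, and keep the two secrets distinct: if the same secret were used for both keys, a client holding it could pick whichever view it likes. After the first transfer the two slave files should differ exactly as the master's do; if they are still identical, one of the `server ... { keys ... }` statements is not signing the requests it should.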

By: Anonymous

Thank you very much for this how-to. I was looking at other ones and trying to figure out how to use views, but you made it very simple.

By:

Hi there,

I've followed your tutorial to the T! But for some unknown reason, if I use the "view" option, the DNS server will NOT serve DNS records for the zones.

I then proceeded to remove the "view" configuration and just serve up the same zone file, but only the internal one, and it served the request.

Is there something that I have missed that would be the problem?

I am running Ubuntu 10.04 LTS with BIND 9.7.0

By: Nik Rolls

Check /etc/bind/named.conf to see if it is still including /etc/bind/named.conf.default-zones. If so, this will be throwing an error because once you start using views you can't have any zones defined outside a view.

The default zones are only needed internally, so you can cut and paste that import command to the bottom of your internal zone definition.
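The layout the reply above describes, written out as an added example (not the tutorial's or the commenter's configuration). It assumes the Debian/Ubuntu file split (`named.conf` pulling in `named.conf.options`, `named.conf.local` and `named.conf.default-zones`); on distributions that ship a single `/etc/named.conf`, the same `include` statements and view blocks go into that file instead. The LAN range and zone file paths are assumptions.

```conf
// /etc/bind/named.conf  (Debian/Ubuntu layout assumed)
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// include "/etc/bind/named.conf.default-zones";
//   ^ removed from the top level: once any view exists, named refuses to
//     start with a zone defined outside a view.

// /etc/bind/named.conf.local
acl "internals" { 127.0.0.0/8; 192.168.0.0/16; };   // assumed LAN range

view "internal" {
    match-clients { internals; };
    recursion yes;            // LAN clients use this server as their resolver

    zone "example.com" {
        type master;
        file "/etc/bind/internals/db.example.com";
    };

    // Root hints, localhost and the 127/0/255 reverse zones are only
    // needed by the resolvers on the LAN, so the stock file is pulled
    // in here, at the end of the internal view, and nowhere else.
    include "/etc/bind/named.conf.default-zones";
};

view "external" {
    match-clients { any; };
    recursion no;             // authoritative answers only for the outside

    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
    };
};
```

`named-checkconf -z /etc/bind/named.conf` loads the configuration and every zone without starting the daemon; with the default-zones include left at the top level it fails with a message that, when using view statements, all zones must be in views, which is the error the poster above was hitting. `recursion no` in the external view is a deliberate choice here: the tutorial's split only hides internal names if the public view does not also act as an open resolver.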

By: gibbi

you can also use http://www.zonefile.org to create a zone file. You can change most values or leave it default if you're not so skilled. ;)

By: Francis Lee

I agree. I have used this guide, but the $include directive will return both IPs defined in the internal and external zones. Is there a way to only return one, specifically on the internal host? External hosts can get only the external IP, not both.
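Both this comment and Grischa's earlier one describe the same symptom: when the internal zone file `$INCLUDE`s the external one, every host ends up with two A records and the internal view hands out both. The added example below (not the tutorial's files) shows a layout that avoids it by inverting the include: the records that are genuinely the same on both sides (SOA, NS, MX) live in one shared file, and each view's file adds only its own A records. The hostnames, the serial and the file paths are constructed; the 192.0.2.x and 192.168.1.x addresses follow the ranges mentioned in the comments.

```conf
; /etc/bind/db.example.com.common  -- records identical in both views.
; Included from both view files; never holds an A record whose value
; differs between inside and outside.  (constructed example)
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101      ; serial: bump here and both views change in step
                3600            ; refresh
                900             ; retry
                604800          ; expire
                86400 )         ; negative-cache TTL
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.

; /etc/bind/internals/db.example.com  -- loaded by the internal view only
$INCLUDE /etc/bind/db.example.com.common
ns1     IN A    192.168.1.2
mail    IN A    192.168.1.5
www     IN A    192.168.1.5

; /etc/bind/externals/db.example.com  -- loaded by the external view only
$INCLUDE /etc/bind/db.example.com.common
ns1     IN A    192.0.2.2
mail    IN A    192.0.2.5
www     IN A    192.0.2.5
```

`named-checkzone example.com /etc/bind/internals/db.example.com` loads each file exactly as its view will, so a host accidentally given an address in both the shared and the per-view file shows up there as a duplicate before named is reloaded. A `dig www.example.com` from a LAN address should then return the single 192.168.1.5 answer, and from outside the single 192.0.2.5 one.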


By: limanex

Can BIND be configured for two different servers (one Windows server and one Linux server) with multiple domains on both and 1 static IP?

By: Srini

Thanks, it was useful.

By: Brandon

I want to thank you for the excellent guide. I am working on implementing it on a CentOS 7.3 system with Virtualmin web panel. And looking at the configuration that I have by default ... I only have the following:

/etc/named.conf (I don't have a named.conf.local) ... Do I just put the contents listed in your tutorial in the named.conf.local into the named.conf file? Because if I just create a blank named.conf.local (where would I tell BIND there is a .local file of the named.conf file?)

Just a little confused on how I can use this setup on my system. Thank you kindly! Any feedback would be greatly appreciated.

Again... Excellent Tutorial... can't wait to use this setup :)


By: kim

I used this for my internal and external ips for my domain. Worked super, but...

I don't know why the internal domain names and IPs end up on the public DNS. Any ideas how to "block" the internal domain names/IPs from getting out?

By: manoj

To use split DNS on a self-hosted webserver (e.g. using Virtualmin/ISPConfig), do we also need our own nameservers?

By: Marc

Thank you so much for this informative, useful and excellent tech info about BIND ACLs and views.

By: Roberto

But in this way, do the internals, to reach the mail server or any other public server, need to exit to the Internet and return inside, going through firewalls, proxies, etc.?

By: NM

Hello,

Found this by searching Google (Beyond BIND DNS).

Learning LPIC-1-3, my tutor couldn't explain it in 3 weeks like you've done in 130 min!!!

What about you kick-ass some noob LPIC-Tutors?

Besides that:

Maybe you want to show us this in VBox with 2 BIND9 and BEYOND BIND9, maybe also with some other DNS servers?

By the way, the tut still could not explain the DHCP merging with BIND, also a topic, but really IMNHO Linux must get beyond ISC!

Maybe they were good, but this horrible syntax is from 19xx! Can't think it will help a future world of 205x-> ....


Still, many thanks for your time and knowledge exposed.

By: Pramathesh Ambasta

Thanks for this excellent and detailed how-to. I am trying to follow your guide to implement a DNS server in a home network that has one static IP provided by my ISP. The router they have given does not allow NAT loopback. So, when within the LAN, the external IP cannot be accessed. There is only one server that functions for email, web, and DNS (also configured through ISPConfig following the tutorial on this site). Let us say the server is server.example.com.

What I want to achieve is that when I am on the local network, server.example.com should resolve to the LAN address of the server (say 192.168.1.5). When I am on an external network, server.example.com should resolve to the static IP given by my ISP. The ISP router will then forward the relevant ports from the static IP to the internal IP of the server (192.168.1.5).

I read that this is possible through a split-brain DNS setup. So I have tried to implement it on my home server by defining two views, internal and external. Internal contains computers on the LAN while external contains the static IP records (A, NS, MX and so on). However, this setup does not work. When I run the dig command on the local LAN from a computer (called wk1) to the server, dig reports 0 answers.

What am I getting wrong? And is a split-brain DNS really the answer to the problem that I am trying to solve?

Thanks in advance for your response.