A dual-view DNS
451 words, 3 minutes
I host all of my IT services (OSI Layer 7) myself; that’s no news. I configured my DNS server to answer both outside and inside requests, and depending on who asks, it doesn’t give the same answer. This is what BIND views are for.
Here’s how I configured my DNS server.
Installation
Install a NetBSD machine.
Use the default chroot directory or create your own:

    # cp -pr /var/chroot/named /home/dns
    # cp -p /etc/named.conf /home/dns/etc/
    # cp -p /etc/namedb/* /home/dns/etc/namedb/
Modify the rc.conf file:

    named=YES
    named_chrootdir="/home/dns"
Configuration
I’ll show the relevant parts of named.conf for the various features. The directory value of the options section won’t change, as I’ll chroot the DNS daemon.
The name server control utility
Create the key file:

    # rndc-confgen -a -t /home/dns -u named -r /dev/urandom
    wrote key file "/etc/rndc.key"
    wrote key file "/home/dns/etc/rndc.key"

I used /dev/urandom because my VM didn’t have enough entropy at that time.
Better logs
Logs are really helpful when something goes wrong.
So we’d better have nice logs:

    logging {
        channel general {
            syslog LOCAL0;
            severity dynamic;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default { general; };
        // per-query and lame-server noise is discarded
        category queries { null; };
        category lame-servers { null; };
    };
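With the security category flowing through this channel, the refusals the outside view produces (recursive queries and zone transfers denied) are easy to pull out of syslog. The script below is an added example and not part of the original post: a small Python triage over constructed log lines written in the shape BIND uses when print-category, print-severity and print-time are on. The hostname, pid, client addresses and queried names are made up.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines in the shape BIND emits with
# print-category, print-severity and print-time enabled. Host name,
# pid, client addresses and names are made up for this example.
SAMPLE_LOG = """\
Mar 10 12:00:01 dns named[1234]: 10-Mar-2024 12:00:01.101 general: info: zone tumfatig.net/IN/Internet: loaded serial 2024031001
Mar 10 12:00:05 dns named[1234]: 10-Mar-2024 12:00:05.220 security: info: client 203.0.113.9#5353: query (cache) 'example.org/A/IN' denied
Mar 10 12:00:06 dns named[1234]: 10-Mar-2024 12:00:06.221 security: info: client 203.0.113.9#5353: query (cache) 'example.net/A/IN' denied
Mar 10 12:00:07 dns named[1234]: 10-Mar-2024 12:00:07.222 security: info: client 203.0.113.9#5353: query (cache) 'example.com/A/IN' denied
Mar 10 12:00:09 dns named[1234]: 10-Mar-2024 12:00:09.300 security: error: client 198.51.100.7#4321: zone transfer 'tumfatig.net/AXFR/IN' denied
Mar 10 12:00:11 dns named[1234]: 10-Mar-2024 12:00:11.400 general: info: zone carnat.net/IN/LAN: loaded serial 2024031001
"""

# syslog prefix, then BIND's own time/category/severity prefix, then the message
SYSLOG_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) named\[\d+\]: "
    r"(?P<named_ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$"
)
# the two refusals the outside view generates: recursion denied, AXFR denied
# (newer BIND versions add "(name)" after the port; the optional group allows it)
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?P<what>query \(cache\)|zone transfer) '(?P<name>[^']+)' denied"
)


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not from named."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def denials(text):
    """Yield (client ip, kind, queried name) for every refusal in the log text."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["category"] != "security":
            continue
        d = DENIED_RE.search(rec["msg"])
        if d:
            kind = "recursion" if d["what"].startswith("query") else "axfr"
            yield d["ip"], kind, d["name"]


def summarize(text, threshold=3):
    """Count refusals per client and flag the ones worth a look.

    A single refused recursive query from the outside is background noise;
    repeated ones, or any refused zone transfer, are flagged.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ip, kind, _name in denials(text):
        counts[ip][kind] += 1
    report = {ip: dict(kinds) for ip, kinds in counts.items()}
    flagged = sorted(
        ip for ip, kinds in counts.items()
        if kinds.get("axfr") or sum(kinds.values()) >= threshold
    )
    return report, flagged


if __name__ == "__main__":
    report, flagged = summarize(SAMPLE_LOG)
    for ip in flagged:
        print(ip, report[ip])
```

Feed it the output of `grep named /var/log/messages` (or wherever LOCAL0 lands in syslog.conf) and it tells you which outside addresses keep hitting the recursion and transfer refusals this configuration is meant to produce.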
Views
Create the “network zones” using the acl keyword. Those describe who the inside clients are, and any other IP addresses we trust or allow to do special things (like zone transfers).

    acl tumfatig.local {
        127.0.0.1;
        10.0.0.0/24;
        10.15.5.0/24;
    };
Inside clients
Inside users will require general DNS resolution (for names hosted here and outside); they will be allowed to make recursive queries. They will also be given the private IP addresses of my IT services.
Create the inside view and define the zone files:

    view "LAN" {
        match-clients { tumfatig.local; };
        zone "." {
        (...)
        zone "tumfatig.local" {
            type master;
            file "LAN.tumfatig.local";
        };
        zone "tumfatig.net" {
            type master;
            file "LAN.tumfatig.net";
        };
        zone "carnat.net" {
            type master;
            file "LAN.carnat.net";
        };
        zone "10.IN-ADDR.ARPA" {
            type master;
            file "10.in-addr.arpa";
        };
    };
The others
Everyone else, people and servers alike, may ask my DNS for public name resolution on the domains I host. But my DNS shall not answer any other request.
Create the outside view and define the zone files:

    view "Internet" {
        // no match-clients here: it defaults to "any", so this view catches
        // every client the LAN view above did not match
        additional-from-auth no;
        additional-from-cache no;
        recursion no;
        zone "tumfatig.net" {
            type master;
            file "tumfatig.net";
            // allow-transfer takes addresses or acl names, not host names:
            // "gandi.net" must be an acl declared elsewhere in named.conf
            allow-transfer { gandi.net; };
        };
        zone "carnat.net" {
            type master;
            file "carnat.net";
            allow-transfer { gandi.net; };
        };
    };
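BIND tries views in the order they appear in named.conf, and the first one whose match-clients list matches the querying address answers; the Internet view has no match-clients, so it defaults to any and catches everything the LAN view left over. To make that ordering rule and the address-match-list semantics concrete, here is an added Python model of the two views above (my own example, not BIND code and not part of the original post). The acl and view data are transcribed from the configuration; the built-in acl "any" is modelled as 0.0.0.0/0 plus ::/0, and the client addresses used in the demonstration are made up.

```python
import ipaddress

# Model of the acl and view clauses above, in file order. A view without a
# match-clients of its own is stored as None, which stands for BIND's
# default of "any". The acl named "any" is built in to BIND; it is modelled
# here as every IPv4 and IPv6 address.
ACLS = {
    "tumfatig.local": ["127.0.0.1", "10.0.0.0/24", "10.15.5.0/24"],
    "any": ["0.0.0.0/0", "::/0"],
}
VIEWS = [
    ("LAN", ["tumfatig.local"]),
    ("Internet", None),
]


def match_list(entries, addr, acls=ACLS):
    """Evaluate a BIND address match list for one address.

    The first element that matches decides: True for a plain element,
    False for a negated ("!") one. A nested acl that matches negatively
    counts as not matching at all. None means no element matched.
    """
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    for entry in entries:
        negated = entry.startswith("!")
        name = entry[1:] if negated else entry
        if name in acls:
            hit = match_list(acls[name], addr, acls) is True
        else:
            # a bare address or prefix; IPv6 addresses never fall inside an IPv4 prefix
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


def select_view(client, views=VIEWS, acls=ACLS):
    """Return the name of the view that will answer `client`, or None (REFUSED)."""
    addr = ipaddress.ip_address(client)
    for name, clients in views:
        if match_list(clients if clients is not None else ["any"], addr, acls) is True:
            return name
    return None


if __name__ == "__main__":
    # constructed client addresses from documentation ranges
    for ip in ("10.0.0.5", "127.0.0.1", "203.0.113.9", "2001:db8::1"):
        print(ip, "->", select_view(ip))
    # Swapping the two views makes the catch-all Internet view answer everyone,
    # LAN clients included, which is why the LAN view must come first.
    print("10.0.0.5 with views reversed ->", select_view("10.0.0.5", list(reversed(VIEWS))))
```

The reversed-order case is the one to remember: with the catch-all view first, inside clients would silently get the public addresses and no recursion, and nothing in named-checkconf would complain.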
Zone files
Edit the various zone files according to what BIND is supposed to answer.
The localhost and 127 zone files can be used as templates.
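The two views point at different files for the same domain (LAN.tumfatig.net and tumfatig.net), so the risks are that the pair drift apart over time, or that an internal-only host ends up in the public file. Here is an added example of how I would keep them in step; it is not code from the original post. It is a Python generator that builds both forward files and the 10.in-addr.arpa reverse file from a single host table. The host names, addresses, SOA timers and the ns1/hostmaster names are constructed placeholders.

```python
import ipaddress
from datetime import date

# Constructed host table: name -> (address in the LAN view, address in the
# Internet view). None means the host exists only on the inside and must
# never appear in the public file. All addresses are documentation ranges.
HOSTS = {
    "ns1":  ("10.0.0.2",  "198.51.100.2"),
    "www":  ("10.0.0.10", "198.51.100.10"),
    "mail": ("10.0.0.11", "198.51.100.10"),
    "nas":  ("10.0.0.20", None),
}


def serial_for(day, n):
    """YYYYMMDDnn serial: bump n for every edit made on the same day."""
    return int(f"{day:%Y%m%d}{n:02d}")


def soa(origin, serial, ns, contact):
    """Zone header: $ORIGIN, $TTL, SOA (refresh, retry, expire, minimum) and NS."""
    return (
        f"$ORIGIN {origin}.\n$TTL 3600\n"
        f"@ IN SOA {ns} {contact} ( {serial} 3600 900 1209600 300 )\n"
        f"@ IN NS {ns}\n"
    )


def forward_zone(origin, hosts, view, serial):
    """Build the forward file for one view: LAN gets private, Internet gets public addresses."""
    if view not in ("LAN", "Internet"):
        raise ValueError(f"unknown view {view!r}")
    column = 0 if view == "LAN" else 1
    lines = [soa(origin, serial, f"ns1.{origin}.", f"hostmaster.{origin}.")]
    for name, addrs in sorted(hosts.items()):
        addr = addrs[column]
        if addr is None:          # internal-only host: left out of the Internet file
            continue
        lines.append(f"{name} IN A {addr}\n")
    return "".join(lines)


def reverse_zone(hosts, domain, serial, origin="10.in-addr.arpa"):
    """Build the PTR file for 10/8 from the LAN column, ordered by address."""
    lines = [soa(origin, serial, f"ns1.{domain}.", f"hostmaster.{domain}.")]
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1][0]))
    for name, (private, _public) in ordered:
        octets = private.split(".")
        if octets[0] != "10":
            raise ValueError(f"{name}: {private} is outside 10/8 and does not belong in {origin}")
        owner = ".".join(reversed(octets[1:]))   # 10.0.0.10 -> "10.0.0"
        lines.append(f"{owner} IN PTR {name}.{domain}.\n")
    return "".join(lines)


if __name__ == "__main__":
    serial = serial_for(date.today(), 1)
    # file names as used by the two views in named.conf above
    files = {
        "LAN.tumfatig.net": forward_zone("tumfatig.net", HOSTS, "LAN", serial),
        "tumfatig.net": forward_zone("tumfatig.net", HOSTS, "Internet", serial),
        "10.in-addr.arpa": reverse_zone(HOSTS, "tumfatig.local", serial),
    }
    for fname, body in files.items():
        print(f"--- {fname}\n{body}")
```

Generating both files from one table means the public file can only ever contain hosts that were given a public address, and the reverse zone stays consistent with the LAN forward zone without hand edits.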
Reboot and/or start the daemon with the /etc/rc.d/named script.
And watch the logs ;-)
That’s all folks!
Source
- DNS BIND view Clause
- BIND 9.5 Administrator Reference Manual
- Understanding SOA records