[GTALUG] server question

D. Hugh Redelmeier hugh at mimosa.com
Wed Jan 22 08:58:07 EST 2020


| From: John Sellens via talk <talk at gtalug.org>

| You want a server name (FQDN) that works internally, but not externally.
| Just stick it in DNS.

Right.  Here's a way you could do it. Certainly not the only way.

I run BIND on a public IP address.  But it is also on my LAN.

For the public, it could be considered authoritative for my domain and
is non-recursive (will only answer queries about my domain).

(For accuracy I have to state but you should ignore: it is actually a
"hidden master" (for performance reasons).)

For the LAN, it is recursive and answers all DNS queries.  That means
it will ask other DNS servers about other domains.  (It also caches
answers to reduce queries to other servers.)  All hosts within my LAN
use it as their DNS server.

named.conf contains:
<<<<<<<<<<<<<<<<

// see http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3496441_2
// prevent cache-poisoning by outsiders using recursive queries

acl "inside" { 127.0.0.0/8; ::1; <MY-LAN-CIDR>; };

view "inside" {
	match-clients { "inside"; };
	recursion yes;
	allow-query { inside; } ;
....
};

view "outside" {
	match-clients { any; };
	recursion no;
...
};
>>>>>>>>>>>>>>>>

If you want to have some names in your domain public, and some private to
your LAN, I think that you need two different zone files for that domain.
One for your LAN and one for your domain host (i.e. where queries about
your domain go).

One could put a whole zone inside the "inside" view and it would only be
resolved for queries from your LAN.

The limited zone file would be on your domain host.

I don't know whether you could split a zone between views.  But if
your LAN DNS server is not answering queries from outside your LAN
that isn't an issue.
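As an added example (not part of the post above, and not Hugh's actual configuration), the following script writes out a complete split-horizon layout in the shape the view snippet above describes: one named.conf with an "inside" and an "outside" view, and the same zone name defined in both views, each pointing at its own zone file. Defining one zone name in several views with different files is how BIND is normally used for this, so both halves of the domain can live on one server; the inside file carries the LAN-only names, the outside file only the public ones. The domain example.com, the LAN range 192.168.1.0/24 and the 203.0.113.x public addresses are placeholders, as are the host names. When named-checkconf and named-checkzone are installed the script validates what it wrote; otherwise it only writes the files.

```shell
#!/bin/sh
# Added example (not from the original post): generate a split-horizon BIND
# configuration in DIR, with one zone file served to LAN clients and one served
# to the public. All names and addresses below are placeholders.

write_split_horizon_config() {
    dir="$1"
    mkdir -p "$dir"

    # named.conf: once views are used, every zone must live inside a view.
    # The same zone name appears in both views, each with its own file.
    # The outside view is non-recursive and refuses zone transfers, so the
    # public face is not an open resolver and does not leak the zone.
    cat > "$dir/named.conf" <<'EOF'
acl "inside" { 127.0.0.0/8; ::1; 192.168.1.0/24; };

view "inside" {
    match-clients { "inside"; };
    recursion yes;
    allow-query { "inside"; };
    zone "example.com" {
        type master;
        file "example.com.inside";
    };
};

view "outside" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "example.com.outside";
    };
};
EOF

    # Zone file served only to LAN clients: includes private hosts (constructed).
    cat > "$dir/example.com.inside" <<'EOF'
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2020012201 ; serial
                3600 900 1209600 300 )
        IN NS   ns1.example.com.
ns1     IN A    192.168.1.53
www     IN A    192.168.1.80
nas     IN A    192.168.1.10
EOF

    # Zone file served to everyone else: only the public names (constructed).
    cat > "$dir/example.com.outside" <<'EOF'
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2020012201 ; serial
                3600 900 1209600 300 )
        IN NS   ns1.example.com.
ns1     IN A    203.0.113.53
www     IN A    203.0.113.80
EOF

    # Validate with BIND's own checkers when they are available.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$dir/example.com.inside" >/dev/null || return 1
        named-checkzone example.com "$dir/example.com.outside" >/dev/null || return 1
    fi
}

# Usage: write_split_horizon_config /tmp/bind-split-demo
```

Keep the two zone files' serials in step when you edit them, and remember that a name present only in the inside file is invisible to a client that happens to reach the server from outside the "inside" ACL, which is exactly the point: a quick check from the LAN with `dig @server nas.example.com` and the same query from an outside address should give an answer and NXDOMAIN respectively.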

