
Split DNS: Views

BIND 9.x lets you divide the DNS namespace into internal and external views. This organization into separate views is referred to as split DNS (also called split-horizon DNS). Such a configuration is useful for managing a local network that is connected to a larger network, such as the Internet. The internal view carries DNS information about hosts on the local network, whereas the external view exposes only the part of the namespace that should be reachable from other networks. In effect, you withhold DNS information about internal hosts, their names and private addresses, from the larger external network.

Internal and External Views

To implement a split DNS space, you set up different DNS servers for the internal and external views. The internal DNS servers hold DNS information about local hosts. The external DNS server is reachable from the Internet through a gateway and manages DNS information only for those local hosts that allow external access, such as FTP or Web servers. The gateways and Internet-accessible sites make up the external view of the network. The internal servers answer all queries for local hosts and subdomains. Queries for external hosts, such as Internet sites, are sent to the external servers, which forward them on to the Internet. Queries for local hosts that run Internet-facing services, such as FTP and Web servers, are also answered by the external DNS servers. Mail for local hosts arriving from the Internet is delivered to the externally visible mail host (the one published in the external view), which relays it to the internal hosts. With a split DNS configuration, local hosts can reach other local hosts, Internet sites, and the local hosts running Internet services. Internet users, on the other hand, can reach only the hosts published by the external servers, such as those running FTP and HTTP services. Internet users can still send mail to any local host, internal or external, because the external mail host relays it inward without exposing internal host names or addresses.

You can also use DNS views for a private network that connects its hosts to the Internet through a single Internet address. In this case, the internal view holds the private addresses (for example, 192.168.0.0/16 or another RFC 1918 range), and the external view publishes only a gateway host with a public Internet address. This adds another level of protection that complements IP masquerading (see Chapter 38): the private addresses are never published outside the local network.

Configuring Views

In a split configuration, the view a client sees depends on which server it reaches and on the source address it queries from; within each view, access is controlled with allow statements such as allow-query and allow-transfer. With these statements you specify which hosts a zone answers queries from and which hosts it permits to transfer the zone. For example, the internal zone could accept queries from other local hosts, but not from local hosts with external access, such as Internet servers. The local Internet servers, though, can accept queries from the local hosts. All Internet queries are forwarded to the gateway. In the external configuration, the local Internet servers can accept queries from anywhere. The gateways receive queries from both the local hosts and the local Internet servers.

In the following example, a network of three internal hosts and one external host is split into two views. There are two DNS servers: one for the internal network and one for external access, running on the external host. In reality these make up one network, but they are split into two views. The internal view is known as mygolf.com and the external view as greatgolf.com. In each configuration the internal hosts are listed in an ACL labeled internals, and the external host in an ACL labeled externals. To designate an entire address range as internal, you could instead use the network address in CIDR notation, as in 192.168.0.0/24. In the options section, allow-query, allow-recursion, and allow-transfer restrict access within the network.

Split View Example

The following example shows only the configuration entries needed to implement the internal view. In the options statement, zone transfers are disabled by default, queries are accepted from internals and externals, and recursion is restricted to internals. Everything the server is not authoritative for is forwarded to the external server (forward only). The mygolf.com zone overrides the global defaults: queries and transfers for it are allowed only among internal hosts, and the empty forwarders list disables forwarding for the zone, so the server answers for it directly.

Internal DNS server
Start example
acl internals { 192.168.0.1; 192.168.0.2; 192.168.0.3; };
acl externals { 10.0.0.1; };
options {
        forward only;
        forwarders { 10.0.0.1; };                // forward to the external server
        allow-transfer { none; };                // allow transfers to no one by default
        allow-query { internals; externals; };   // restrict query access
        allow-recursion { internals; };          // restrict recursion to internals
        };
zone "mygolf.com" {
        type master;
        file "mygolf";
        forwarders { };                          // no forwarding for this zone
        allow-query { internals; };
        allow-transfer { internals; };
        };
End example

In the configuration for the external DNS server, the same ACLs are set up for internals and externals. In the options statement, transfers are again disabled by default, queries are accepted from internals and externals, and recursion is now allowed for both externals and internals. The greatgolf.com zone then loosens the query restriction, allowing queries from anywhere, and overrides the global transfer setting to allow zone transfers to internals and externals. Keeping recursion limited to the two ACLs matters on an Internet-facing server: if the zone accepted queries from anywhere and the server also recursed for anyone, it would be an open resolver that outside parties could use for reflection attacks.

External DNS server
Start example
acl internals { 192.168.0.1; 192.168.0.2; 192.168.0.3; };
acl externals { 10.0.0.1; };
options {
        allow-transfer { none; };                    // allow transfers to no one by default
        allow-query { internals; externals; };       // restrict query access
        allow-recursion { internals; externals; };   // restrict recursion
        };

zone "greatgolf.com" {
        type master;
        file "greatgolf";
        allow-query { any; };
        allow-transfer { internals; externals; };
        };
End example
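The two configurations above run on separate servers. BIND 9 can also serve both views from a single named process with the view statement, which the examples above do not show. The following named.conf fragment is an added example, not from the original page; it restates the same ACLs and zones as two views on one server and assumes the zone files mygolf and greatgolf exist in the directory given by the (assumed) directory option. named compares a client against the views in order and hands it to the first view whose match-clients list it matches, so the internal view must be listed first.

```conf
// Added example: both views on one BIND 9 server (not from the original page).
acl internals { 192.168.0.0/24; };     // whole internal range instead of three hosts
acl externals { 10.0.0.1; };

options {
        directory "/var/named";        // assumed location of the zone files
        allow-transfer { none; };      // default for every view and zone below
};

// Evaluated first: queries from internal addresses land here and go no further.
view "internal" {
        match-clients { internals; };
        recursion yes;
        allow-recursion { internals; };
        forward only;
        forwarders { 10.0.0.1; };      // names we are not authoritative for go to the external server

        zone "mygolf.com" {
                type master;
                file "mygolf";
                forwarders { };        // answer this zone authoritatively, never forward it
                allow-transfer { internals; };
        };
};

// Everyone else, including the Internet, sees only this view.
view "external" {
        match-clients { any; };
        recursion no;                  // authoritative only; never an open resolver

        zone "greatgolf.com" {
                type master;
                file "greatgolf";
                allow-query { any; };
                allow-transfer { externals; };
        };
};
```

Check the syntax with named-checkconf before reloading, then verify the split with dig from both sides: a client in 192.168.0.0/24 gets answers for mygolf.com, while a client outside that range gets REFUSED for it (the external view is neither authoritative for that name nor recursive) but still resolves greatgolf.com. Once any view statement is present, every zone must live inside a view. A common variant places the same zone name in both views with different zone files, so the data differs by client rather than by domain name. Note that a secondary server's zone transfers are also matched to a view by the secondary's source address (or by a TSIG key named in match-clients), so a secondary must fall into the view whose data it is meant to copy.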
