LinuxQuestions.org > Linux - Server > Non Authoritative Zone when using particular View w/ BIND
https://www.linuxquestions.org/questions/linux-server-73/non-authoritative-zone-when-using-particular-view-w-bind-4175465008/

buee 06-06-2013 01:58 PM

Non Authoritative Zone when using particular View w/ BIND
 
I recently set up two nameservers, of course, master (ns1) and slave (ns2). My servers are 192.168.168.16 and .17 and they're both running BIND9. Everything worked fine, zone transfers were working, queries, etc. I went to implement views as I have some domains that will need to be queried from the internet, but I'd also like to address my internal machines and only have them respond to internal queries. I threw in a generic "lr" domain to represent my internal machines and of course have my 192.168.168 network for PTR records which should also be internal, then I set the default zones, 0, 127, and 255 up for internal view only. Here's the config:

Code:

acl internal {
    192.168.168.0/24;
    10.254.254.2;
    localhost;
};

view "internal" {
    match-clients {
        internal;
    };
    recursion yes;
    also-notify {
        192.168.168.17;
    };
    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };
    zone "168.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/192.168.168.rev";
    };
    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "mylocalnet" {
        type master;
        file "/var/lib/bind/mylocalnet.internal.hosts";
    };
};

view "public" {
    match-clients {
        any;
    };
    recursion no;
    also-notify {
        192.168.168.17;
    };
    zone "external" {
        type master;
        file "/var/lib/bind/external.public.hosts";
    };
};

Now, when the external zone (in public view) attempts to transfer, I get the following in the logs:

Code:

Jun  5 13:44:25 ns2 named[26887]: zone external/IN/public: refresh: non-authoritative answer from master 192.168.168.16#53 (source 0.0.0.0#0)

When the mylocalnet zone (in internal) attempts to transfer, it transfers flawlessly.

If I take the external zone and put it in the internal view, it transfers fine as well. It seems that only zones in the public view will not transfer.

Here's the config of the slave:

Code:

acl internal {
    192.168.168.0/24;
    10.254.254.2;
    localhost;
};

view "internal" {
    recursion yes;
    allow-transfer {
        192.168.168.16;
    };
    match-clients {
        192.168.168.0/24;
        10.254.254.2;
    };
    allow-notify {
        192.168.168.16;
    };
    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };
    zone "168.168.192.in-addr.arpa" {
        type slave;
        masters {
            192.168.168.16;
        };
        file "/var/lib/bind/192.168.168.rev";
    };
    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "mylocalnet" {
        type slave;
        masters {
            192.168.168.16;
        };
        file "/var/lib/bind/mylocalnet.internal.hosts";
    };
};

view "public" {
    recursion no;
    allow-transfer {
        192.168.168.16;
    };
    allow-notify {
        192.168.168.16;
    };
    zone "external" {
        type slave;
        masters {
            192.168.168.16;
        };
        file "/var/lib/bind/external.public.hosts";
    };
};

Anyone know what I'm doing wrong?

firask317 06-10-2013 08:11 PM

Hello,

I think this will solve your problem:

Code:

view "nameservers" {
    match-clients {
        192.168.168.17;
    };

    recursion yes;
    also-notify {
        192.168.168.17;
    };

    zone "168.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/192.168.168.rev";
    };

    zone "mylocalnet" {
        type master;
        file "/var/lib/bind/mylocalnet.internal.hosts";
    };

    zone "external" {
        type master;
        file "/var/lib/bind/external.public.hosts";
    };
};

acl internal {
    192.168.168.0/24;
    10.254.254.2;
    localhost;
};

view "internal" {
    match-clients {
        internal;
    };

    //... Define your internal zones here
};

view "public" {
    match-clients {
        any;
    };

    //... Define your external zones here
};

This way your secondary name server will see all zones. You had a problem because based on the IP address of the secondary nameserver, the view would be "internal" and your "external" zone is not defined there.

Hope this will solve the problem.
Regards,
Firas
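
Firas's fix works because the slave's source address is caught by an earlier, more specific view before the address-based "internal" view gets a chance to match. Selecting views by TSIG key instead of by source address removes that dependence entirely, authenticates every transfer, and also fixes the mirror-image problem on the slave that the thread does not mention: with the slave config above, a NOTIFY arriving from 192.168.168.16 is matched by the slave's "internal" view (it is inside 192.168.168.0/24), where the "external" zone does not exist either. The following is an added example, not configuration posted in this thread. The key names internal-key and public-key are my choice, the secrets are placeholders to be replaced with the output of tsig-keygen, and the zone names and file paths are taken from the thread; a key inside also-notify needs BIND 9.9 or newer.

```conf
// ---------- named.conf on the master, 192.168.168.16 ----------
// One TSIG key per view. Generate real secrets with
//   tsig-keygen -a hmac-sha256 internal-key
//   tsig-keygen -a hmac-sha256 public-key
// and paste the resulting key clauses; the secrets below are placeholders
// and will not load as-is. Both servers need both key clauses.
key "internal-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-INTERNAL-SECRET";
};
key "public-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-PUBLIC-SECRET";
};

acl internal { 192.168.168.0/24; 10.254.254.2; localhost; };

view "internal" {
    // A request signed with public-key must never land here, even though
    // 192.168.168.17 is inside the internal address range.
    match-clients { !key public-key; key internal-key; internal; };
    recursion yes;
    notify explicit;                        // notify only the targets listed below
    also-notify { 192.168.168.17 key internal-key; };
    allow-transfer { key internal-key; };   // unsigned transfer requests are refused
    zone "168.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/192.168.168.rev";
    };
    zone "mylocalnet" {
        type master;
        file "/var/lib/bind/mylocalnet.internal.hosts";
    };
    // 0/127/255.in-addr.arpa and localhost stay as in the original post
};

view "public" {
    match-clients { !key internal-key; key public-key; any; };
    recursion no;
    notify explicit;
    also-notify { 192.168.168.17 key public-key; };
    allow-transfer { key public-key; };
    zone "external" {
        type master;
        file "/var/lib/bind/external.public.hosts";
    };
};

// ---------- named.conf on the slave, 192.168.168.17 ----------
// (the same two key clauses as above go here too)
view "internal" {
    match-clients { !key public-key; key internal-key; 192.168.168.0/24; 10.254.254.2; };
    recursion yes;
    allow-notify { key internal-key; };     // an unsigned NOTIFY is rejected
    zone "mylocalnet" {
        type slave;
        // the key makes the SOA refresh and AXFR/IXFR requests signed, so the
        // master selects its "internal" view regardless of our address
        masters { 192.168.168.16 key internal-key; };
        file "/var/lib/bind/mylocalnet.internal.hosts";
    };
    zone "168.168.192.in-addr.arpa" {
        type slave;
        masters { 192.168.168.16 key internal-key; };
        file "/var/lib/bind/192.168.168.rev";
    };
};

view "public" {
    match-clients { !key internal-key; key public-key; any; };
    recursion no;
    allow-notify { key public-key; };
    zone "external" {
        type slave;
        masters { 192.168.168.16 key public-key; };   // lands in the master's "public" view
        file "/var/lib/bind/external.public.hosts";
    };
};
```

To check which view a signed query reaches, run from the slave `dig @192.168.168.16 -y hmac-sha256:public-key:<secret> external SOA +norecurse` and look for the `aa` flag in the answer: the "non-authoritative answer from master" log line in the first post is exactly named reporting that the SOA response came back without that flag. Because the secrets select views and authorise transfers, keep the key clauses in a separate file pulled in with `include` and readable only by the named user.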
