The schizophrenic DNS

Today I’d like to introduce a small but pretty useful feature of nameservers, using BIND as an example: delivering different answers to different IP ranges, usually called split-horizon (or split-view) DNS. Sure, this might sound strange, but if you dig into it, it’s pretty useful.

Imagine: servers usually don’t just sit there directly connected to the Internet. Usually they are somewhere behind a firewall, in a DMZ, with private addresses that differ from the public ones the firewall presents to the outside. In other words, to talk to each other directly, the servers need to address one another by those internal IPs, not by the public ones.

As we don’t want to hard-code IPs for letting the servers talk to each other, we could either maintain /etc/hosts on every server or maintain a second zone file on one nameserver, which is the easier way compared to hacking the hosts file on every machine.

To start with the nameserver fun, we need to have a look at its config, usually named.conf. Let’s assume our DMZ is 192.168.1.1-254. A matching ACL would look like this:

acl my-dmz {
    192.168.1.0/24;
};

Having the ACL set up, we can now define ‘views’, each containing its own options and zone definitions. BIND evaluates views in the order they appear and uses the first one whose match-clients matches the querying address, so the ‘internal’ view comes first: it is visible only to the my-dmz clients and allows recursive queries, while the ‘external’ view handles everybody else:

view "internal" {
        match-clients { my-dmz; };
        recursion yes;
        notify no;

        zone "." IN {
                type hint;
                file "/var/bind/root.cache";
        };

        zone "localhost" IN {
                type master;
                file "pri/localhost.zone";
                notify no;
        };

        zone "127.in-addr.arpa" IN {
                type master;
                file "pri/127.zone";
                notify no;
        };

        zone "example.com" {
                type master;
                file "/var/bind/pri/example.local.hosts";
        };

};

view "external" {
        // must use the acl name defined above (my-dmz, not my_dmz)
        match-clients { !my-dmz; any; };
        // BIND defaults to "recursion yes"; without this line the external
        // view would act as an open resolver for the whole Internet
        recursion no;

        zone "example.com" {
                type master;
                file "/var/bind/pri/example.com.hosts";
        };
};

The zone files behind those two views don’t need to be in sync. Your internal zone might name printers or other hosts that exist only on the internal network; they simply don’t appear in the external file and so are never visible to the outside. In other words, our DNS is a little schizophrenic, and that’s a plus for security: the Internet-facing view gives away neither internal hostnames nor private addresses.
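As an added example (not from the original post), here is what the two zone files referenced by the views above could look like. The hostnames, the 192.168.1.x internal addresses and the 192.0.2.x public addresses (taken from the documentation range) are made up for illustration:

```zone
; --- /var/bind/pri/example.local.hosts: served by view "internal" only ---
; Constructed example data, not from the original post.
$TTL 86400
$ORIGIN example.com.
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
         IN NS   ns1.example.com.
ns1      IN A    192.168.1.2     ; DMZ address of the nameserver itself
www      IN A    192.168.1.10    ; real (pre-NAT) address of the web server
mail     IN A    192.168.1.20
printer  IN A    192.168.1.50    ; internal only: no counterpart in the external file

; --- /var/bind/pri/example.com.hosts: served by view "external" ---
$TTL 86400
$ORIGIN example.com.
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101 ; serial; need not match the internal file
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
         IN NS   ns1.example.com.
ns1      IN A    192.0.2.2       ; public (NATed) address of the nameserver
www      IN A    192.0.2.10
mail     IN A    192.0.2.20
; deliberately no "printer" record: it must not be resolvable from the Internet
```

Check the config and both files with named-checkconf and named-checkzone (e.g. named-checkzone example.com /var/bind/pri/example.local.hosts) before reloading. Then verify the split from both sides: dig @ns1.example.com +short printer.example.com from a DMZ host returns 192.168.1.50, while the same query from outside returns NXDOMAIN, and www.example.com resolves to 192.168.1.10 inside and 192.0.2.10 outside. Since the external zone is the only thing the world can see, also restrict allow-transfer in the external view so the public zone can’t be enumerated in a single AXFR.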
