I would go back to setting up multi-view on the firewall / gateway. Also, there are multiple places where you are doing this wrong. As a rule of thumb, you need to keep the public IP address completely separated from the internal servers. Internal servers never need to know anything about their public IP address.
Here is what I would have from your config:
/etc/bind/domain.cl.external:
$TTL 3600
@       IN SOA  ns1.domain.cl. admin.domain.cl. (
                2009210216 ; Serial
                1H         ; Refresh
                2H         ; Retry
                4W         ; Expire
                2D )       ; Negative Cache TTL
;
@       IN NS   ns1.domain.cl.
@       IN A    100.100.100.100
@       IN MX   10 mail.domain.cl.
ns1     IN A    100.100.100.100
ns2     IN A    100.100.100.100
mail    IN A    100.100.100.100
www     IN A    100.100.100.100
ftp     IN A    100.100.100.100
/etc/bind/domain.cl.internal:
$TTL 3600
@       IN SOA  ns1.domain.cl. admin.domain.cl. (
                2009210216 ; Serial
                1H         ; Refresh
                2H         ; Retry
                4W         ; Expire
                2D )       ; Negative Cache TTL
;
@       IN NS   ns1.domain.cl.
@       IN A    1.1.1.1
@       IN MX   10 mail.domain.cl.
ns1     IN A    1.1.1.1
ns2     IN A    1.1.1.1
mail    IN A    2.2.2.2
www     IN A    1.1.1.1
ftp     IN A    1.1.1.1
/etc/named.conf:
view "private" {
    match-clients { x.x.x.x/24; }; // whatever matches your entire private network. I assume the 1.1.1.1 and 2.2.2.2 are hosts in the same subnet.
    recursion yes;
    zone "domain.cl" {
        type master;
        // private zone file including local hosts
        file "/etc/bind/domain.cl.internal";
    };
    zone "1.1.1.in-addr.arpa" {
        type master;
        file "/etc/bind/db.1";
    };
    // add required zones
};
view "public" {
    match-clients { any; }; // all other hosts
    // recursion not supported
    recursion no;
    zone "domain.cl" {
        type master;
        // public only hosts
        file "/etc/bind/domain.cl.external";
        allow-transfer { 111.111.111.111; };
    };
    // I don't even think you need this entire section. Doesn't your ISP take care of this? BEGIN
    zone "100.100.100.in-addr.arpa" {
        type master;
        file "/etc/bind/db.100";
        allow-transfer { 111.111.111.111; };
    };
    // I don't even think you need this entire section. Doesn't your ISP take care of this? END
};
// once views are in use, every zone must live inside a view: any zone declared
// in named.conf.local must be moved into "private" and/or "public" above
include "/etc/bind/named.conf.local";
/etc/resolv.conf
nameserver 127.0.0.1
nameserver 111.111.111.111 (my ISP DNS) <- This is a fail-safe in case the DNS dies: you will still have Internet access, but all of your internal services that depend on DNS will fail. This may do more harm than good, as you should never need to make your public IP known to internal servers. A better way is to set up an internal slave DNS and replace this line.
named.conf.options
options {
    directory "/var/cache/bind";
    // query-source address * port 53;
    // do not pin the query source port: a fixed port turns off BIND's
    // source-port randomization and makes cache poisoning far easier
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        111.111.111.111; // do not forward back to an internal server
    };
    auth-nxdomain yes;
    allow-query { any; };
    listen-on-v6 { any; };
};
************ IN THE ZIMBRA HOST *******************
/etc/resolv.conf
nameserver 1.1.1.1 (my Zimbra DNS)
nameserver 111.111.111.111 (my ISP DNS) <- this will definitely do more harm than good.
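The rule in the answer above (the internal view must never hand out a public address, and every public name must also exist internally) can be checked offline before reloading named. The script below is an added example written for this page, not code from the original post or from BIND; it parses the two zone files the way a master-file reader does (';' comments, parenthesised SOA, '@' and blank owners) and lints the pair. The zone texts, the origin "domain.cl." and the assumed internal ranges 1.1.1.0/24 and 2.2.2.0/24 are constructed to mirror the placeholders in the post.

```python
"""Offline lint for a split-horizon (view-based) BIND zone pair.

Added example, not code from the original post. The sample zones and the
internal address ranges below are constructed to mirror the post's
placeholders (100.100.100.100 public; 1.1.1.0/24, 2.2.2.0/24 assumed internal).
"""
import ipaddress

ORIGIN = "domain.cl."

# Constructed sample zone, same layout as the post's external file.
EXTERNAL_ZONE = """\
$TTL 3600
@       IN SOA  ns1.domain.cl. admin.domain.cl. (
                2009210216 ; Serial
                1H         ; Refresh
                2H         ; Retry
                4W         ; Expire
                2D )       ; Negative Cache TTL
@       IN NS   ns1.domain.cl.
@       IN A    100.100.100.100
@       IN MX   10 mail.domain.cl.
ns1     IN A    100.100.100.100
ns2     IN A    100.100.100.100
mail    IN A    100.100.100.100
www     IN A    100.100.100.100
ftp     IN A    100.100.100.100
"""

# Constructed internal file: same names, internal addresses, mail on 2.2.2.2.
INTERNAL_ZONE = EXTERNAL_ZONE.replace("100.100.100.100", "1.1.1.1").replace(
    "mail    IN A    1.1.1.1", "mail    IN A    2.2.2.2")


def _logical_lines(zone_text):
    """Drop ';' comments and fold parenthesised records onto one line.
    Leading whitespace of the first physical line is preserved because in
    master-file syntax it means 'same owner as the previous record'."""
    out, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            folded = " ".join([buf[0]] + [part.strip() for part in buf[1:]])
            out.append(folded.replace("(", " ").replace(")", " "))
            buf = []
    return out


def parse_a_records(zone_text, origin=ORIGIN):
    """Return {fqdn: {IPv4Address, ...}} for every A record in the zone."""
    records, owner = {}, origin
    for line in _logical_lines(zone_text):
        if line.startswith("$"):            # $TTL / $ORIGIN directives
            continue
        tokens = line.split()
        if not line[0].isspace():            # explicit owner on this line
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        # an optional TTL and/or class may precede the record type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if len(tokens) >= 2 and tokens[0].upper() == "A":
            records.setdefault(owner, set()).add(ipaddress.ip_address(tokens[1]))
    return records


def lint_split_horizon(internal_text, external_text, internal_nets, origin=ORIGIN):
    """Return a list of findings; an empty list means the two views are consistent."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    internal = parse_a_records(internal_text, origin)
    external = parse_a_records(external_text, origin)
    findings = []
    for name, addrs in sorted(internal.items()):
        for ip in sorted(addrs):
            if not any(ip in net for net in nets):
                findings.append(f"internal view hands out non-internal address {ip} for {name}")
    for name, addrs in sorted(external.items()):
        for ip in sorted(addrs):
            if any(ip in net for net in nets):
                findings.append(f"external view leaks internal address {ip} for {name}")
        if name not in internal:
            findings.append(f"{name} has no internal record; internal clients get NXDOMAIN")
    return findings


def demo():
    """Lint the clean pair and two deliberately broken variants of the internal file."""
    nets = ["1.1.1.0/24", "2.2.2.0/24"]          # assumed internal ranges (constructed)
    clean = lint_split_horizon(INTERNAL_ZONE, EXTERNAL_ZONE, nets)
    # variant 1: www copied from the public file into the internal one
    leaky = INTERNAL_ZONE.replace("www     IN A    1.1.1.1", "www     IN A    100.100.100.100")
    leak = lint_split_horizon(leaky, EXTERNAL_ZONE, nets)
    # variant 2: ftp forgotten in the internal file
    missing = INTERNAL_ZONE.replace("ftp     IN A    1.1.1.1\n", "")
    gap = lint_split_horizon(missing, EXTERNAL_ZONE, nets)
    return {"clean": clean, "leak": leak, "gap": gap}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'OK'}")
```

Run it against the real files by reading them in place of the constructed strings; a non-empty findings list is the case the answer warns about, where a host inside the network would be handed a public address or no answer at all. The check is a complement to `named-checkzone` and `named-checkconf`, which validate syntax but do not compare the two views against each other.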