Bind 9.3 on CentOS 5 Split DNS

[cyberslugg]

Hello,

yes, I know there is a world of split DNS guides out there, and lots of great information, unfortunately, none of them seem to take into account the changes that seem to be in bind 9.3 ... named.conf file?

I'm certainly not a power use, but after reading probably 15 to 20 guides (zimbra site, zimbra forums, howtoforge, centos site, .... and many more) on installing zimbra on centos I have hit the wall on bind and split dns.

everything I find is talking about an older version of bind as far as I can tell. I have a fresh clean install, up-to-date of CentOS and it happily tells me that Bind 9.3.6-4.... is installed and ready to go. However, that's about as far as it goes.... none of the instructions on any of the guides seem to apply to editing the files to properly deal with the split dns setup.

I found a report on some site, don't recall which one, where people were listing the fact that the named.conf file is not part of the bind 9.3 install... and a discussion on that issue, some calling it a bug, some calling it a feature... fun fun, very little help.

Anyway... I can happily follow a guide and I'm sure there must be one out there, so please, point me in the right direction, I think my head might pop off if I keep going ...this has actually been on going for a week and a half now....

Still believing.....

[Matuscak]

Count me in the "Bug" camp on why Red Hat (or is it CentOS?) decided it was even remotely smart to not include a template named.conf in the recent distributions.

As for split DNS, you create that with bind views. The first thing to do is get named running with a single database., then change named.conf to incorporate views based on originating IP addresses. Creating that database can also be a bit of an exercise, for a simple start look for h2n. It takes a host file and blows it out into bind format files.

[uxbod]

On a Centos 5.4 install I have the following installed

Code:

bind-utils-9.3.6-4.P1.el5_4.2
bind-chroot-9.3.6-4.P1.el5_4.2
bind-9.3.6-4.P1.el5_4.2
bind-libs-9.3.6-4.P1.el5_4.2

You would ideally want to install the chroot package from a security perspective. Once that is done all the main config files will reside under /var/named/chroot/etc. Here is a simple split view templated

Code:

acl "dns_slaves" {
        XXX.XXX.XXX.XXX;
        XXX.XXX.XXX.XXX;
};

acl "trusted" {
        192.168.1.0/24;                         # network address of your local LAN
        127.0.0.1;                              # allow loop back
        localnets;
};

options {                                       # this section sets the default options
        directory "/var/named";                 # directory where the zone files will reside
        listen-on {
                XXX.XXX.XXX.XXX;                 # IP address of the local interface to listen
                127.0.0.1;                      # ditto
        };
        pid-file "/var/run/named/named.pid";
        auth-nxdomain no;                       # conform to RFC1035
        recursion no;                           # disallow recursive queries unless over-ridden below
        version "0";                            # obscures version reporting - can't hurt

        allow-transfer { dns_slaves; };
        allow-query { trusted; };
        allow-query-cache { trusted; };
};

logging {
        category lame-servers { null; };
};

controls {
        inet 127.0.0.1 allow { localhost; }
        keys { rndc-key; };
};

view "internal" {

        match-clients { trusted; };             # match hosts in acl "trusted" above
        allow-query { any; };                   # allow anyone to issue queries
        recursion yes;                          # allow recursive queries
        notify no;                              # disable AA notifies
        additional-from-auth yes;
        additional-from-cache yes;

        zone "." {
                type hint;
                file "data/static/named.ca";
        };

        zone "localhost" {
                type master;
                file "data/static/localhost.zone";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "data/static/127.zone";
        };

        zone "1.168.192.in-addr.arpa" {
                type master;
                file "data/internal/1.168.192.zone";
        };

        zone "XXXXXXXXXX.XXX" {
                type master;
                file "data/internal/XXXXXXXXXX.XXX.zone";
        };

};

view "external" {

        match-clients { any; };
        recursion no;
        allow-transfer { dns_slaves; };
        additional-from-auth no;
        additional-from-cache no;

        zone "." in {
                type hint;
                file "data/static/named.ca";
        };

        zone "XXXXXXXXXX.XXX" {
                type master;
                file "data/external/XXXXXXXXXX.XXX.zone";
                allow-query { any; };
        };

};

view "chaos" chaos {

        match-clients { any; };
        recursion no;

        zone "." {
                type hint;
                file "/dev/null";
        };

        zone "bind" {
                type master;
                file "data/static/db.bind";

                allow-query { trusted; };
                allow-transfer { none; };
        };

};

[Klug]

In order to have a "simple" split-domain (as "simple" I mean "only a couple records"), using dnsmasq is much easier...

[cyberslugg]

This is some good informaiton.

Uxbod, I have the same bind installs listed as you when I check. I can also see the chroot folder structure under /var/named/chroot/.... But there are no files to work with, I'm guessing that means there is another package I need to run? That or I've simply gone cross eyed and can no long make any sense of the computer screens in front of me

Klug, this particular install is only going to deal with one resolution, but in the future we are looking to encourage our clients to move to a ZCS solution for there offices. We are competing with a local Tel Co that is pitching hosted Exchange.... Zimbra is much better . There may be up to 5 to deal with for some offices... i'm guessing that is pushing it for dnsmasq? I've seen the name around a bit, but didnt' go down that road since so much info in the guides were directly speaking to bind.

Matuscak, the change certainly doesn't seem to have made anything easier... maybe there is a wonderfully glorious reason for the switch, and in my uneducated state I am simply missing it, but whatever the case it just left me confused.

I'm going to go at this again to day with your suggestions and added info. I'll be intouch...

[uxbod]

You are not missing anything as no samples are provided

[phoenix]

Quote:

Originally Posted by Matuscak

Count me in the "Bug" camp on why Red Hat (or is it CentOS?) decided it was even remotely smart to not include a template named.conf in the recent distributions.

As for split DNS, you create that with bind views. The first thing to do is get named running with a single database., then change named.conf to incorporate views based on originating IP addresses. Creating that database can also be a bit of an exercise, for a simple start look for h2n. It takes a host file and blows it out into bind format files.

You could also install Webmin and use that to manage Bind or you could get rid of the bloated and buggy Bind and use Power DNS server and recursor with PDNS-admin to manage it - it's fast, secure, less buggy and simple to set-up.