On 17/09/2012 3:07 PM, Sean Cody wrote:
Another way of doing this, which would allow even more flexibility in configuring BIND for internal vs external access is to define two views:
view internal_resolver {
    match-clients      { YOUR.SUB.NET.ADDR/CIDR; };
    match-destinations { YOUR.SUB.NET.ADDR/CIDR; };
    recursion yes;
    include "/etc/named.internal.zones";
};

view external_resolver {
    match-clients { any; };
    recursion no;
    include "/etc/named.external.zones";
};
I agree this is a much better solution. It also allows a bit of flexibility for dealing with the same domain in different security domains (i.e. serverA is 10/X inside and 4.5.6.7 outside). Keeping naming consistent across zones AND ensuring internal resolvers for the same domain include external views as well is about 100 times easier to do with BIND views.
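As an added worked example (editor's addition, not a config posted by anyone in this thread), here is what the two-view layout above looks like when the same domain is served with different addresses inside and out. The zone name example.com, the 10.0.0.0/8 inside range, the acl name "inside" and the zone file paths are assumptions; the serverA addresses follow the 10/X-inside, 4.5.6.7-outside case mentioned above. Two BIND facts the example relies on: once any view is defined, every zone statement (including the root hints and localhost zones) has to live inside a view, and views are evaluated in the order they appear in named.conf, with the first view whose match-clients and match-destinations both match taking the query. That is why the restrictive internal view is listed first and the catch-all external view last.

```conf
// Added example, not from the original thread. Addresses, acl name and
// file paths are assumptions; adjust to the real network.
acl "inside" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Default to a non-recursive authoritative server; only the internal
    // view turns recursion back on for inside clients.
    recursion no;
    allow-transfer { none; };
};

// Views are matched top to bottom and the first match wins, so the
// restrictive internal view must precede the catch-all external one.
view "internal" {
    // Only queries from inside addresses, arriving on an inside address,
    // land here. match-destinations keeps a query that reaches the outside
    // interface from an inside source from being answered with inside data.
    match-clients      { inside; };
    match-destinations { inside; };
    recursion yes;
    allow-recursion    { inside; };

    // Internal copy of the zone: same names as the external copy, but
    // serverA.example.com resolves to its 10/X address here.
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    // Everyone else, including inside hosts that hit the outside address.
    match-clients { any; };
    recursion no;

    // External copy of the zone: serverA.example.com resolves to 4.5.6.7
    // here, and internal-only names should not appear in this file at all.
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { none; };
    };
};
```

Both zone files carry the same set of public names so that a client never gets NXDOMAIN for a name just because it asked from the other side; only the RDATA differs (serverA.example.com is an A record for 10.x.y.z in internal/example.com.zone and for 4.5.6.7 in external/example.com.zone). Validate the files with named-checkconf /etc/named.conf and named-checkzone example.com on each zone file before reloading, then confirm the split with dig @<server> serverA.example.com A from an inside host and from an outside host; the two answers should differ, and the outside query should report that recursion is not available.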
In which version of BIND were views introduced? I wasn't aware of this feature, and I can think of something I implemented this spring that would likely have been MUCH easier to do with this feature. Does bind use the first matching view for a given client address, in cases where an address could match multiple "match-client" patterns?