On Thu, 17 Jun 2010, Torsten wrote:

On Thu, 17 Jun 2010 13:35:38 +0100,
Phil Mayers <p.may...@imperial.ac.uk> wrote:

On 17/06/10 12:39, Jørn Skjerven wrote:
Hi!

I've tried to search the archive for this, but could not find
anything relevant.

We currently run a server with an authoritative set for domains. We
want to use the same server as a cache-only DNS for other customers
as well.

Is it possible to achieve this in a single named.conf, or is it
recommended to run two instances of bind, each with a different
listen-on <ip> statement?

Sure. Use views:

view authoritative {
   recursion no;
   match-destinations { mycurrentip; };
   zone ...
};

view recursive {
   recursion yes;
   match-destinations { myrecurseip; };
};



The important part seems to be "on a secondary IP" and afaik listen-on
statements don't work inside of view statements.

That leaves you with running two separate instances of Bind on the same
server.


Ciao
Torsten

But match-clients does work in views

I set up an acl for my internal IPs as:
acl local-nets  {
                192.168.0.0/16;         // our known internal net
                127.0.0.1;              // localhost loopback
                ::1;                    // Localhost IPV6
                };
And one for the external:
acl isp-net     { 99.178.153.41; };     // our ATT-Uverse net

and then used views:
view "internal"         // only local hosts (match-clients) will see this view
{
match-clients   { local-nets; };
allow-recursion { local-nets; };

zone .....
[zone  ... ]
};

view "external" {                       // Primary nameserver for maplepark.com.
        allow-query { any; };
//      allow-recursion { none;}; // "additional-from-cache no;" will not work with this!
        recursion no;             //  So use this instead.
        additional-from-cache no; // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

zone .....
[zone  ... ]
};

and it has been working well. I do use all private addresses for my internal network and that does require a separate zone file.

Dave

--
David Forrest                   e-mail   drf @ maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri    (Sent by ALPINE 2.01 FEDORA 11 LINUX)
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
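
The view selection discussed in this thread, as an added example that is not part of any poster's message and not BIND's own code: a simplified Python model of how named picks the first view whose match-clients and match-destinations both match, run against the two layouts above. The addresses 192.0.2.53, 192.0.2.54 and 203.0.113.9 and the view name `recursive` are constructed, and the model's `allow_recursion` default of "any" is a simplifying assumption.

```python
# Added example: simplified model of BIND view selection (not BIND code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ("0.0.0.0/0", "::/0")

def _in(addr, nets):
    """True if addr falls inside any of the listed networks or hosts."""
    a = ip_address(addr)
    return any(a.version == n.version and a in n for n in map(ip_network, nets))

@dataclass
class View:
    name: str
    match_clients: tuple = ANY        # omitted in named.conf means "any"
    match_destinations: tuple = ANY   # omitted in named.conf means "any"
    recursion: bool = True
    allow_recursion: tuple = ANY      # model assumption; set it explicitly in practice

def select_view(views, src, dst):
    """Views are tried in file order; the first one matching both lists wins."""
    for v in views:
        if _in(src, v.match_clients) and _in(dst, v.match_destinations):
            return v
    return None  # no view matches this query

def recursion_offered(views, src, dst):
    v = select_view(views, src, dst)
    return bool(v and v.recursion and _in(src, v.allow_recursion))

# Constructed addresses (documentation ranges), not taken from the thread.
AUTH_IP, RECURSE_IP, OUTSIDER = "192.0.2.53", "192.0.2.54", "203.0.113.9"
LOCAL_NETS = ("192.168.0.0/16", "127.0.0.1", "::1")   # the local-nets acl above

# Split by client address (match-clients), as in the internal/external layout.
BY_CLIENT = [
    View("internal", match_clients=LOCAL_NETS, allow_recursion=LOCAL_NETS),
    View("external", recursion=False),
]
# Split by destination address (match-destinations), as in the first layout.
BY_DEST = [
    View("authoritative", match_destinations=(AUTH_IP,), recursion=False),
    View("recursive", match_destinations=(RECURSE_IP,)),
]

if __name__ == "__main__":
    for label, views in (("by-client", BY_CLIENT), ("by-destination", BY_DEST)):
        for src in ("192.168.1.10", OUTSIDER):
            for dst in (AUTH_IP, RECURSE_IP):
                v = select_view(views, src, dst)
                print(label, src, "->", dst, v.name if v else None,
                      "recursion" if recursion_offered(views, src, dst) else "no recursion")
```

In the by-destination layout the model offers recursion to any client that can reach the recursive address, so that view also needs a match-clients or allow-recursion restriction. Swapping the order of the two views in the by-client layout sends internal clients to the external view, because the first matching view wins.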
