Package: bind9
Version: 1:9.7.3.dfsg-1+b1
Severity: wishlist
Tags: patch

In certain environments (especially virtualized ones) it is necessary to
run a local recursive BIND9 server which is authoritative for some
internal domains and forwards others to an external DNS server obtained
from DHCP.

For example, in Amazon's EC2 virtual hosting environment, the ".internal"
and ".amazonaws.com" domains should be forwarded to some Amazon DNS
server passed in via DHCP, but that DNS server's address is not strictly
fixed (172.16.0.23 right now, I think).

I have attached an ISC dhclient exit hook script which makes it possible
to configure a BIND9 server for that scenario.  The script should be
installed as:
  /etc/dhcp/dhclient-exit-hooks.d/bind9

Each time the DHCP client updates its current DHCP lease, it will
automatically write out a new /var/run/bind/forwarders_*.conf file named
for the network interface on which the lease was obtained.  This config
file will contain the list of recursive DNS servers specified via DHCP.

For example, here is my /var/run/bind/forwarders_eth0.conf from EC2:
  forwarders {
      172.16.0.23;
  };

I then include the appropriate file in my BIND9 config file:
  zone "amazonaws.com" IN {
      type forward;
      forward only;
      include "/var/run/bind/forwarders_eth0.conf";
  };
  zone "internal" IN {
      type forward;
      forward only;
      include "/var/run/bind/forwarders_eth0.conf";
  };
  zone "10.in-addr.arpa" IN {
      type forward;
      forward only;
      include "/var/run/bind/forwarders_eth0.conf";
  };

Please consider including this script into the BIND9 package.

Cheers,
Kyle Moffett

#! /bin/bash

#
# Script fragment to pass DHCP-obtained resolvers off to BIND9
#
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#

# Tips:
# * Be careful about changing the environment since this is sourced
# * This script fragment uses bash features

## Only handle certain operations, and only if it's a successful one
case "$1:$reason" in
	(0:BOUND|0:RENEW|0:REBIND|0:REBOOT|0:TIMEOUT)
		: ;;
	(*)
		return 0;
esac

bind_fwd_conf="/var/run/bind/forwarders_${interface}.conf"

## Generate a new forwarders file and fix permissions
mkdir -p --mode=0755 '/var/run/bind'
bind_fwd_temp="$(mktemp "${bind_fwd_conf}.XXXXXX")"
chown 0:0 "${bind_fwd_temp}"
chmod 644 "${bind_fwd_temp}"

## Populate it from DHCP data
echo 'forwarders {'			>>"${bind_fwd_temp}"
for nameserver in ${new_domain_name_servers}; do
	echo "    ${nameserver};"	>>"${bind_fwd_temp}"
done
echo '};'				>>"${bind_fwd_temp}"

## Don't do anything unless the DHCP data changed.  If this runs before /usr
## is mounted then the /usr/bin/cmp command might fail, but it's perfectly
## OK to just replace the file in that case.
if /usr/bin/cmp -s "${bind_fwd_conf}" "${bind_fwd_temp}" 2>/dev/null; then
	rm -f "${bind_fwd_temp}"
	return 0
fi

## The forwarders list has changed, so we should replace the file
mv -f "${bind_fwd_temp}" "${bind_fwd_conf}"

## We're done unless we can reload BIND
[ -x /usr/sbin/named   ] || return 0
[ -x /etc/init.d/bind9 ] || return 0

## Reload BIND9 and finish
/etc/init.d/bind9 reload || true
return 0

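The following is an added example, not the hook attached to this report and not part of the bind9 package: a POSIX sh version of the generation step that only writes entries from the DHCP-supplied list that are well-formed IPv4 addresses (so a malformed value cannot break the syntax of the file that named includes), replaces the file atomically, and reports whether it changed so the caller knows whether a reload is needed. The function names and the stderr message are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the hook attached to this report): build the forwarders
# file from the DHCP-supplied list, keeping only well-formed IPv4 addresses.

# Return 0 if $1 is a dotted quad with four decimal octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a BIND "forwarders { ... };" block for the whitespace-separated list
# in $1 (what dhclient passes as $new_domain_name_servers).  Values that are
# not IPv4 addresses are skipped and reported on stderr.
forwarders_block() {
    echo 'forwarders {'
    for ns in $1; do
        if is_ipv4 "$ns"; then
            echo "    ${ns};"
        else
            echo "forwarders: ignoring non-IPv4 value '${ns}'" >&2
        fi
    done
    echo '};'
}

# Atomically replace file $2 with the block for list $1.  Returns 0 when the
# file changed (caller should reload named) and 1 when it was already current.
write_forwarders() {
    conf=$2
    mkdir -p -m 0755 "$(dirname "$conf")"
    tmp=$(mktemp "${conf}.XXXXXX")
    chmod 644 "$tmp"
    forwarders_block "$1" >"$tmp"
    if cmp -s "$conf" "$tmp" 2>/dev/null; then
        rm -f "$tmp"          # unchanged: keep the old file, nothing to reload
        return 1
    fi
    mv -f "$tmp" "$conf"      # rename is atomic: named never sees a partial file
    return 0
}
```

In a dhclient exit hook this would be called as `write_forwarders "$new_domain_name_servers" "/var/run/bind/forwarders_${interface}.conf" && /etc/init.d/bind9 reload`.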