Package: bind9
Version: 1:9.7.3.dfsg-1+b1
Severity: wishlist
Tags: patch

In certain environments (especially virtualized ones) it is necessary to run a local recursive BIND9 server which is authoritative for some internal domains and forwards others to an external DNS server obtained from DHCP.
For example, in Amazon's EC2 virtual hosting environment, the ".internal" and ".amazonaws.com" domains should be forwarded to some Amazon DNS server passed in via DHCP, but that DNS server's address is not strictly fixed (172.16.0.23 right now, I think).

I have attached an ISC dhclient exit hook script which makes it possible to configure a BIND9 server for that scenario. The script should be installed as:

  /etc/dhcp/dhclient-exit-hooks.d/bind9

Each time the DHCP client updates its current DHCP lease, it will automatically write out a new /var/run/bind/forwarders_*.conf file named for the network interface on which the lease was obtained. This config file will contain the list of recursive DNS servers specified via DHCP. For example, here is my /var/run/bind/forwarders_eth0.conf from EC2:

  forwarders {
      172.16.0.23;
  };

I then include the appropriate file in my BIND9 config file:

  zone "amazonaws.com" IN {
      type forward;
      forward only;
      include "/var/run/bind/forwarders_eth0.conf";
  };

  zone "internal" IN {
      type forward;
      forward only;
      include "/var/run/bind/forwarders_eth0.conf";
  };

  zone "10.in-addr.arpa" IN {
      type forward;
      forward only;
      include "/var/run/bind/forwarders_eth0.conf";
  };

Please consider including this script into the BIND9 package.

Cheers,
Kyle Moffett
#! /bin/bash
#
# Script fragment to pass DHCP-obtained resolvers off to BIND9
#
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# Tips:
#   * Be careful about changing the environment since this is sourced
#   * This script fragment uses bash features

## Only handle certain operations, and only if it's a successful one
case "$1:$reason" in
(0:BOUND|0:RENEW|0:REBIND|0:REBOOT|0:TIMEOUT) : ;;
(*) return 0 ;;
esac

bind_fwd_conf="/var/run/bind/forwarders_${interface}.conf"

## Generate a new forwarders file and fix permissions
mkdir -p --mode=0755 '/var/run/bind'
bind_fwd_temp="$(mktemp "${bind_fwd_conf}.XXXXXX")"
chown 0:0 "${bind_fwd_temp}"
chmod 644 "${bind_fwd_temp}"

## Populate it from DHCP data
echo 'forwarders {' >>"${bind_fwd_temp}"
for nameserver in ${new_domain_name_servers}; do
	echo "	${nameserver};" >>"${bind_fwd_temp}"
done
echo '};' >>"${bind_fwd_temp}"

## Don't do anything unless the DHCP data changed.  If this runs before /usr
## is mounted then the /usr/bin/cmp command might fail, but it's perfectly
## OK to
## cmp -s is the silent mode: only the exit status tells us whether the
## files differ.
if /usr/bin/cmp -s "${bind_fwd_conf}" "${bind_fwd_temp}" 2>/dev/null; then
	rm -f "${bind_fwd_temp}"
	return 0
fi

## The forwarders list has changed, so we should replace the file
mv -f "${bind_fwd_temp}" "${bind_fwd_conf}"

## We're done unless we can reload BIND
[ -x /usr/sbin/named ] || return 0
[ -x /etc/init.d/bind9 ] || return 0

## Reload BIND9 and finish
/etc/init.d/bind9 reload || true
return 0
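The hook above takes whatever dhclient hands it in $new_domain_name_servers and writes it straight into a file that named will parse as configuration. dhclient already formats the domain-name-servers option as IP addresses, but the DHCP server is still an untrusted party on the network, so a hook that feeds a root daemon's config deserves a belt-and-braces check. The following is an added example, not Kyle's attached script and not code from the bind9 package: it validates each address literal before rendering the forwarders block, replaces the file atomically, uses cmp's real silent flag (-s), and reports whether named needs a reload. The function names (is_ipv4, is_ipv6, render_forwarders, install_forwarders) and the "changed"/"unchanged" result convention are this example's own assumptions, and it is written in POSIX sh rather than bash.

```shell
#!/bin/sh
# Added example (not part of the attached hook or the bind9 package).
# Validate the DHCP-supplied resolver list before it becomes named config,
# install it atomically, and say whether a reload is needed.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The body runs in a subshell so the IFS/noglob changes stay contained.
is_ipv4() (
    set -f                      # no pathname expansion on the split words
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet; do
        case "$octet" in
            ''|*[!0-9]*) exit 1 ;;
        esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Return 0 if $1 looks like an IPv6 literal: hex digits and colons only, with
# at least two colons.  named's own parser does the full validation later.
is_ipv6() {
    case "$1" in
        *[!0-9a-fA-F:]*) return 1 ;;
        *:*:*)           return 0 ;;
        *)               return 1 ;;
    esac
}

# Print a BIND "forwarders { ... };" block from the whitespace-separated
# address list in $1.  Any token that is not a plain address literal is
# dropped with a warning rather than pasted into named's configuration.
render_forwarders() (
    set -f
    printf 'forwarders {\n'
    for ns in $1; do
        if is_ipv4 "$ns" || is_ipv6 "$ns"; then
            printf '\t%s;\n' "$ns"
        else
            printf 'dhclient-bind9: ignoring non-address forwarder "%s"\n' "$ns" >&2
        fi
    done
    printf '};\n'
)

# Write the block for address list $2 to path $1 (mode 0644, mktemp + mv so
# named never sees a half-written file) and print "changed" or "unchanged".
install_forwarders() {
    target=$1
    addrs=$2
    dir=$(dirname "$target")
    mkdir -p -m 0755 "$dir" || return 1
    tmp=$(mktemp "$target.XXXXXX") || return 1
    render_forwarders "$addrs" >"$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    # cmp -s is silent; its exit status alone says whether the content differs.
    if cmp -s "$target" "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo unchanged
    else
        mv -f "$tmp" "$target" || return 1
        echo changed
    fi
}

# In the exit hook itself the call would look like this (assumed usage):
#   case "$(install_forwarders "/var/run/bind/forwarders_${interface}.conf" \
#                              "$new_domain_name_servers")" in
#       changed) /etc/init.d/bind9 reload || true ;;
#   esac
```

Because render_forwarders only ever emits tokens that passed the address checks, a lease carrying anything other than address literals can at worst shrink the forwarders list (with a warning on stderr), never alter the rest of named's configuration; and because the reload is tied to "changed", a RENEW that brings the same servers back does not bounce named.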