Embed Size (px)
Citation preview
11/18/19
1
1
DNS & DNSSEC Workshop
18-21 Nov 2019Port Moresby, Papua New Guinea
1
22
Outline• DNS Overview
– Configuration– Forward DNS and Reverse DNS– Troubleshooting
• DNS Security Overview– DNS Transactions
• DNSSec– DNSSEC Signing– DNSSec Key Rollover
2
11/18/19
2
3
DNS OVERVIEWModule I:
3
44
Domain Name System• A lookup mechanism for translating objects into other
objects– Mapping names to numbers and vice versa
• A critical piece of the Internet infrastructure
4
4
11/18/19
3
5
IP Addresses vs Domain Names
The Internet
2001:0C00:8888::My Computer www.apnic.net2001:0400::
www.apnic.net202.112.0.462001:0400::
DNS
5
5
66
• A centrally-maintained file, distributed to all hosts on the Internet
• Issues with having just one file– Becomes huge after some time– Needs frequent copying to ALL hosts– Consistency– Always out-of-date– Name uniqueness– Single point of administration
Old Solution: hosts.txt
// hosts.txtSERVER1 128.4.13.9WEBMAIL 4.98.133.7FTPHOST 200.10.194.33
6
This feature still exists:[Unix] /etc/hosts
[Windows] c:\windows\hosts
6
11/18/19
4
77
DNS Features
Globally distributed
Loosely coherent Scalable
Reliable Dynamic
7
7
88
DNS Features• DNS is a client-server application
• Requests and responses are normally sent via UDP port 53• Occasionally uses TCP port 53 for very large requests,
– e.g. zone transfer from primary to secondary
8
8
11/18/19
5
9
Root.
.org .net .com .pg
.gov.pg
example.gov.pg
.gov
.as
.tv
.aux.y.z.a
www.example.gov.pg
a.b.c.d
e.f.g.h
i.j.k.l
m.n.o.pw.x.y.z.
p.q.r.s
“Ask a.b.c.d”“Ask e.f.g.h”
“Ask i.j.k.l”
“Go to m.n.o.p”
localdns
www.example. gov.pg?“go tom.n.o.p”
www.example.gov.pg?
www.example.gov.pg?
www.example.gov.pg?
www.example. gov.pg?
Querying the DNS – It’s all about IP!
9
9
10
The DNS Tree HierarchyRoot.
net jporg com arpa pg
whois
edu
bnu
iana
www www
…
www training
ws1 ws2
gov comnet
abc
www
apnictest
www
FQDN = Fully Qualified Domain Name
10
10
11/18/19
6
11
DNS Terminologies
11
11
1212
DNS Components• A “name space”
• Servers making that name space available
• Resolvers (clients) query the servers about the name space
12
11/18/19
7
1313
Domains• Domains are “namespaces”
• Everything below .com is in the com domain• Everything below apnic.net is in the apnic.net domain and
in the net domain
13
13
14
NET Domain
APNIC.NET Domain
AU Domain
www.def.edu.au?
Root.
net org com arpa au
whois
iana
wwwwww training
ws1 ws2
edu comnet
abc
www
apnic
def
www
Domains
14
14
11/18/19
8
1515
Delegation• Administrators can create subdomains to group hosts
– According to geography, organizational affiliation or any other criterion
• An administrator of a domain can delegate responsibility for managing a subdomain to someone else– But this isn’t required
• The parent domain retains links to the delegated subdomain– The parent domain “remembers” to whom the subdomain is
delegated
15
15
1616
Zones and Delegations• Zones are “administrative spaces”
• Zone administrators are responsible for a portion of a domain’s name space
• Authority is delegated from parent to child
16
16
11/18/19
9
17
NET Domain
APNIC.NETDomain
NET Zone
TRAINING.APNIC.NET Zone
APNIC.NET Zone doesn’t include TRAINING.APNIC.NETsince it has been “delegated”
APNIC.NET Zone
Root.
net org com arpa
whois
iana
wwwwww training
ns1 ns2
apnic
Zones
17
17
1818
Name Servers• Name servers answer ‘DNS’ questions
• Several types of name servers– Authoritative servers
• master (primary)• slave (secondary)
– Caching or recursive servers• also caching forwarders
• Mixture of functions
Primary
Secondary
18
18
11/18/19
10
1919
Root Servers• The top of the DNS hierarchy
• There are 13 root name servers operated around the world[a-m].root-servers.net
• There are more than 13 physical root name servers– Each rootserver has an instance deployed via anycast
19
19
2020
Root Servers
20
http://root-servers.org/
20
11/18/19
11
2121
Root Server Deployment at APNIC• Started in 2002, APNIC is committed to establish new root
server sites in the AP region
• APNIC assists in the deployment providing technical support.
• Deployments of F, K and I-root servers in – Singapore, Hong Kong, China, Korea, Thailand, Malaysia, Indonesia,
Philippines, Fiji, Pakistan, Bangladesh, Taiwan, Cambodia, Bhutan, and Mongolia
21
21
2222
Resolver• Or “stub” resolver
• A piece of software (usually in the operating system) which formats the DNS request into UDP packets
• A stub resolver is a minimal resolver that forwards all requests to a local recursive nameserver– The IP address of the local DNS server is configured in the resolver.
• Every host needs a resolver– In Linux, it uses /etc/resolv.conf
• It is always a good idea to configure more than one nameserver
22
22
11/18/19
12
23
Recursive Nameserver• The job of the recursive nameserver is
to locate the authoritative nameserver and get back the answer
• This process is iterative – starts at the root
• Recursive servers are also usually caching servers
• Prefer a nearby cache– Minimizes latency issues– Also reduces traffic on your external links
• Must have permission to use it– Your ISP’s nameserver or your own
23
Recursive/Caching Nameserver
23
2424
Authoritative Nameserver• A nameserver that is authorised to provide an answer for a
particular domain– Can be more than one auth nameserver
• Two types based on management method:– Primary (Master) and Secondary (Slave)
• Only one primary nameserver– All changes to the zone are done in the primary
• Secondary nameserver/s will retrieve the zonefile from the primary server– Slaves poll the master periodically
• Primary server can “notify” the slaves
24
Primary
Secondary
Secondary
24
11/18/19
13
2525
Resource Records• Entries in the DNS zone file
• Components:
Resource Record FunctionLabel Name substitution for FQDNTTL Timing parameter, an expiration
limitClass IN for Internet, CH for ChaosType RR Type (A, AAAA, MX, PTR) for
different purposesRDATA Anything after the Type identifier;
Additional data
25
25
2626
Common Resource Record TypesRR Type Name FunctionsA Address record Maps domain name to IP address
www.example.com. IN A 192.168.1.1
AAAA IPv6 address record Maps domain name to an IPv6 addresswww.example.com. IN AAAA 2001:db8::1
NS Name server record Used for delegating zone to a nameserverexample.com. IN NS ns1.example.com.
PTR Pointer record Maps an IP address to a domain name1.1.168.192.in-addr.arpa. IN PTR www.example.com.
CNAME Canonical name Maps an alias to a hostnameweb IN CNAME www.example.com.
MX Mail Exchanger Defines where to deliver mail for user @ domainexample.com. IN MX 10 mail01.example.com.
IN MX 20 mail02.example.com.
26
26
11/18/19
14
2727
Example: RRs in a zone fileapnic.net. 7200 IN SOA ns.apnic.net. admin.apnic.net. (
2019111801 ; Serial
12h ; Refresh 12 hours
4h ; Retry 4 hours
4d ; Expire 4 days
2h ; Negative cache 2 hours )
apnic.net. 7200 IN NS ns.apnic.net.
apnic.net. 7200 IN NS ns.ripe.net.
www.apnic.net. 3600 IN A 192.168.0.2
www.apnic.net 3600 IN AAAA 2001:DB8::2
Label TTL Class Type Rdata
27
27
28
Places where DNS data livesChanges do not propagate instantly
Registry DB
Master
Slave server
Slave
Cache server
Not going to net if TTL>0
Might take up to ‘refresh’ to get data from master
Upload of zone data is local policy
28
28
11/18/19
15
2929
Delegating a Zone• Delegation is passing of authority for a subdomain to
another party
• Delegation is done by adding NS records– Ex: if APNIC.NET wants to delegate TRAINING.APNIC.NET
training.apnic.net. NS ns1.training.apnic.net.training.apnic.net. NS ns2.training.apnic.net.
• Now how can we go to ns1 and ns2?– We must add a Glue Record
29
29
3030
Only this record needs glue
Glue Record• Glue is a ‘non-authoritative’ data
• Don’t include glue for servers that are not in the sub zones
training.apnic.net. NS ns1.training.apnic.net.training.apnic.net. NS ns2.training.apnic.net.
training.apnic.net. NS ns2.example.net.training.apnic.net. NS ns1.example.net.
ns1.training.apnic.net. A 10.0.0.1ns2.training.apnic.net. A 10.0.0.2
Glue Record
30
30
11/18/19
16
31
Delegating training.apnic.net. from apnic.net.
ns.training.apnic.net1. Setup minimum two servers2. Create zone file with NS records3. Add all training.apnic.net data
ns.apnic.net1. Add NS records and glue2. Make sure there is no other data
from the training.apnic.net. zone in the zone file
31
31
3232
Remember ...• Deploy multiple authoritative servers to distribute load and
risk– Put your name servers apart from each other
• Use cache to reduce load to authoritative servers and response times
• SOA timers and TTL need to be tuned to the needs of the zone – For stable data, use higher numbers
32
32
11/18/19
17
3333
Performance of DNS• Server hardware requirements• OS and the DNS server running• How many DNS servers?• How many zones are expected to load?• How large are the zones?• Zone transfers• Where are the DNS servers located?• Bandwidth
33
33
3434
Performance of DNS• Are these servers multihomed?
• How many interfaces are to be enabled for listening? • How many queries are expected to receive?
• Recursion
• Dynamic updates
• DNS notifications
34
34
11/18/19
18
35
35
35
36
DNS CONFIGURATIONModule 2:
36
11/18/19
19
3737
DNS Software• DNS BIND – authoritative + recursive server
• Unbound - caching DNS resolver• NSD – authoritative only nameserver
• Microsoft DNS – provided with the Windows Server
• Knot DNS – authoritative only nameserver
• PowerDNS – data storage backends
37
37
3838
BIND• Berkeley Internet Name Domain
• The most widely-used open source DNS software on the Internet– Current stable version is Bind 9.14.7 – Bind 9.15.5 is in development
• Maintained by the Internet Systems Consortium (ISC)
38
38
11/18/19
20
3939
Where to Get BIND• Download source from the ISC website
– http://www.isc.org
• Install from your distribution’s package managerapt-get install bind9yum install bind bind-utils
• Some packages may also be required – OpenSSL is a necessary for DNSSEC
39
39
4040
Unpacking BIND9• When installing BIND from source, decompress the gzip file
tar xvfz bind-9.<version>.tar.gzcd bind-9.<version>
• What's in there?– A lot of stuff (dig, libraries, etc)– Configure scripts– Administrator's Reference Manual (ARM)
40
40
11/18/19
21
4141
Building BIND9 from Source• Execute from the BIND 9 directory • Determine the appropriate includes and compiler settings
./configure --with-openssl
• Build and compilemake
• Install the BIND packagemake install
• Verify the installationwhich named
named -v
41
41
4242
Building BIND9 with Package Manager• Redhat/CentOS
yum –y install bind9
• Ubuntu / Debian
apt-get install bind9
42
42
11/18/19
22
4343
Location of Executables/usr/local/sbin
– named– dnssec-keygen, dnssec-makekeyset, dnssec-signkey, dnssec-
signzone– lwresd, named-checkconf, named-checkzone– rndc, rndc-confgen
/usr/local/bin– dig– host, isc-config.sh, nslookup– nsupdate
43
43
4444
Named Configuration• The BIND configuration file is called “named.conf”
– Default location is in /etc/named.conf– Run named with –c option to specify a different location
• Defines the zones and points to the corresponding zonefile
• Defines global options• Logging can be turned on for troubleshooting
44
44
11/18/19
23
4545
Named Configuration• BIND Configuration file
• Options statement contains all global configuration options to be used as defaults by named.
options {directory “/var/named/recursive”; };
• Zone statement defines the zones and any zone-specific optionzone “myzone.net” {
type master;file “db.myzone.net”; };
45
45
4646
Root Hints• Pointer to the root servers
• Root hints file come in many names – db.cache, named.root, named.cache, named.ca
• Get it from ftp://ftp.rs.internic.net/domain/
• Defined as follows in the config filezone “.” {
type hint;file “root.hints”; };
46
46
11/18/19
24
4747
What it looks like. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
; operated by WIDE
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
ftp://ftp.rs.internic.net/domain/
47
47
4848
Configuring a Recursive Server• The recursive server needs to know how to reach the top of the
DNS hierarchy
• It should also stop some queries such as those for localhost (127.0.0.1)
• The following files are required to run a recursive/caching server:– named.conf– root.hints– localhost zone (db.localhost)– 0.0.127.in-addr.arpa zone (db.127.0.0.1)– ::1 IPv6 reverse zone (db.ip6)
48
48
11/18/19
25
49
Zones in a Recursive Server• Loopback name in operating
systems– Queries for this shouldn't use
recursion– Configure a file to define the
localhost zone– Localhost will map to 127.0.0.1
and ::1
zone “localhost” {type master;file db.localhost; };
• Reverse zone for the loopback– maps 127.0.0.1 (and ::1) to
localhost
zone “0.0.127.in-addr.arpa” { type master;
file db.127.0.0.1;};
49
49
5050
Zones in a Recursive Server• Reverse zone for IPv6 link-local address
zone “8.B.D.0.1.0.0.2.ip6.arpa” {type master;file db.2001.db8;};
• Built-in empty zones will be created for RFC 1918, RFC 4193, RFC 5737 and RFC 6598
50
https://tools.ietf.org/html/rfc6303
50
11/18/19
26
51
Example named.confzone "0.0.127.in-addr.arpa." {
type master;
file ”db.127";
};
zone "8.B.D.0.1.0.0.2.ip6.arpa." {
type master;
file ”db.2001.db8";
};
options {
directory "/var/named/recursive";
recursion yes;
};
zone "." {
type hint;
file "named.root";
};
zone "localhost." {
type master;
file "localhost";
};
51
51
5252
Zone Files• Contain the resource records defined in a particular zone• begins with a Start of Authority Record (SOA)
@ SOA localhost. root.localhost. (2019111801 ;serial no.30m ;refresh15m ;retry1d ;expire30m ;negative cache ttl )
• Common Zone File directives– $ORIGIN– $INCLUDE– $TTL – @ represents the current origin
52
52
11/18/19
27
53
Start of Authority (SOA) record
• Serial Number – must be updated if any changes are made in the zone file
• Refresh – how often a secondary will poll the primary server to see if the serial number for the zone has increased
• Retry - If a secondary was unable to contact the primary at the last refresh, wait the retry value before trying again
• Expire - How long a secondary will still treat its copy of the zone data as valid if it can't contact the primary.
• Minimum TTL - The default TTL (time-to-live) for resource records
Domain_name. CLASS SOA hostname.domain.name. mailbox.domain.name( Serial Number
RefreshRetryExpireMinimum TTL )
53
53
5454
TTL Time Values • The right value depends on your domain• Recommended time values for TLD (based on RFC 1912)
Refresh 86400 (24h)Retry 7200 (2h)Expire 2592000 (30d)Min TTL 345600 (4d)
• For other servers – optimize the values based on– Frequency of changes– Required speed of propagation– Reachability of the primary server– (and many others)
54
54
11/18/19
28
5555
localhost zonefile$TTL 86400
@ IN SOA localhost. root.localhost. (
2019111801 ; serial
1800 ; refresh
900 ; retry
69120 ; expire
1080 ; negative ttl
)
NS localhost.
A 127.0.0.1
AAAA ::1
55
55
5656
0.0.127.in-addr.arpa zonefile$TTL 86400
@ IN SOA localhost. root.localhost. (2019111801 ; serial1800 ;refresh
900 ;retry69120 ;expire
1080 ;negative ttl)
NS localhost.1 PTR localhost.
56
56
11/18/19
29
5757
ip6.arpa zonefile$TTL 86400
@ IN SOA localhost. root.localhost. (2019111801 ; serial1800 ;refresh
900 ;retry69120 ;expire
1080 ;negative ttl)
NS localhost.1 PTR localhost.
57
57
5858
Assembling the files• Create a directory in /var/named/ and copy the files
# mkdir recursive# ls
0.0.127.in-addr.arpa db.localhost root.hints
• The directory name and file names will be defined in named.conf
• Now create a named.conf file in the same directory
58
58
11/18/19
30
5959
Running the server• From the directory
named -g -c named.conf
where:-c path to the configuration file-g run in the foreground
59
59
6060
Testing the server% dig @127.0.0.1 www.google.com
; <<>> DiG 9.8.3-P1 <<>> www.google.com;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 213;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:;www.google.com. IN A
;; ANSWER SECTION:www.google.com. 156 IN A 74.125.237.115www.google.com. 156 IN A 74.125.237.113www.google.com. 156 IN A 74.125.237.116www.google.com. 156 IN A 74.125.237.114www.google.com. 156 IN A 74.125.237.112
;; Query time: 27 msec;; SERVER: 127.0.0.1#53(203.119.98.119);; WHEN: Thu Jul 11 13:46:29 2013;; MSG SIZE rcvd: 112
60
60
11/18/19
31
61
61
61
62
TROUBLESHOOTING AND ACLModule 4:
62
11/18/19
32
6363
Why Troubleshoot?• What Can Go Wrong?
– Misconfigured zone– Misconfigured server– Misconfigured host– Misconfigured network
63
63
6464
Tools• BIND Logging Facility
• named's built-in options• ping and traceroute
• tcpdump and wireshark
• dig and nslookup
64
64
11/18/19
33
6565
The Best Way To Handle Mistakes• Assume You Will Make Them
• Prepare The Name Server via Logging
65
65
6666
BIND Logging• Telling named which messages to send
– category specification
• Telling named where to send messages– channel specification
66
66
11/18/19
34
6767
BIND channels• BIND can use syslog
• BIND can direct output to other files
channel my_dns_log {file "seclog" versions 3 size 10m;print-time yes;print-category yes;print-severity yes;severity debug 3;};
67
67
6868
BIND Categories• BIND has many categories
• Short descriptions of each can be found in the Administrator's Reference Manual (ARM)
category queries { my_dns_log; };
68
68
11/18/19
35
6969
So You've Set Up A Server• What tests should be done?
• Test if the server up– Is the (right) server running?– Is the machine set up correctly?
• Test if data is being served– Has the zone loaded?– Have zone transfers happened?
69
69
7070
Checking the Configuration• To see named start, use the -g flag
– Keeps named process in the foreground– Prints some diagnostics– But does not execute logging
• When satisfied (i.e. no errors), kill the process and start without –g flag to run in the background
• Other option– % named-checkconf (check for syntax only)
70
70
11/18/19
36
7171
Is the Server Running?• Make sure the server is running
– dig @127.0.0.1 version.bind chaos txt
• This makes the name server do the simplest lookup it can -its version string
• This also confirms which version you started– Common upgrade error: running the old version
71
71
7272
Is the Server Data Correct?• Check the serial number to make sure the zone has loaded
dig @127.0.0.1 <zone> soa
• Also test changed data in case you forgot to update the serial number
• In the secondary server, this check is made to see if the zone transferred
72
72
11/18/19
37
7373
Is the Server Reachable?• If the dig tests fail, its time to test the environment (machine,
network)
ping <server machine ip address>
• This tests basic network flow, common errors– Network interface not UP– Routing to machine not correct
• Pinging locally is useful– Confirms that the IP address is correctly configured
73
73
7474
Is the Server Listening?• If the server does not respond, but machine responds to
ping– look at system log files– telnet server 53– firewall running?
• Server will run even if it can't open the network port– logs will show this– telnet opens a TCP connection, tests whether port was opened at all
74
74
11/18/19
38
7575
Using the Tools• named itself
• Dig or nslookup• host diagnostics
• packet sniffers
75
75
7676
Built in to named• named -g to retain command line
named -g -c <conf file>
• named -d <level>– sets the debug output volume– <level>'s aren't strictly defined– -d 3 is popular, -d 99 gives a lot of detail
76
76
11/18/19
39
7777
dig• domain internet groper
• best tool for testing• shows query and response syntax
• Included in the software
77
77
7878
FlagsFlags Meaning
AA Authoritative answerRD Recursion desiredRA Recursion AvailableAD Authenticated Data (DNSSEC
only)CD
Status Response Code0 - NOERR No error1 - FORMERR Format error2 - SERVFAIL Nameserver unreachable3 - NXDOMAIN Domain name not existing4 - NOTIMPL Not implemented5 - REFUSED Request refused
78
78
11/18/19
40
7979
Non-BIND Tools• Tools to make sure the environment is right
– Tools to look at server machine– Tools to test network– Tools to see what messages are on the network
79
79
8080
ifconfig• Interface configuration
ifconfig -a
• An operating system utility that shows the status of interfaces
• Warning, during boot up, ifconfig may configure interfaces after named has started– named can't open delayed addresses
80
80
11/18/19
41
8181
ping• Checks routing, machine health
– Most useful if run from another host– Could be reason "no servers are reached"– Can be useful on local machine - to see if the interface is properly
configured
81
81
8282
traceroute• If ping fails, traceroute can help pinpoint where trouble lies
– the problem may be routing– if so - it's not named that needs fixing!– but it is important to know
82
82
11/18/19
42
8383
tcpdump and wireshark• Once confident in the environment, problems with DNS
setup may exist
• To see what is happening in the protocol, use traffic sniffers
• These tools can help debug "forwarding" of queries
83
83
8484
Address Match List• Elements:
– Individual IP addresses– Addresses or netmask pairs– Names of other ACLs– Key names
• Used for:– Restricting queries & zone xfer– Authorizing dynamic updates– Selecting interfaces to listen on– Sorting responses
84
84
11/18/19
43
8585
Notes on Address Match list• Elements must be separated by “ ; ”
• The list must be terminated with a “ ; ”• Elements of the address match list are checked
sequentially
• To negate elements of the address match list prepend them with “!”
• Use acl statement to name an address match list
• ACL must be defined before it can be used elsewhere
85
85
8686
Example: Address match lists• For network 192.168.0.0 255.255.255.0
{ 192.168.0.0/24; }
• For network plus loopback{ 192.168.0.0/24; 127.0.0.1; ::1; }
• Addresses plus key name{ 192.168.0.0/24; 127.0.0.1; example.com;}
86
86
11/18/19
44
8787
ACL Statement• Syntax:
acl <acl name> { address match list>};
• Example:
acl internal { 127.0.0.1; 192.168.0/24; };
acl dynamic-update { key dhcp.apnic.net; };
87
87
8888
Notes on ACL Statement• The ACL name need not be quoted
• There are four predefined ACLs:– any (Any IP address)– none (No IP address)– localhost (loopback, 127.0.0.1)– localnets (all networks that is directly connected to the server)
88
88
11/18/19
45
8989
Blackholeoptions {
blackhole { ACL-name or itemized list; };
};
89
89
9090
Allow-transferzone "myzone.example." {
type master;
file "myzone.example.";
allow-transfer { ACL-name or itemized list; };
};
90
90
11/18/19
46
9191
Allow-Queryzone "myzone.example." {
type master;
file "myzone.example.";
allow-query { ACL-name or itemized list; };
};
91
91
9292
Listen-onoptions {
listen-on port # { ACL-
name or itemized list;};
};
92
92
11/18/19
47
9393
Mastersmasters name { masters_list | ip_addr };
Ex:
masters nsX { 192.168.0.1; 2001:db8::1 ; };
zone “example.com” {
type slave;
masters { nsX; };
file “/link/to/db.example.com”;
};
93
93
9494
Summary• ACLs and Configuration options can be used to create
simple split DNS
• It is cumbersome and difficult to maintain
• Good operational practice suggests that ACLs and configuration options be reviewed regularly to ensure that they accurately reflect the desired behavior
94
94
11/18/19
48
9595
Views• a powerful new feature of BIND 9 that lets a name server
answer a DNS query differently depending on who is asking
• useful for implementing split DNS setup without having to run multiple servers
95
95
9696
Viewsview view_name[class] {match-clients { address_match_list } ;match-destinations {
address_match_list } ;match-recursive-only yes_or_no ;
[ view_option; ...][ zone_statement; ...]
};
96
96
11/18/19
49
9797
Example Configview "internal" {
// This should match our internal networks.match-clients { 10.0.0.0/8; };
// Provide recursive service to internal clients only.recursion yes;
// Provide a complete view of the example.com zone// including addresses of internal hosts.zone "example.com" {
type master;file "example-internal.db";
};};
97
97
9898
Example Config (2)view "external" {
// Match all clients not matched by the previous view.match-clients { any; };
// Refuse recursive service to external clients.recursion no;
// Provide a restricted view of the example.com zone// containing only publicly accessible hosts.zone "example.com" {
type master;file "example-external.db";
};};
98
98
11/18/19
50
99
99
99
