Trumphurst Ltd. - BIND setup to provide different views on the DNS

/etc/named.conf

// Access lists for my office networks
acl trumphurst {
	192.168.1.0/24; localhost;
};

acl gigabit {
	192.168.3.0/24; 
};

// Access list for the WLAN network
acl moors {
	192.168.2.0/24; 192.168.0.0/24;
};

// My secondary nameserver
acl secondary {
	72.29.23.66;
};

options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
	forward first;	// BIND should try my ISP's name servers before going to the root servers
	forwarders {	// My ISP's name servers
		217.146.99.22;
		217.146.107.3;
	};
	allow-transfer { localhost; };	// By default, noone is allowed to download the whole DNS structure
	// Lookups by local machines for external ones will be dealt with by us, but
	// lookups for external machines made by external machines won't
	allow-recursion { trumphurst; gigabit; moors; };
	// By default, don't tell the secondary name server of any changes
	notify no;
};

// This turns off the annoying log entries BIND makes if it finds broken name servers on the 'Net
logging {
	category lame-servers { null; };
};

// Shared keys for automatic updates by the DHCP server
controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// This is how my local office network sees the DNS
view trumphurst {
	match-clients { trumphurst; };	// Trumphurst network only

	// Return multiple A records in this order. As trumphurst is 192.168.1, it will get 
	// 192.168.1 A records first, and use them, saving us having to route them
	sortlist {
		{ 192.168.1/24; };
		{ 192.168.3/24; };
		{ 192.168.2/24; };
	};

	// This is the zone file for the trumphurst network
	zone "moorsbroadband.net" IN {
		type master;
		file "moorsbroadband.trumphurst";
		allow-update { localhost; };
	};

	// Reverse zone file for all our internal networks
	zone "168.192.in-addr.arpa" IN {
		type master;
		file "named.trumphurst";
		allow-update { localhost; };
	};

I've left out the standard stuff which comes installed with BIND - root nameservers, localhost and localdomain, etc.

};

// This is how my main office computer sees the DNS
view gigabit {
	match-clients { gigabit; };
	sortlist {
		{ 192.168.3/24; };
		{ 192.168.1/24; };
		{ 192.168.2/24; };
	};

The rest of this view is the same as the trumphurst one.

};

// This is how the WLAN clients see the network
view moors {
	match-clients { moors; };
	sortlist {
		{ 192.168.2/24; };
	};

	// Same domain name, but a different zone file
	zone "moorsbroadband.net" IN {
		type master;
		file "moorsbroadband.moors";
		allow-update { localhost; };
	};

	// Same reverse domain, but a different zone file
	zone "168.192.in-addr.arpa" IN {
		type master;
		file "named.moors";
		allow-update { localhost; };
	};

I've left out the standard stuff again.

};

// This is how external clients see the network
view external {
	match-clients { any; };

	// Same domain name, but a different zone file
	zone "moorsbroadband.net" IN {
		type master;
		file "moorsbroadband.external";
		allow-update { localhost; };
		// Allow my secondary name server to transfer the whole zone
		allow-transfer { secondary; };
		// Notify the secondary name server when anything changes
		notify yes;
	};
	// No reverse lookup - my ISP does the reverse lookup for my public IP address

I've left out the standard stuff again.

moorsbroadband.external

This is the external view of the DNS. @ is a special character which is the current zone name (moorsbroadband.net). The NS records point to ourselves, and the seconday name server. Likewise the MX records.

$TTL	86400
@		IN SOA	@       webmaster.moorsbroadband.net. (
					47		; serial
					12H		; refresh
					15M		; retry
					1W		; expiry
					1D )		; minimum

@	        IN NS	@
		IN NS	jumbocruiser.com.
		IN A	217.146.123.216
		IN MX	10 mail
		IN MX	20 jumbocruiser.com.

server		CNAME	moorsbroadband.net.
mail		CNAME	moorsbroadband.net.
www		CNAME	moorsbroadband.net.

moorsbroadband.moors

This is the WLAN's view of the same domain. It's similar, except there are no secondary name or mail servers (if the box is down, the users can't see the name server anyway), the A address is the local one, and the ADSL router/firewall is included.

$TTL	86400
@		IN SOA	@       webmaster.moorsbroadband.net. (
					44		; serial
					12H		; refresh
					15M		; retry
					1W		; expiry
					1D )		; minimum

@	        IN NS	@
		IN A	192.168.2.1
		IN MX	10 mail

server		CNAME	moorsbroadband.net.
mail		CNAME	moorsbroadband.net.
www		CNAME	moorsbroadband.net.
router		CNAME	moorsbroadband.net.
firewall	IN A	192.168.2.5

named.trumphurst

I haven't included most of the moorsbroadband.trumphurst zone file, as it is much the same, except that it has records for everything on my internal network. One interesting point is that it has lots of different A records for the Unix box (one for each network).

			NS	moorsbroadband.net.
			A	192.168.0.1
			A	192.168.1.1
			A	192.168.2.1
			A	192.168.3.1
			MX	10 mail.moorsbroadband.net.

These will all be returned on every lookup, but the order is determined by the sortlist directives in named.conf, so each different network will get the IP address which is on the same network first in the list.

named.moors

This is the reverse lookup zone for the WLAN (for translating IP addresses back to names). It has only two entries, the Unix box itself, and the ADSL firewall/router.

$ORIGIN .
$TTL 86400	; 1 day
168.192.in-addr.arpa	IN SOA	moorsbroadband.net. webmaster.moorsbroadband.net. (
				1997022729 ; serial
				28800      ; refresh (8 hours)
				14400      ; retry (4 hours)
				3600000    ; expire (5 weeks 6 days 16 hours)
				86400      ; minimum (1 day)
				)
			NS	router.
$ORIGIN 2.168.192.in-addr.arpa.
1			PTR	router.
5			PTR	firewall.

The named.trumphurst zone file is similar, but with a lot more entries. It is the one which is dynamically updated by DHCP.