BIND views : running ISPc in a port forwarded environment

Discussion in 'Feature Requests' started by benbalbo, Dec 12, 2005.

  1. benbalbo

    benbalbo New Member

    I had a look to see if this is covered, but can't find anything.

    One of my ISPConfig installs is running on a server on a DSL line in a DMZ. All incoming requests on publicIP are directed to privateIP.

    This works fine when browsing to a site from outside the office, but internally, we need to connect to privateIP instead of publicIP - the router doesn't support loop-back.

    What I'd like to do is configure BIND to use views in order to serve privateIPs for internal requests.

    Given the relative complexity of this, I think I'll have to do this manually (or even run a separate internal DNS on a different box) but thought I might suggest this as a feature for future versions of ISPConfig.

    It would require a mapping system so ISPConfig is aware that forwards to (for example) so internal requests can receive the 192.x.x.x address. Mapping should only be done if running in a DMZ setup such as this,
  2. falko

    falko Super Moderator Howtoforge Staff

    This isn't covered by ISPconfig yet, but you can change the named.conf manually (there's a section in it where you can make manual changes that won't be overwritten by ISPConfig).
  3. benbalbo

    benbalbo New Member

    True - but this would have to be updated manually for every domain added through ISPConfig.

    I like the fact that you said "yet" though :)
  4. tekin

    tekin New Member

    I agree, this would be a most useful feature, I have a similar setup and don't want to be manually editing named.conf every time I add a new website.

    Is this feature likely to be added soon?
  5. todvard

    todvard New Member

    Here is a small workaround how i could get "views" working in Bind. I am not a php programmer, so i decided to use bash scripts to achieve my purpose. Here is a mini howto in 7 steps for Debian (3.1) Sarge:

    1. Stop ISPConfig and bind
    /etc/init.d/ispconfig_server stop
    /etc/init.d/bind9 stop
    2. We will split /etc/bind/named.conf into 3 parts: /etc/bind/named.conf, /etc/bind/named.conf.inside, /etc/bind/named.conf.outside

    named.conf should looks like this:
    options {
            pid-file "/var/run/bind/run/";
            directory "/etc/bind";
            auth-nxdomain no;
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
            // query-source address * port 53;
    // a caching only nameserver config
    // My script is generating a hunge amount notes in your log file.
    // If you want it to be forwarded to separate log file uncomment
    // the following lines. Don't forget to create /var/log/named folder, 
    // or /var/lib/named/var/log/named if you are using bind in chroot
    // enviroment.
    //logging {
    //        channel "default_log_channel" {
    //                file "/var/log/named/bind.log" versions 8 size 2m;
    //                print-category  yes;
    //                print-time      yes;
    //        };
    //        category "default" {
    //                "default_log_channel";
    //        };
            category lame-servers { null; };
    acl loopback    { 127/8; };
    acl rfc1918     { 10/8; 172.16/12; 192.168/16; };
    view "inside" {
            match-clients { loopback; rfc1918; };
            recursion yes;
            notify no;
    zone "." {
            type hint;
            file "db.root";
    zone "" {
            type master;
            file "db.local";
    include "/etc/bind/named.conf.inside";
    view "outside" {
            match-clients { any; };
            recursion no;
            allow-query { any; };
    include "/etc/bind/named.conf.outside";
    named.conf.inside will be generated automatically by ISPConfig, named.conf.outside will be generated by our script.
    Read the commented part in named.conf file, if you want to forward log events to different file.

    3. we have to change the way how ISPconfig is generating named.conf. Create backup first:
    cp /root/ispconfig/isp/conf/named.conf.master /root/ispconfig/isp/conf/named.conf.master.orig
    Modify /root/ispconfig/isp/conf/named.conf.master to looks like this:
    <!-- BEGIN DYNAMIC BLOCK: named_reverse -->
    zone "{ZONE}" {
            type master;
            file "pri.{ZONE}";
    <!-- END DYNAMIC BLOCK: named_reverse -->
    <!-- BEGIN DYNAMIC BLOCK: named -->
    zone "{DOMAIN}" {
            type master;
            file "pri.{DOMAIN}";
    <!-- END DYNAMIC BLOCK: named -->
    <!-- BEGIN DYNAMIC BLOCK: named_slave -->
    zone "{DOMAIN}" {
            type slave;
            file "sec.{DOMAIN}";
            masters { {MASTERS}; };
    <!-- END DYNAMIC BLOCK: named_slave -->
    4. Create a bash script /usr/local/sbin/
    #! /bin/sh
    exit 0
    mv $WORKDIR/named.conf.outside $WORKDIR/named.conf.outside~
    # This is a dirty hack to find zone files leading with pri. and not ending with ~
    for name in `cd /etc/bind; ls | grep -e '^pri.' | grep -v "~" | cut -c5-`
    echo $name
    cp $WORKDIR/out.pri.$name $WORKDIR/out.pri.$name~
    cat $WORKDIR/pri.$name | sed 's/!!!INTERNAL_IP!!!/!!!EXTERNAL_IP!!!/g' > $WORKDIR/out.pri.$name
    cat >> $WORKDIR/named.conf.outside <<EOF
    zone "$name" {
       type master;
       file "out.pri.$name";
        allow-query { any; };
        allow-transfer {
    /etc/init.d/bind9 reload
    Don't forget to replace in code:
    !!!INTERNAL_IP!!! - with your ISPConfig servers internal IP address (eg.:
    !!!EXTERNAL_IP!!! - with your servers external IP address (eg:
    !!!TRANSFER_ALLOW_DNS_IP!!! - add in all server IPs followed by semicolon whom you want to allow transfer zone files (eg. secondary DNS servers, NIS test server IPs, etc.).

    !!!!When you are done comment out "exit 0" in third row of the file.!!!

    5. Include this line into crontab
    */2 *   * * *   root    /usr/local/sbin/ 1>/dev/null 2>/dev/null

    6. Start ISPConfig and bind
    /etc/init.d/ispconfig_server start
    /etc/init.d/bind9 start

    7. Log in as admin user into ISPConfig and go to Management >> Settings >> DNS. Change "named.conf" setting from "/etc/bind/named.conf" to "/etc/bind/named.conf.inside"

    Thats it. Drawbacks, my script isn't handling hosted secondary name servers, but i think it can be easily epanded. The hack to find the file names isn't to elegant, if someone can came out with a better solution i'll be very happy.

    Last edited: Feb 13, 2006

Share This Page