My ISPConfig servers have a DMZ interface which has a (remote) DNS server. I'd prefer not to use this server as the primary DNS server for these machines, but it does hold an internal zone. I don't want to publicly expose the internal domain so I can't add the zone to the ISPConfig servers. The normal way of doing this is via a view in named.conf.options, but then all zones need to be in a view, which means messing with ISPConfig BIND, which I'd rather avoid. Zone entries don't support ACLs, so I think views are the only option to restrict client IP addresses for a zone. Until now I've put entries into hosts files, but this does not scale well. Do I have an option other than running redundant BIND DNS servers on the DMZ as primary forward servers for the ISPConfig machines? I guess I can then cache external requests on those two servers rather than on all the ISPConfig servers locally, but this isn't a current requirement. How do others solve this issue?
I use views, as you first mentioned. The configuration needed to integrate ISPConfig zones is trivial once you have your views set up, much easier than installing additional servers. The only named config file ISPConfig writes (apart from the zone files themselves) is named.conf.local, so just change where that is included to be inside your view statements. (E.g. we have a view for authoritative server addresses, and include named.conf.local there; we have another view for recursive client lookups, and do not need to include it there as it will recurse the lookup to the authoritative view.)
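
A sketch of the two-view layout described in the answer above, with the internal zone from the question forwarded only inside the recursive view. This is an added example, not either poster's configuration. Assumptions: Debian-style paths under /etc/bind, and placeholder addresses, ACL and view names, and the zone name `internal.example`.

```conf
// Constructed example: addresses, zone name and ACL/view names are placeholders.
acl "trusted" { 127.0.0.0/8; 10.0.0.0/24; };    // hosts allowed to recurse

// Views are tried in order and the first match wins, so the
// authoritative view is listed first and keyed on destination address.
view "authoritative" {
    // Queries addressed to the public service IP(s) of this server.
    match-destinations { 192.0.2.53; };
    recursion no;

    // Zones written by ISPConfig. Remove the top-level include of this
    // file from named.conf so it is only loaded here.
    include "/etc/bind/named.conf.local";
};

view "recursive" {
    // Anything from a trusted client that was not sent to the public IP.
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };

    // Once any view exists, every zone must live inside a view,
    // including the distribution's default zones.
    include "/etc/bind/named.conf.default-zones";

    // Internal zone held on the DMZ DNS server. It exists only in this
    // view, so queries arriving on the public address never see it.
    zone "internal.example" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };   // placeholder for the DMZ DNS server
    };
};
```

Run `named-checkconf` after moving the includes; it reports any zone that is still defined outside a view.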