local forwarder - advice needed

Discussion in 'Installation/Configuration' started by dmgeurts, Dec 28, 2020.

  1. dmgeurts

    dmgeurts Member

    My ISPConfig servers have a DMZ interface which has a (remote) DNS server. I'd prefer not to use this server as the primary DNS server for these machines, but it does hold an internal zone. I don't want to publicly expose the internal domain so I can't add the zone to the ISPConfig servers. The normal way of doing this is via a view in named.conf.options, but then all zones need to be in a view which means messing with ISPConfig bind which I'd rather avoid. Zone entries don't support ACLs, so I think views are the only option to restrict client IP addresses for a zone.
    Until now I've put entries into hosts files, but this does not scale well. Do I have an option other than running redundant bind DNS servers on the DMZ as primary forward servers for the ISPConfig machines? I guess I can then cache external requests on those two servers rather than on all the ISPConfig servers locally, but this isn't a current requirement.
    How do others solve this issue?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I use views, as you first mentioned. The configuration needed to integrate ISPConfig zones is trivial once you have your views set up, much easier than installing additional servers. The only named config file ISPConfig writes (apart from the zone files themselves) is named.conf.local, so just change where that is included to be inside your view statements. (e.g. we have a view for authoritative server addrs, and include named.conf.local there; we have another view for recursive client lookups, and do not need to include it there as it will recurse the lookup to the authoritative view).
     
    ahrasis and dmgeurts like this.
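The view layout described in the reply above, as an added example that is not part of the thread or of ISPConfig's own configuration. The Debian-style paths, the ACL name, all addresses and the zone name internal.example are constructed placeholders; the forward zone for the DMZ-hosted internal domain is one assumed way to cover the original question.

```conf
// /etc/bind/named.conf  (Debian-style layout assumed)
include "/etc/bind/named.conf.options";

// Constructed ACL: the only clients allowed to recurse and to see the internal zone.
acl "trusted_clients" { 127.0.0.1; ::1; 192.0.2.0/24; };

// Views are evaluated in order and the first match wins.
// Once any view exists, every zone statement must live inside a view.

// Queries arriving on the public authoritative address (constructed: 203.0.113.10).
view "authoritative" {
    match-destinations { 203.0.113.10; };
    recursion no;                             // never act as an open resolver here
    include "/etc/bind/named.conf.local";     // the file ISPConfig writes
};

// Queries from trusted clients to any other listening address (e.g. 127.0.0.1).
view "recursive" {
    match-clients { trusted_clients; };
    recursion yes;
    allow-recursion { trusted_clients; };

    // Root hints and localhost zones move into the recursive view.
    include "/etc/bind/named.conf.default-zones";

    // Internal domain held by the DMZ DNS server (constructed: 198.51.100.53).
    // It is defined only in this view, so it is never answered publicly.
    zone "internal.example" {
        type forward;
        forward only;
        forwarders { 198.51.100.53; };
    };

    // named.conf.local is deliberately not included here: lookups for the
    // ISPConfig-hosted zones recurse to the public address and are answered
    // by the "authoritative" view.
};
```

Run `named-checkconf` after moving the include lines, and confirm with `dig @203.0.113.10 internal.example` from an outside host that the internal zone is refused on the public address.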
  3. dmgeurts

    dmgeurts Member

    Fantastic. Now why didn't I think of that...?! Thank you!
     
  4. dmgeurts

    dmgeurts Member

    Just to let you know, all sorted now, thanks again.
     
