mail us  |  mail this page

products  |  company  |  support  |  downloads  |  isp services  |  contact us

ZYTRAX OPEN LOGO

DNS BIND view Clause

This section describes the view clause available in BIND 9.x. The view clause allows BIND to provide different functionality based on the hosts accessing it. The view statement can take a serious number of statements shown below. Full list of statements. A view clause matches (is invoked) when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). All zones supported by each view clause must be defined with the view clause allowing a view to respond uniquely for each zone if required.

view Clause Syntax

  additional-from-auth (yes | no) ; [ Opt, View ]
  additional-from-cache (yes | no) ; [ Opt, View ]
  allow-notify { address_match_list }; [ Opt, View, Zone ]
  allow-query { address_match_list }; [ Opt, View, Zone ]
  allow-recursion { address_match_list }; [ Opt, View ]
  allow-transfer { address_match_list }; [ Opt, View, Zone ]
  allow-update-forwarding { address_match_list }; [ Opt, View, Zone ]
  also-notify { ip_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
  alt-transfer-source ( ipv4 | * ) [ port ( integer | * )]; [ Opt, View, Zone ]
  alt-transfer-source-v6 ( ipv6 | * ) [ port ( integer | * ) ]; [ Opt, View, Zone ]
  auth-nxdomain (yes | no); [ Opt, View ]
  cleaning-interval number; [ Opt, View ]
  dialup dialup_options; [ Opt, View, Zone ]
  disable-algorithms string { string; ... }; [ Opt, View ]
  dnssec-enable ( yes | no ); [ Opt, View ]
  dnssec-lookaside domain trust-anchor domain; [ Opt, View ]
  dnssec-must-be-secure domain ( yes | no); [ Opt, View ]
  dual-stack-servers [ port p_num ] { ( "id" [port p_num] | 
                ipv4 [port p_num] | ipv6 [port p_num] ); ... }; [ Opt, View ]
  edns-udp-size size_in_bytes; [ Opt, View ]
  files number_of_files ; [ Opt, View ]
  forward ( only | first ); [ Opt, View, Zone ]
  forwarders { ipv4_addr | ipv6_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
  heartbeat-interval minutes; [ Opt, View ]
  hostname hostname_string; ; [ Opt, View ]
  ixfr-from-differences ( yes | no); [ Opt, View, Zone ]
  key-directory path_name; [ Opt, View, Zone ]
  lame-ttl number; [ Opt, View ]
  match-clients { address_match_list } ; [ View ]
  match-destination { address_match_list } ; [ View ]
  match-recursive-only { address_match_list } ; [ View ]
  max-cache-size size_in_bytes ; [ Opt, View ]
  max-cache-ttl seconds; [ Opt, View ]
  max-journal-size size_in_bytes; [ Opt, View, Zone ]
  max-ncache-ttl seconds; [ Opt, View ]
  max-refresh-time seconds ; [ Opt, View, Zone ]
  max-retry-time seconds ; [ Opt, View, Zone ]
  max-transfer-idle-in minutes; [ Opt, View, Zone ]
  max-transfer-idle-out minutes; [ Opt, View, Zone ]
  max-transfer-time-in minutes; [ Opt, View, Zone ]
  max-transfer-time-out minutes; [ Opt, View, Zone ]
  min-refresh-time seconds ; [ Opt, View, Zone ]
  min-retry-time seconds ; [ Opt, View, Zone ]
  minimal-responses ( yes | no ) ; [ Opt, View ]
  multi-master ( yes | no ) ; [ Opt, View, Zone ]
  notify ( yes | no | explicit ); [ Opt, View, Zone ]
  notify-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  notify-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  preferred-glue ( A | AAAA) ; [ Opt, View ]
  provide-ixfr ( yes | no) ; [ Opt, View, server ]
  query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; [ Opt, View ]
  query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; [ Opt, View ]
  recursion ( yes | no ); [ Opt, View ]
  request-ixfr ( yes | no ); [ Opt, View, server ]
  root-delegation-only [ exclude { namelist } ] ; [ Opt, View ]
  rrset-order { order_spec ; [ order_spec ; ... ] ); [ Opt, View ]
  sig-validity-interval number ; [ Opt, View, Zone ]
  sortlist { address_match_list }; [ Opt, View ]
  sig-validity-interval days ; [ Opt, View, Zone ]
  transfer-format ( one-answer | many-answers ); [ Opt, View, server ]
  transfer-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  transfer-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  use-alt-transfer-source ( yes | no ); [ Opt, View, Zone ]
  zone-statistics ( yes | no ) ; [ Opt, View, Zone ]

view Clause Syntax

view "view_name" [class] {
  [ match-clients {  address_match_list } ; ]
  [ match-destinations { address_match_list } ; ]
  [ match-recursive-only { yes | no } ; ]
  // view statements
  // zone clauses
};

view_name (a quoted string) is the arbitrary but unique name of this view. A view clause matches (is invoked) when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). The zones that will be serviced by this view must be contained within this view.

The classic example quoted is an alternate implementation of a split or stealth DNS configuration on a single server so we will follow in well trodden steps (see also stealth examples):

'split' DNS using views

view "trusted" {
 match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  zone "example.com" {
   type master;
   // private zone file including local hosts
   file "internal/master.example.com";
  };
  // add required zones
 };
view "badguys" {
 match-clients {"any"; }; // all others hosts
 // recursion not supported
 recursion no;
 };
 zone "example.com" {
   type master;
   // public only hosts
   file "external/master.example.com";
  };
  // add required zones
 };

Notes:

  1. Depending on the required level of security the above configuration may be deemed vulnerable. If the file system is compromised then simple inspection of 'named.conf' will allow penetration of the 'veil of privacy'.
  2. view is class dependent but the default class is IN (or 'in' - not case dependent) and has been omitted.
  3. The zone files defined in each view do not need to be the same.
  4. The required zone files may differ in each view e.g. there is no need to provide localhost zones in the "badguys" view.
  5. The zone files for "example.com" are different allowing 'hiding' of non-public hosts in the "trusted" view.
  6. Recursion has been removed in the "badguys" view for performance and security reasons.
  7. 'slave' servers for each zone will see a single 'zone' based on their IP address i.e. "trusted" or "badguys". However if you multi-home or 'alias' the IP address on the 'slave' server you can get both views.

match-clients

 match-clients { address_match_element; ... };
 match-clients { 10.2.3.0/8;172.16.30.0/16;!192.168.0.0/16; };

A view clause matches when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). The match-clients statement defines the address_match_list for the source IP address of the incoming messages. Any IP which matches will use the defined view clause. This statement may only be used in a view clause.

match-destinations

 match-destinations { address_match_element; ... };
 match-destinations { 192.168.0.3; };

A view clause matches when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). The match-destinations statement defines the address_match_list for the destination IP address of the incoming messages. Any IP which matches will use the defined view clause. This statement may only be used in a view clause.

match-recursive-only

 match-recursive-only (yes | no);
 match-recursive-only yes;

A view clause matches when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). The match-recursive-only can be used in conjunction with match-clients and match-destinations or on its own if that is sufficient differentiation. The default is no. This statement may only be used in a view clause.


Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 dns records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfc's
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Mozilla

web zytrax.com



Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux

Applications

OpenOffice
Mozilla
SourceForge
GNU-Free SW Foundation

Organisations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

printer friendly

Print Page

SPF Record Conformant Domain Logo

Copyright © 1994 - 2008 ZyTrax, Inc.
All rights reserved. Legal and Privacy 		site by zytrax
Hosted by super.net.sg		 web-master at zytrax
Page modified: July 06 2006.