DNS BIND view Clause

This section describes the view clause available in BIND 9.x. The view clause allows BIND to provide different functionality based on the hosts accessing it. The view statement can take a serious number of statements shown below. Full list of statements. A view clause matches (is invoked) when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). All zones supported by each view clause must be defined with the view clause allowing a view to respond uniquely for each zone if required.

view Clause Syntax

The following statements are allowed within a view clause.

  additional-from-auth (yes | no) ; [ Opt, View ]
  additional-from-cache (yes | no) ; [ Opt, View ]
  allow-notify { address_match_list }; [ Opt, View, Zone ]
  allow-query { address_match_list }; [ Opt, View, Zone ]
  allow-recursion { address_match_list }; [ Opt, View ]
  allow-transfer { address_match_list }; [ Opt, View, Zone ]
  allow-update-forwarding { address_match_list }; [ Opt, View, Zone ]
  also-notify { ip_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
  alt-transfer-source ( ipv4 | * ) [ port ( integer | * )]; [ Opt, View, Zone ]
  alt-transfer-source-v6 ( ipv6 | * ) [ port ( integer | * ) ]; [ Opt, View, Zone ]
  auth-nxdomain (yes | no); [ Opt, View ]
  cleaning-interval number; [ Opt, View ]
  dialup dialup_options; [ Opt, View, Zone ]
  disable-algorithms string { string; ... }; [ Opt, View ]
  dnssec-enable ( yes | no ); [ Opt, View ]
  dnssec-lookaside domain trust-anchor domain; [ Opt, View ]
  dnssec-must-be-secure domain ( yes | no); [ Opt, View ]
  dual-stack-servers [ port p_num ] { ( "id" [port p_num] | 
                ipv4 [port p_num] | ipv6 [port p_num] ); ... }; [ Opt, View ]
  edns-udp-size size_in_bytes; [ Opt, View ]
  files number_of_files ; [ Opt, View ]
  forward ( only | first ); [ Opt, View, Zone ]
  forwarders { ipv4_addr | ipv6_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
  heartbeat-interval minutes; [ Opt, View ]
  hostname hostname_string; ; [ Opt, View ]
  ixfr-from-differences ( yes | no); [ Opt, View, Zone ]
  key-directory path_name; [ Opt, View, Zone ]
  lame-ttl number; [ Opt, View ]
  match-clients { address_match_list } ; [ View ]
  match-destinations { address_match_list } ; [ View ]
  match-recursive-only { address_match_list } ; [ View ]
  max-cache-size size_in_bytes ; [ Opt, View ]
  max-cache-ttl seconds; [ Opt, View ]
  max-journal-size size_in_bytes; [ Opt, View, Zone ]
  max-ncache-ttl seconds; [ Opt, View ]
  max-refresh-time seconds ; [ Opt, View, Zone ]
  max-retry-time seconds ; [ Opt, View, Zone ]
  max-transfer-idle-in minutes; [ Opt, View, Zone ]
  max-transfer-idle-out minutes; [ Opt, View, Zone ]
  max-transfer-time-in minutes; [ Opt, View, Zone ]
  max-transfer-time-out minutes; [ Opt, View, Zone ]
  min-refresh-time seconds ; [ Opt, View, Zone ]
  min-retry-time seconds ; [ Opt, View, Zone ]
  minimal-responses ( yes | no ) ; [ Opt, View ]
  multi-master ( yes | no ) ; [ Opt, View, Zone ]
  notify ( yes | no | explicit ); [ Opt, View, Zone ]
  notify-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  notify-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  preferred-glue ( A | AAAA) ; [ Opt, View ]
  provide-ixfr ( yes | no) ; [ Opt, View, server ]
  query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; [ Opt, View ]
  query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; [ Opt, View ]
  recursion ( yes | no ); [ Opt, View ]
  request-ixfr ( yes | no ); [ Opt, View, server ]
  root-delegation-only [ exclude { namelist } ] ; [ Opt, View ]
  rrset-order { order_spec ; [ order_spec ; ... ] ); [ Opt, View ]
  sig-validity-interval number ; [ Opt, View, Zone ]
  sortlist { address_match_list }; [ Opt, View ]
  sig-validity-interval days ; [ Opt, View, Zone ]
  transfer-format ( one-answer | many-answers ); [ Opt, View, server ]
  transfer-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  transfer-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  use-alt-transfer-source ( yes | no ); [ Opt, View, Zone ]
  zone-statistics ( yes | no ) ; [ Opt, View, Zone ]

view Clause Syntax

view "view_name" [class] {
  [ match-clients {  address_match_list } ; ]
  [ match-destinations { address_match_list } ; ]
  [ match-recursive-only { yes | no } ; ]
  // view statements
  // zone clauses
};

view_name (a quoted string) is the arbitrary but unique name of this view. A view clause matches (is invoked) when either or both of its match-clients and match-destinations statements match and when the match-recursive-only condition is met. If either or both of match-clients and match-destinations are missing they default to any (all hosts match). The zones that will be serviced by this view must be contained within this view.

The classic example quoted is an alternate implementation of a split or stealth DNS configuration on a single server so we will follow in well trodden steps (see also stealth examples):

'split' DNS using views

view "trusted" {
 match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  // other view statements as required
  zone "example.com" {
   type master;
   // private zone file including local hosts
   file "internal/master.example.com";
  };
  // add required zones
 };
view "badguys" {
 match-clients {"any"; }; // all other hosts
 // recursion not supported
 recursion no;
 // other view statements as required
 zone "example.com" {
   type master;
   // public only hosts
   file "external/master.example.com";
  };
  // add required zones
 };

Notes:

1. Depending on the required level of security the above configuration may be deemed vulnerable. If the file system is compromised then simple inspection of 'named.conf' will allow penetration of the 'veil of privacy'.
2. view is class dependent but the default class is IN (or 'in' - not case dependent) and has been omitted.
3. The zone files defined in each view do not need to be the same.
4. The required zone files may differ in each view e.g. there is no need to provide localhost zones in the "badguys" view.
5. The zone files for "example.com" are different allowing 'hiding' of non-public hosts in the "trusted" view.
6. Recursion has been removed in the "badguys" view for performance and security reasons.
7. 'slave' servers for each zone will see a single 'zone' based on their IP address i.e. "trusted" or "badguys". However if you multi-home or 'alias' the IP address on the 'slave' server you can get both views.

match-clients

 match-clients { address_match_element; ... };
 match-clients { 10.2.3.0/8;172.16.30.0/16;!192.168.0.0/16; };

match-destinations

 match-destinations { address_match_element; ... };
 match-destinations { 192.168.0.3; };

match-recursive-only

 match-recursive-only (yes | no);
 match-recursive-only yes;

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.