View Clause
From: https://www.zytrax.com/books/dns/ch7/statements.html
DNS BIND view Clause
This section describes the view clause available in BIND 9.x. The view clause
allows BIND to provide different functionality based on the hosts accessing it.
The view statement can take a serious number of statements shown below. Full
list of statements. A view clause matches (is invoked) when either or both of
its match-clients and match-destinations statements match and when the
match-recursive-only condition is met. If either or both of match-clients and
match-destinations are missing they default to any (all hosts match). All zones
supported by each view clause must be defined with the view clause allowing a
view to respond uniquely for each zone if required.
view Clause Syntax
The following statements are allowed within a view clause.
additional-from-auth (yes | no) ; [ Opt, View ]
additional-from-cache (yes | no) ; [ Opt, View ]
allow-notify { address_match_list }; [ Opt, View, Zone ]
allow-query { address_match_list }; [ Opt, View, Zone ]
allow-recursion { address_match_list }; [ Opt, View ]
allow-transfer { address_match_list }; [ Opt, View, Zone ]
allow-update-forwarding { address_match_list }; [ Opt, View, Zone ]
also-notify { ip_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
alt-transfer-source ( ipv4 | * ) [ port ( integer | * )]; [ Opt, View, Zone ]
alt-transfer-source-v6 (ipv6 | *) [port (integer | *)]; [Opt, View, Zone]
auth-nxdomain (yes | no); [ Opt, View ]
cleaning-interval number; [ Opt, View ]
dialup dialup_options; [ Opt, View, Zone ]
disable-algorithms string { string; ... }; [ Opt, View ]
dnssec-enable ( yes | no ); [ Opt, View ]
dnssec-lookaside domain trust-anchor domain; [ Opt, View ]
dnssec-must-be-secure domain ( yes | no); [ Opt, View ]
dual-stack-servers [ port p_num ] { ( "id" [port p_num] |
ipv4 [port p_num] | ipv6 [port p_num] ); ... }; [ Opt, View ]
edns-udp-size size_in_bytes; [ Opt, View ]
files number_of_files ; [ Opt, View ]
forward ( only | first ); [ Opt, View, Zone ]
forwarders { ipv4_addr | ipv6_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
heartbeat-interval minutes; [ Opt, View ]
hostname hostname_string; ; [ Opt, View ]
ixfr-from-differences ( yes | no); [ Opt, View, Zone ]
key-directory path_name; [ Opt, View, Zone ]
lame-ttl number; [ Opt, View ]
match-clients { address_match_list } ; [ View ]
match-destinations { address_match_list } ; [ View ]
match-recursive-only ( yes | no ) ; [ View ]
max-cache-size size_in_bytes ; [ Opt, View ]
max-cache-ttl seconds; [ Opt, View ]
max-journal-size size_in_bytes; [ Opt, View, Zone ]
max-ncache-ttl seconds; [ Opt, View ]
max-refresh-time seconds ; [ Opt, View, Zone ]
max-retry-time seconds ; [ Opt, View, Zone ]
max-transfer-idle-in minutes; [ Opt, View, Zone ]
max-transfer-idle-out minutes; [ Opt, View, Zone ]
max-transfer-time-in minutes; [ Opt, View, Zone ]
max-transfer-time-out minutes; [ Opt, View, Zone ]
min-refresh-time seconds ; [ Opt, View, Zone ]
min-retry-time seconds ; [ Opt, View, Zone ]
minimal-responses ( yes | no ) ; [ Opt, View ]
multi-master ( yes | no ) ; [ Opt, View, Zone ]
notify ( yes | no | explicit ); [ Opt, View, Zone ]
notify-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
notify-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
preferred-glue ( A | AAAA) ; [ Opt, View ]
provide-ixfr ( yes | no) ; [ Opt, View, server ]
query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; [ Opt, View ]
query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; [ Opt, View ]
recursion ( yes | no ); [ Opt, View ]
request-ixfr ( yes | no ); [ Opt, View, server ]
root-delegation-only [ exclude { namelist } ] ; [ Opt, View ]
rrset-order { order_spec ; [ order_spec ; ... ] ); [ Opt, View ]
sig-validity-interval number ; [ Opt, View, Zone ]
sortlist { address_match_list }; [ Opt, View ]
sig-validity-interval days ; [ Opt, View, Zone ]
transfer-format ( one-answer | many-answers ); [ Opt, View, server ]
transfer-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
transfer-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
use-alt-transfer-source ( yes | no ); [ Opt, View, Zone ]
zone-statistics ( yes | no ) ; [ Opt, View, Zone ]
view Clause Syntax
view "view_name" [class]
{
[ match-clients { address_match_list } ; ]
[ match-destinations { address_match_list } ; ]
[ match-recursive-only { yes | no } ; ]
// view statements
// zone clauses
};
view_name (a quoted string) is the arbitrary but unique name of this view. A
view clause matches (is invoked) when either or both of its match-clients and
match-destinations statements match and when the match-recursive-only condition
is met. If either or both of match-clients and match-destinations are missing
they default to any (all hosts match). The zones that will be serviced by this
view must be contained within this view.
view Clause Example
The classic example quoted is an alternate implementation of a split or stealth
DNS configuration on a single server so we will follow in well trodden steps -
see also stealth examples:
'split' DNS using views
view "trusted"
{
match-clients { 192.168.23.0/24; }; // OUR NETWORK
recursion yes;
// OTHER VIEW STATEMENTS AS REQUIRED
zone "example.com"
{
type master;
// PRIVATE ZONE FILE INCLUDING LOCAL HOSTS
file "internal/master.example.com";
};
// ADD REQUIRED ZONES
};
view "badguys"
{
match-clients {"any"; }; // ALL OTHER HOSTS
recursion no; // RECURSION NOT SUPPORTED
zone "example.com" // OTHER VIEW STATEMENTS AS REQUIRED
{
type master;
file "external/master.example.com"; // PUBLIC ONLY HOSTS
};
// ADD REQUIRED ZONES
};
Notes:
- Depending on the required level of Security the above configuration may be
deemed vulnerable. If the file system is compromised then simple inspection of
'named.conf' will allow penetration of the 'veil of privacy'.
- view clauses have many interesting uses beyond that illustrated here. This
configuration shows a 'view' clause being used to implement a Split Horizon DNS
whereby different IPs are returned based on geographic (or other) criteria.
- view clauses are processed in the order in which they appear in the
named.conf file. Thus, in the example above the 'badguys' view clause matching
condition (any) also satisfies the 'trusted' view matching condition. However,
since 'trusted' appears first its matching condition is the first to be
satisfied and view matching stops.
- While the example shows two view clauses any number of view clauses may be
present.
- If none of the matching conditions in view clauses matches then BIND will
return a server error.
- view is class dependent but the default class is IN (or 'in' - not case
dependent) and has been omitted.
- While it may seem like a statement of the obvious, the zone files defined in
each view for the same domain name do not need to be the same, nor do all zones
defined in one view require to be present in all views. For example, it is
possible to have private zones that are only visible within an Intranet or
private network.
- The required zone files may differ in each view, for example, there is no
need to provide localhost zones in the "badguys" view.
- The zone files for "example.com" are different allowing 'hiding' of
non-public hosts in the "trusted" view.
- Recursion has been removed in the "badguys" view for performance and
Security reasons.
- 'slave' servers for each zone will see a single 'zone' based on their IP
address, for instance, "trusted" or "badguys". However, if you multi-home or
'alias' the IP address on the 'slave' server you could get both views.
- Slave DNS Servers with View Clause When using a Slave server with view
clauses it is important to recall that, even when NOTIFY is used, the Slave
always initiates the zone tranfer operation using an INCOMING DNS operation (TCP
on Port 53 normally). To ensure the correct zone file is transferred the
match-clients and/or match-destinations statements associated with the views
must ensure that the requesting Slave server's IP is directed to the view
containing the zone file that should be tranferred.
Note: Early versions of BIND 9 allowed default zones to be defined outside the
scope of view clauses. Current versions of BIND will refuse to load such
configurations. If incoming queries are not matched to a particular view then
Server Error is typically returned. To avoid such problems the last view defined
should use:
match-clients {any};
// or if you enjoy living dangerously omit the statment
/ / (see defaults below)
match-clients
match-clients { address_match_element; ... };
match-clients { 10.2.3.0/8;172.16.30.0/16;!192.168.0.0/16; };
# the above could be re-written as
match-clients { 10/8;172.16/16;!192.168/16; };
# (More info on IP Prefix notation)
A view clause matches when either or both of its match-clients and
match-destinations statements match and when the match-recursive-only condition
is met. If either or both of match-clients and match-destinations are missing
they default to any (all hosts match). The match-clients statement defines the
address_match_list for the source IP address of the incoming messages. Any IP
which matches will use the defined view clause. This statement may only be used
in a view clause.
match-destinations
match-destinations { address_match_element; ... };
match-destinations { 192.168.0.3; };
A view clause matches when either or both of its match-clients and
match-destinations statements match and when the match-recursive-only condition
is met. If either or both of match-clients and match-destinations are missing
they default to any (all hosts match). The match-destination statement defines
the address_match_list for the destination IP address of the incoming messages.
Any IP which matches will use the defined view clause. This statement may only
be used in a view clause.
match-recursive-only
match-recursive-only (yes | no);
match-recursive-only yes;
A view clause matches when either or both of its match-clients and
match-destinations statements match and when the match-recursive-only condition
is met. If either or both of match-clients and match-destinations are missing
they default to any (all hosts match). The match-recursive-only can be used in
conjunction with match-clients and match-destinations or on its own if that is
sufficient differentiation. The default is no. This statement may only be used
in a view clause.
