Difference between revisions of "DNS server split howto"

(Created page with "Category:Linux Let's use "'''smartcards.vehco.com'''" domain as example. * The DNS will handle both internal and external requests (Intranet / Internet). * The DNS wil...")
 
 
(2 intermediate revisions by the same user not shown)
Line 7: Line 7:
  
  
 +
In the following example I'll be using:
 +
* INTERNAL zone: smartcards.vehco.com ; networks: LAN / VPN / localhost
 +
* EXTERNAL zone: smartcards.vehco.com
 +
* DNS server name: smartcard-gw
 +
* LAN Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
 +
* VPN Network: 172.16.60.0/24
  
=Setup=
 
  
<syntaxhighlight lang="bash">
 
apt-get install bind9 dnsutils bind9-doc
 
</syntaxhighlight>
 
  
  
 +
=Technical key points=
  
=Primary master=
 
  
A DNS primary master is the main DNS for your local domain (ex: smartcards.local).
+
* '''No reverse for the external zone'''
  
  
These are the steps to do:
+
* Do NOT follow external queries to the LAN
* '''Set the external DNS''' to use by your server
 
**File: /etc/bind/named.conf.options
 
  
* '''Declare the new domain''' to manage
 
** File: /etc/bind/named.conf.local
 
  
* Create a '''dedicated configuration file''' for the new domain
+
* External requests can be forwarded to a 3rd party DNS
** New file: /etc/bind/smartcards.local
 
  
* Adjust the '''reverse zone'''
 
** File: /etc/bind/named.conf.local
 
** Rename and adjust file: /etc/bind/db.192
 
  
 +
* The External zone configuration only contains:
 +
** Domain definition "''smartcards.vehco.com''"
 +
** Shared resources, if any
  
==Set the external DNS==
 
  
This is the list of DNS your server will use to populate its own cache.
 
  
  
The external DNS can either be your ISP's DNS or Google's servers.
+
=Declare the new zones=
  
!! Mind the order !!
+
Here you'll declare both your '''zones''' and the '''reverse zone'''.
First DNS have a higher priority.
 
  
  
  
Edit configuration file:
+
Reset and edit configuration file:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/bind/named.conf.options
+
cat /etc/bind/named.conf.default-zones > /etc/bind/named.conf.local
 +
vim /etc/bind/named.conf.local
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
Uncomment and adjust the file content
+
Here we will create:
 +
* '''ACL filters''' => source IP @ filter
 +
* '''DNS views''' => actions to perform depending on the ACL results
 +
 
 +
 
 +
 
 +
Uncomment and adjust the file content:
  
<syntaxhighlight lang="bash">
+
<syntaxhighlight lang="apache">
[...]
+
// definition of LAN
forwarders {
+
acl internal-networks {
    # Your ISP DNS IP’s
+
  localhost; # Allow loopback
    182.176.39.23;
+
  localnets; # All networks that are configured on the interfaces
    182.176.18.13;
+
  172.16.50.0/24; # LAN
 +
  172.16.60.0/24; # VPN LAN
 +
};
  
    # Google's DNS
+
// External DNS to use
    8.8.8.8;
+
acl dns-slaves {
    8.8.4.4;
 
 
};
 
};
[...]
 
</syntaxhighlight>
 
  
  
 +
// INTERNAL zone
 +
view "internal" {
 +
  match-clients { internal-networks; }; # Apply settings to LAN only
 +
  recursion yes; # Allow recursive queries on LAN
  
==Declare the new domain==
+
  // ---------------------------------------------------
 +
  // DNS server defaults
 +
  //
 +
  // keep these lines from the "default-zones" configuration
 +
  //----------------------------------------------------
 +
  // prime the server with knowledge of the root servers
 +
  zone "." {
 +
type hint;
 +
file "/etc/bind/db.root";
 +
  };
 +
  // be authoritative for the localhost forward and reverse zones, and for broadcast zones as per RFC 1912
 +
  zone "localhost" {
 +
type master;
 +
file "/etc/bind/db.local";
 +
  };
 +
  zone "127.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.127";
 +
  };
 +
  zone "0.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.0";
 +
  };
 +
  zone "255.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.255";
 +
  };
  
Edit configuration file:
+
  // End of "default-zones"
 +
  //----------------------------------------------------
  
<syntaxhighlight lang="bash">
+
 
vim /etc/bind/named.conf.local
+
  // Custom network
</syntaxhighlight>
+
  //----------------------------------------------------
 +
  // DNS main zone (IP to name)
 +
  zone "smartcards.vehco.com" IN {
 +
          type master;
 +
  file "/etc/bind/internal.smartcards.vehco.com";
 +
          allow-transfer {
 +
                  none;
 +
          };
 +
          allow-update {
 +
                  none;
 +
          };
 +
  };
 +
 +
  // DNS Reverse (Name to IP)
 +
  zone "50.16.172.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.172";
 +
        allow-transfer {
 +
              none;
 +
        };
 +
        allow-update {
 +
                none;
 +
        };
 +
  };
 +
};
  
  
Uncomment and adjust the file content
+
view "external" {
 +
  match-clients {
 +
    !localnets; # Do not allow local network ("localnets")
 +
    any; # "any" = any other network that is not a view member
 +
  };
 +
  recursion no; # No recursivity for external clients
  
<syntaxhighlight lang="bash">
+
  zone "smartcards.vehco.com" {
zone "smartcards.local" {
+
    type master;
type master;
+
    file "/etc/bind/external.smartcards.vehco.com";
        file "/etc/bind/smartcards.local";
+
    allow-transfer { dns-slaves; };
 +
  };
 
};
 
};
 
</syntaxhighlight>
 
</syntaxhighlight>
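Review bot: in the added `acl dns-slaves { };` the comment `// External DNS to use` describes the wrong thing: this ACL is only consumed by `allow-transfer { dns-slaves; };` in the external view, so it lists the secondary servers allowed to AXFR the zone, not upstream resolvers; an empty list denies all transfers, which is the safe default and should be stated as such. The zone comments in the internal view are also swapped: `// DNS main zone (IP to name)` is the forward (name to IP) zone and `// DNS Reverse (Name to IP)` is the reverse one. The view order is correct and must stay that way: `internal` has to come first, because `external` uses `!localnets; any;` and would otherwise capture the VPN range, which is in `internal-networks` but not in `localnets`.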
Line 93: Line 154:
  
  
==Domain configuration file==
 
  
 +
=Zone configuration (name to IP @)=
 +
 +
This is the actual magic of the DNS split horizon!
 +
 +
 +
 +
==Create zone files==
  
Create the domain configuration file from a local template:
+
Create both zones from the local template:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
cp /etc/bind/db.local /etc/bind/smartcards.local
+
cp /etc/bind/db.local /etc/bind/internal.smartcards.vehco.com
 +
cp /etc/bind/db.local /etc/bind/external.smartcards.vehco.com
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
Edit configuration file:
+
''Note''
 +
 
 +
You can any name you'd like. However the best practice is to use "internal" and "external", or more generally the "<view> name.<domain>"
 +
 
 +
 
 +
 
 +
==Configure INTERNAL zone==
 +
 
 +
 
 +
Edit INTERNAL configuration file:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/bind/smartcards.local
+
vim /etc/bind/internal.smartcards.vehco.com
 
</syntaxhighlight>
 
</syntaxhighlight>
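Review bot: the added note `You can any name you'd like` is missing its verb (`use`), and the pattern it gives, `"<view> name.<domain>"`, should read `<view name>.<domain>` so that it matches the two files created just above, `internal.smartcards.vehco.com` and `external.smartcards.vehco.com`.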
  
Line 112: Line 189:
 
Adjust the file content
 
Adjust the file content
  
<syntaxhighlight lang="bash">
+
<syntaxhighlight lang="apache">
 +
;
 +
; BIND - Configuration for INTERNAL zone: "smartcards.vehco.com"
 
;
 
;
; BIND data file for smartcards.local (you can use mywebsite.com)
+
$TTL 604800
 +
@ IN SOA smartcards.vehco.com. root.smartcards.vehco.com. (
 +
20140806
 +
604800
 +
86400
 +
2419200
 +
604800 )
 
;
 
;
$TTL    604800
 
@      IN      SOA    smartcard-gw.smartcards.local. root.smartcards.local. (
 
                      20140603        ; Serial
 
                                        ; As the serial be changed everytime you edit this file
 
                                        ; it is recommended to use the pattern "yyyyMMdd"
 
                        604800        ; Refresh
 
                          86400        ; Retry
 
                        2419200        ; Expire
 
                        604800 )      ; Negative Cache TTL
 
  
 
;  
 
;  
 +
; Local resolution of the FQDN 'smartcards.vehco.com'
 +
;
 +
smartcards.vehco.com  CNAME smartcard-gw
 +
 
; DNS server declaration
 
; DNS server declaration
; Each NS must point to an A record, not a CNAME.  
+
; Each NS must point to an A record, not a CNAME.
 
; This is where the Primary and Secondary DNS servers are defined
 
; This is where the Primary and Secondary DNS servers are defined
 
;
 
;
@               IN     NS     smartcard-gw.smartcards.local.
+
@               IN     NS     smartcard-gw
smartcard-gw    IN     A      172.16.50.2
+
smartcard-gw         IN     A     172.16.50.2
  
 
;
 
;
; -- alternative --
+
; Gateway declaration
; To declare a server a specific domain only
 
 
;
 
;
;website.com      IN      NS      smartcard-gw.website.com.
+
cisco-router         IN     A      172.16.50.1
;website.com      IN      A      172.16.50.2
 
 
 
 
 
;
 
; Gateway (router)
 
;
 
cisco-router     IN     A      172.16.50.1
 
  
 
;
 
;
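Review bot: the added line `smartcards.vehco.com  CNAME smartcard-gw` does not do what the comment above it says. Without a trailing dot the owner is relative to the origin, so the record is created for `smartcards.vehco.com.smartcards.vehco.com`; with a trailing dot it would sit at the apex next to the SOA and NS records, which BIND rejects (`CNAME and other data`), so the zone would not load at all. Use an address record at the apex instead: `@  IN  A  172.16.50.2`. Also consider keeping the old `; Serial` / `; Refresh` style comments on the SOA values: the bare numbers `20140806 604800 86400 2419200 604800` no longer say which is which, and the old revision's reminder to bump the serial on every edit is dropped with them.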
Line 162: Line 234:
  
  
Notes:
+
==Configure EXTERNAL zone==
  
* Don't forget to adjust the serial every-time you edit the file !
+
Edit EXTERNAL configuration file:
  
* NS = Name server
+
<syntaxhighlight lang="bash">
 +
vim /etc/bind/external.smartcards.vehco.com
 +
</syntaxhighlight>
  
* A = IP v4 entry
 
  
* AAAA = IP v6 entry
+
Adjust the file content
  
* CNAME = Alias to a previous A or AAAA entry
+
<syntaxhighlight lang="apache">
 +
;
 +
; BIND - Configuration for EXTERNAL zone: "smartcards.vehco.com"
 +
;
 +
$TTL 604800
 +
@ IN SOA smartcards.vehco.com. root.smartcards.vehco.com. (
 +
20140604
 +
604800
 +
86400
 +
2419200
 +
604800 )
 +
:
  
 +
; DNS server declaration
 +
; Each NS must point to an A record, not a CNAME.
 +
; This is where the Primary and Secondary DNS servers are defined
 +
;
 +
@               IN    NS     smartcard-gw
 +
smartcard-gw          IN    A      172.16.50.2
 +
</syntaxhighlight>
  
  
==Reverse zone file==
+
As you can see the "external" is rather short ! :-)
  
  
Now that the zone is setup and resolving names to IP Adresses a '''Reverse zone''' is also required. A Reverse zone allows DNS to resolve an address to a name.
 
  
  
===Declare reverse zone===
+
=Reverse zone (IP @ to name)=
  
 +
Now that the zone is setup and resolving names to IP Adresses a '''Reverse zone''' is also required. A Reverse zone allows DNS to resolve an address to a name.
  
Edit configuration file:
 
 
<syntaxhighlight lang="bash">
 
vim /etc/bind/named.conf.local
 
</syntaxhighlight>
 
  
 
Add the following reverse
 
 
<syntaxhighlight lang="bash">
 
# Our reverse zone
 
# Server IP 172.16.50.2
 
zone "50.16.172.in-addr.arpa" {
 
        type master;
 
        file "/etc/bind/db.172";
 
};
 
</syntaxhighlight>
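Review bot: in the added external zone file the line `:` after `604800 )` is a stray colon, not a comment; BIND zone comments start with `;`, so `named-checkzone` will reject this file. The only A record, `smartcard-gw IN A 172.16.50.2`, publishes a private (RFC 1918) address to Internet clients, who cannot reach it; the external view needs the server's public address here. `allow-transfer { dns-slaves; };` with the empty ACL from the previous hunk denies zone transfers, which is fine, but deserves a comment so nobody later "fixes" it by adding `any`.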
 
  
  
Line 212: Line 287:
  
  
===Configure reverse zone===
 
  
 
+
Create the /etc/bind/db.172 file:
Now create the /etc/bind/db.172 file:
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 229: Line 302:
  
  
The content is basically the same as /etc/bind/smartcards.local:
+
The content is basically the same as INTERNAL file: /etc/bind/internal.smartcards.vehco.com:
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
;
 
;
Line 263: Line 337:
  
  
Notes:
 
  
* Don't forget to adjust the serial every-time you edit the file !
+
=Take changes into account=
 
 
* You only need to put the last byte value in the reverse
 
 
 
* PTR = redirection to A entry
 
 
 
 
 
 
 
==Take changes into account==
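Review bot: the replaced notes were the only place the page explained that a reverse record name is just the last octet (`You only need to put the last byte value in the reverse`) and that `PTR` maps an address back to a name, and the reminder to adjust the serial on every edit goes with them; the new `=Take changes into account=` heading does not carry that documentation, so move those three bullets under the reverse zone section instead of dropping them.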
 
  
  
Line 280: Line 345:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
 
==Use the local DNS server as default one==
 
 
Now that your server is ready to be used, you have to use it !!
 
 
* All the clients will get their configuration from DHCP (see [[DHCP server]]).
 
 
* On the local server, you have to edit your current IP settings
 
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/network/interfaces
 
</syntaxhighlight>
 
 
 
Adjust it like that:
 
 
<syntaxhighlight lang="bash">
 
# The primary network interface [static IP]
 
auto eth0
 
iface eth0 inet static
 
        address 172.16.50.2
 
        netmask 255.255.255.0
 
        gateway 172.16.50.1
 
        network 172.16.50.0
 
        broadcast 172.16.50.255
 
 
        # Local DNS server on 172.16.50.2 as default. Then the DNS server itself will forward the requests to external DNS servers.
 
        dns-nameservers 172.16.50.2
 
        dns-search smartcards.local
 
        dns-domain smartcards.local
 
</syntaxhighlight>
 
 
 
Don't forget to reboot to take on your configuration changes !
 
 
 
 
==Test your configuration==
 
 
 
===Test on SERVER side===
 
 
 
Run the following commands to check your configuration. All commands should output '''OK''' or be a ping success. :)
 
 
 
Check the local zone:
 
 
<syntaxhighlight lang="bash">
 
named-checkzone smartcards.local /etc/bind/zones/smartcards.local
 
named-checkzone smartcards.local /etc/bind/zones/db.172
 
</syntaxhighlight>
 
 
 
Check the reverse zone:
 
 
<syntaxhighlight lang="bash">
 
named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172
 
</syntaxhighlight>
 
 
 
 
Now you can try to ping the router and a client:
 
 
<syntaxhighlight lang="bash">
 
ping cisco-router
 
ping smartcard-prod-00
 
</syntaxhighlight>
 
 
 
Now you can try to ping a website:
 
 
<syntaxhighlight lang="bash">
 
ping dev.daxiongmao.eu
 
</syntaxhighlight>
 
 
 
===Test on CLIENT side===
 
 
 
Try to access ping the DNS server name from a client:
 
 
<syntaxhighlight lang="bash">
 
ping smartcard-gw
 
</syntaxhighlight>
 
 
 
Now you can try to ping a website:
 
 
<syntaxhighlight lang="bash">
 
ping tcl.fr
 
</syntaxhighlight>
 
 
 
 
 
==DNS server logs==
 
 
Logs are in '''/var/log/syslog'''
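Review bot: this hunk removes the whole `==Test your configuration==` section, which was the only verification step on the page. Its commands were wrong anyway (`named-checkzone smartcards.local /etc/bind/zones/db.172` checks the reverse file under the forward zone name, and `/etc/bind/zones/` is a path the page never creates), so rather than deleting the section, replace it with `named-checkconf` plus one `named-checkzone` per file using the new file names and origins. The removed `/etc/network/interfaces` block (`dns-nameservers 172.16.50.2`, `dns-search smartcards.local`) was also the only place that told the server itself to use the new resolver, and it still references the old domain.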
 
  
  
Line 388: Line 351:
 
=Add new hostname=
 
=Add new hostname=
  
 
+
Same as "simple zone", see [[DNS server unique zone#Add new hostname]]
This is how we had a new host-name into the network:
 
 
 
 
 
==Update LOCAL zone==
 
 
 
 
 
Edit local zone:
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/bind/smartcards.local
 
</syntaxhighlight>
 
 
 
 
 
Add a A or AAAA entry:
 
 
 
<syntaxhighlight lang="bash">
 
my-new-host      IN      A      172.16.50.60
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Update REVERSE zone==
 
 
 
 
 
Edit local zone:
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/bind/db.172
 
</syntaxhighlight>
 
 
 
 
 
Add a A or AAAA entry:
 
 
 
<syntaxhighlight lang="bash">
 
60      IN      PTR    my-new-host.smartcards.local.
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Restart service==
 
 
 
<syntaxhighlight lang="bash">
 
service bind9 restart
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
=Disable IPv6 DNS requests=
 
 
 
You can still be listening on your local IPv6 interface, however '''if your router is not IPv6 compatible you should disable IPv6 requests'''. If you do not disable IPv6 requests then you'll see the following errors in your /var/log/syslog:
 
 
 
<syntaxhighlight lang="bash">
 
error (network unreachable) resolving './DNSKEY/IN': 2001:: ...
 
</syntaxhighlight>
 
 
 
 
 
Edit the configuration file:
 
<syntaxhighlight lang="bash">
 
vim /etc/default/bind9
 
</syntaxhighlight>
 
 
 
 
 
Add / update the options:
 
<syntaxhighlight lang="bash">
 
OPTIONS="-4"
 
</syntaxhighlight>
 
 
 
 
 
That means if the host is capable of IPv4 then IPv4 should be preferred.
 
 
 
 
 
Restart the service and check your logs.
 
 
 
 
 
 
 
 
 
=Disable DNS SEC=
 
 
 
DNS is one of the most vulnerable protocols. Therefore the next generation called "DNS-SEC" is being implemented right now.
 
 
 
But... enabling '''DNS SEC can lead to security error and forward blocking''' if you don't have a proper certificate.
 
 
 
 
 
I don't have enough time to setup the correct certificate so I disabled DNS-SEC.
 
 
 
 
 
'''Edit configuration file''':
 
<syntaxhighlight lang="bash">
 
vim /etc/bind/named.conf.options
 
</syntaxhighlight>
 
 
 
 
 
Disable the DNS-SEC options:
 
<syntaxhighlight lang="bash">
 
dnssec-enable no;
 
dnssec-validation no;
 
</syntaxhighlight>
 
 
 
 
 
Restart the service and check your logs.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
=Sources=
 
 
 
You can find a lot of information about DNS on the web. I used the following tutorials:
 
 
 
* https://help.ubuntu.com/community/BIND9ServerHowto
 
 
 
* https://help.ubuntu.com/14.04/serverguide/dns-references.html#dns-record-types
 
 
 
* https://help.ubuntu.com/14.04/serverguide/dns-configuration.html
 
 
 
* http://blog.bobbyallen.me/2013/09/19/setting-up-internal-dns-on-ubuntu-server-12-04-lts/
 
 
 
* http://doc.ubuntu-fr.org/bind9  (in French)
 
 
 
 
 
Bug fixes:
 
 
 
* no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html
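Review bot: replacing the `Add new hostname` steps with a link to `DNS server unique zone#Add new hostname` is fine, but check that the linked page covers what the removed text got wrong: the old steps add an `A` record and a `PTR` (`60 IN PTR my-new-host.smartcards.local.`) and go straight to `service bind9 restart` without bumping the SOA serial, and the PTR target still uses the old `smartcards.local` domain. Dropping the `=Disable DNS SEC=` section is a good call: setting `dnssec-validation no;` to silence a broken trust chain removes the validation rather than fixing the forwarder problem that caused it.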
 

Latest revision as of 15:27, 22 August 2014


Let's use the "smartcards.vehco.com" domain as an example.

  • The DNS will handle both internal and external requests (Intranet / Internet).
  • The DNS will have 2 zones: one for the Internal members (LAN, VPN, loopback) and one for the External members.


In the following example I'll be using:

  • INTERNAL zone: smartcards.vehco.com ; networks: LAN / VPN / localhost
  • EXTERNAL zone: smartcards.vehco.com
  • DNS server name: smartcard-gw
  • LAN Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
  • VPN Network: 172.16.60.0/24



Technical key points

  • No reverse zone for the external zone
  • Do NOT answer external queries with internal (LAN) data, and do not recurse for them
  • External requests can be forwarded to a 3rd party DNS
  • The External zone configuration only contains:
    • Domain definition "smartcards.vehco.com"
    • Shared resources, if any



Declare the new zones

Here you'll declare both your zones and the reverse zone.


Reset and edit configuration file:

cat /etc/bind/named.conf.default-zones > /etc/bind/named.conf.local
vim /etc/bind/named.conf.local


Here we will create:

  • ACL filters: match clients by their source IP address
  • DNS views: which zones and behaviour apply, depending on which ACL the client matched


Uncomment and adjust the file content (mind the order: BIND serves a client from the first view whose match-clients accepts it):

// definition of LAN
acl internal-networks {
  localhost;			# Allow loopback
  localnets;			# All networks that are configured on the interfaces
  172.16.50.0/24;		# LAN
  172.16.60.0/24;		# VPN LAN
};

// Secondary name servers allowed to transfer (AXFR) the external zone.
// An empty list means no transfers at all; add your slaves' IPs here when you have some.
acl dns-slaves {
};


// INTERNAL zone
view "internal" {
  match-clients { internal-networks; };		# Apply settings to LAN only
  recursion yes;				# Allow recursive queries on LAN

  // ---------------------------------------------------
  // DNS server defaults 
  //
  // keep these lines from the "default-zones" configuration
  //----------------------------------------------------
  // prime the server with knowledge of the root servers
  zone "." {
	type hint;
	file "/etc/bind/db.root";
  };
  // be authoritative for the localhost forward and reverse zones, and for broadcast zones as per RFC 1912
  zone "localhost" {
	type master;
	file "/etc/bind/db.local";
  };
  zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
  };
  zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
  };
  zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
  };

  // End of "default-zones"
  //----------------------------------------------------


  // Custom zones
  //----------------------------------------------------
  // DNS main (forward) zone: name to IP
  zone "smartcards.vehco.com" IN {
          type master;
          file "/etc/bind/internal.smartcards.vehco.com";
          allow-transfer {
                  none;
          };
          allow-update {
                  none;
          };
  };

  // DNS reverse zone: IP to name
  zone "50.16.172.in-addr.arpa" {
          type master;
          file "/etc/bind/db.172";
          allow-transfer {
                  none;
          };
          allow-update {
                  none;
          };
  };
};


view "external" {
  match-clients { 
    !localnets;				# Do not allow local network ("localnets")
    any;				# "any" = any other network that is not a view member
  };
  recursion no;				# No recursivity for external clients

  zone "smartcards.vehco.com" {
    type master;
    file "/etc/bind/external.smartcards.vehco.com";
    allow-transfer { dns-slaves; };
  };
};
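The view selection above is what the whole split relies on, so here is an added Python model (my own code, not part of the page or of BIND) of the address-match-list rules it uses: the first element that matches a client decides, a `!` element rejects, and the first view whose match-clients accepts the client answers. It assumes only the LAN prefix is configured on the server's interfaces, which is what BIND expands `localnets` to in this setup.

```python
import ipaddress

# Constructed from the page's named.conf.local. Assumption: only the LAN prefix is
# configured on the server's interfaces, so BIND's "localnets" expands to that.
ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["172.16.50.0/24"],
    "internal-networks": ["localhost", "localnets", "172.16.50.0/24", "172.16.60.0/24"],
    "dns-slaves": [],                          # empty ACL: matches no client at all
}
# Views with their match-clients lists, in file order; "!" negates an element.
VIEWS = [
    ("internal", ["internal-networks"]),
    ("external", ["!localnets", "any"]),
]

def _element_verdict(ip, element):
    """True = accept, False = reject, None = element does not apply to this ip."""
    negated = element.startswith("!")
    name = element.lstrip("!")
    if name == "any":
        hit = True
    elif name == "none":
        hit = False
    elif name in ACLS:
        hit = match_list(ip, ACLS[name])       # nested ACL (none of ours negate inside)
    else:
        hit = ip in ipaddress.ip_network(name, strict=False)
    return None if not hit else not negated

def match_list(ip, elements):
    """BIND address-match-list rule: the first element that matches decides."""
    for element in elements:
        verdict = _element_verdict(ip, element)
        if verdict is not None:
            return verdict
    return False                               # nothing matched: not allowed

def select_view(client_ip, views=VIEWS):
    """Name of the first view whose match-clients accepts the client, else None."""
    ip = ipaddress.ip_address(client_ip)
    for name, clients in views:
        if match_list(ip, clients):
            return name
    return None                                # no view: BIND refuses the query

def transfer_allowed(client_ip):
    """allow-transfer { dns-slaves; } in the external view: the empty ACL denies AXFR."""
    return match_list(ipaddress.ip_address(client_ip), ACLS["dns-slaves"])

if __name__ == "__main__":
    for ip in ("172.16.50.77", "172.16.60.5", "198.51.100.9"):
        print(ip, "->", select_view(ip),
              "| with the views swapped ->", select_view(ip, list(reversed(VIEWS))))
```

Swapping the two views makes a VPN client (172.16.60.x) land in the external view, because `!localnets` does not reject it and `any` then accepts it; that is the "mind the order" warning in practice.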



Zone configuration (name to IP address)

This is the actual magic of the DNS split horizon!


Create zone files

Create both zones from the local template:

cp /etc/bind/db.local /etc/bind/internal.smartcards.vehco.com
cp /etc/bind/db.local /etc/bind/external.smartcards.vehco.com


Note

You can use any name you like. However, the best practice is to use "internal" and "external", or more generally "<view name>.<domain>".


Configure INTERNAL zone

Edit INTERNAL configuration file:

vim /etc/bind/internal.smartcards.vehco.com


Adjust the file content

;
; BIND - Configuration for INTERNAL zone: "smartcards.vehco.com"
;
$TTL	604800
; SOA: the primary master's host name, then the admin mailbox (root@smartcards.vehco.com)
@	IN	SOA	smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
			20140806	; Serial: bump it every time you edit this file (pattern "yyyyMMdd")
			604800		; Refresh
			86400		; Retry
			2419200		; Expire
			604800 )	; Negative Cache TTL
;

;
; Local resolution of the bare FQDN 'smartcards.vehco.com'.
; A CNAME cannot share the apex with the SOA/NS records (BIND refuses to load the zone),
; so the apex gets an A record pointing at the server instead.
;
@                     IN     A      172.16.50.2

; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@                     IN     NS     smartcard-gw
smartcard-gw          IN     A      172.16.50.2

;
; Gateway declaration
;
cisco-router          IN     A      172.16.50.1

;
; Declare your servers and network hosts (names must match the PTR records in db.172)
;
smartcard-prod-00     IN     A      172.16.50.50
smartcard-prod-01     IN     A      172.16.50.51
smartcard-prod-02     IN     A      172.16.50.52
smartcard-prod-03     IN     A      172.16.50.53

; Create an alias to an existing record
;www                  IN     CNAME  smartcard-gw


Configure EXTERNAL zone

Edit EXTERNAL configuration file:

vim /etc/bind/external.smartcards.vehco.com


Adjust the file content

;
; BIND - Configuration for EXTERNAL zone: "smartcards.vehco.com"
;
$TTL	604800
@	IN	SOA	smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
			20140604	; Serial (pattern "yyyyMMdd")
			604800		; Refresh
			86400		; Retry
			2419200		; Expire
			604800 )	; Negative Cache TTL
;

; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
; Internet clients cannot reach 172.16.50.2, so this view must publish the
; server's PUBLIC address. 203.0.113.2 is a placeholder from the documentation
; range (RFC 5737): replace it with your real public IP.
;
@                     IN     NS     smartcard-gw
smartcard-gw          IN     A      203.0.113.2


As you can see, the "external" zone is rather short! :-)



Reverse zone (IP address to name)

Now that the zone is set up and resolving names to IP addresses, a Reverse zone is also required. A Reverse zone allows DNS to resolve an address to a name.



Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
  • Name the zone file /etc/bind/db.172 : it should match the first octet of your network.



Create the /etc/bind/db.172 file:

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file:

vim /etc/bind/db.172


The content is basically the same as the INTERNAL zone file /etc/bind/internal.smartcards.vehco.com:

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
                       20140603         ; Serial
                                        ; The serial must be changed every time you edit this file;
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server (the NS target is the server's fully qualified name, with the trailing dot)
;
@       IN      NS      smartcard-gw.smartcards.vehco.com.
2       IN      PTR     smartcard-gw.smartcards.vehco.com.

; Gateway (router); PTR targets need the trailing dot, otherwise BIND appends the reverse origin
1       IN      PTR     cisco-router.smartcards.vehco.com.

;
; Other components and hosts: only the last octet is used as the record name
;
50       IN      PTR     smartcard-prod-00.smartcards.vehco.com.
51       IN      PTR     smartcard-prod-01.smartcards.vehco.com.
52       IN      PTR     smartcard-prod-02.smartcards.vehco.com.
53       IN      PTR     smartcard-prod-03.smartcards.vehco.com.
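As an added example (my own checker, not the page's tooling or a BIND utility), the following Python script parses zone text in the page's master-file format and checks the rules the three files above depend on: no CNAME sharing a name with the SOA/NS records at the apex, in-zone NS names backed by an A record, no private address published in the EXTERNAL zone, absolute PTR targets, and a PTR for every LAN A record. The zone text is constructed for the test and deliberately contains one mistake of each kind.

```python
import ipaddress
import re
# Constructed sample zones in the page's master-file format (test data, not the page's files).
ORIGIN, REV_ORIGIN = "smartcards.vehco.com.", "50.16.172.in-addr.arpa."
INTERNAL = """\
@ IN SOA smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
                20140806 604800 86400 2419200 604800 )
smartcards.vehco.com.  CNAME smartcard-gw   ; apex CNAME next to the SOA/NS records
@                 IN NS  smartcard-gw
smartcard-gw      IN A   172.16.50.2
cisco-router      IN A   172.16.50.1
"""
EXTERNAL = """\
@ IN SOA smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. ( 20140604 604800 86400 2419200 604800 )
smartcard-gw      IN A   172.16.50.2         ; private address served to the Internet
"""
REVERSE = """\
@ IN SOA smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. ( 20140603 604800 86400 2419200 604800 )
2   IN PTR smartcard-gw.smartcards.vehco.com.
1   IN PTR cisco-router.smartcards.vehco.com   ; relative target: missing trailing dot
"""

def absolute(name, origin):
    """Expand '@' and relative names under $ORIGIN the way BIND does."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata tokens) triples from master-file text."""
    text = re.sub(r";[^\n]*", "", text)                          # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):             # blank, $TTL, $ORIGIN
            continue
        toks = line.split()
        if not line[0].isspace():                                 # line names a new owner
            owner = absolute(toks.pop(0), origin)
        while toks and (toks[0].upper() == "IN" or toks[0].isdigit()):
            toks.pop(0)                                           # optional class / TTL
        records.append((owner, toks[0].upper(), toks[1:]))
    return records

def check_zone(records, origin, external=False):
    """List the problems a split-horizon zone file must not have."""
    types = {o: {t for oo, t, _ in records if oo == o} for o, _, _ in records}
    has_addr = {o for o, t in types.items() if t & {"A", "AAAA"}}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and types[owner] != {"CNAME"}:
            problems.append(f"CNAME at {owner} shares its name with other records")
        elif rtype == "NS":
            target = absolute(rdata[0], origin)
            if (target == origin or target.endswith("." + origin)) and target not in has_addr:
                problems.append(f"in-zone NS {target} has no A/AAAA record")
        elif rtype == "PTR" and not rdata[0].endswith("."):
            problems.append(f"PTR at {owner} has a relative target {rdata[0]}")
        elif external and rtype == "A" and ipaddress.ip_address(rdata[0]).is_private:
            problems.append(f"{owner} leaks private address {rdata[0]} externally")
    return problems

def check_reverse_matches(forward, reverse, rev_origin):
    """Every A record inside the reverse zone's network needs a PTR pointing back."""
    net = ".".join(reversed(rev_origin.rstrip(".").split(".")[:-2])) + "."   # "172.16.50."
    ptr = {o: r[0] for o, t, r in reverse if t == "PTR"}
    def rev_name(ip): return ip.rsplit(".", 1)[1] + "." + rev_origin         # last octet + origin
    return [f"{o} ({r[0]}) lacks a PTR at {rev_name(r[0])}" for o, t, r in forward
            if t == "A" and r[0].startswith(net) and ptr.get(rev_name(r[0])) != o]
```

Running `check_zone` on each file and `check_reverse_matches` on the internal/reverse pair before `service bind9 restart` catches exactly the class of mistakes `named-checkzone` does not complain about, such as a PTR target that silently becomes `cisco-router.smartcards.vehco.com.50.16.172.in-addr.arpa.`.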


Take changes into account

service bind9 restart



Add new hostname

Same as "simple zone", see DNS server unique zone#Add new hostname