30.15. Using BIND Views
BIND version 9 introduced the concept of views, which are groups of zones that are visible only to certain DNS clients. Views can be used to hide internal zones from the Internet, to present the same zone in two different ways, or to stop non-local clients resolving non-hosted domains through your server. Every view has a unique name, and a list of matching IP addresses and IP networks that determines which clients and servers it is visible to.
When it detects that you are running BIND 9, several additional features are available in the module. You can create views, move zones from one view to another, and choose which view zones are created in. On the main page, each current view is represented by an icon under Existing Client Views heading and each zone icon has a label that indicates which view it is in.
If any views exist, then every zone must be in a view. If none are defined will Webmin allow the creation of zones outside views, as this is not supported by BIND. This includes the root zone, which must be available to a client for DNS requests for records in domains not hosted by this server to succeed. For this reason, it often makes sense to put the root zone in a view that is available to all clients.
To add a new view to your BIND configuration, the steps to follow are:
1. | On the module's main page, click on the Create a new view link in the Existing Client Views section. This will take you to a form for entering its details. |
2. | Enter a short alphanumeric name for the view (such as internal or everyone) into the View name field. Each view must have a unique name. |
3. | Leave the DNS records class field set to Default. |
4. | If the zones in this view are to be visible to everyone, set the Apply this view to clients field to All clients. Otherwise, choose Selected addresses, networks, and ACLs and enter a list of IP addresses, IP networks and BIND ACL names into the text box below. Only clients that match one of the entries in this list will have access to the view. |
5. | Click the Create button at the bottom of the form. You will be returned to the main page, which will include an icon for your new view. |
6. | Move any existing zones that you want to be in this view into it. A zone can be moved by clicking on its icon, then on Edit Zone Options, and then selecting the new view from the menu next to the Move to view button before clicking it. If this is your first view, all existing zones must be moved into it (or another view) before the new configuration will be accepted by BIND. |
7. | When you are done moving zones, click the Apply Changes button on the main page. |
Once a view has been created, you can change the list of addresses and networks that it matches by clicking on its icon on the main page and updating the Apply this view to clients field. Then hit the Save button followed by Apply Changes to make the new client list active.
A view can be deleted by clicking the Delete button on the same form. This will bring up a confirmation page that allows you to choose what should happen to the zones that it contains, if any. The available options are:
Delete totally All zones in the view are deleted, along with their records files.
Move out of views Zones in the view are moved out to the top level. This option should only be used when deleting the last view, for the reasons explained above.
When one or more views have been defined on your system, you can choose which one to use when adding new zones. This is done using the Create in view field on the master, slave, forward and root zone creation forms, which allows you to select a view from its menu. Naturally, there is no option for creating a zone outside of any views as this is not allowed by BIND.
One common use of views is hiding internal zones from clients outside your internal network. This is a good way of hiding the structure of your network and the hosts on it from potential attackers. To set it up, the steps to follow are:
1. | |
2. | |
3. | Move any zones that are for internal use only into the internal view. Zones for Internet domains such as example.com must not be put in this view, as that would make them inaccessible to the rest of the world. |
4. | Move all other zones (including the root zone) to the everyone view. |
Views can also be used to prevent clients outside your network looking up non-hosted domains on your server, as follows:
1. | Create a new view called internal that matches clients on your internal LAN. |
2. | Create a second view called everyone that matches all clients. |
3. | Move the root zone to the internal view, which will prevent the server from looking up records for non-local clients that require contact with the root servers. |
4. |