
What does 'match-destinations' match?


Walkenhorst, Benjamin

Sep 30, 2004, 7:50:23 AM
Hello everyone,

I see that you can define a view not only by the clients that get
to see it, but also by setting 'match-destinations', which takes an
address match list.
But what does it refer to?
The address of the nameserver or the destination of the query?
I've gone over the Bind9 Administrator's Reference Manual thoroughly,
I've read IBM's documentation and I've been asking google exhaustively.
I've found some examples where match-destinations was used, but I couldn't
see what it was to match.
I have the suspicion that this refers to the nameserver's address rather than
the address of the host queried for - since the nameserver doesn't have a way of
knowing beforehand what address the query will resolve to; if I'm right, I think this
is useful in situations where a nameserver has more than one IP (like a public IP and
another IP on a private network, which is also the situation of choice to use views).
_Am_ I right?


Thank you very much,
Benjamin Walkenhorst

Jim Reid

Sep 30, 2004, 1:59:01 PM
>>>>> "Benjamin" == Walkenhorst, Benjamin <Benjamin.W...@telekom.de> writes:

Benjamin> Hello everyone, I see that you can define a view not
Benjamin> only by the clients that get to see it, but also by
Benjamin> setting 'match-destinations', which takes an address
Benjamin> match list. But what does it refer to? The address of
Benjamin> the nameserver or the destination of the query?

Aren't these the same thing? Isn't the destination of a DNS query the
IP address of some name server?

When a view is differentiated using a match-destinations{} ACL, it's
the destination address of the query that gets used for selection.
Typically, this would be used on a multi-homed name server, perhaps
one that runs on a bastion host at the edge of the network, i.e. one
interface is connected to the internet and another connects to the
internal net.

This is just another way of distinguishing clients. Instead of using
the address(es) they send their queries from, it uses the address(es)
they send them to.

David Botham

Sep 30, 2004, 3:16:41 PM
bind-use...@isc.org wrote on 09/30/2004 01:44:11 PM:
> >>>>> "Benjamin" == Walkenhorst, Benjamin <Benjamin.W...@telekom.de> writes:
>
> Benjamin> Hello everyone, I see that you can define a view not
> Benjamin> only by the clients that get to see it, but also by
> Benjamin> setting 'match-destinations', which takes an address
> Benjamin> match list. But what does it refer to? The address of
> Benjamin> the nameserver or the destination of the query?
>
> Aren't these the same thing? Isn't the destination of a DNS query the
> IP address of some name server?

I think Benjamin might have meant something more like the object of the
query, i.e. looking at the IP address returned in an A RR. However, I think
Benjamin would realize, after thinking it over, that this method would not
work for queries for SOA, TXT, and other RRs whose RDATA is not a
"destination"...


Dave...

>


[clip...]


Brian Katzung

Sep 30, 2004, 3:44:52 PM
Walkenhorst, Benjamin wrote:

> I see that you can define a view not only by the clients that get
> to see it, but also by setting 'match-destinations', which takes an
> address match list.
> But what does it refer to?
> The address of the nameserver or the destination of the query?
> I've gone over the Bind9 Administrator's Reference Manual thoroughly,
> I've read IBM's documentation and I've been asking google exhaustively.
> I've found some examples where match-destinations was used, but I couldn't
> see what it was to match.
> I have the suspicion that this refers to the nameserver's address rather than
> the address of the host queried for - since the nameserver doesn't have a way of
> knowing beforehand what address the query will resolve to; if I'm right, I think this
> is useful in situations where a nameserver has more than one IP (like a public IP and
> another IP on a private network, which is also the situation of choice to use views).
> _Am_ I right?

Yes, that's correct. Thus you can have a single server that serves the
public view to the world (maybe domain.com, www.domain.com,
mail.domain.com, etc) and the private view to an internal network
(host1, host2, printer1, printer2, server1, etc).

I much prefer this approach to match-clients because an administrator
(or anybody else) on the internal network can easily verify how a public
query would resolve by overriding the default name server and giving the
public query interface. External queries to the inside interface are
simply blocked at a firewall like any other service.

Another potential scenario might be multiple businesses sharing office
space and a LAN. Each could have a separate interface alias on the name
server and would only see their own views by default but could see
others if they needed to.

- Brian
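The split-horizon setup Jim and Brian describe, written out as a named.conf fragment. This is an added example, not configuration posted in the thread; the addresses (192.0.2.53 public, 10.0.0.53 private), the zone name example.com and the file paths are illustrative assumptions.

```conf
// Added example, not from the thread. Two views on one multi-homed named,
// selected by the address the query was sent TO (match-destinations),
// not the address it came FROM (match-clients). All addresses, the zone
// name and the file paths below are assumptions for illustration.

options {
    directory "/var/named";
    // named must actually listen on both addresses for either view to
    // ever be selected; a query to an address matching no view is refused
    // ("no matching view in class 'IN'" in the log).
    listen-on { 192.0.2.53; 10.0.0.53; };
    recursion no;
};

acl public_iface  { 192.0.2.53; };
acl private_iface { 10.0.0.53; };

// Views are tried in order; the first match wins. Queries that arrived on
// the public interface see only the externally published names.
view "public" {
    match-destinations { public_iface; };
    recursion no;
    zone "example.com" {
        type master;
        file "public/example.com.zone";    // www, mail, ns with public IPs
    };
};

// Queries that arrived on the private interface see the internal names and
// may recurse. match-destinations does NOT stop an outside host reaching
// 10.0.0.53 if it is routable; as Brian notes, that is the firewall's job.
view "internal" {
    match-destinations { private_iface; };
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";  // host1, printer1, server1, ...
    };
};

// Brian's verification trick from an internal host, since the view is
// chosen by destination rather than source address:
//   dig @192.0.2.53 www.example.com A     -> answer from the public view
//   dig @10.0.0.53  host1.example.com A   -> answer from the internal view
```

Run `named-checkconf` after editing; it reports a view that references an ACL or a zone file that does not exist before the daemon is reloaded.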

