11-30-2015 05:07 AM
I've been searching about this topic, and there are a few posts about it, but I'm still not sure what to do with the configuration in Infoblox to get it properly working. Just to refresh, there are a couple of views defined in Infoblox that I need to transfer correctly to a "standard" secondary server based on BIND. I've been playing with TSIG keys on both servers, but I don't fully understand what Infoblox translates to in its internal configuration, and it seems a bit of a strange mix of match-clients (out-of-order entries?), NS servers and allow-transfer clauses.
Could anyone post a skeleton, example, guide, whatever, that I could use as a guide to make this scenario work? I've been told that this can't be done with Infoblox, but I refuse to believe this...
Thank you very much in advance,
12-02-2015 06:39 AM
The best way to think of 'views' is that they are 'virtual DNS servers'. When you have multiple views configured you now have multiple DNS servers listening on the same IP addresses. So you need a way to tell clients which server they need to talk to. Thus you set things like match-clients and match-destinations lists.
Now imagine that you have 2 DNS servers, both with views, that need to communicate with each other. Since they have the same IP addresses, you can't use any match lists because they just look the same. If you want to do zone transfers to the secondaries, you have to find a way to make this work:
188.8.131.52 / view A / Zone A -> 184.108.40.206 / view A / Zone A
220.127.116.11 / view B / Zone B -> 18.104.22.168 / view B / Zone B
and get all the notifies to the right place.
So you can mostly solve this with TSIG keys, they become an additional method to identify a client and match it to the right view. But you still usually get burnt with the notify messages, because it can be hard to make sure they go to the right view.
It all depends on the configuration. If you are using BIND you have to configure your server with multiple addresses and use 'notify-source' with a different IP for each view.
Or you just wait for the SOA timers to pull a transfer at fixed intervals.
But 50% of the time you can't do this with Infoblox, because we don't support 'notify-source' (and you have a messy config anyway because of all these extra IP addresses just to handle the view soup).
The question I usually ask is "Why are you even using views? What problem were you trying to solve?"
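The reply above describes the mechanics in words; the following BIND 9 named.conf fragment is an added example (not posted by either participant, and not Infoblox's internal configuration) of how the BIND secondary side is usually wired: one TSIG key per view, the key used in match-clients to pick the view, the other view's key negated so a signed NOTIFY cannot fall into the wrong view by source address, and a per-view transfer-source/notify-source address. All names, addresses and key material are invented for illustration; the zone names, ACLs and the primary address 192.0.2.10 are assumptions, not values from the thread.

```conf
// Added example, not from the original thread or from Infoblox.
// BIND 9.16+ syntax (type secondary / primaries); on older releases
// use "type slave" and "masters" with the same meaning.

// One TSIG key per view. Secrets here are dummies: generate real ones
// with "tsig-keygen view-a-xfer" and "tsig-keygen view-b-xfer".
key "view-a-xfer" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
key "view-b-xfer" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// Ordinary resolver populations for each view (assumed ranges).
acl "view-a-clients" { 10.10.0.0/16; };
acl "view-b-clients" { 10.20.0.0/16; };

view "A" {
    // Views are tried in order and the first match wins. A message signed
    // with the other view's key is rejected here explicitly, otherwise a
    // NOTIFY from the primary (one IP, both views) could land in view A
    // just because the primary's address happens to match an ACL.
    match-clients { !key view-b-xfer; key view-a-xfer; view-a-clients; };

    // Everything this view sends to the primary (SOA refresh, AXFR/IXFR,
    // NOTIFY) leaves from its own address, so a primary that can only
    // distinguish by IP still sees two different "servers".
    transfer-source 192.0.2.21;
    notify-source   192.0.2.21;

    // Clamp the SOA refresh interval so a lost or mis-routed NOTIFY costs
    // at most 15 minutes of staleness instead of the zone's full timer.
    max-refresh-time 900;

    zone "a.example.test" {
        type secondary;
        // Signing the refresh/transfer request with the view's key is what
        // lets the primary's match-clients route it to the right view there.
        primaries { 192.0.2.10 key view-a-xfer; };
        allow-notify { key view-a-xfer; };
        file "secondary/a/a.example.test.db";
    };
};

view "B" {
    match-clients { !key view-a-xfer; key view-b-xfer; view-b-clients; };
    transfer-source 192.0.2.22;
    notify-source   192.0.2.22;
    max-refresh-time 900;

    zone "b.example.test" {
        type secondary;
        primaries { 192.0.2.10 key view-b-xfer; };
        allow-notify { key view-b-xfer; };
        file "secondary/b/b.example.test.db";
    };
};
```

Check the result with `named-checkconf` and then query each view by key, e.g. `dig @192.0.2.21 -y hmac-sha256:view-a-xfer:<secret> a.example.test SOA`; a query signed with view B's key against the same address must return view B's data (or REFUSED if the zone is not in that view), which confirms the negated-key entries are doing their job. Note that the per-view source addresses only help with NOTIFYs in the direction where the sender can set them; as the reply says, if the primary cannot choose a notify-source per view, the secondary is left relying on the refresh timer for that direction.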
12-04-2015 12:30 AM
Thank you for your reply...
We're using different views to get different address resolutions for a private group, as part of a security approach to administratively allow or deny access to some resources. It's not our idea, just the configuration needed to access some external global resources. The problem arises because we have around 3 secondary servers that are now trying to synchronize with the new Infoblox and they fail, resulting in inconsistencies. It's hard to believe that Infoblox, a reference in the market, is not able to "cooperate" with the rest of the DNS infrastructure when different views are used, nothing out of this world.
I don't know if someone could shed some light with some kind of workaround or final solution, but it seems to me that this is some kind of choice (ultimatum?) between Infoblox and other DNS systems, including BIND.
Am I right? Hard to believe...
12-23-2015 03:34 AM
I don't think the point is "the lack of cooperation of Infoblox". Infoblox DNS runs on BIND. Perhaps you're just facing a configuration problem. I have a similar customer using 7 different views with several BIND secondary name servers, and there's a lot of work to do to get things working properly. We didn't use TSIG keys, but the customer's "schema" is equally complex.
Could you please detail the configuration you're trying to use? What kind of errors are you facing? What options are you using at the secondary name servers? Have you tried enabling query logging on Infoblox to see the live action?
Please give us more detail so we can help you.