Multiple DNS views

Does MiaB support multiple DNS views? As in, one for internal use and one for external, with ACL IP address control as to which systems see which?

My searching on this topic has come up empty, but my search-fu is always weak.

This is critical for my network, e.g., some zone files are for internal systems only.

Thank you.

No, Mail-in-a-Box uses NSD as an authoritative DNS server, and NSD doesn’t have such a feature. Even if it did, supporting it would likely be beyond the scope of the Mail-in-a-Box project.

As far as I know, “views” is a feature specific to BIND 9. So, I suggest setting that up on a separate server and using Mail-in-a-Box solely for email, aka “Advanced Usage with External DNS”.


I vaguely recall migrating from BIND 8 to 9 and the joy of rearchitecting my setup to shift to views. Good thing my IETF work had/has me connected with the ISC people! You mean views are not widely supported? :)

But, as I think about it, MiaB IS running on Ubuntu in which I should find BIND 9. So the question shifts:

Can I run BIND 9 on the same server I am running MiaB? That is NOT use MiaB’s included NSD DNS.

I am sure I will have to figure out Ubuntu things for running BIND on it from what I have done for decades on CentOS, but I suspect I will find some decent guides on that.

Hmmm, I wouldn’t recommend it.

Mail-in-a-Box is designed to function more like an appliance than a traditional Ubuntu server setup, where you install and configure all the necessary components yourself. Even if you manage to get it working, you would be running an unsupported modification that is likely to break in one way or another when you upgrade Mail-in-a-Box using the update script.

Therefore, I recommend using Mail-in-a-Box in one of its two supported DNS modes: either as an authoritative DNS server using NSD, paired with a Split-Horizon DNS setup on an external recursive resolver; or by using Mail-in-a-Box entirely with external DNS, which also should be hosted on an external server or VM.

It is already present, but both are used.

MiaB is using NSD to serve DNS records related to the domains it serves. Next to that, Bind is used as a local DNS resolver.
While bind does support views, and you might well be able to configure it to your liking, its configuration will probably be overwritten on mailinabox upgrade. Something to keep in mind.


Yes, but only as a local resolver for services on localhost. To use Views for a split-DNS setup with ACLs, BIND would need to be accessible to client devices over the network, but port 53 is already in use by NSD.

In theory, you could of course bind NSD to a different network interface or simply disable the NSD service, since you’d be running BIND as authoritative name server. However, making such major changes, essentially replacing NSD with BIND, is almost certain to cause issues. And I’d bet those issues would be more trouble than just reverting a few lines of configuration after an update. ;)

I’m also a bit surprised that someone using Mail-in-a-Box would ask about such a specific use case. In fact, I think DNS Views are a pretty niche feature, even in enterprise environments. The few enterprises I know that use them rely on commercial tools like Infoblox. I’ve never seen Views used in SOHO environments, where I’d typically expect something like Mail-in-a-Box, and I’ve certainly never seen them on an authoritative nameserver for a public zone. But that’s just a side note. ;)
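For readers who want to see what the "views plus ACLs" approach discussed above actually looks like on a dedicated BIND 9 host (not on the Mail-in-a-Box server, whose NSD has no such feature), here is an added example written for this page. It is not from Mail-in-a-Box, BIND's documentation or any poster in the thread; the zone name, ACL ranges and file paths are assumptions.

```conf
// Added example: minimal BIND 9 named.conf for split-horizon DNS with views.
// Clients matching the "internal" ACL get zone data with RFC 1918 addresses;
// everyone else gets the public zone. Names and paths are assumptions.

acl "internal" {
    127.0.0.0/8;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    directory "/var/cache/bind";
    listen-on { any; };
    listen-on-v6 { any; };
    allow-transfer { none; };   // tighten per view/zone if you add secondaries
};

// Views are evaluated in order and the first match-clients hit wins, so the
// narrower internal view has to come before the catch-all external one.
view "internal" {
    match-clients { internal; };
    recursion yes;                  // LAN clients may use this as a resolver
    allow-recursion { internal; };
    zone "mydomain.tld" {
        type primary;
        file "/etc/bind/zones/mydomain.tld.internal";   // private A records
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // authoritative only towards the Internet
    allow-recursion { none; };
    zone "mydomain.tld" {
        type primary;
        file "/etc/bind/zones/mydomain.tld.external";   // public records only
    };
};
```

Two things to check before relying on it: once a single `view` statement exists, named refuses to start unless every zone is inside some view, and `named-checkconf -z /etc/bind/named.conf` will tell you so; and internal clients whose queries arrive via a public (NAT) source address fall into the external view, which is exactly the kind of surprise that makes views on a public-facing server risky. Confirm the split with `dig @ns.mydomain.tld cloud.mydomain.tld A` from an internal and an external host and compare the answers.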

Wait, wait, wait…

I got to MiaB when asking Google for a DNS server in a box! I need to upgrade my DNS BEFORE tackling my mail server.

It seems like MiaB is NOT a fully functional DNS server from comments above.

I have been running my own DNS and mail since '95 when I was connected with a dedicated dialin link at 32bps (RUSTnet), then in '98 I moved to UUnet with bonded ADSL lines for 128bps!

I guess because I have been a part of IETF since '93 and have always tried to eat our own dog food…

So this brings me back to my challenge with DNS. I just pulled an old Zotac Zboxnano out of my stash and will see about putting Almalinux 9 on it (CentOS replacement).

MiaB looks great for my mail replacement. Besides all my thousands of emails/day on 3 domains, it is just my wife and daughter (7GB of mail store on server). I am tired of patching that system. But DNS upgrading is more urgent.

Any recommendations for DNS-in-a-box?

Just point your domains at the registrar to MIAB. Read the setup instructions: glue records, etc. MIAB is a fully-fledged DNS server. You can host multiple domains as well, but all outgoing mail will go via your primary domain with the glue records. All other domains do not require glue records at the registrar.

It is functional enough for its target audience. ;)

Also, it is meant to run on a server with a publicly routable, static IP address, preferably on a VPS.

If you’re behind a NAT with a dynamic IP address, don’t even try to run it at home, because you’ll run into issues with both authoritative DNS and the email server.

Let me explain how a “normal” home user would set things up: ;)

  1. Mail-in-a-Box on a VPS, hosting email and authoritative DNS for all domains.
  2. Homeserver with a few VMs hosting local services, some of which may also be exposed to the internet.
  3. Unbound on pfSense with local records like these:
local-data: "plex.mydomain.tld 3600 IN A 192.168.194.101"
local-data: "cloud.mydomain.tld 3600 IN A 10.0.10.11"
local-data: "chat.mydomain.tld 3600 IN A 10.0.10.11"
local-data: "office.mydomain.tld 3600 IN A 10.0.10.11"
local-data: "searx.local.mydomain.tld 3600 IN A 192.168.110.2"
local-data: "wiki.local.mydomain.tld 3600 IN A 192.168.110.2"
local-data: "tandoor.local.mydomain.tld 3600 IN A 192.168.110.2"
local-data: "git.local.mydomain.tld 3600 IN A 192.168.110.2"
local-data: "pve01.local.mydomain.tld 3600 IN A 192.168.196.101"
local-data: "pve02.local.mydomain.tld 3600 IN A 192.168.196.102"
local-data: "pve03.local.mydomain.tld 3600 IN A 192.168.196.103"
etc...

That’s it, no need for Views. ;)
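The override-only approach in the post above, written out as a plain Unbound configuration rather than through the pfSense GUI, as an added example for this page (not the poster's own config and not generated by pfSense). The interface, ACL ranges, zone name and addresses are assumptions; the important part is the `local-zone` type, which the poster's snippet leaves implicit.

```conf
# Added example: Unbound as a LAN resolver that overrides a handful of names
# in a public zone, leaving everything else to the public authoritative server
# (the NSD on the Mail-in-a-Box VPS). All names and addresses are assumptions.
server:
    interface: 192.168.1.1
    interface: 127.0.0.1

    # Only LAN clients may query; anything else is refused. This is the
    # "ACL" in this design, and it applies to the whole resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 0.0.0.0/0 refuse

    # "transparent" answers only the names listed below and resolves every
    # other name in the zone normally, so MX, DKIM TXT and public hosts still
    # come from the real zone. "static" would instead return NXDOMAIN for them.
    local-zone: "mydomain.tld." transparent
    local-data: "plex.mydomain.tld. 3600 IN A 192.168.194.101"
    local-data: "cloud.mydomain.tld. 3600 IN A 10.0.10.11"

    # A subzone that exists only on the LAN can be "static": unknown names get
    # NXDOMAIN locally instead of leaking queries for internal hostnames.
    local-zone: "local.mydomain.tld." static
    local-data: "wiki.local.mydomain.tld. 3600 IN A 192.168.110.2"
    local-data: "pve01.local.mydomain.tld. 3600 IN A 192.168.196.101"

    # Reverse records for the same hosts, so logs and ssh show names.
    local-data-ptr: "10.0.10.11 cloud.mydomain.tld"
    local-data-ptr: "192.168.110.2 wiki.local.mydomain.tld"
```

Validate with `unbound-checkconf` and then `dig @192.168.1.1 cloud.mydomain.tld A` (private address) versus `dig @192.168.1.1 mydomain.tld MX` (public answer). One caveat: if an internal zone is instead forwarded to another server rather than answered from `local-data`, Unbound's DNS rebinding protection (`private-address`, which pfSense enables by default) strips RFC 1918 answers unless that zone is listed with `private-domain`.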

Maybe this is worth a look: Technitium DNS Server | An Open Source DNS Server For Privacy & Security

Or PowerDNS with GitHub - PowerDNS-Admin/PowerDNS-Admin: A PowerDNS web interface with advanced features

I’m not sure if the above have a similar feature to Views in BIND 9, though.

For home users who just need a few local records and can’t or don’t want to use DNS on their router, popular alternatives to Unbound on pfSense would be Pi-hole or AdGuard. However, you can also set up plain Unbound or dnsmasq in a container or VM.

And, of course, you could also run a fully-fledged Bind instance locally, even as an authoritative server for local zones such as local.yourdomain.com. And you could then use Views to return different IP addresses to different devices in different subnets. I just don’t see an actual use case for something like that in a home network. But it can be done, just not directly on the Mail in a Box server. ;)

I had “just” found Technitium; a couple of things to run it on AlmaLinux 9. It does not support views, and I would have to figure that out. It has “Conditional Forwarding” to an internal DNS server.

I think I looked at PowerDNS last year or so. Need to find my notes on it.

Yes, I have been running full BIND here for over 20 years, but then people like Cricket Liu (BIND book) are colleagues of mine. I am checking with a couple of them about Technitium.

Thanks for the pointers.

Personally, I wouldn’t use Views on a public-facing server to set up split-brain DNS for my home network, as I would be worried it could cause security issues. Btw, that’s also why the enterprises I know don’t use it that way. They only use it internally, and mostly with commercial tools like Infoblox.

I mentioned Cricket Liu? Like co-founder of Infoblox…

It has been years since we crossed paths, but BIND9 with IP addressing ACLs and proper SELinux security just does what is needed. But then Enterprises don’t want to edit zone files, and Infoblox did a great job for them.

Oh, and I mentioned the GENERATE function in zone files? Neat if you use it right for your reverse zones. But my Enterprise colleagues rightly won’t touch it.

DNS is a lot of fun. Talking to people that walk around with the code for it in their heads is a lot of fun. Making new RR for it is also fun (Got 2 in the works in final IESG review; and we are adding CBOR content which will be interesting).

GUIs are what day-to-day admins know how to use. Stay away from Geany and text zone files!

One person I REALLY trust wrt DNS has said for the 90 domains he is responsible for, only one is still stuck on BIND9. All others are on NSD. That is all the recommendation I need for it.
