Difference between revisions of "DNS server split howto"

(Created page with "Category:Linux Let's use "'''smartcards.vehco.com'''" domain as example. * The DNS will handle both internal and external requests (Intranet / Internet). * The DNS wil...")
 
Line 7: Line 7:
  
  
 +
In the following example I'll be using:
 +
* INTERNAL zone: smartcards.vehco.com ; networks: LAN / VPN / localhost
 +
* EXTERNAL zone: smartcards.vehco.com
 +
* DNS server name: smartcard-gw
 +
* LAN Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
 +
* VPN Network: 172.16.60.0/24
  
=Setup=
 
  
<syntaxhighlight lang="bash">
 
apt-get install bind9 dnsutils bind9-doc
 
</syntaxhighlight>
 
  
  
 +
=Technical key points=
  
=Primary master=
 
  
A DNS primary master is the main DNS for your local domain (ex: smartcards.local).
+
* '''No reverse for the external zone'''
  
  
These are the steps to do:
+
* Do NOT follow external queries to the LAN
* '''Set the external DNS''' to use by your server
 
**File: /etc/bind/named.conf.options
 
  
* '''Declare the new domain''' to manage
 
** File: /etc/bind/named.conf.local
 
  
* Create a '''dedicated configuration file''' for the new domain
+
* External requests can be forwarded to a 3rd party DNS
** New file: /etc/bind/smartcards.local
 
  
* Adjust the '''reverse zone'''
 
** File: /etc/bind/named.conf.local
 
** Rename and adjust file: /etc/bind/db.192
 
  
 +
* The External zone configuration only contains:
 +
** Domain definition "''smartcards.vehco.com''"
 +
** Shared resources, if any
  
==Set the external DNS==
 
  
This is the list of DNS your server will use to populate its own cache.
 
  
  
The external DNS can either be your ISP's DNS or Google's servers.
+
=Declare the new zones=
  
!! Mind the order !!
+
Here you'll declare both your '''zones''' and the '''reverse zone'''.
First DNS have a higher priority.
 
  
  
  
Edit configuration file:
+
Reset and edit configuration file:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/bind/named.conf.options
+
cat /etc/bind/named.conf.default-zones > /etc/bind/named.conf.local
 +
vim /etc/bind/named.conf.local
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
Uncomment and adjust the file content
+
Here we will create:
 +
* '''ACL filters''' => source IP @ filter
 +
* '''DNS views''' => actions to perform depending on the ACL results
  
<syntaxhighlight lang="bash">
 
[...]
 
forwarders {
 
    # Your ISP DNS IP’s
 
    182.176.39.23;
 
    182.176.18.13;
 
  
    # Google's DNS
+
 
    8.8.8.8;
+
Uncomment and adjust the file content:
    8.8.4.4;
+
 
 +
<syntaxhighlight lang="apache">
 +
// definition of LAN
 +
acl internal-networks {
 +
  localhost; # Allow loopback
 +
  localnets; # All networks that are configured on the interfaces
 +
  172.16.50.0/24; # LAN
 +
  172.16.60.0/24; # VPN LAN
 +
};
 +
 
 +
// External DNS to use
 +
acl dns-slaves {
 
};
 
};
[...]
 
</syntaxhighlight>
 
  
  
 +
// INTERNAL zone
 +
view "internal" {
 +
  match-clients { internal-networks; }; # Apply settings to LAN only
 +
  recursion yes; # Allow recursive queries on LAN
  
==Declare the new domain==
+
  // ---------------------------------------------------
 +
  // DNS server defaults
 +
  //
 +
  // keep these lines from the "default-zones" configuration
 +
  //----------------------------------------------------
 +
  // prime the server with knowledge of the root servers
 +
  zone "." {
 +
type hint;
 +
file "/etc/bind/db.root";
 +
  };
 +
  // be authoritative for the localhost forward and reverse zones, and for broadcast zones as per RFC 1912
 +
  zone "localhost" {
 +
type master;
 +
file "/etc/bind/db.local";
 +
  };
 +
  zone "127.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.127";
 +
  };
 +
  zone "0.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.0";
 +
  };
 +
  zone "255.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.255";
 +
  };
  
Edit configuration file:
+
  // End of "default-zones"
 +
  //----------------------------------------------------
  
<syntaxhighlight lang="bash">
+
 
vim /etc/bind/named.conf.local
+
  // Custom network
</syntaxhighlight>
+
  //----------------------------------------------------
 +
  // DNS main zone (IP to name)
 +
  zone "smartcards.vehco.com" IN {
 +
          type master;
 +
  file "/etc/bind/internal.smartcards.vehco.com";
 +
          allow-transfer {
 +
                  none;
 +
          };
 +
          allow-update {
 +
                  none;
 +
          };
 +
  };
 +
 +
  // DNS Reverse (Name to IP)
 +
  zone "50.16.172.in-addr.arpa" {
 +
type master;
 +
file "/etc/bind/db.172";
 +
        allow-transfer {
 +
              none;
 +
        };
 +
        allow-update {
 +
                none;
 +
        };
 +
  };
 +
};
  
  
Uncomment and adjust the file content
+
view "external" {
 +
  match-clients {
 +
    !localnets; # Do not allow local network ("localnets")
 +
    any; # "any" = any other network that is not a view member
 +
  };
 +
  recursion no; # No recursivity for external clients
  
<syntaxhighlight lang="bash">
+
  zone "smartcards.vehco.com" {
zone "smartcards.local" {
+
    type master;
type master;
+
    file "/etc/bind/external.smartcards.vehco.com";
        file "/etc/bind/smartcards.local";
+
    allow-transfer { dns-slaves; };
 +
  };
 
};
 
};
</syntaxhighlight>
 
  
  
  
==Domain configuration file==
 
  
 +
=Zone configuration (name to IP @)=
 +
 +
This is the actual magic of the DNS split horizon!
 +
 +
 +
 +
==Create zone files==
  
Create the domain configuration file from a local template:
+
Create both zones from the local template:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
cp /etc/bind/db.local /etc/bind/smartcards.local
+
cp /etc/bind/db.local /etc/bind/internal.smartcards.vehco.com
 +
cp /etc/bind/db.local /etc/bind/external.smartcards.vehco.com
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
Edit configuration file:
+
''Note''
 +
 
 +
You can any name you'd like. However the best practice is to use "internal" and "external", or more generally the "<view> name.<domain>"
 +
 
 +
 
 +
 
 +
==Configure INTERNAL zone==
 +
 
 +
 
 +
Edit INTERNAL configuration file:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/bind/smartcards.local
+
vim /etc/bind/internal.smartcards.vehco.com
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 112: Line 188:
 
Adjust the file content
 
Adjust the file content
  
<syntaxhighlight lang="bash">
+
<syntaxhighlight lang="apache">
 +
;
 +
; BIND - Configuration for INTERNAL zone: "smartcards.vehco.com"
 
;
 
;
; BIND data file for smartcards.local (you can use mywebsite.com)
+
$TTL 604800
 +
@ IN SOA smartcards.vehco.com. root.smartcards.vehco.com. (
 +
20140806
 +
604800
 +
86400
 +
2419200
 +
604800 )
 
;
 
;
$TTL    604800
 
@      IN      SOA    smartcard-gw.smartcards.local. root.smartcards.local. (
 
                      20140603        ; Serial
 
                                        ; As the serial be changed everytime you edit this file
 
                                        ; it is recommended to use the pattern "yyyyMMdd"
 
                        604800        ; Refresh
 
                          86400        ; Retry
 
                        2419200        ; Expire
 
                        604800 )      ; Negative Cache TTL
 
  
 
;  
 
;  
 +
; Local resolution of the FQDN 'smartcards.vehco.com'
 +
;
 +
smartcards.vehco.com  CNAME smartcard-gw
 +
 
; DNS server declaration
 
; DNS server declaration
; Each NS must point to an A record, not a CNAME.  
+
; Each NS must point to an A record, not a CNAME.
 
; This is where the Primary and Secondary DNS servers are defined
 
; This is where the Primary and Secondary DNS servers are defined
 
;
 
;
@               IN     NS     smartcard-gw.smartcards.local.
+
@               IN     NS     smartcard-gw
smartcard-gw    IN      A       172.16.50.2
+
smartcard-gw         IN     A      172.16.50.2
 
 
;
 
; -- alternative --
 
; To declare a server a specific domain only
 
;
 
;website.com      IN      NS      smartcard-gw.website.com.
 
;website.com     IN      A      172.16.50.2
 
 
 
  
 
;
 
;
; Gateway (router)
+
; Gateway declaration
 
;
 
;
cisco-router     IN     A      172.16.50.1
+
cisco-router         IN     A      172.16.50.1
  
 
;
 
;
Line 162: Line 233:
  
  
Notes:
+
==Configure EXTERNAL zone==
  
* Don't forget to adjust the serial every-time you edit the file !
+
Edit EXTERNAL configuration file:
  
* NS = Name server
+
<syntaxhighlight lang="bash">
 +
vim /etc/bind/external.smartcards.vehco.com
 +
</syntaxhighlight>
  
* A = IP v4 entry
 
  
* AAAA = IP v6 entry
+
Adjust the file content
  
* CNAME = Alias to a previous A or AAAA entry
+
<syntaxhighlight lang="apache">
 +
;
 +
; BIND - Configuration for EXTERNAL zone: "smartcards.vehco.com"
 +
;
 +
$TTL 604800
 +
@ IN SOA smartcards.vehco.com. root.smartcards.vehco.com. (
 +
20140604
 +
604800
 +
86400
 +
2419200
 +
604800 )
 +
:
  
 +
; DNS server declaration
 +
; Each NS must point to an A record, not a CNAME.
 +
; This is where the Primary and Secondary DNS servers are defined
 +
;
 +
@               IN    NS     smartcard-gw
 +
smartcard-gw          IN    A      172.16.50.2
 +
</syntaxhighlight>
  
  
==Reverse zone file==
+
As you can see the "external" is rather short ! :-)
  
  
Now that the zone is setup and resolving names to IP Adresses a '''Reverse zone''' is also required. A Reverse zone allows DNS to resolve an address to a name.
 
  
  
===Declare reverse zone===
+
=Reverse zone (IP @ to name)=
  
 +
Now that the zone is setup and resolving names to IP Adresses a '''Reverse zone''' is also required. A Reverse zone allows DNS to resolve an address to a name.
  
Edit configuration file:
 
  
<syntaxhighlight lang="bash">
 
vim /etc/bind/named.conf.local
 
</syntaxhighlight>
 
 
 
Add the following reverse
 
 
<syntaxhighlight lang="bash">
 
# Our reverse zone
 
# Server IP 172.16.50.2
 
zone "50.16.172.in-addr.arpa" {
 
        type master;
 
        file "/etc/bind/db.172";
 
};
 
</syntaxhighlight>
 
  
  
Line 212: Line 286:
  
  
===Configure reverse zone===
+
==Configure reverse zone==
  
  
Line 229: Line 303:
  
  
The content is basically the same as /etc/bind/smartcards.local:
+
The content is basically the same as INTERNAL file: /etc/bind/internal.smartcards.vehco.com:
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
;
 
;
Line 263: Line 338:
  
  
Notes:
 
  
* Don't forget to adjust the serial every-time you edit the file !
+
=Take changes into account=
 
 
* You only need to put the last byte value in the reverse
 
 
 
* PTR = redirection to A entry
 
 
 
 
 
 
 
==Take changes into account==
 
  
  
Line 280: Line 346:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
 
==Use the local DNS server as default one==
 
 
Now that your server is ready to be used, you have to use it !!
 
 
* All the clients will get their configuration from DHCP (see [[DHCP server]]).
 
 
* On the local server, you have to edit your current IP settings
 
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/network/interfaces
 
</syntaxhighlight>
 
 
 
Adjust it like that:
 
 
<syntaxhighlight lang="bash">
 
# The primary network interface [static IP]
 
auto eth0
 
iface eth0 inet static
 
        address 172.16.50.2
 
        netmask 255.255.255.0
 
        gateway 172.16.50.1
 
        network 172.16.50.0
 
        broadcast 172.16.50.255
 
 
        # Local DNS server on 172.16.50.2 as default. Then the DNS server itself will forward the requests to external DNS servers.
 
        dns-nameservers 172.16.50.2
 
        dns-search smartcards.local
 
        dns-domain smartcards.local
 
</syntaxhighlight>
 
 
 
Don't forget to reboot to take on your configuration changes !
 
 
 
 
==Test your configuration==
 
 
 
===Test on SERVER side===
 
 
 
Run the following commands to check your configuration. All commands should output '''OK''' or be a ping success. :)
 
 
 
Check the local zone:
 
 
<syntaxhighlight lang="bash">
 
named-checkzone smartcards.local /etc/bind/zones/smartcards.local
 
named-checkzone smartcards.local /etc/bind/zones/db.172
 
</syntaxhighlight>
 
 
 
Check the reverse zone:
 
 
<syntaxhighlight lang="bash">
 
named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172
 
</syntaxhighlight>
 
 
 
 
Now you can try to ping the router and a client:
 
 
<syntaxhighlight lang="bash">
 
ping cisco-router
 
ping smartcard-prod-00
 
</syntaxhighlight>
 
 
 
Now you can try to ping a website:
 
 
<syntaxhighlight lang="bash">
 
ping dev.daxiongmao.eu
 
</syntaxhighlight>
 
 
 
===Test on CLIENT side===
 
 
 
Try to access ping the DNS server name from a client:
 
 
<syntaxhighlight lang="bash">
 
ping smartcard-gw
 
</syntaxhighlight>
 
 
 
Now you can try to ping a website:
 
 
<syntaxhighlight lang="bash">
 
ping tcl.fr
 
</syntaxhighlight>
 
 
 
 
 
==DNS server logs==
 
 
Logs are in '''/var/log/syslog'''
 
  
  
Line 433: Line 397:
 
service bind9 restart
 
service bind9 restart
 
</syntaxhighlight>
 
</syntaxhighlight>
 
 
 
 
=Disable IPv6 DNS requests=
 
 
You can still be listening on your local IPv6 interface, however '''if your router is not IPv6 compatible you should disable IPv6 requests'''. If you do not disable IPv6 requests then you'll see the following errors in your /var/log/syslog:
 
 
<syntaxhighlight lang="bash">
 
error (network unreachable) resolving './DNSKEY/IN': 2001:: ...
 
</syntaxhighlight>
 
 
 
Edit the configuration file:
 
<syntaxhighlight lang="bash">
 
vim /etc/default/bind9
 
</syntaxhighlight>
 
 
 
Add / update the options:
 
<syntaxhighlight lang="bash">
 
OPTIONS="-4"
 
</syntaxhighlight>
 
 
 
That means if the host is capable of IPv4 then IPv4 should be preferred.
 
 
 
Restart the service and check your logs.
 
 
 
 
 
=Disable DNS SEC=
 
 
DNS is one of the most vulnerable protocols. Therefore the next generation called "DNS-SEC" is being implemented right now.
 
 
But... enabling '''DNS SEC can lead to security error and forward blocking''' if you don't have a proper certificate.
 
 
 
I don't have enough time to setup the correct certificate so I disabled DNS-SEC.
 
 
 
'''Edit configuration file''':
 
<syntaxhighlight lang="bash">
 
vim /etc/bind/named.conf.options
 
</syntaxhighlight>
 
 
 
Disable the DNS-SEC options:
 
<syntaxhighlight lang="bash">
 
dnssec-enable no;
 
dnssec-validation no;
 
</syntaxhighlight>
 
 
 
Restart the service and check your logs.
 
 
 
 
 
 
 
 
 
 
=Sources=
 
 
You can find a lot of information about DNS on the web. I used the following tutorials:
 
 
* https://help.ubuntu.com/community/BIND9ServerHowto
 
 
* https://help.ubuntu.com/14.04/serverguide/dns-references.html#dns-record-types
 
 
* https://help.ubuntu.com/14.04/serverguide/dns-configuration.html
 
 
* http://blog.bobbyallen.me/2013/09/19/setting-up-internal-dns-on-ubuntu-server-12-04-lts/
 
 
* http://doc.ubuntu-fr.org/bind9  (in French)
 
 
 
Bug fixes:
 
 
* no forwarding due to DNS-SEC errors (broken trust chain): http://pewetheb.blogspot.se/2013/11/named-error-broken-trust-chain.html
 

Revision as of 14:24, 22 August 2014


Let's use "smartcards.vehco.com" domain as example.

  • The DNS will handle both internal and external requests (Intranet / Internet).
  • The DNS will have 2 zones: one for the Internal members (LAN, VPN, loopback) and one for the External members.


In the following example I'll be using:

  • INTERNAL zone: smartcards.vehco.com ; networks: LAN / VPN / localhost
  • EXTERNAL zone: smartcards.vehco.com
  • DNS server name: smartcard-gw
  • LAN Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
  • VPN Network: 172.16.60.0/24



Technical key points

  • No reverse for the external zone


  • Do NOT follow external queries to the LAN


  • External requests can be forwarded to a 3rd party DNS


  • The External zone configuration only contains:
    • Domain definition "smartcards.vehco.com"
    • Shared resources, if any



Declare the new zones

Here you'll declare both your zones and the reverse zone.


Reset and edit configuration file: 

cat /etc/bind/named.conf.default-zones > /etc/bind/named.conf.local
vim /etc/bind/named.conf.local


Here we will create:

  • ACL filters => source IP @ filter
  • DNS views => actions to perform depending on the ACL results


Uncomment and adjust the file content: 

// definition of LAN
acl internal-networks {
  localhost;			# Allow loopback
  localnets;			# All networks that are configured on the interfaces
  172.16.50.0/24;		# LAN
  172.16.60.0/24;		# VPN LAN
};

// External DNS to use
acl dns-slaves {
};


// INTERNAL zone
view "internal" {
  match-clients { internal-networks; };		# Apply settings to LAN only
  recursion yes;				# Allow recursive queries on LAN

  // ---------------------------------------------------
  // DNS server defaults 
  //
  // keep these lines from the "default-zones" configuration
  //----------------------------------------------------
  // prime the server with knowledge of the root servers
  zone "." {
 	type hint;
	file "/etc/bind/db.root";
  };
  // be authoritative for the localhost forward and reverse zones, and for broadcast zones as per RFC 1912
  zone "localhost" {
	type master;
	file "/etc/bind/db.local";
  };
  zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
  };
  zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
  };
  zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
  };

  // End of "default-zones"
  //----------------------------------------------------


  // Custom network
  //----------------------------------------------------
  // DNS main zone (IP to name)
  zone "smartcards.vehco.com" IN {
          type master;
 	  file "/etc/bind/internal.smartcards.vehco.com";
          allow-transfer {
                  none;
          };
          allow-update {
                  none;
          };
  };
 
  // DNS Reverse (Name to IP)
  zone "50.16.172.in-addr.arpa" {
	type master;
	file "/etc/bind/db.172";
        allow-transfer {
               none;
        };
        allow-update {
                none;
        };
  };
};


view "external" {
  match-clients { 
    !localnets;				# Do not allow local network ("localnets")
    any;				# "any" = any other network that is not a view member
  };
  recursion no;				# No recursivity for external clients

  zone "smartcards.vehco.com" {
    type master;
    file "/etc/bind/external.smartcards.vehco.com";
    allow-transfer { dns-slaves; };
  };
};




=Zone configuration (name to IP @)=

This is the actual magic of the DNS split horizon!



==Create zone files==

Create both zones from the local template:

<syntaxhighlight lang="bash">
cp /etc/bind/db.local /etc/bind/internal.smartcards.vehco.com
cp /etc/bind/db.local /etc/bind/external.smartcards.vehco.com


Note

You can any name you'd like. However the best practice is to use "internal" and "external", or more generally the "<view> name.<domain>"


Configure INTERNAL zone

Edit INTERNAL configuration file: 

vim /etc/bind/internal.smartcards.vehco.com


Adjust the file content 

;
; BIND - Configuration for INTERNAL zone: "smartcards.vehco.com"
;
$TTL	604800
@	IN	SOA	smartcards.vehco.com. root.smartcards.vehco.com. (
			20140806
			604800
			86400
			2419200
			604800 )
;

; 
; Local resolution of the FQDN 'smartcards.vehco.com'
;
smartcards.vehco.com  CNAME smartcard-gw

; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@	              IN     NS	    smartcard-gw
smartcard-gw          IN     A      172.16.50.2

;
; Gateway declaration
;
cisco-router         IN     A       172.16.50.1

;
; Declare your servers and networks hosts 
;
smarcartd-prod-00 IN      A       172.16.50.50
smarcartd-prod-01 IN      A       172.16.50.51
smarcartd-prod-02 IN      A       172.16.50.52
smarcartd-prod-03 IN      A       172.16.50.53

; Create an alias to an existing record
;wwww             IN      CNAME   smartcard-gw


Configure EXTERNAL zone

Edit EXTERNAL configuration file: 

vim /etc/bind/external.smartcards.vehco.com


Adjust the file content 

;
; BIND - Configuration for EXTERNAL zone: "smartcards.vehco.com"
;
$TTL	604800
@	IN	SOA	smartcards.vehco.com. root.smartcards.vehco.com. (
			20140604
			604800
			86400
			2419200
			604800 )
:

; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@	              IN     NS	    smartcard-gw
smartcard-gw          IN     A      172.16.50.2


As you can see the "external" is rather short ! :-)



Reverse zone (IP @ to name)

Now that the zone is setup and resolving names to IP Adresses a Reverse zone is also required. A Reverse zone allows DNS to resolve an address to a name.



Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
  • Name the zone file /etc/bind/db.172 : it should match the first octet of your network.


Configure reverse zone

Now create the /etc/bind/db.172 file: 

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file: 

vim /etc/bind/db.172


The content is basically the same as INTERNAL file: /etc/bind/internal.smartcards.vehco.com: 

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.local. root.smartcards.local. (
                       20140603         ; Serial
                                        ; As the serial be changed everytime you edit this file
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server
;
@       IN      NS      smartcard-gw.
2       IN      PTR     smartcard-gw.smartcards.local.

; Gateway (router)
1       IN      PTR     cisco-router.smartcards.local

;
; Other components and hosts
;
50       IN      PTR     smartcard-prod-00.smartcards.local.
51       IN      PTR     smartcard-prod-01.smartcards.local.
52       IN      PTR     smartcard-prod-02.smartcards.local.
53       IN      PTR     smartcard-prod-03.smartcards.local.


Take changes into account

service bind9 restart



Add new hostname

This is how we had a new host-name into the network:


Update LOCAL zone

Edit local zone: 

vim /etc/bind/smartcards.local


Add a A or AAAA entry: 

my-new-host       IN      A       172.16.50.60


Update REVERSE zone

Edit local zone: 

vim /etc/bind/db.172


Add a A or AAAA entry: 

60       IN      PTR     my-new-host.smartcards.local.


Restart service

service bind9 restart
Retrieved from "http://www.daxiongmao.eu/wiki/index.php?title=DNS_server_split_howto&oldid=1413"