Warning
At this time, zones published on the NS1 Managed DNS or NS1 Managed DNS for China networks cannot be associated with a DNS view.
A DNS view — sometimes referred to as split-horizon or split-view DNS — is a configuration that allows you to respond to the same DNS query differently depending on the source of the query. It enables you to serve one version of zone data to one group of clients and another version to a different group of clients. For example, you can create an internal view (e.g., “corporate”) and an external (e.g., “public”) view, attaching ACLs that point IP addresses within your organization to the internal view and all other clients to the external view. With this configuration, you can allow your internal or corporate users to view internal-only resources not viewable to the public audience.
DNS views specify one or more zones and one or more access control lists (ACLs). In the NS1 Connect platform, an ACL is a list of clients organized based on specified attributes — such as their source or destination IP address, TSIG key, or GSS-TSIG identity. The ACL is attached to a DNS view configured to allow or deny the clients listed in the ACL access for queries, zone transfers, and updates.
Note
Fully qualified domain name (FQDN) vs. zone name
On the NS1 platform, a zone is a container for records. When creating a zone, you must specify the FQDN. Additionally, you can specify a unique name for a zone. There can be multiple names — therefore, different sets of records — associated with a single FQDN. For example, you can create a zone named ‘example-internal’ and another zone named ‘example-external’ both serving the same FQDN (e.g., example.com). This allows you to apply advanced configurations where clients querying the same FQDN may receive different answers based on their source IP address and other query elements.
Each DNS view specifies at least one access control list (ACL) and at least one zone (by zone name). Follow the instructions below to create and link each of these components in the NS1 portal.
An ACL is a named object associated with one or more IP addresses, TSIG keys, and/or GSS-TSIG identities (service principals). The list is processed from top to bottom such that “items” of the same type (i.e., IPs, TSIG keys, or GSS-TSIG identities) are combined with a logical “or”. Items of different types are combined with a logical “and”.
- Navigate to DNS > ACLs.
- Click the + button to launch the Create ACL menu.
- Enter a name for the ACL (e.g., “internal_org”).
- Next to Add items, add one or more of the objects below in the order they should be processed. After each entry, click Add.
Warning
You must add items in the order in which they should be processed. From top to bottom, objects of the same type (i.e., IP addresses, TSIG keys, or GSS-TSIG identities) are combined with logical “or” statements. Items of different types are combined with logical “and” statements.
- IPv4 address - Specify one or more client IPv4 addresses, CIDR blocks, or ranges. Alternatively, you can negate a rule (i.e., specify an IP address/subnet/range that should be denied access in the ACL) by prefixing the IP with an exclamation point “!”. For example, !1.0.1.100-1.0.1.200 indicates that this range should not be included in the ACL.
- TSIG key - From the drop-down menu, select an existing TSIG key or select Create TSIG key. Enter the name for the TSIG key, select the appropriate algorithm, and enter the unique secret generated by your third-party tool. Note that you can specify the same TSIG key for multiple ACLs.
Note
The only way to enable TSIG for primary zones hosted by NS1 is to associate the zone with a DNS view. The NS1 DNS views functionality required to allow TSIG authentication is only available for zones in Cloud-Managed DDI networks. This is not supported for zones published to NS1 Managed DNS networks.
- GSS-TSIG identities - (Kerberos service principal name) Enter the Kerberos principal name. This is a service principal that will be able to provide dynamic updates to the NS1 DNS server. Refer to this article for more information about configuring DDNS from a Microsoft AD server to the NS1 DNS server. For insecure updates, enter “*” as the GSS-TSIG identity. For secure updates, enter an exact-match identity or a wildcard identity, for example, “*@DDI.TEST” or “CLIENT$@DDI.TEST” where “CLIENT” is the name of a client machine. Once complete, click Add to add the GSS-TSIG identity to the list.
- After adding all items to the list in the correct processing order, click Save ACL.
- Navigate to DNS > Views.
- Click the + button to display the Create View menu.
- Enter a name for the view.
- Enter a preference number for the view. The preference determines the order in which views are processed when there are multiple views on the same network. Since the rules are "first match," a lower preference means the view's ACLs are evaluated before those of other views with higher preference numbers.
- Optionally, associate this view with a DNS network (publishing network) by typing it into the field and selecting it from the list.
Note
Leave this field blank if you are not ready to publish the view. When you are ready to publish, edit the view and add at least one network to which the view should be published.
- Next to ACLs, select Update and enter one or more ACLs to specify which clients or keys should have read-and-write access to the zones associated with this view. Similarly, select Read and enter one or more ACLs to specify which clients or keys should have read-only access to the zones associated with this view.
- Arrange the ACLs to specify the ACL rule order.
Note
ACLs within a DNS view are processed from top to bottom to find the "first match."
- Under Zones, add the existing zone(s) you want to associate with this view. Skip this step if you still need to create the zone(s).
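To make the evaluation rules described above concrete (same-type items OR'd, different types AND'd, a leading “!” negating an IP entry, and ACLs within a view and views by preference both tried top to bottom for the first match), the following is an added Python model of those semantics. It is example code, not NS1's implementation; how an unlisted client is treated, the dict layout used for a view, and the corporate/public sample configuration are assumptions marked in the comments.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

def ip_in_entry(entry, addr):
    # An entry is one address, a CIDR block, or a "lo-hi" range (the forms the ACL menu accepts).
    if "/" in entry:
        return addr in ipaddress.ip_network(entry, strict=False)
    if "-" in entry:
        lo, hi = map(ipaddress.ip_address, entry.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(entry)

@dataclass
class ACL:
    name: str
    ips: list = field(default_factory=list)             # a leading "!" negates the entry
    tsig_keys: list = field(default_factory=list)       # matched by key name
    gss_identities: list = field(default_factory=list)  # exact or "*" wildcard principals

    def ip_ok(self, ip):
        # Assumption: the first entry (top to bottom) covering the client decides, a negated
        # entry excludes the client, and a client matching no entry is not in the ACL.
        addr = ipaddress.ip_address(ip)
        for entry in self.ips:
            if ip_in_entry(entry.lstrip("!"), addr):
                return not entry.startswith("!")
        return False

    def matches(self, ip=None, tsig_key=None, gss_identity=None):
        checks = []  # one result per configured item type; all of them must pass (AND)
        if self.ips:
            checks.append(ip is not None and self.ip_ok(ip))
        if self.tsig_keys:
            checks.append(tsig_key in self.tsig_keys)
        if self.gss_identities:
            checks.append(gss_identity is not None and
                          any(fnmatchcase(gss_identity, p) for p in self.gss_identities))
        return bool(checks) and all(checks)

def select_view(views, access, **client):
    # First match: views in ascending preference, then each view's ACLs for the access type
    # ("update" or "read") top to bottom. Assumed view layout: a dict with those keys plus name.
    for view in sorted(views, key=lambda v: v["preference"]):
        if any(acl.matches(**client) for acl in view[access]):
            return view["name"]

# Constructed sample configuration mirroring the page's corporate/public example.
INTERNAL = ACL("internal_org", ips=["!10.0.9.0/24", "10.0.0.0/8"])
AD_UPDATERS = ACL("ad_updaters", ips=["10.0.5.0/24"], gss_identities=["*@DDI.TEST"])
VIEWS = [{"name": "corporate", "preference": 10, "update": [AD_UPDATERS], "read": [INTERNAL]},
         {"name": "public", "preference": 20, "update": [], "read": [ACL("anyone", ips=["0.0.0.0/0"])]}]
```

A client in the negated 10.0.9.0/24 block falls through the corporate view and is answered by the public view, which is how a single stray entry can silently change which zone data a group of clients sees.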
After creating the DNS view, you can associate new and existing zones with it during zone creation or by editing the zone settings.
Note
This option is recommended if you have multiple zones pointing to the same FQDN and want to associate each of those zones with a DNS view.
Follow the instructions for creating a new zone. When creating the zone, specify an existing DNS view and create a unique zone name. Then, repeat the process of creating another zone pointing to the same FQDN but specifying a different DNS view and applying a unique zone name. This configuration allows you to control which set of zone data is returned to a specific group of clients.
Follow the instructions for editing zone settings, specifying a DNS view with which to associate the existing zone.