Linode Community Forums
 Post subject: Private IPs on Resolvers
PostPosted: Thu Sep 10, 2009 9:05 pm 
Joined: Sun Aug 02, 2009 1:32 pm
Posts: 222
Website: https://www.barkerjr.net
Location: Connecticut, USA
Two reasons:

1) No public network usage for those with private IPs

2) I have a zone that I only want accessible to Linode users in the same data center, so I only allow query from 192.168.0.0/16

PostPosted: Mon Sep 14, 2009 3:17 am 
Joined: Mon Feb 02, 2009 1:43 am
Posts: 67
Website: http://fukawi2.nl
Location: Melbourne, Australia
Your request is quite unclear... What are you trying to achieve?

I have bind running on one of my Linodes, with my other 2 Linodes configured to query it over the private network. There shouldn't be a problem doing that.

PostPosted: Mon Sep 14, 2009 7:01 am 
Joined: Sun Aug 02, 2009 1:32 pm
Posts: 222
Website: https://www.barkerjr.net
Location: Connecticut, USA
I have this setup:

Code:
; glue records for the delegated name servers (private addresses; last octet masked by the poster)
fm1     604800  IN      A       192.168.138.xxx
fm2     604800  IN      A       192.168.131.xxx
; delegate the "fremont" subdomain to fm1 and fm2
fremont 604800  IN      NS      fm2
fremont 604800  IN      NS      fm1

However, if people do not run their own local Bind servers, and instead use the default Linode resolvers, they just get a timeout when querying hosts within my "fremont" subdomain.

PostPosted: Mon Sep 14, 2009 7:29 am 
Joined: Mon Feb 02, 2009 1:43 am
Posts: 67
Website: http://fukawi2.nl
Location: Melbourne, Australia
Ah I see... Sounds like you need to configure split-horizon DNS.

With split horizon, a different RR will be returned to clients depending on their IP address. You will want a private view (192.168.0.0/16) and a public view (everyone else) which returns the private address to private clients, and the public addresses to everyone else.

There's plenty of information on Google if you search for "split horizon dns" or "split view dns"

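The split-horizon setup described in the post above, as an added example that is not from the thread or from any of the posters: a BIND 9 named.conf fragment with two views. The ACL name, file names and the layout of the two zone files are assumptions for illustration; barkerjr.net and 192.168.0.0/16 are taken from the thread.

```conf
// Added example (not from the thread): split-horizon DNS in BIND 9.
// Clients on the Linode private network get the private addresses,
// everyone else gets the public ones, so no client is ever handed a
// 192.168.x.x address it cannot reach.

acl "linode-private" { 192.168.0.0/16; };   // Linode private network (from the thread)

options {
    directory "/var/named";                  // assumed path
    recursion no;                            // authoritative only
    allow-transfer { none; };                // no zone transfers to anyone
};

// Views are tried in order and the first match-clients hit wins,
// so the private view must come before the catch-all public view.
// Once any view is defined, every zone must live inside a view.
view "private" {
    match-clients { "linode-private"; };
    zone "barkerjr.net" {
        type master;
        file "barkerjr.net.private";         // assumed: A records for fm1/fm2 point at 192.168.x.x
    };
};

view "public" {
    match-clients { any; };
    zone "barkerjr.net" {
        type master;
        file "barkerjr.net.public";          // assumed: A records carry the public addresses
    };
};

// Check from a Linode on the private network (assumed server name ns1):
//   dig @ns1.barkerjr.net fm1.fremont.barkerjr.net A   -> 192.168.x.x
// Check from outside the private network:
//   dig @ns1.barkerjr.net fm1.fremont.barkerjr.net A   -> public address
```

Both zone files must carry the same SOA serial discipline: when you change a record that exists in both, bump both serials, or the two views drift apart. Note also that match-clients is decided on the source address of the query, so a query that arrives via a shared recursive resolver is classified by the resolver's address, not the end client's.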
PostPosted: Mon Sep 14, 2009 6:49 pm 
Joined: Sun Aug 02, 2009 1:32 pm
Posts: 222
Website: https://www.barkerjr.net
Location: Connecticut, USA
I don't see how that would work. My domain has public DNS servers, so all requests will be from public IPs. Or are you suggesting I glue some local addresses?

PostPosted: Mon Sep 14, 2009 6:56 pm 
Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
One way would be to set up the fremont subdomain using the standard IP address, but configure the DNS server to refuse to serve anything in the subdomain unless the request came from the linode fremont IP range (or from the default resolvers).

It won't be perfect, but it'll handle most cases.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
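The approach suggested in the post above, as an added example that is not from the thread or from the poster: the fremont subdomain is served from the same public name servers as the parent zone, and an allow-query ACL on that one zone refuses everyone outside the Fremont ranges. The ACL name and file names are assumptions; 74.207.224.0/19 is the range a later post in the thread names, and the resolver entry is a placeholder, since the thread does not give the resolver addresses.

```conf
// Added example (not from the thread): restrict queries for one subdomain
// to the Linode Fremont address ranges, BIND 9 named.conf.

acl "fremont-clients" {
    74.207.224.0/19;        // Linode Fremont public range (as given later in the thread)
    192.168.0.0/16;         // Linode private network
    // 203.0.113.53;        // PLACEHOLDER: the data centre's default resolvers, from /etc/resolv.conf
    localhost;
};

// Parent zone: delegate "fremont" to ns1/ns2 (public addresses), not to
// fm1/fm2 on private addresses, so the delegation itself is always reachable.
zone "barkerjr.net" {
    type master;
    file "barkerjr.net.zone";                // assumed file name
};

// Subdomain zone on the same server. A zone-level allow-query overrides the
// global default (any). Clients outside the ACL get status REFUSED instead
// of the timeout they got with private-address glue.
zone "fremont.barkerjr.net" {
    type master;
    file "fremont.barkerjr.net.zone";        // assumed file name; A records may be 192.168.x.x
    allow-query { "fremont-clients"; };
};

// Check from outside the ranges:
//   dig @ns1.barkerjr.net fm1.fremont.barkerjr.net A   -> ";; ->>HEADER<<- ... status: REFUSED"
// Check from a Fremont Linode:
//   dig @ns1.barkerjr.net fm1.fremont.barkerjr.net A   -> the 192.168.x.x answer
```

Two caveats a practitioner should keep in mind. First, the ACL is evaluated on the query's source address; once the data centre's shared resolvers are in it, every customer using those resolvers can resolve the names, which is what "it won't be perfect" above refers to. Second, hiding a name is not access control for the service behind it: anyone on the private network who learns or guesses the hostname, or simply the 192.168 address, can still connect, so the services themselves still need a firewall rule that admits only the intended private addresses.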
PostPosted: Mon Sep 14, 2009 7:17 pm 
Joined: Mon Feb 02, 2009 1:43 am
Posts: 67
Website: http://fukawi2.nl
Location: Melbourne, Australia
BarkerJr wrote:
I don't see how that would work. My domain has public DNS servers, so all requests will be from public IPs. Or are you suggesting I glue some local addresses?

Why are you serving private IP addresses then?

If you want any clients who can utilize the private range (to use the free bandwidth etc), then you need to give them the private range when they ask.

But any public clients who can't see the private network will need to be given the public IP addresses.

Maybe I'm not understanding your issue correctly.

What are you actually trying to achieve? And what is your setup? I feel we only have half the story.

PostPosted: Mon Sep 14, 2009 7:34 pm 
Joined: Sun Aug 02, 2009 1:32 pm
Posts: 222
Website: https://www.barkerjr.net
Location: Connecticut, USA
I'm trying to make it so anyone can access *.barkerjr.net, but only folks in fremont can access *.fremont.barkerjr.net. So, I give ns1, ns2, etc (public IP) to barkerjr.net, then fm1, fm2, etc (private IP) to fremont.barkerjr.net.

In theory, the resolver should ask ns1/2 for *.fremont.barkerjr.net and ns1/2 should provide the private ip for fm1/2. The resolver should then query the private ip of fm1/2 and get what it wants.

That's the optimal way to do this, I think. But I will try sweh's approach for the time being and change my acl to allow 74.207.224.0/19 and use my ns1/2 for all.

PostPosted: Mon Sep 14, 2009 9:08 pm 
Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
BarkerJr wrote:
I'm trying to make it so anyone can access *.barkerjr.net, but only folks in fremont can access *.fremont.barkerjr.net. So, I give ns1, ns2, etc (public IP) to barkerjr.net, then fm1, fm2, etc (private IP) to fremont.barkerjr.net.

In theory, the resolver should ask ns1/2 for *.fremont.barkerjr.net and ns1/2 should provide the private ip for fm1/2. The resolver should then query the private ip of fm1/2 and get what it wants.

That's the optimal way to do this, I think.


The problem is that no one can reach the private IPs unless they have a private IP address of their own _and_ are resolving directly (either using your DNS server or running their own resolver).

Once the traffic leaves the private network (e.g. hitting the default DNS resolvers) then your idea cannot work.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)

PostPosted: Mon Sep 14, 2009 9:42 pm 
Joined: Sun Aug 02, 2009 1:32 pm
Posts: 222
Website: https://www.barkerjr.net
Location: Connecticut, USA
Yeah, that's the point of this thread, really. The optimal way to do this is to give the default resolvers private IPs, too. I'm assuming that 99% of linodes use the default resolvers or run their own, so this would then work for most everyone.
