> This is just for local users. I am thinking of creating views for internal and external; this way
> I can have a different policy for each view. Do you recommend that?
My preference is for completely separate internal and external services. However, needs must and Views is a perfectly good way to approach things.
> Am I missing anything, in terms of security or performance?
It's simple, simple is good :)
If you're running 9.4 you might add allow-query-cache to complement allow-recursion. e.g.
acl "internalnet" { 10.1.0.0/16; };
options {
...
allow-query { any; };
allow-recursion { internalnet; };
allow-query-cache { internalnet; };
...
};
I'd have the acl because it makes maintenance easier, and I'd have an acl for use with allow-transfer for the same reason.
> And finally that is how you do submitting?, within a single zone?
You don't need the first $ORIGIN, it's implicit from named.conf.
Otherwise it's fine. Sometimes it's better to make everything relative to the zone name, it just depends on what you use the zone for. Certainly nothing wrong with your usage here.
If you want more there's a guide here, you're not missing much though:
http://www.cymru.com/Documents/secure-bind-template.html

Chris
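
The views layout discussed in this thread, written out as an added example that is not part of the original message. The zone name, file paths, directory and the secondary's address are placeholders; only the internalnet ACL comes from the message.

```conf
// Constructed example: zone name, paths and the secondary address are placeholders.
acl "internalnet" { 10.1.0.0/16; };       // ACL from the message above
acl "secondaries" { 192.0.2.53; };        // hypothetical secondary server

options {
    directory "/var/named";               // assumed path
    allow-transfer { none; };             // deny by default, open per zone
};

// Views are tried in order; a client lands in the first one it matches.
view "internal" {
    match-clients { internalnet; };
    recursion yes;
    allow-query       { internalnet; };
    allow-recursion   { internalnet; };
    allow-query-cache { internalnet; };   // BIND 9.4 and later

    zone "example.com" {
        type master;
        file "internal/example.com.db";   // internal copy of the zone
        // no allow-transfer here, so the options default (none) applies
    };
};

view "external" {
    match-clients { any; };               // everyone not matched above
    recursion no;                         // authoritative answers only
    allow-query       { any; };
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "external/example.com.db";   // public copy of the zone
        allow-transfer { secondaries; };  // the secondary arrives via this view
    };
};
```

Once any view is defined, every zone has to live inside a view, which is why the zone is declared twice with separate files.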