-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Views are probably not the answer. Try allow-query instead:
zone backup.example.com {
        type master;
        file "backup.db";
        allow-query { restricted_networks_ACL; };
};

Chris Buxton
Professional Services
Men & Mice

On Sep 23, 2008, at 1:29 PM, Michele Chubirka wrote:

> We have a dedicated, non-routable, private network for backups which
> maps to a specific subdomain in our zone files, for example,
> backup.example.com. We would like to prevent access to lookup records
> in this subdomain from outside our network, but not the rest of the
> domain. It isn't really practical for us to multi-home our DNS server
> onto this network or to place a dedicated server there. Since all the
> hosts have public interfaces as well, we had thought the best way to
> achieve this would be with setting up views on our current BIND
> server, but since we only want to restrict access to the subdomain, is
> this possible without having two copies of the entire db file for each
> view? For example, we would like to have an internal view which
> allowed access to backup.example.com and an external view which
> allowed access to the rest of the domain. Can I have a forward zone
> file for the subdomain with the internal view config (also including
> the IN-ADDR.ARPA for the private IP space) and leave it out of the
> external db file for the main zone, example.com, without any
> delegation? We aren't trying to hand out different IPs based upon
> match-clients, just block access to one subdomain. Anyone have a
> better suggestion to accomplish this?
>
> view "backup" {
>         match-clients { restricted_networks_ACL; };
>
>         zone "10.IN-ADDR.ARPA" in {
>                 type master;
>                 file "10.db";
>                 notify yes;
>         };
>
>         zone "backup.example.com" in {
>                 type master;
>                 file "backup.db";
>                 notify yes;
>         };
> };
>
> view "external" {
>         match-clients { any; };
>
>         zone "routable_IP_space" in {
>                 type master;
>                 file "routeable.db";
>                 notify yes;
>         };
>
>         zone "example.com" in {
>                 type master;
>                 file "example.db";
>                 notify yes;
>         };
> };
>
> --
> Michele Chubirka
> Senior Information Systems Engineer
> Information Systems and Services
> George Washington University
> 202-994-5791
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjZVXMACgkQOcbWp2QNGR/spgCgm7H68DK7r/9hR+SetPkLftrN
EpsAn1H1RwoWxdfoNhQEzeY0D9CYd8kn
=BB8H
-----END PGP SIGNATURE-----
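
The allow-query approach from the reply, written out as a fuller named.conf fragment with no views. This is an added example, not configuration posted by either participant: the ACL addresses are placeholders, and the allow-transfer lines and the restriction on the reverse zone go beyond what the reply shows.

```conf
// Added example. Zone and file names are taken from the thread;
// the addresses in the ACL are constructed placeholders.
acl restricted_networks_ACL {
        127.0.0.1;
        10.0.0.0/8;       // private backup network (assumed from the 10.IN-ADDR.ARPA zone)
        192.0.2.0/24;     // placeholder for the site's own public address range
};

// Public parent zone. It has no allow-query statement, so the server's
// default applies and anyone may query it. example.db holds no records
// under backup.example.com and no delegation for it.
zone "example.com" {
        type master;
        file "example.db";
        notify yes;
};

// The child zone is loaded on the same server. Queries for names under
// backup.example.com are answered from this zone, not from example.com,
// and only for clients that match the ACL.
zone "backup.example.com" {
        type master;
        file "backup.db";
        notify yes;
        allow-query    { restricted_networks_ACL; };
        // allow-query does not govern zone transfers; restrict AXFR
        // separately or the whole zone can still be copied.
        allow-transfer { restricted_networks_ACL; };
};

// Reverse zone for the private space, restricted the same way so PTR
// lookups do not disclose the backup host names.
zone "10.IN-ADDR.ARPA" {
        type master;
        file "10.db";
        notify yes;
        allow-query    { restricted_networks_ACL; };
        allow-transfer { restricted_networks_ACL; };
};
```

Clients outside restricted_networks_ACL receive REFUSED for names in the two restricted zones, while example.com stays publicly resolvable. Any secondary server that carries these zones needs the same allow-query setting in its own named.conf, since the restriction is per-server and is not transferred with the zone data.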