Thanks. But one more question. We keep our subdomains in one main db file. Can we break out one subdomain into a separate db file while leaving the main db file intact? Or will we have to break out all our subdomains in order to do this?
Chris Buxton wrote:
> Views are probably not the answer. Try allow-query instead:
>
> zone backup.example.com {
>         type master;
>         file "backup.db";
>         allow-query { restricted_networks_ACL; };
> };
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Sep 23, 2008, at 1:29 PM, Michele Chubirka wrote:
>
>> We have a dedicated, non-routable, private network for backups which
>> maps to a specific subdomain in our zone files, for example
>> backup.example.com. We would like to prevent access to lookup records in
>> this subdomain from outside our network, but not the rest of the domain.
>> It isn't really practical for us to multi-home our DNS server onto this
>> network or to place a dedicated server there. Since all the hosts have
>> public interfaces as well, we had thought the best way to achieve this
>> would be with setting up views on our current BIND server, but since we
>> only want to restrict access to the subdomain, is this possible without
>> having two copies of the entire db file for each view? For example, we
>> would like to have an internal view which allowed access to
>> backup.example.com and an external view which allowed access to the rest
>> of the domain. Can I have a forward zone file for the subdomain with the
>> internal view config (also including the IN-ADDR.ARPA for the private IP
>> space) and leave it out of the external db file for the main zone,
>> example.com, without any delegation? We aren't trying to hand out
>> different IPs based upon match-clients, just block access to one
>> subdomain. Anyone have a better suggestion to accomplish this?
>>
>> view "backup" {
>>     match-clients { restricted_networks_ACL; };
>>
>>     zone "10.IN-ADDR.ARPA" in {
>>         type master;
>>         file "10.db";
>>         notify yes;
>>     };
>>
>>     zone "backup.example.com" in {
>>         type master;
>>         file "backup.db";
>>         notify yes;
>>     };
>> };
>>
>> view "external" {
>>     match-clients { any; };
>>
>>     zone "routable_IP_space" in {
>>         type master;
>>         file "routeable.db";
>>         notify yes;
>>     };
>>
>>     zone "example.com" in {
>>         type master;
>>         file "example.db";
>>         notify yes;
>>     };
>> };
>>
>> --
>> Michele Chubirka
>> Senior Information Systems Engineer
>> Information Systems and Services
>> George Washington University
>> 202-994-5791
>>
>

--
Michele Chubirka
Senior Information Systems Engineer
Information Systems and Services
George Washington University
202-994-5791
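As an added illustration of Chris's allow-query approach applied to just one subdomain (this is constructed for this thread, not config posted by either participant): example.com keeps its existing file and stays open, while only backup.example.com and the private reverse zone get their own files and the ACL. The ACL addresses and file names are assumed placeholders.

```conf
// Constructed example, not from the thread. Addresses are placeholders.
acl restricted_networks_ACL {
    127.0.0.1;      // the name server itself (assumed)
    10.0.0.0/8;     // the private backup network (assumed range)
};

options {
    allow-query { any; };   // the public zone stays answerable to everyone
};

// The main zone is left exactly as it is today, file and all.
zone "example.com" {
    type master;
    file "example.db";
};

// Only the subdomain is broken out into its own zone and file. Because the
// same server is authoritative for both, BIND answers names under
// backup.example.com from this zone; no NS delegation in example.db is
// needed, and records for those names should simply be moved into backup.db.
zone "backup.example.com" {
    type master;
    file "backup.db";
    allow-query    { restricted_networks_ACL; };  // outsiders get REFUSED
    allow-transfer { restricted_networks_ACL; };  // no AXFR of it from outside either
};

// The reverse zone for the private space gets the same restriction.
zone "10.IN-ADDR.ARPA" {
    type master;
    file "10.db";
    allow-query    { restricted_networks_ACL; };
    allow-transfer { restricted_networks_ACL; };
};
```

Without views there is one copy of each file, and a lookup for backup.example.com from outside the ACL is refused while the rest of example.com is served normally; named-checkconf and named-checkzone can confirm the split loads cleanly.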