BIND 9.2.1 - experiments on stubs and listen-to
Joseph S D Yao
jsdy at center.osis.gov
Fri Dec 13 23:02:50 UTC 2002
On Thu, Dec 12, 2002 at 02:44:22PM +1100, Mark_Andrews at isc.org wrote:
...
> > First experiment: Can a single view run "listen-on"ing only one of
> > multiple Ethernet interfaces?
>
> Yes.
>
> Use match-destination to select the traffic for the view.
> listen-on must include the interface.
...
Thanks for your comment!

I wasn't clear what I was trying to do.

I was hoping for a single generic configuration to give to people on
our network who just lost the company lottery and now they have to
manage the firewall [;-(], as well as folks who have a better idea what
they are doing. The former are much happier, the less complex one can
express things to them.

I was hoping that I could do something inside the view{} to force the
'named' to only listen on the one interface (or the internal + DMZ
interfaces). Thus, all those people from the public Internet who keep
showing up on my monitors doing DNS queries would not be able to
connect, much less query. I had hoped to avoid the "complexity" of
having to make changes in two different places.

I finally realized that I need to give the firewall admins the
listen-on{} in the external-to-all-views options{} statement, and tell
them to ONLY include the internal interface's IP address. I also have
hooks for those who know what they are doing to give an external view
as well, after including the external interface's IP address in the
listen-on{}. There is an inescapable amount of complexity.

Thanks again!
--
Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
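One way to lay out the split described in this exchange (listen-on in the global options{} naming only the interface that should be reachable, match-destinations per view selecting traffic by the address it arrived on), as an added example that is not part of this thread or of BIND's own documentation; the addresses, view names and zone file paths are placeholders:

```conf
// named.conf fragment (added example, not from the original post).
// Addresses are placeholders from the documentation ranges:
//   192.0.2.1    = internal interface
//   203.0.113.1  = external (public) interface
options {
    // Hand this block to the firewall admins: listing only the internal
    // interface here means named never binds the external address, so
    // hosts on the public Internet cannot even connect, let alone query.
    listen-on { 192.0.2.1; };
    // For those who want the external view below, the external address
    // must be added here too, because listen-on must include the interface:
    // listen-on { 192.0.2.1; 203.0.113.1; };
};

// Internal view: match-destinations selects queries that arrived on the
// internal interface, which listen-on above already includes.
view "internal" {
    match-destinations { 192.0.2.1; };
    zone "example.com" {
        type master;
        file "internal/example.com.db";
    };
};

// Optional external view. It only ever sees traffic once listen-on also
// includes 203.0.113.1; with the single-address listen-on above it is
// defined but unreachable, which is the intended default for the
// firewall admins' generic configuration.
view "external" {
    match-destinations { 203.0.113.1; };
    zone "example.com" {
        type master;
        file "external/example.com.db";
    };
};
```

Running `named-checkconf` on the file before reloading catches syntax errors in either block; it does not tell you whether the external address is actually listed in listen-on, so that remains a manual check.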