Excluding one host from a view
Mark_Andrews at isc.org
Sat Feb 1 10:09:54 UTC 2003
>
> Hi;
>
> I'm looking at running my nameservers inside my NAT capable firewall.
> Currently we have a couple of hosts, sitting outside the firewall, just
> for nameservice. I'd love to use a couple of relatively idle, internal
> hosts for that purpose, by using Virtual IP Mapping to route DNS requests
> to them through the NAT router.
>
> However, when I ran a little test I saw that my 'view' statements will
> cause major problems. Since the internal address of the NAT router is
> part of "trusted" subnet, requests forwarded through it are given the
> "internal" view response.
>
> My current ACL is something like this:
>
> acl "trusted" {
> localhost;
> 192.168.1.0/24;
> 10.200.0.0/16;
> };
>
> and the view statements are also simple. (see below) Everything works
> well when we run the servers outside the NAT gateway.
>
> My question is this: is there a way to negate a single host? (Namely,
> the internal address of the NAT gateway.) Something like this:
>
> acl "trusted" {
> localhost;
> 192.168.1.0/24;
> !192.168.1.23/32;
> 10.200.0.0/16;
> };
acl "trusted" {
localhost;
!192.168.1.23/32;
192.168.1.0/24;
10.200.0.0/16;
};
>
>
> I haven't found anything in the 4th edition BIND book that implies
> this can be easily done.
>
> Linolil
>
> ---------------- abstracts of the configuration ----------------
> view "internal" {
> // our internal networks
> match-clients {
> "trusted";
> };
> // Provide recursive service to internal clients only.
> recursion yes;
> [snip]
>
> view "external" {
> match-clients { any; };
> // Refuse recursive service to external clients.
> recursion no;
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
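Added illustration, not part of the thread: a small Python model of BIND's address_match_list semantics (first matching element decides, a leading "!" turns that match into a deny) run against the two ACL orderings above. The loopback-only handling of "localhost" is a simplification assumed here; BIND matches all of the server's own interface addresses.

```python
import ipaddress

# Constructed ACLs: the ordering from the question and the ordering in the reply.
ACL_WRONG_ORDER = ["localhost", "192.168.1.0/24", "!192.168.1.23/32", "10.200.0.0/16"]
ACL_RIGHT_ORDER = ["localhost", "!192.168.1.23/32", "192.168.1.0/24", "10.200.0.0/16"]


def match_acl(acl, client_ip):
    """Evaluate a BIND-style address_match_list.

    Elements are checked top-down; the first element that matches decides
    the result, and a negated element ("!...") that matches denies.
    No match at all is treated as deny, as it is for match-clients.
    """
    addr = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        target = element.lstrip("!").strip()
        if target == "localhost":
            hit = addr.is_loopback  # assumption: loopback only, see lead-in
        elif target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate  # first match wins; a negated hit is a deny
    return False


def select_view(acl, client_ip):
    """Which of the thread's two views a client lands in: "internal" when the
    trusted ACL matches, otherwise the catch-all "external" view."""
    return "internal" if match_acl(acl, client_ip) else "external"
```

With the negation listed after 192.168.1.0/24 the NAT gateway (192.168.1.23) is already accepted by the /24 and the "!" line is never reached; listing it first excludes only that host while the rest of the /24 stays internal.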