BIND configuration question

Cricket Liu cricket at infoblox.com
Wed Apr 27 12:45:39 UTC 2005


On Apr 27, 2005, at 5:15 AM, Ronald I. Nutter wrote:

> I have posted a couple of messages over the last few days.  Guess I am
> not asking the question the right way.  I am trying to restrict our
> external DNS server running BIND to only allow lookups to domains we are
> handling when those requests come from outside our network.  I want our
> internal users (which will be coming from one of 5 class C ip ranges we
> are assigned) to be able to do recursive lookups, etc without any
> problems.  I tried using the Secure Bind Template I found but the
> problem I ran into was that the server quits responding to any DNS
> requests when that is used.  Another message I talked about referenced
> Split DNS but I don't think that is the right term to use for what I am
> trying to do.
>
> Suggestions ?

This sounds like a job for the allow-recursion options substatement, e.g.,

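options {
	// college-nets is an acl naming the internal networks; it must be
	// defined with an acl statement before this point in named.conf
	allow-recursion { college-nets; };
};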

Folks not in the ACL will have their queries treated as non-recursive,
while internal users will get recursive service.  You could also do this
with two views, a recursive internal view and a non-recursive external
view:

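view internal {
	// clients in the college-nets acl get recursive service
	match-clients { college-nets; };
	recursion yes;

	// zone statements, etc.
};

view external {
	// everyone who did not match the internal view lands here
	match-clients { any; };
	recursion no;

	// zone statements, etc.
};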

cricket
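
One way to confirm the restriction from outside after applying either configuration above (an added example, not part of the original message or of BIND): send a query with RD set for a name the server does not host, from an address outside the ACL, and inspect the RA flag in the reply. The function names and both sample replies are constructed for illustration; the check assumes the server leaves RA clear for clients it will not recurse for.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Encode an A/IN query with RD set, i.e. asking the server to recurse."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "answers": an}

def audit_external(query, response):
    """Return (passed, detail) for a reply captured from OUTSIDE the ACL to a
    recursive query for a name the server is not authoritative for."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("not a response to this query")
    rcode = RCODES.get(r["rcode"], str(r["rcode"]))
    detail = "ra=%d rcode=%s answers=%d" % (r["ra"], rcode, r["answers"])
    # RA set means the server offered this client recursive service.
    return (not r["ra"], detail)

# --- constructed sample messages, not captured traffic ---
QUERY = build_query("www.example.org")
QUESTION = QUERY[12:]
# Restricted server: RD echoed, RA clear, REFUSED, no answers.
REPLY_RESTRICTED = struct.pack("!6H", 0x1234, QR | RD | 5, 1, 0, 0, 0) + QUESTION
# Open resolver: RA set, NOERROR, one A record (192.0.2.1, TTL 60).
REPLY_OPEN = (struct.pack("!6H", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    for label, reply in (("restricted", REPLY_RESTRICTED), ("open", REPLY_OPEN)):
        print(label, audit_external(QUERY, reply))
```

The same query sent from one of the internal networks should come back with RA set, which is the other half of the check.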


