limiting external visibility - without resorting to views.
Tim Peiffer
peiffer at umn.edu
Sat Mar 26 21:16:46 UTC 2005

I am interested in limiting the visibility of my nameservers to the
extent that I do not want to answer external queries from my cache.
What are the methods of control other than allow-query and
allow-recursion? I have ACL'ed 'allow-query' and 'allow-recursion' at
the global option level, and have 'allow-query' as a per-zone option set
to 'any'. I have thought about removing the root hints as well, but am not
100% sure of the outcome. Specifically, I want to restrict external
use of my servers without resorting to 'views'. I have members of our
staff that are not comfortable with views at scale; scale being
~50 million transactions/day/server.

I am currently putting together an anycast service using BIND 9.3.1,
setting up the masters as authoritative only, with the anycast running
from cache-only. I could wait until I complete my anycast service and
my masters are split out to ACL the cache servers to on-campus only.

Tim Peiffer
Network Support Engineer
University of Minnesota