limiting external visibility - without resorting to views.
Barry Margolin
barmar at alum.mit.edu
Sat Mar 26 22:19:10 UTC 2005
In article <d24kop$uf9$1 at sf1.isc.org>, Tim Peiffer <peiffer at umn.edu>
wrote:
> I am interested in limiting the visibility of my nameservers to the
> extent that I do not want to answer external queries from my cache.
> What are the methods of control other than allow-query,
> allow-recursion? I have ACL'ed 'allow-query' and 'allow-recursion' at
> the global option level, and have 'allow-query' as a per-zone option set
> to 'any'. I have thought about removing the root hints as well, but not
> 100% sure of the outcome. Specifically, I want to restrict external
> use of my servers without resorting to 'views'. I have members of our
> staff that are not comfortable with views at scale; scale being
> ~50Million transactions/day/server

If you remove the root hints, your internal users won't be able to look
up external names using this server.

A global "allow-query {internal;}" option and per-zone "allow-query
{any;}" on the public zones you host should do fine.

--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
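
The layout suggested in the reply above, written out as a named.conf fragment. This is an added example, not configuration from the original thread: the ACL name "internal" comes from the reply, while the address ranges, the zone name example.com and the file names are constructed placeholders.

```conf
// Constructed example: addresses, zone name and file names are placeholders.
acl internal {
    localhost;
    192.0.2.0/24;       // assumed internal IPv4 range (documentation prefix)
    2001:db8::/32;      // assumed internal IPv6 range (documentation prefix)
};

options {
    directory "/var/named";

    // Global default: only internal clients may query this server at all.
    // Anything not covered by a per-zone override, including answers that
    // would come from the cache, is refused for external clients.
    allow-query     { internal; };

    // Only internal clients may have the server recurse on their behalf.
    allow-recursion { internal; };

    // On BIND 9.4 and later, cache access has its own option. When unset
    // it follows allow-recursion, so this line only makes the intent explicit.
    allow-query-cache { internal; };
};

// Root hints stay in place so internal clients can still resolve
// external names through this server.
zone "." {
    type hint;
    file "named.ca";
};

// Public authoritative zone: the per-zone allow-query overrides the
// global restriction, so anyone may query names in this zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

Running named-checkconf against the file catches syntax errors before a reload. A query for a non-hosted name from an address outside the ACL should then come back REFUSED, while a query for a name in the public zone is answered.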