Re: Views vs. firewall for simple usage?

Ronni Jensen roj at mvb.dk
Thu Jun 8 14:19:50 UTC 2006


Thank you for the quick reply :)

Ok, so actually if I allow any network to access my slaves on port 53,
the following configuration on ns1 and ns2 (slaves, which are public)
will do the trick to let only our own customers on 111.222.0.0/20
network do recursive queries, and for "the world" to do only
authoritative queries?

// Clients allowed to use the slaves as recursive resolvers
acl "ourcustomers" {
	111.222.0.0/20;	// our customer prefix
	localnets;	// the LAN the master and slaves share
};

options {
	// allow-query keeps its default of { any; }, so authoritative
	// answers for our zones remain reachable from anywhere
	allow-recursion { "ourcustomers"; };
};

/Ronni


-----Original Message-----
From: Chris Boot [mailto:bootc at bootc.net]
Sent: 8 June 2006 15:31
To: Ronni Jensen
Cc: bind-users at isc.org
Subject: Re: Views vs. firewall for simple usage?

Ronni Jensen wrote:
> Hi,
>
> I have a little issue, that I hope you can help me enlighten;
>
> Our DNS setup:
> 1 master (on same LAN as slaves)
> 2 slaves (with public IPs NAT'ed through our firewall to their local
> IP.
> Customers use these as pri/sec dns servers)
>
> The only purpose of this setup is to be authoritative for zones hosted
> by our company, and enable our customers to use the slaves for both
> authoritative and recursive queries.
>
> As I see it, there is no purpose of the headache of working with
> internal and external views in BIND, since it is only our customers on
> an AAA.BBB/20 network that are supposed to query the servers.
>
> Could I just configure BIND with "recursion yes;" (default) and then
> prohibit the access in our firewall to only OUR customers, by allowing
> only AAA.BBB/20 to access ns1 and ns2 on port 53, and deny all other
> networks?
>
> Are there any security risks or other issues in this? I can't see any,
> since only our customers on AAA.BBB/20 are able to query the servers..
>
> With kind regards,
> Ronni
>   
Well if you want your servers to be authoritative for some external 
zones you're going to have to let the world query your server to get at 
those zones. You're best to set up ACLs and only allow your internal 
network + customers to do recursive queries.

Chris
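The split Chris describes (authoritative data public, recursion only for customers) can be checked against sample traffic with the small policy model below. This is an added example written for this archive page; it is not code from the thread or from BIND. It mirrors the named.conf directives `allow-query { any; }` and `allow-recursion { "ourcustomers"; }`, and models the separate cache-access control that BIND 9.4 and later expose as `allow-query-cache` (which defaults to the `allow-recursion` ACL). The `localnets` expansion (192.0.2.0/24), the zone names and the sample client addresses are constructed placeholders, not values from the page.

```python
"""Model of the query-admission policy discussed in the thread (example code,
not part of BIND or the original post).  It mirrors two named.conf directives:

    allow-query     { any; };            # authoritative data is public
    allow-recursion { "ourcustomers"; }; # only customers may use the resolver
"""
import ipaddress

# Constructed ACL matching the thread's example; 'localnets' is assumed to
# expand to a placeholder LAN prefix, since the real one is not on the page.
OURCUSTOMERS = [
    ipaddress.ip_network("111.222.0.0/20"),
    ipaddress.ip_network("192.0.2.0/24"),   # placeholder for 'localnets'
]

# Placeholder zones the slaves are authoritative for (constructed).
AUTHORITATIVE_ZONES = ("zone1.example.", "zone2.example.")


def in_acl(client_ip, acl):
    """True if client_ip falls inside any prefix of the ACL (BIND-style match)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl)


def is_authoritative(qname):
    """True if qname is at or below one of our zones (trailing-dot form)."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def decide(client_ip, qname, rd, recursion_acl=OURCUSTOMERS, cache_acl=None):
    """Return how the server disposes of one query.

    rd         -- the Recursion Desired flag from the query header
    cache_acl  -- who may read non-authoritative cached data; BIND 9.4+ makes
                  allow-query-cache default to allow-recursion, modelled here.
    Outcomes: 'AUTHORITATIVE', 'RECURSIVE', 'CACHE_ONLY', 'REFUSED'.
    """
    if cache_acl is None:
        cache_acl = recursion_acl
    if is_authoritative(qname):
        return "AUTHORITATIVE"          # allow-query { any; }: served to everyone
    if rd and in_acl(client_ip, recursion_acl):
        return "RECURSIVE"              # full resolution for customers only
    if in_acl(client_ip, cache_acl):
        return "CACHE_ONLY"             # non-recursive lookup against the cache
    return "REFUSED"                    # outsiders get no resolver service


def summarise(queries):
    """Tally outcomes for an iterable of (client_ip, qname, rd) tuples."""
    counts = {}
    for client_ip, qname, rd in queries:
        outcome = decide(client_ip, qname, rd)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample traffic: a customer, a LAN host, and an outside host.
SAMPLE_QUERIES = [
    ("111.222.5.9", "www.zone1.example.", True),    # customer, our zone
    ("111.222.5.9", "www.iana.org.", True),          # customer, recursion
    ("192.0.2.10", "www.iana.org.", True),           # LAN host, recursion
    ("203.0.113.7", "zone2.example.", False),        # outsider, our zone
    ("203.0.113.7", "www.iana.org.", True),          # outsider, recursion
    ("203.0.113.7", "www.iana.org.", False),         # outsider, cache probe
]

if __name__ == "__main__":
    for client_ip, qname, rd in SAMPLE_QUERIES:
        print(f"{client_ip:14} {qname:22} RD={int(rd)} -> {decide(client_ip, qname, rd)}")
    print(summarise(SAMPLE_QUERIES))
```

Run as a script it prints one line per sample query: both outsider queries for non-authoritative names come back REFUSED, while the outsider's query for zone2.example. is still answered, which is exactly the behaviour Chris is recommending. The `cache_acl` parameter is there to make the caveat visible: on a server where cached data is readable by anyone, the last sample query would be answered from cache instead of refused.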


