filtering results to subnets

Jerome Haltom wasabi at larvalstage.net
Mon Jul 21 02:19:17 UTC 2008


Well, this was sort of my last resort option. I guess it's where I'll be
heading.

On Sun, 2008-07-20 at 12:24 +0100, Howard Wilkinson wrote:
> Robert Spangler wrote:
> > On Saturday 19 July 2008 20:19, Barry Margolin wrote:
> >
> >   
> >>  In article <g5sup4$2gf7$1 at sf1.isc.org>,
> >>
> >>   Robert Spangler <mlists at zoominternet.net> wrote:
> >>  > On Friday 18 July 2008 22:27, Jerome Haltom wrote:
> >>  > >  I have a desire to filter A records returned to clients that are
> >>  > > outside of certain subnets. Basically my zone has a lot of private
> >>  > > addresses in it. I'm cool with this.
> >>  >
> >>  > How about using the View Option in Bind?
> >>
> >>  Did you read his entire message?  He explained why views doesn't apply:
> >>  he's a slave to a Windows Active Directory.
> >>
> >>  To accomplish this they'd need to use separate zones for the public and
> >>  private hostnames, so that the private stuff could be in an internal
> >>  view.
> >>     
> >
> > Here is the issue, why would you have the slaves doing something different
> > than the master?  You are just looking for issues.
> >
> > That is like saying if the answers come from server 'A' I want this to be 
> > returned but if the answer comes from server 'B' I want something different.  
> > That is just asking for resolve issues and a troubleshooting nightmare.
> >
> >
> >   
> I have lost the original message but if I remember correctly then a
> combination of views and some post-processing of the transferred zone
> file may achieve what is wanted here.
> The internal view should be a slave of the Windows DNS server and serve 
> out the entire zone as required. A script would then be written to do a 
> zone transfer from the local server and generate a file with the 
> RFC1918(?) addresses removed. This file is then served from another view 
> as a master zone giving the answer required. The major problem with such 
> a scheme is getting a trigger to run the script when an updated zone is 
> transferred. This could be done from CRON by inspecting the serial 
> number on the internal zone and only running the update when it changes. 
> I suggest localhost to localhost transfers so as to not complicate the 
> security settings needed.
> 
> Apologies if this is noise but it is a solution I have used for other
> similar problems elsewhere.
> 
> Howard.
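
The post-processing step Howard sketches (localhost AXFR of the internal view, strip the private addresses, serve the result as a master in the external view, rebuild only when the SOA serial moves) as an added example. This is not code from the thread or a BIND-supplied tool. Everything named here is a hypothetical assumption: the zone is example.net, the local named serves it in a view called "internal" (slave of the Windows DNS, listening on 127.0.0.1 with allow-transfer for localhost) and in a view called "external" loaded from the file in OUTFILE, rndc is set up so "rndc reload example.net IN external" works, and cron invokes the script with the argument "run". It goes one step beyond the thread by also dropping IPv6 ULA (fc00::/7) AAAA records, which are the private-address problem in v6 form. The sample AXFR output embedded in the script is constructed for offline use, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the bind-users thread, not part of BIND).
# Hypothetical assumptions: zone example.net, views "internal" (slave of the
# Windows DNS on 127.0.0.1) and "external" (master from $OUTFILE), rndc
# configured so "rndc reload $ZONE IN external" works.

ZONE="${ZONE:-example.net}"
OUTFILE="${OUTFILE:-/var/named/external/example.net.zone}"
STATE="${STATE:-/var/lib/named/example.net.serial}"   # last serial we published

# Print the serial from the first SOA in AXFR output. dig prints one RR per
# line as "name ttl class type rdata"; for SOA the serial is rdata field 3 ($7).
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Turn AXFR output into a master zone file for the external view:
#  - drop dig's ";" comment lines and blank lines
#  - keep only the first SOA (AXFR repeats it at the end; a zone file has one)
#  - drop A records in 10/8, 172.16/12, 192.168/16 and AAAA records in fc00::/7
#    (an extension beyond RFC 1918; this is the v6 private range)
# Everything else (public A/AAAA, NS, MX, CNAME, SRV, TXT, ...) passes through.
strip_private() {
    awk '
        /^;/ || NF == 0                                    { next }
        $4 == "SOA"                                        { if (seen_soa++) next }
        $4 == "A"    && $5 ~ /^10\./                       { next }
        $4 == "A"    && $5 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ { next }
        $4 == "A"    && $5 ~ /^192\.168\./                 { next }
        $4 == "AAAA" && $5 ~ /^[fF][cCdD]/                 { next }
                                                           { print }
    '
}

# Fetch the internal copy over a localhost-to-localhost AXFR and rebuild plus
# reload the external zone only when the SOA serial differs from the last run.
rebuild_if_changed() {
    zone="$1"; outfile="$2"; state="$3"
    tmp="$(mktemp)" || return 1
    if ! dig @127.0.0.1 "$zone" AXFR > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    new="$(soa_serial < "$tmp")"
    if [ -z "$new" ]; then
        echo "AXFR of $zone returned no SOA (transfer refused?)" >&2
        rm -f "$tmp"; return 1
    fi
    old="$(cat "$state" 2>/dev/null || echo none)"
    if [ "$new" = "$old" ]; then
        rm -f "$tmp"; return 0            # serial unchanged: nothing to do
    fi
    strip_private < "$tmp" > "$outfile.new"
    rm -f "$tmp"
    # Never install a file named cannot load, or the external view goes dark.
    if ! named-checkzone -q "$zone" "$outfile.new" >/dev/null; then
        echo "filtered $zone failed named-checkzone; keeping old file" >&2
        rm -f "$outfile.new"; return 1
    fi
    mv "$outfile.new" "$outfile"
    rndc reload "$zone" IN external && echo "$new" > "$state"
}

# Constructed sample AXFR output (not from a real server) so the filter can be
# exercised offline with "sh thisscript.sh show".
SAMPLE_AXFR='; <<>> DiG 9.x <<>> @127.0.0.1 example.net AXFR
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 2008072101 3600 900 604800 86400
example.net.      3600 IN NS   ns1.example.net.
ns1.example.net.  3600 IN A    203.0.113.53
www.example.net.  3600 IN A    203.0.113.10
www.example.net.  3600 IN AAAA 2001:db8::10
fs1.example.net.  3600 IN A    10.1.2.3
dc1.example.net.  3600 IN A    192.168.0.5
dc1.example.net.  3600 IN AAAA fd00::5
app.example.net.  3600 IN A    172.20.4.9
b2b.example.net.  3600 IN A    172.32.1.1
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 2008072101 3600 900 604800 86400'

case "${1:-}" in
    run)  rebuild_if_changed "$ZONE" "$OUTFILE" "$STATE" ;;
    show) printf '%s\n' "$SAMPLE_AXFR" | strip_private ;;
esac
```

Two points a practitioner should check before relying on this. The serial comparison is plain string equality, which is exactly what Howard's cron trigger needs (run when it changed, not when it is "newer"), and the external copy keeps the internal serial so any public secondaries still see a monotonic increase. The filter only removes A and AAAA records; a CNAME whose target is a private-only host stays in the public zone and will simply fail to resolve there, so review the output once by hand (the "show" argument prints the filtered sample) before pointing the external view at it.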
