question about views

Michele Chubirka chubirka at gwu.edu
Tue Sep 23 20:29:04 UTC 2008


We have a dedicated, non-routable, private network for backups which 
maps to a specific subdomain in our zone files. For example, 
backup.example.com. We would like to prevent access to lookup records in 
this subdomain from outside our network, but not the rest of the domain. 
It isn't really practical for us to multi-home our DNS server onto this 
network or to place a dedicated server there. Since all the hosts have 
public interfaces as well, we had thought the best way to achieve this 
would be with setting up views on our current BIND server, but since we 
only want to restrict access to the subdomain, is this possible without 
having two copies of the entire db file for each view? For example, we 
would like to have an internal view which allowed access to 
backup.example.com and an external view which allowed access to the rest 
of the domain. Can I have a forward zone file for the subdomain with the 
internal view config (also including the IN-ADDR.ARPA for the private IP 
space) and leave it out of the external db file for the main zone, 
example.com, without any delegation? We aren't trying to hand out 
different IPs based upon match-clients, just block access to one 
subdomain. Anyone have a better suggestion to accomplish this?

// View for clients on the restricted (backup) networks
view "backup" {
	match-clients {restricted_networks_ACL;};

	zone "10.IN-ADDR.ARPA" in {
		type master;
		file "10.db";
		notify yes;
	};

	zone "backup.example.com" in {
		type master;
		file "backup.db";
		notify yes;
	};
};

// View for everyone else
view "external" {
	match-clients {any;};

	zone "routable_IP_space" in {
		type master;
		file "routeable.db";
		notify yes;
	};

	zone "example.com" in {
		type master;
		file "example.db";
		notify yes;
	};
};

-- 
Michele Chubirka
Senior Information Systems Engineer
Information Systems and Services
George Washington University
202-994-5791
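
The setup described above only hides the subdomain if the external example.db carries no record under backup.example.com and no address in the private 10/8 space. The following check for that is an added example, not part of the original post; the sample zone contents, host names and the function names `logical_lines` and `find_leaks` are constructed for illustration, and the parser assumes no `;` inside quoted TXT data.

```python
import ipaddress

HIDDEN = "backup.example.com."                     # subdomain from the post
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")   # private space behind 10.IN-ADDR.ARPA

# Constructed sample of an external example.db; not from the original post.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster ( 2008092301 3600 900
                                604800 3600 )  ; multi-line SOA
        IN NS  ns1
ns1     IN A   192.0.2.53
db1.backup IN A 10.1.2.21     ; name under the restricted subdomain
tape    IN A   10.1.2.30      ; private address under a public name
"""

def logical_lines(text):
    """Strip ';' comments and join records wrapped in parentheses."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf += " " + line if buf else line
        if depth <= 0:
            if buf.strip():
                yield buf.replace("(", " ").replace(")", " ")
            buf, depth = "", 0

def find_leaks(text, origin="example.com."):
    """Return (owner, type, rdata) for records that expose HIDDEN or PRIVATE_NET."""
    leaks, owner = [], origin
    for line in logical_lines(text):
        tok = line.split()
        if tok[0].startswith("$"):  # directives: track $ORIGIN, ignore the rest
            origin = tok[1] if tok[0].upper() == "$ORIGIN" else origin
            continue
        if not line[0].isspace():   # owner name in column one, else reuse the last owner
            name = tok.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tok and (tok[0].isdigit() or tok[0].upper() == "IN"):
            tok.pop(0)              # skip optional TTL and class
        if not tok:
            continue
        rtype, rdata = tok[0].upper(), " ".join(tok[1:])
        private = rtype == "A" and ipaddress.ip_address(rdata) in PRIVATE_NET
        if private or f".{owner.lower()}".endswith(f".{HIDDEN}"):
            leaks.append((owner, rtype, rdata))
    return leaks
```

An empty list from `find_leaks` on the external zone file means neither the subdomain nor the 10/8 addresses are published there.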

