question about views

Chris Buxton cbuxton at menandmice.com
Tue Sep 23 21:14:10 UTC 2008


You absolutely can break backup.example.com out from example.com  
without affecting the rest of example.com. Just be aware that the file  
for backup.example.com will be the place to put any name that ends in  
"backup.example.com.", unless you then break its subdomains out into  
even more files.

Chris Buxton
Professional Services
Men & Mice

On Sep 23, 2008, at 2:00 PM, Michele Chubirka wrote:

> Thanks. But one more question. We keep our subdomains in one main db
> file. Can we break out one subdomain into a separate db file while
> leaving the main db file intact? Or will we have to break out all our
> subdomains in order to do this?
>
> Chris Buxton wrote:
>> Views are probably not the answer. Try allow-query instead:
>>
>> zone backup.example.com {
>>    type master;
>>    file "backup.db";
>>    allow-query { restricted_networks_ACL; };
>> };
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>>
>> On Sep 23, 2008, at 1:29 PM, Michele Chubirka wrote:
>>
>>> We have a dedicated, non-routable, private network for backups which
>>> maps to a specific subdomain in our zone files, for example,
>>> backup.example.com. We would like to prevent access to lookup records in
>>> this subdomain from outside our network, but not the rest of the domain.
>>> It isn't really practical for us to multi-home our DNS server onto this
>>> network or to place a dedicated server there. Since all the hosts have
>>> public interfaces as well, we had thought the best way to achieve this
>>> would be with setting up views on our current BIND server, but since we
>>> only want to restrict access to the subdomain, is this possible without
>>> having two copies of the entire db file for each view? For example, we
>>> would like to have an internal view which allowed access to
>>> backup.example.com and an external view which allowed access to the rest
>>> of the domain. Can I have a forward zone file for the subdomain with the
>>> internal view config (also including the IN-ADDR.ARPA for the private IP
>>> space) and leave it out of the external db file for the main zone,
>>> example.com, without any delegation? We aren't trying to hand out
>>> different IPs based upon match-clients, just block access to one
>>> subdomain. Anyone have a better suggestion to accomplish this?
>>>
>>> view "backup" {
>>>    match-clients { restricted_networks_ACL; };
>>>
>>>    zone "10.IN-ADDR.ARPA" in {
>>>        type master;
>>>        file "10.db";
>>>        notify yes;
>>>    };
>>>
>>>    zone "backup.example.com" in {
>>>        type master;
>>>        file "backup.db";
>>>        notify yes;
>>>    };
>>> };
>>>
>>> view "external" {
>>>    match-clients { any; };
>>>
>>>    zone "routable_IP_space" in {
>>>        type master;
>>>        file "routeable.db";
>>>        notify yes;
>>>    };
>>>
>>>    zone "example.com" in {
>>>        type master;
>>>        file "example.db";
>>>        notify yes;
>>>    };
>>> };
>>>
>>>
>>> -- 
>>> Michele Chubirka
>>> Senior Information Systems Engineer
>>> Information Systems and Services
>>> George Washington University
>>> 202-994-5791
>>>
>>
>
> -- 
> Michele Chubirka
> Senior Information Systems Engineer
> Information Systems and Services
> George Washington University
> 202-994-5791

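The approach from this thread, written out as one view-less named.conf fragment. This is an added example, not configuration posted by either participant. The ACL name and file names are taken from the thread; the address ranges, the allow-transfer lines and the absence of secondaries are assumptions.

```conf
// Constructed example: address ranges are placeholders, not values from the thread.
acl restricted_networks_ACL {
    10.0.0.0/8;       // private backup network (assumed range)
    192.0.2.0/24;     // internal clients allowed to resolve backup names (placeholder)
    localhost;
};

// Public zone, still served to everyone. The backup.* records are removed
// from example.db; nothing else in the file changes, and no delegation
// (NS records for backup.example.com) is added here.
zone "example.com" {
    type master;
    file "example.db";
    notify yes;
    // no allow-query statement: the server-wide setting applies
};

// The one subdomain broken out into its own zone. backup.db needs its own
// SOA and NS records at the apex, and every name ending in
// "backup.example.com." now lives in this file. named answers from the most
// specific zone it holds, so queries for these names are checked against
// this zone's allow-query; clients outside the ACL get REFUSED.
zone "backup.example.com" {
    type master;
    file "backup.db";
    allow-query    { restricted_networks_ACL; };
    // allow-query does not govern zone transfers; restrict those separately.
    // Assumes no secondaries for this zone; list them here if there are any.
    allow-transfer { none; };
};

// Reverse zone for the private address space, restricted the same way so
// PTR lookups do not reveal the host names the forward zone hides.
zone "10.in-addr.arpa" {
    type master;
    file "10.db";
    allow-query    { restricted_networks_ACL; };
    allow-transfer { none; };
};
```

Running `named-checkconf -z` against the edited configuration loads each master zone and reports syntax errors or a missing SOA/NS in backup.db before the server is reloaded.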


More information about the bind-users mailing list