host restriction

Grant Taylor gtaylor at tnetconsulting.net
Tue May 16 14:01:13 UTC 2023


On 5/15/23 1:58 PM, Kereszt Vezeték wrote:
> Hi Everybody

Hi,

> I have a DNS server in my private network with a local domain. The DNS 
> server forwards the public requests to the Google DNS server. I would like 
> to separate hosts in the inside network.
> 
> One group is allowed only to resolve the local hosts, not to forward to 
> 8.8.8.8. The other group is allowed to resolve the local hosts and is able 
> to forward to the Google DNS server.
> 
> Is there any way to solve this problem with bind9?

It seems to me like this may be described as authoritative-only without 
recursion versus both authoritative and recursive service.

With this in mind, I'd wonder if BIND's recursion restrictions might 
suffice.  E.g. allow 192.168.1.10 & 192.168.1.11 to make recursive 
queries which get forwarded to ${UPSTREAM_DNS_PROVIDER} while only 
serving local authoritative content to 192.168.1.20 & 192.168.1.21.

I assume there is some nuance that I'm overlooking / haven't had enough 
caffeine to properly appreciate yet.

But this is what I'd try myself.

N.B. you probably want to also apply the similar ACL to querying the 
cache, lest 192.168.1.20 & 192.168.1.21 be able to get things out of cache 
that 192.168.1.10 & 192.168.1.11 queried from ${UPSTREAM_DNS_PROVIDER}.



Grant. . . .
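The split Grant describes, written out as a named.conf fragment. This is an added illustration, not configuration from the original thread; the addresses are the ones used in the reply, while the zone name, file paths and the choice of 8.8.8.8 as the forwarder are placeholders for the asker's own values.

```conf
// Constructed example (not from the original post). The two ACLs mirror the
// host groups in the reply; "example.lan" and the file paths are placeholders.
acl "recursive-hosts"  { 192.168.1.10; 192.168.1.11; };
acl "local-only-hosts" { 192.168.1.20; 192.168.1.21; };

options {
    directory "/var/cache/bind";

    // Both groups may send queries to this server at all.
    allow-query { recursive-hosts; local-only-hosts; };

    // Only the first group gets answers that require recursion, i.e. anything
    // that is not in a local authoritative zone and so would be forwarded.
    allow-recursion { recursive-hosts; };

    // Same ACL on the cache, so the local-only group cannot read back answers
    // that the recursive group already pulled from the upstream forwarder.
    // (If allow-query-cache is omitted, BIND defaults it to allow-recursion.)
    allow-query-cache { recursive-hosts; };

    // Upstream resolver for the recursive group; replace with your provider.
    forwarders { 8.8.8.8; };
    forward only;
};

// Local authoritative zone: served to every host passing allow-query, since
// authoritative answers need neither recursion nor the cache.
zone "example.lan" {
    type primary;            // "master" on BIND releases before 9.16
    file "/etc/bind/db.example.lan";
};
```

A query for a name outside example.lan from 192.168.1.20 is refused (REFUSED / "recursion requested but not available"), while the same query from 192.168.1.10 is forwarded and answered.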

