host restriction
Grant Taylor
gtaylor at tnetconsulting.net
Tue May 16 14:01:13 UTC 2023
On 5/15/23 1:58 PM, Kereszt Vezeték wrote:
> Hi Everybody
Hi,

> I have a DNS server in my private network with a local domain. The DNS
> server forwards public requests to the Google DNS server. I would like to
> separate hosts in the inside network.
>
> One group allows only the local hosts to resolve, not forwarding to
> 8.8.8.8. The other group allows the local hosts to resolve and is able
> to forward to the Google DNS server.
>
> Is there any way to solve this problem with bind9?

It seems to me like this may be described as authoritative-only without
recursion, and both authoritative and recursive service.

With this in mind, I'd wonder if BIND's recursion restrictions might
suffice. E.g. allow 192.168.1.10 & 192.168.1.11 to make recursive
queries which get forwarded to ${UPSTREAM_DNS_PROVIDER} while only
serving local authoritative content to 192.168.1.20 & 192.168.1.21.

I assume there is some nuance that I'm overlooking / haven't had enough
caffeine to properly appreciate yet.

But this is what I'd try myself.

N.B. you probably want to also apply a similar ACL to querying the
cache, lest 192.168.1.20 & 192.168.1.21 be able to get things out of cache
that 192.168.1.10 & 192.168.1.11 queried from ${UPSTREAM_DNS_PROVIDER}.

Grant. . . .
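A concrete named.conf fragment for the ACL approach sketched in the reply above, including the cache restriction from the N.B. This is an added example, not configuration from the thread or from the BIND project. The four client addresses and the 8.8.8.8 forwarder are the ones mentioned in the thread; the zone name `home.lan`, the `directory` setting and the zone file path are assumptions.

```conf
// Added example (not from the thread): BIND 9 named.conf fragment that
// gives one group recursion via a forwarder and the other group only the
// local authoritative zone. Zone name and file paths are assumptions.

// Hosts allowed to recurse (and therefore to reach the upstream forwarder).
acl "recursive-clients" {
    192.168.1.10;
    192.168.1.11;
};

// Hosts that may only see the local authoritative zone.
acl "local-only-clients" {
    192.168.1.20;
    192.168.1.21;
};

options {
    directory "/var/cache/bind";          // assumed; Debian/Ubuntu default

    recursion yes;
    // Only the recursive group may ask this server to recurse ...
    allow-recursion { "recursive-clients"; };
    // ... and only that group may read answers already in the cache, so the
    // local-only group cannot pull out names the other group resolved.
    allow-query-cache { "recursive-clients"; };

    // Recursive lookups are forwarded upstream (8.8.8.8, as in the question).
    forwarders { 8.8.8.8; };
    forward only;

    // Both groups may talk to the server at all; what each group gets back
    // is then decided by allow-recursion / allow-query-cache above and by
    // the zone's own allow-query below.
    allow-query { "recursive-clients"; "local-only-clients"; };
};

// Local authoritative zone: answered for both groups regardless of
// recursion rights.
zone "home.lan" {
    type primary;                          // "master" on BIND before 9.16
    file "/etc/bind/db.home.lan";          // assumed path
    allow-query { "recursive-clients"; "local-only-clients"; };
};
```

With this in place, a query from 192.168.1.20 for a name inside `home.lan` is answered from the zone, while a query from the same host for a public name gets `status: REFUSED` from BIND, because the client is permitted neither to recurse nor to read the cache; the same public query from 192.168.1.10 is forwarded to 8.8.8.8 and answered. `named-checkconf` validates the syntax before an `rndc reload`, and running `dig` from one host of each group against both a local and a public name is the quickest way to confirm the split. Note that current BIND 9 already defaults `allow-query-cache` to the value of `allow-recursion` when only the latter is set; the fragment states both explicitly so the intent is visible in the file.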