Inverse ACLs / split domains on the same server

Barry Margolin barmar at bbnplanet.com
Wed Sep 22 17:19:41 UTC 1999


In article <7sa9e3$pqm$1 at news.ecrc.de>,
Phil Sykes <phil.sykes at cwe.cwplc.com> wrote:
> What I'm wondering is whether it's possible to have two copies of a zone on
>one single server, one of which is queried when an ACL is passed, and one
>when it is failed. This is for a forward DNS zone that contains both RFC1918
>and public zones.

Not currently.  An upcoming version of BIND is rumored to have a feature
called "views" that will implement this.

> On a related note, is it possible to have 'reverse' ACLs, e.g. 'allow
>everything BUT 192.168.0.0/16'?

Yes:

allow-query { !192.168.0.0/16; any; };  // "any" is needed: a list that matches nothing denies everyone

> If the same zone can't be loaded twice, I think the same effect could be
>achieved by having two servers on the same box (on separate IP addresses),
>both of which consider themselves authoritative for a domain. The 'private'
>copy of bind is then configured with an ACL, whilst the public copy isn't.

This is the way people do it with current versions of BIND.  Examples of
this have been posted to this group a number of times in the past.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
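The split-horizon setup discussed in this thread, written as an added example in BIND 9 `named.conf` syntax using the "views" feature the reply anticipates (this is not from the original post; the address ranges, zone name and file names are placeholders):

```conf
// Added example, not from the original post. Two copies of example.com on
// one server: internal clients get the copy with RFC1918 records, everyone
// else gets the public copy.

acl "internal" { 192.168.0.0/16; 10.0.0.0/8; };   // placeholder RFC1918 ranges

options {
    directory "/var/named";                        // placeholder path
};

// Views are tried in order; the first match-clients hit wins.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                                 // resolver for inside hosts only
    zone "example.com" {
        type master;
        file "example.com.internal";               // contains private A records
    };
};

// Catch-all view, so it must come last. The inverse-ACL form from the
// reply would be { !"internal"; any; }; the trailing "any" is required
// because an address match list that matches nothing denies the query.
view "external" {
    match-clients { any; };
    recursion no;                                  // authoritative-only outside
    allow-transfer { none; };                      // no zone dumps to the public
    zone "example.com" {
        type master;
        file "example.com.external";               // public addresses only
    };
};
```

Keeping the private records in a separate zone file, rather than one file filtered by ACL, is what prevents RFC1918 data from leaking to external resolvers; `named-checkconf` will validate the syntax before a reload.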