restricting internal hosts access to the Internet question
Jim Reid
jim at rfc1035.com
Fri Jul 21 18:40:58 UTC 2000
>>>>> "Kelly" == Kelly Scroggins <kelly at cliffhanger.com> writes:
Kelly> I want to allow internal hosts (subnets) to resolve names
Kelly> for internal devices but limit which subnets can resolve
Kelly> names on the Internet.
Kelly> Should I apply an access list to the "." zone to accomplish
Kelly> this?
Probably not. [Doing anything to the root zone is generally a bad idea
unless you're running a root server.] You need at least two
allow-query clauses:
options {
    ....
    // Global default. Address match lists are evaluated first-match-wins:
    // a negated entry denies, and an address that matches no entry is
    // also denied, so "any" must follow the negation or everyone is refused.
    allow-query { !10.10.10/24; any; };
    ...
};
zone "some-local-domain" {
    ...
    // A zone-level allow-query replaces the global one for this zone.
    allow-query { any; };
    ...
};
The global list prevents the name server from handling queries from
subnet 10.10.10/24. However, addresses in that net can look up names in
the some-local-domain domain. For this domain, the local ACL is
applied instead of the global ACL. The local ACL lets anyone issue
queries for names in that domain. When there's both a global and
zone-specific option, the zone-specific one is used instead of the
global one.
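The following is an added illustration, not part of the original post or of BIND itself: a small Python model of how BIND evaluates an allow-query address match list (first matching element decides, a "!" entry denies, and an address matching no entry is denied) and of how a zone-level allow-query overrides the global one. The zone lookup by name suffix and the CONFIG structure are simplifications constructed for the example; real BIND picks the closest enclosing zone it serves and has further options (recursion control, views) that this model leaves out.

```python
"""Model of BIND allow-query address-match-list semantics (added example)."""
from ipaddress import ip_address, ip_network


def expand_prefix(token):
    """BIND accepts shortened prefixes such as 10.10.10/24; pad them to
    four octets so Python's ipaddress module can parse them."""
    if "/" not in token:
        return token
    net, length = token.split("/", 1)
    octets = net.split(".")
    while len(octets) < 4:
        octets.append("0")
    return ".".join(octets) + "/" + length


def acl_allows(acl, client):
    """Evaluate an address match list used as an access control list.
    The first element that matches decides: a plain match allows, a
    negated ("!") match denies.  No match at all means deny."""
    addr = ip_address(client)
    for element in acl:
        negated = element.startswith("!")
        token = element.lstrip("!")
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        else:
            hit = addr in ip_network(expand_prefix(token), strict=False)
        if hit:
            return not negated
    return False


# Constructed configuration mirroring the corrected snippet above.
CONFIG = {
    "options": {"allow-query": ["!10.10.10/24", "any"]},
    "zones": {"some-local-domain": {"allow-query": ["any"]}},
}


def query_allowed(config, client, qname):
    """Use the zone-level allow-query when the queried name falls inside a
    configured zone (zone option overrides the global one); otherwise fall
    back to the global allow-query from options."""
    global_acl = config["options"]["allow-query"]
    for zone, opts in config["zones"].items():
        if qname == zone or qname.endswith("." + zone):
            return acl_allows(opts.get("allow-query", global_acl), client)
    return acl_allows(global_acl, client)


if __name__ == "__main__":
    # The restricted subnet is refused for Internet names but can still
    # resolve the local zone; other subnets are allowed everywhere.
    print(query_allowed(CONFIG, "10.10.10.5", "www.example.net"))    # False
    print(query_allowed(CONFIG, "10.10.10.5", "host.some-local-domain"))  # True
    print(query_allowed(CONFIG, "10.20.0.7", "www.example.net"))     # True
    # Pitfall: a list containing only a negation denies every client.
    print(acl_allows(["!10.10.10/24"], "10.20.0.7"))                 # False
```

The last line is the check worth keeping in mind when writing such lists: because an address that matches nothing is denied, `{ !10.10.10/24; }` on its own blocks every client, not just the restricted subnet; the trailing `any` is what lets the rest of the network through.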