restricting internal hosts access to the Internet question

Jim Reid jim at rfc1035.com
Fri Jul 21 18:40:58 UTC 2000


>>>>> "Kelly" == Kelly Scroggins <kelly at cliffhanger.com> writes:

    Kelly> I want to allow internal hosts (subnets) to resolve names
    Kelly> for internal devices but limit which subnets can resolve
    Kelly> names on the Internet.

    Kelly> Should I apply an access list to the "." zone to accomplish
    Kelly> this?

Probably not. [Doing anything to the root zone is generally a bad idea
unless you're running a root server.] You need at least two
allow-query clauses:
	options {
		....
		// deny 10.10.10/24, then "any" admits everyone else; a list holding
		// only a negated element matches nobody, so every query would be refused
		allow-query { !10.10.10/24; any; };
		...
	};

	zone "some-local-domain" {
		...
		// the zone's own list replaces the global one for this zone
		allow-query { any; };
		...
	};

The global list prevents the name server from handling queries from
subnet 10.10.10/24. However, addresses in that net can look up names in
the some-local-domain domain. For this domain, the local ACL is
applied instead of the global ACL. The local ACL lets anyone issue
queries for names in that domain. When there's both a global and a
zone-specific option, the zone-specific one is used instead of the
global one.
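To make the evaluation rules concrete, here is a small Python model of how BIND walks an address match list (first matching element decides, a negated match denies, and no match at all also denies) and of the zone-level allow-query overriding the global one. This is an added illustration, not BIND's code and not part of the thread; the zone names, client addresses and the two config dictionaries are constructed for the example. It also shows why a global list consisting of nothing but a negated element ends up refusing every client, not just the listed subnet.

```python
import ipaddress

# Address match list semantics as documented in the BIND ARM: the list is
# walked in order and the first matching element decides. A plain element
# allows, a negated ("!") element denies, and if no element matches at all
# the query is denied. That last rule is what makes { !10.10.10/24; } on its
# own refuse every client.

def _expand_prefix(spec):
    """Turn BIND's short form "10.10.10/24" into "10.10.10.0/24" for ipaddress."""
    addr, _, length = spec.partition("/")
    octets = addr.split(".")
    while len(octets) < 4:
        octets.append("0")
    return ".".join(octets) + ("/" + length if length else "")

def match_list_allows(acl, client_ip):
    """Evaluate an allow-query style list (list of strings) for one client."""
    client = ipaddress.ip_address(client_ip)
    for element in acl:
        negated = element.startswith("!")
        spec = element[1:] if negated else element
        if spec == "any":
            matched = True
        elif spec == "none":
            matched = False
        else:
            matched = client in ipaddress.ip_network(_expand_prefix(spec), strict=False)
        if matched:
            return not negated
    return False  # nothing matched: access denied

def effective_allow_query(config, zone):
    """A zone's own allow-query replaces the global one; otherwise use options."""
    zone_cfg = config["zones"].get(zone, {})
    return zone_cfg.get("allow-query", config["options"]["allow-query"])

def query_allowed(config, zone, client_ip):
    return match_list_allows(effective_allow_query(config, zone), client_ip)

# Constructed configs: the first has only a negated element in the global
# list, the second adds "any" after it. Zone and client values are made up.
CONFIG_NEGATED_ONLY = {
    "options": {"allow-query": ["!10.10.10/24"]},
    "zones": {"some-local-domain": {"allow-query": ["any"]}},
}
CONFIG_WITH_ANY = {
    "options": {"allow-query": ["!10.10.10/24", "any"]},
    "zones": {"some-local-domain": {"allow-query": ["any"]}},
}

if __name__ == "__main__":
    for name, cfg in (("negated only", CONFIG_NEGATED_ONLY),
                      ("negated + any", CONFIG_WITH_ANY)):
        for zone, ip in (("some-local-domain", "10.10.10.7"),
                         ("example.net", "10.10.10.7"),
                         ("example.net", "192.168.1.5")):
            verdict = "allowed" if query_allowed(cfg, zone, ip) else "denied"
            print(f"{name:14} {zone:18} {ip:13} -> {verdict}")
```

Running it shows the difference between the two global lists: with only `!10.10.10/24`, a client at 192.168.1.5 asking about example.net is denied because nothing in the list matched it, while the `any` entry restores the intended "everyone except 10.10.10/24" behaviour; queries for some-local-domain are allowed from either client because the zone's own list wins.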
