Authoritative only based on interface

Jim Reid jim at rfc1035.com
Tue Jul 17 16:29:57 UTC 2001


>>>>> "pelln" == pelln  <pelln at icke-reklam.ipsec.nu.invalid> writes:

    >> Bob <BHockney at ix.netcom.com> wrote:
    >> Is there a way I can configure BIND (9.1) to answer a query
    >> only if it is authoritative if the query comes from one
    >> interface, but allow forwarding to answer the query if it comes
    >> from another interface?  What I want to do is have it respond
    >> to external queries only if authoritative but respond to all
    >> internal queries.  Any insight appreciated.

    pelln> Views can do this, it does not work by interface though,
    pelln> but by the source address in the query.

It's not necessary to use views to control lookups based on IP
address. Just define ACLs for the inside and outside networks and
apply them to allow-query clauses as appropriate. For instance,
someone could have a global allow-query clause which is limited to the
local network and have per-zone allow-query clauses which are
unrestricted. That way local users can make arbitrary lookups and the
outside world can only get answers for queries about names in the
zones served by the name server.

    pelln> You could use interface-specific bind behaviour, you would
    pelln> have to start several bind, and on each bind's config have
    pelln> 'listen-on' statements to use a specific interface.

This probably won't solve the problem. It will do more or less what
the original poster asked, namely handle queries based on the
interface that they were sent to. This is not necessarily the same
thing as the interface that took delivery of the incoming packet which
is what seems to have been originally asked. Most (all?) Unix TCP/IP
implementations use the weak end system model. They accept packets for
any of the local addresses for the host no matter which interface
receives them. [See Stevens: Unix Network Programming Vol1 or TCP/IP
Illustrated Vol2.] There's usually no way of telling which interface
actually received the query. Packets come off the wire and the host's
network interface device drivers put them into one queue for going up
the kernel's TCP/IP stack.
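As an added example that is not part of the original post, here is a BIND 9 named.conf fragment for the ACL approach described in the reply above: a global allow-query limited to the inside network plus an unrestricted per-zone allow-query. The 192.0.2.0/24 range, the zone name and the file paths are assumed placeholders, and the allow-recursion line is an extra restriction not mentioned in the thread.

```conf
// Added example (not from the bind-users thread). Addresses, zone name
// and paths are placeholders; adjust to the real inside network.
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;      // assumed inside network
};

options {
    directory "/var/named";
    // Global default: only inside clients may ask for arbitrary names,
    // i.e. anything the server must recurse or forward for.
    allow-query     { internal; };
    // Extra hardening (not in the thread): never recurse for outsiders,
    // even when the per-zone allow-query below lets them in.
    allow-recursion { internal; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Per-zone override: anyone may query names in a zone this server is
    // authoritative for; other names still fall under the global clause.
    allow-query { any; };
};
```

Run `named-checkconf` on the result before reloading; an outside client then gets REFUSED for names outside example.com and normal authoritative answers for names inside it.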


More information about the bind-users mailing list