limiting external visibility - without resorting to views.

Tim Peiffer peiffer at
Sat Mar 26 21:16:46 UTC 2005

I am interested in limiting the visibility of my nameservers to the 
extent that I do not want to answer external queries from my cache.  
What are the methods of control other than allow-query, 
allow-recursion?  I have ACL'ed 'allow-query' and 'allow-recursion' at 
the global option level, and have 'allow-query' as a per-zone option set 
to 'any'.  I have thought about removing the root hints as well, but am not 
100% sure of the outcome.  Specifically, I want to restrict external 
use of my servers without resorting to 'views'.  I have members of our 
staff that are not comfortable with views at scale; scale being 
~50 million transactions/day/server.

I am currently putting together an anycast service using Bind9.3.1, 
setting up the masters as authoritative only, with the anycast running 
from cache-only.  I could wait until I complete my anycast service and 
my masters are split out to ACL the cache servers to on-campus only.

Tim Peiffer
Network Support Engineer
University of Minnesota
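As an added illustration (not from Tim's post), the named.conf fragment below shows the split he describes: 'allow-query' and 'allow-recursion' restricted to a campus ACL at the options level, with 'allow-query { any; }' on each authoritative zone, so cached data and recursion stay on-campus without views. The zone name example.edu, the file paths and the address ranges are placeholders.

```conf
// Added example: BIND 9 named.conf fragment that keeps recursion and
// cache answers on-campus while leaving authoritative zones world-visible.
// All prefixes, zone names and paths below are placeholders.

acl "campus" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;          // placeholder: on-campus network A
    198.51.100.0/24;       // placeholder: on-campus network B
};

options {
    directory "/var/named";
    recursion yes;

    // These two statements gate the cache: recursion, and answers for
    // any name that is not covered by a zone statement below, are only
    // given to clients matching "campus".
    allow-recursion { campus; };
    allow-query     { campus; };
};

// Authoritative data stays visible to everyone: the per-zone
// allow-query overrides the global one for this zone only.
zone "example.edu" {
    type master;
    file "master/example.edu.db";
    allow-query { any; };
};

// The hint zone is used only when the server recurses. Leaving it in
// place does not widen visibility (recursion is already limited to
// "campus"); removing it would break recursion for campus clients too.
zone "." {
    type hint;
    file "named.root";
};
```

Run named-checkconf on the result before reloading. BIND 9.4 and later add a separate allow-query-cache option for exactly this case; on 9.3 the global allow-query is what controls answers from the cache.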

