Specifying a view for dig?
Barry Margolin
barmar at alum.mit.edu
Sat Feb 9 05:08:49 UTC 2008
In article <foh39t$15cb$1 at sf1.isc.org>,
Michael Rasmussen <mikeraz at patch.com> wrote:
> I'd like to specify a particular view for dig so that from an internal client
> I can do something like
>
> for s in secondary1.example.com secondary.example.net myserver.mydomain.org
> do
> echo -n "$s "
> dig @$s questionalably_syncddomain.net SOA | egrep "^q.*SOA"
> done
>
> Giving myself no mental breakdown room to compare the results.
>
> This is presuming the source IP of the digging client is in a separate view
> between mydomain.org and the other two.
>
> The dig manpage has nothing on view.
> A web search for terms including dig and view returns too much irrelevant
> stuff.
>
> Is it possible?

Would you really want it to be possible?

If a client could specify which view to use, it would allow external
clients to look at your internal view, even though they don't match the
ACL in the view. Most organizations use views as a way to protect their
internal DNS, and this would make that protection nonexistent.

I suppose that there could be another ACL that specifies who is allowed
to override the view's match-XXX criteria.

But as others have said, there's nothing about views in the DNS
protocol, it's just a decision made by the server using the match-XXX
criteria.

--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
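
Added example, not part of the original post: a named.conf sketch showing that the server alone picks the view from its match-clients lists, and how a TSIG key placed in those lists lets an internal client be served from the external view for comparison without exposing the internal one. The key name, secret, networks and file paths are placeholders chosen for illustration.

```conf
// Constructed example: every name, network and path below is a placeholder.

// Shared secret held only by the admin host that runs the comparison.
key "check-external" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; };

// Views are tried in order; the first whose match-clients list matches wins.
view "internal" {
    // A query signed with check-external hits the negated element first,
    // so this view is skipped even when the source IP is internal.
    // Unsigned queries from internal-nets are served here as before.
    match-clients { !key "check-external"; "internal-nets"; };
    zone "mydomain.org" {
        type master;
        file "internal/mydomain.org.db";
    };
};

view "external" {
    // Everything that did not match above, including signed test queries.
    match-clients { any; };
    zone "mydomain.org" {
        type master;
        file "external/mydomain.org.db";
    };
};

// From an internal client:
//   dig @myserver.mydomain.org mydomain.org SOA
//       unsigned, source in internal-nets  -> answered from "internal"
//   dig -k /path/to/check-external.key @myserver.mydomain.org mydomain.org SOA
//       signed with the key                -> answered from "external"
//
// The key only redirects a client to the view the outside world already
// sees. No key is listed as a positive match for "internal", so possession
// of a key never grants access to the internal data.
```

If a key were instead added as a positive match for the internal view, anyone holding that secret could read internal data from any source address, so such a key would need the same protection as the ACL it overrides.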