question about views

Michele Chubirka chubirka at gwu.edu
Tue Sep 23 21:00:28 UTC 2008


Thanks. But one more question. We keep our subdomains in one main db 
file. Can we break out one subdomain into a separate db file while 
leaving the main db file intact? Or will we have to break out all our 
subdomains in order to do this?

Chris Buxton wrote:
> 
> Views are probably not the answer. Try allow-query instead:
> 
> zone backup.example.com {
>     type master;
>     file "backup.db";
>     allow-query { restricted_networks_ACL; };
> };
> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
> On Sep 23, 2008, at 1:29 PM, Michele Chubirka wrote:
> 
>> We have a dedicated, non-routable, private network for backups which
>> maps to a specific subdomain in our zone files. For example,
>> backup.example.com. We would like to prevent access to lookup records in
>> this subdomain from outside our network, but not the rest of the domain.
>> It isn't really practical for us to multi-home our DNS server onto this
>> network or to place a dedicated server there. Since all the hosts have
>> public interfaces as well, we had thought the best way to achieve this
>> would be with setting up views on our current BIND server, but since we
>> only want to restrict access to the subdomain, is this possible without
>> having two copies of the entire db file for each view? For example, we
>> would like to have an internal view which allowed access to
>> backup.example.com and an external view which allowed access to the rest
>> of the domain. Can I have a forward zone file for the subdomain with the
>> internal view config (also including the IN-ADDR.ARPA for the private IP
>> space) and leave it out of the external db file for the main zone,
>> example.com, without any delegation? We aren't trying to hand out
>> different IPs based upon match-clients, just block access to one
>> subdomain. Anyone have a better suggestion to accomplish this?
>>
>>  view "backup" {
>>     match-clients {restricted_networks_ACL;};
>>
>>     zone "10.IN-ADDR.ARPA" in {
>>         type master;
>>         file "10.db";
>>         notify yes;
>>     };
>>
>>     zone "backup.example.com" in {
>>         type master;
>>         file "backup.db";
>>         notify yes;
>>     };
>> };
>>
>> view "external" {
>>     match-clients {any;};
>>
>>     zone "routable_IP_space" in {
>>         type master;
>>         file "routeable.db";
>>         notify yes;
>>     };
>>
>>     zone "example.com" in {
>>         type master;
>>         file "example.db";
>>         notify yes;
>>     };
>> };
>>
>>
>> -- 
>> Michele Chubirka
>> Senior Information Systems Engineer
>> Information Systems and Services
>> George Washington University
>> 202-994-5791
>>
> 

-- 
Michele Chubirka
Senior Information Systems Engineer
Information Systems and Services
George Washington University
202-994-5791
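An added example, not from the thread, of the layout Chris's allow-query suggestion implies: only backup.example.com is carved out of example.com as its own master zone, and the existing example.com file is left untouched. The acl name comes from the thread; the 10.0.0.0/8 prefix, the directory and the file names are assumed.

```conf
// Added example (not the list's config): one subdomain broken out of example.com
// as a separate zone with its own query restriction. Prefix, directory and file
// names are assumptions.

acl "restricted_networks_ACL" {
    10.0.0.0/8;        // the private backup network (assumed prefix)
    127.0.0.1;         // keeps dig on the server itself working for troubleshooting
};

options {
    directory "/var/named";
    allow-query { any; };          // default for every zone that does not override it
};

// The parent stays in its existing file. No delegation for backup.example.com is
// needed there: when this server is authoritative for both zones it answers from
// the most specific one, so names under backup.example.com never fall through
// to example.db.
zone "example.com" in {
    type master;
    file "example.db";
};

// Only the restricted subdomain moves to its own file, which must carry its own
// SOA and NS records. The zone-level allow-query overrides the global one.
zone "backup.example.com" in {
    type master;
    file "backup.db";
    allow-query    { restricted_networks_ACL; };
    allow-transfer { restricted_networks_ACL; };   // keep AXFR on the same ACL
};

// The reverse zone for the private space gets the same treatment.
zone "10.in-addr.arpa" in {
    type master;
    file "10.db";
    allow-query    { restricted_networks_ACL; };
    allow-transfer { restricted_networks_ACL; };
};
```

A client outside the ACL asking for a name under backup.example.com gets REFUSED rather than NXDOMAIN, so this hides the records but not the existence of the zone; run named-checkconf before reloading to catch the missing semicolons and braces that are easy to introduce in this kind of split.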


More information about the bind-users mailing list