Re: filtering results to subnets - DNS



Thread: Re: filtering results to subnets

  1. Re: filtering results to subnets

    On Friday 18 July 2008 22:27, Jerome Haltom wrote:

    > I have a desire to filter A records returned to clients that are outside
    > of certain subnets. Basically my zone has a lot of private addresses in
    > it. I'm cool with this.


    How about using the View Option in Bind?


    --

    Regards
    Robert

    Smile... it increases your face value!
    Linux User #296285
    http://counter.li.org


  2. Re: filtering results to subnets

    In article ,
    Robert Spangler wrote:

    > On Friday 18 July 2008 22:27, Jerome Haltom wrote:
    >
    > > I have a desire to filter A records returned to clients that are outside
    > > of certain subnets. Basically my zone has a lot of private addresses in
    > > it. I'm cool with this.

    >
    > How about using the View Option in Bind?


    Did you read his entire message? He explained why views don't apply:
    he's a slave to a Windows Active Directory.

    To accomplish this they'd need to use separate zones for the public and
    private hostnames, so that the private stuff could be in an internal
    view.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***


  3. Re: filtering results to subnets

    On Saturday 19 July 2008 20:19, Barry Margolin wrote:

    > In article ,
    >
    > Robert Spangler wrote:
    > > On Friday 18 July 2008 22:27, Jerome Haltom wrote:
    > > > I have a desire to filter A records returned to clients that are
    > > > outside of certain subnets. Basically my zone has a lot of private
    > > > addresses in it. I'm cool with this.

    > >
    > > How about using the View Option in Bind?

    >
    > Did you read his entire message? He explained why views don't apply:
    > he's a slave to a Windows Active Directory.
    >
    > To accomplish this they'd need to use separate zones for the public and
    > private hostnames, so that the private stuff could be in an internal
    > view.


    Here is the issue, why would you have the slaves doing something different
    than the master? You are just looking for issues.

    That is like saying if the answers come from server 'A' I want this to be
    returned but if the answer comes from server 'B' I want something different.
    That is just asking for resolve issues and a troubleshooting nightmare.


    --

    Regards
    Robert

    Smile... it increases your face value!
    Linux User #296285
    http://counter.li.org


  4. Re: filtering results to subnets

    Robert Spangler wrote:
    > On Saturday 19 July 2008 20:19, Barry Margolin wrote:
    >
    >
    >> In article ,
    >>
    >> Robert Spangler wrote:
    >> > On Friday 18 July 2008 22:27, Jerome Haltom wrote:
    >> > > I have a desire to filter A records returned to clients that are
    >> > > outside of certain subnets. Basically my zone has a lot of private
    >> > > addresses in it. I'm cool with this.
    >> >
    >> > How about using the View Option in Bind?

    >>
    >> Did you read his entire message? He explained why views don't apply:
    >> he's a slave to a Windows Active Directory.
    >>
    >> To accomplish this they'd need to use separate zones for the public and
    >> private hostnames, so that the private stuff could be in an internal
    >> view.
    >>

    >
    > Here is the issue, why would you have the slaves doing something different
    > than the master? You are just looking for issues.
    >
    > That is like saying if the answers come from server 'A' I want this to be
    > returned but if the answer comes from server 'B' I want something different.
    > That is just asking for resolve issues and a troubleshooting nightmare.

    I have lost the original message but if I remember correctly then a
    combination of views and some post-processing of the transferred zone
    file may achieve what is wanted here.
    The internal view should be a slave of the Windows DNS server and serve
    out the entire zone as required. A script would then be written to do a
    zone transfer from the local server and generate a file with the
    RFC1918(?) addresses removed. This file is then served from another view
    as a master zone giving the answer required. The major problem with such
    a scheme is getting a trigger to run the script when an updated zone is
    transferred. This could be done from CRON by inspecting the serial
    number on the internal zone and only running the update when it changes.
    I suggest localhost to localhost transfers so as to not complicate the
    security settings needed.

    Apologies if this is noise but it is a solution I have used for other
    similar problems elsewhere.

    Howard.
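    Howard's scheme, worked through as an added example. This is not code from the thread, and it assumes names the posts never give: the zone is example.com, BIND on this host answers 127.0.0.1 from an internal view that holds the full slave zone and allows transfers from 127.0.0.1, a second view is named "public", and the state and zone-file paths are the ones set at the top of the script. The sample AXFR output is constructed, not a capture. Beyond the post's outline it also handles the failure mode that matters here: a refused or empty transfer has no SOA, so it must never replace the public file.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed: zone example.com, BIND answering
# 127.0.0.1 from an internal view with allow-transfer { 127.0.0.1; }, a view named
# "public" serving the filtered file as a master zone, and the paths below.
ZONE="${ZONE:-example.com}"
INTERNAL_NS="${INTERNAL_NS:-127.0.0.1}"
STATE_DIR="${STATE_DIR:-/var/cache/bind/public-filter}"
PUBLIC_ZONEFILE="${PUBLIC_ZONEFILE:-/var/cache/bind/public/db.example.com}"

# Filter: read "dig ... AXFR" output on stdin, write a loadable master zone file on stdout.
#  - drop dig's ";" comment lines and blank lines
#  - keep only the first SOA (an AXFR answer repeats it as the last record)
#  - drop A records whose address is in 10/8, 172.16/12 or 192.168/16 (RFC 1918)
# Everything else (NS, SRV, CNAME, public A records, ...) passes through unchanged.
strip_rfc1918() {
    awk '
    function is_rfc1918(ip,    o) {
        if (split(ip, o, ".") != 4) return 0
        if (o[1] == 10) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        return 0
    }
    /^;/ || NF == 0 { next }
    $4 == "SOA" { if (seen_soa++) next }
    $4 == "A" && is_rfc1918($5) { next }
    { print }
    '
}

# Serial of the first SOA in a zone text; SOA rdata is "mname rname serial refresh retry expire minimum".
serial_of() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Constructed sample of what "dig @127.0.0.1 example.com AXFR" prints (not a real capture).
sample_axfr() {
    cat <<'EOF'
; <<>> DiG 9 <<>> @127.0.0.1 example.com AXFR
;; global options:  printcmd
example.com.            3600 IN SOA  dc1.example.com. hostmaster.example.com. 2008071901 900 600 86400 3600
example.com.            3600 IN NS   dc1.example.com.
example.com.            3600 IN A    203.0.113.10
_ldap._tcp.example.com. 600  IN SRV  0 100 389 dc1.example.com.
dc1.example.com.        3600 IN A    10.1.1.10
fileserver.example.com. 1200 IN A    172.20.5.40
printer.example.com.    1200 IN A    192.168.3.7
www.example.com.        3600 IN A    203.0.113.10
www.example.com.        3600 IN A    172.16.0.5
vpn.example.com.        3600 IN A    198.51.100.7
example.com.            3600 IN SOA  dc1.example.com. hostmaster.example.com. 2008071901 900 600 86400 3600
;; Query time: 1 msec
;; XFR size: 11 records
EOF
}

# Cron entry point: AXFR the full zone from the internal view, rebuild the public
# file only when the SOA serial changed, check that it loads, then reload just
# that zone in the public view.
update_public_zone() {
    mkdir -p "$STATE_DIR" "$(dirname "$PUBLIC_ZONEFILE")"
    xfr="$STATE_DIR/$ZONE.axfr"
    dig @"$INTERNAL_NS" "$ZONE" AXFR > "$xfr" || { echo "AXFR of $ZONE from $INTERNAL_NS failed" >&2; return 1; }
    new_serial=$(serial_of < "$xfr")
    # A refused or failed transfer carries no SOA: never publish an empty zone.
    [ -n "$new_serial" ] || { echo "no SOA in transfer of $ZONE, not publishing" >&2; return 1; }
    old_serial=$(cat "$STATE_DIR/$ZONE.serial" 2>/dev/null || echo none)
    [ "$new_serial" = "$old_serial" ] && return 0
    strip_rfc1918 < "$xfr" > "$PUBLIC_ZONEFILE.new"
    named-checkzone "$ZONE" "$PUBLIC_ZONEFILE.new" > /dev/null || { echo "filtered $ZONE does not load" >&2; return 1; }
    mv "$PUBLIC_ZONEFILE.new" "$PUBLIC_ZONEFILE"
    echo "$new_serial" > "$STATE_DIR/$ZONE.serial"
    rndc reload "$ZONE" IN public
}

# Run from cron as "filter-zone.sh update"; with no argument only the functions are defined.
if [ "${1:-}" = update ]; then
    update_public_zone
fi
```

    Run it every few minutes from cron (for instance `*/5 * * * * named /usr/local/sbin/filter-zone.sh update`); the serial file is what stops it rewriting and reloading the zone when nothing changed. Two things the filter does not hide: a host that only had private addresses disappears from the public copy, which is what the original poster wants, but the NS and SOA mname and the AD SRV records still name the domain controllers, so those names are visible outside even though they resolve to nothing. If the public NS set must differ from what Active Directory publishes, extend the awk to rewrite the NS records as well.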

  5. Re: filtering results to subnets

    Well, this was sort of my last resort option. I guess it's where I'll be
    heading.

    On Sun, 2008-07-20 at 12:24 +0100, Howard Wilkinson wrote:
    > Robert Spangler wrote:
    > > On Saturday 19 July 2008 20:19, Barry Margolin wrote:
    > >
    > >
    > >> In article ,
    > >>
    > >> Robert Spangler wrote:
    > >> > On Friday 18 July 2008 22:27, Jerome Haltom wrote:
    > >> > > I have a desire to filter A records returned to clients that are
    > >> > > outside of certain subnets. Basically my zone has a lot of private
    > >> > > addresses in it. I'm cool with this.
    > >> >
    > >> > How about using the View Option in Bind?
    > >>
    > >> Did you read his entire message? He explained why views don't apply:
    > >> he's a slave to a Windows Active Directory.
    > >>
    > >> To accomplish this they'd need to use separate zones for the public and
    > >> private hostnames, so that the private stuff could be in an internal
    > >> view.
    > >>

    > >
    > > Here is the issue, why would you have the slaves doing something different
    > > than the master? You are just looking for issues.
    > >
    > > That is like saying if the answers come from server 'A' I want this to be
    > > returned but if the answer comes from server 'B' I want something different.
    > > That is just asking for resolve issues and a troubleshooting nightmare.
    > >
    > >
    > >

    > I have lost the original message but if I remember correctly then a
    > combination of views and some post-processing of the transferred zone
    > file may achieve what is wanted here.
    > The internal view should be a slave of the Windows DNS server and serve
    > out the entire zone as required. A script would then be written to do a
    > zone transfer from the local server and generate a file with the
    > RFC1918(?) addresses removed. This file is then served from another view
    > as a master zone giving the answer required. The major problem with such
    > a scheme is getting a trigger to run the script when an updated zone is
    > transferred. This could be done from CRON by inspecting the serial
    > number on the internal zone and only running the update when it changes.
    > I suggest localhost to localhost transfers so as to not complicate the
    > security settings needed.
    >
    > Apologies if this is noise but it is a solution I have used for other
    > similar problems elsewhere.
    >
    > Howard.


  6. Re: filtering results to subnets

    In article ,
    Robert Spangler wrote:

    > On Saturday 19 July 2008 20:19, Barry Margolin wrote:
    >
    > > In article ,
    > >
    > > Robert Spangler wrote:
    > > > On Friday 18 July 2008 22:27, Jerome Haltom wrote:
    > > > > I have a desire to filter A records returned to clients that are
    > > > > outside of certain subnets. Basically my zone has a lot of private
    > > > > addresses in it. I'm cool with this.
    > > >
    > > > How about using the View Option in Bind?

    > >
    > > Did you read his entire message? He explained why views don't apply:
    > > he's a slave to a Windows Active Directory.
    > >
    > > To accomplish this they'd need to use separate zones for the public and
    > > private hostnames, so that the private stuff could be in an internal
    > > view.

    >
    > Here is the issue, why would you have the slaves doing something different
    > than the master? You are just looking for issues.


    The master presumably isn't accessible from the Internet, so it doesn't
    need to distinguish between the different client locations. He's hoping
    that BIND can be used on the slave to respond to Internet clients.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***
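    The view layout this needs on the BIND slave, as an added example rather than anything posted in the thread. The zone name, the domain controller addresses, the internal ACL, the view names and the file paths are all assumptions; the only fixed point is that the full zone is a slave of the Windows servers in one view and the filtered file is a master zone in the other.

```conf
// Added example (not from the thread). Assumed: zone example.com, AD domain
// controllers 10.1.1.10 and 10.1.1.11, internal clients in 10.0.0.0/8, and a
// filtered copy written to public/db.example.com by a script on this host.
acl internal { 127.0.0.1; 10.0.0.0/8; };

// Views are tried in order: 127.0.0.1 matches here first, so a zone transfer
// from localhost gets the complete zone and needs no extra keys or ACLs.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type slave;
        masters { 10.1.1.10; 10.1.1.11; };
        file "slaves/db.example.com";
        // Only the filter script on this host may pull the full zone.
        allow-transfer { 127.0.0.1; };
    };
};

// Everyone else sees the copy with the RFC 1918 addresses removed.
view "public" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "public/db.example.com";
        // Add the public secondaries here if any exist.
        allow-transfer { none; };
    };
};
```

    After the script rewrites public/db.example.com, `rndc reload example.com IN public` picks up only that view's copy; the internal slave keeps refreshing from the domain controllers on its own SOA timers and NOTIFYs. Check the public view from outside (or with a source address outside the internal ACL) after the first run: a query for a host that only had a private address should return NODATA, not a 10.x answer.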

