Gordon Bowersox wrote:
> I am using DNS to block access to certain external websites. Our
> firewall does not block entire domains well.
>
> But I have need to allow certain people to correctly resolve some of the
> external sites. I am looking at views to control this, but wonder if I
> can use acl to block some people from seeing some of my fake zones?

Offhand, I can't see how this could work. If you restrict people from
resolving names in a particular zone, they just get a REFUSED response.
The algorithm doesn't "fail over" from an ACL-based denial to global
forwarding or anything like that.
> Or
> perhaps allow some people to forward request on a per zone basis?
>

If you want some people to see the "fake" authoritative contents of a
given zone, and others to not see that same data for the same zone, then
I think your only option is to define the zone in different views.
Whether you then throw forwarding into the mix is up to you, but
generally speaking, I'd advise against it.


- Kevin