If you are using a split DNS design you can do this with Internal ONLY
servers. One way that we do that with our internal DNS servers is that
we create a zone (become authoritative) for the domain you wish to block
then put in an A record for everything to resolve to It
works for us. Not best practice, but with our setup we can get away
with it.

Tim Moore
Network Operations Center

>>> Kevin Darcy 7/11/2006 9:52 PM >>>

Gordon Bowersox wrote:
> I am using DNS to block access to certain external websites. Our
> firewall does not block entire domains well.
> But I have need to allow certain people to correctly resolve some of
> external sites. I am looking at views to control this, but wonder if I
> can use acl to block some people from seeing some of my fake zones?

Offhand, I can't see how this could work. If you restrict people from
resolving names in a particular zone, they just get a REFUSED response.

The algorithm doesn't "fail over" from an ACL-based denial to global
forwarding or anything like that.

> Or perhaps allow some people to forward requests on a per zone basis?

If you want some people to see the "fake" authoritative contents of a
given zone, and others to not see that same data for the same zone,
I think your only option is to define the zone in different views.
Whether you then throw forwarding into the mix is up to you, but
generally speaking, I'd advise against it.

- Kevin
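To make the two suggestions in this thread concrete (Tim's "become authoritative and point everything at a sinkhole" zone, and Kevin's "define the zone in different views" answer), here is an added BIND 9 named.conf fragment and zone file; it is example configuration written for this post, not anything from the original messages. The client range, the blocked domain name and the sinkhole address are constructed placeholders. Note that views are matched in order, so the unfiltered view must be listed first, and that once any view exists every zone (including the root hints) must live inside a view.

```conf
// --- named.conf (excerpt), constructed example ---

// Clients allowed to resolve the real Internet data for blocked domains.
// 192.0.2.0/24 is a documentation range standing in for the real exceptions list.
acl "unfiltered-clients" { 192.0.2.0/24; };

// First match wins: the exception group gets a view with NO fake zone,
// so their queries recurse normally.
view "unfiltered" {
    match-clients { "unfiltered-clients"; };
    recursion yes;
    zone "." { type hint; file "named.root"; };
};

// Everyone else lands here and sees the fake authoritative zone.
// Using allow-query on the zone instead of a view would only return
// REFUSED; it does not fall through to normal recursion.
view "filtered" {
    match-clients { any; };
    recursion yes;
    zone "." { type hint; file "named.root"; };

    // Server becomes authoritative for the blocked domain.
    zone "blocked.example" {
        type master;
        file "db.blackhole";
    };
};

// --- db.blackhole, constructed example ---
// A generic sinkhole zone; the same file can be reused for every blocked domain.
// $TTL 3600
// @   IN SOA  ns1.dns.example. hostmaster.dns.example. ( 1 3600 900 604800 300 )
//     IN NS   ns1.dns.example.
//     IN A    192.0.2.1      ; sinkhole address (constructed placeholder)
// *   IN A    192.0.2.1      ; wildcard: every subdomain resolves to the sinkhole
```

After `rndc reload`, a quick check is `dig @server www.blocked.example A` from a host inside and outside 192.0.2.0/24: the former should return the real answer, the latter 192.0.2.1.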
