Public and private hosts in the same BIND zone
For my particular setup, I've got control of a BIND 9 zone file for, say, example.com. There are several hosts in this zone, such as www.example.com and mail.example.com. I want the public internet to be able to query these hosts and retrieve their IPs as you'd expect.

Can some hosts be flagged as "private", in the sense that most public internet users can't query information about these hosts, except for a specific IP range of users? For example, can I make a third host, secret.example.com, query-able only by users in the 192.168.0.x range?

I'm aware that I can do this with separate zones in BIND, but this doesn't seem to offer what I need. The key here is that both the public and private hosts need to be part of the same parent, example.com in this case. This could also be achieved by the /etc/hosts file on the few privy machines, but then the records would not be centrally manageable.

Is this possible, or am I overlooking a different solution?
Solution 1:
Yes, Bind does this with views. Some detailed examples are here and here.
It would look something like this in named.conf:
view "trusted" {
    match-clients { 192.168.23.0/24; }; // our network
    recursion yes;
    zone "example.com" {
        type master;
        // private zone file including local hosts
        file "internal/master.example.com";
    };
    // add required zones
};

view "badguys" {
    match-clients { any; }; // all other hosts
    // recursion not supported
    recursion no;
    zone "example.com" {
        type master;
        // public only hosts
        file "external/master.example.com";
    };
    // add required zones
};
One trick I typically do to make administration easier is to simply have the internal file $INCLUDE the external file -- just don't forget about SOAs.
As a final word of caution, don't pretend this is anything more than Rubber Chicken Security (not that there's anything wrong with that).
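The $INCLUDE layout mentioned in the answer, written out as an added example (this is not part of the original answer; the names, addresses and file paths are constructed). The public file is a complete zone on its own and is what the "badguys" view serves; the internal file simply pulls it in and appends the private records, so it must not carry an SOA of its own, or the zone would load with two SOA records and fail.

```zone
; external/master.example.com  (served by the public view; constructed example)
$TTL 3600
$ORIGIN example.com.
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                2024010101  ; serial: bump this for EVERY change, public or private
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
@       IN  NS   ns1.example.com.
@       IN  MX   10 mail.example.com.
ns1     IN  A    203.0.113.10
www     IN  A    203.0.113.20
mail    IN  A    203.0.113.30

; internal/master.example.com  (served by the trusted view; constructed example)
; No SOA, NS or $TTL of its own: the $INCLUDE inlines the public file first,
; so the SOA, NS and public hosts come from there. The path is relative to
; the "directory" set in named.conf options.
$INCLUDE external/master.example.com
; BIND restores the origin after an $INCLUDE; restating it keeps the intent
; obvious for the records that follow.
$ORIGIN example.com.
secret  IN  A    192.168.0.50
```

Because the only SOA lives in the public file, the serial there is the serial of both views' copies of the zone: adding or changing a private host in the internal file does nothing visible to secondaries of the trusted view until that serial is bumped, which is the easy thing to forget.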