Hi all,
I have defined access control for a specific class of IPs and
everything is working fine, both for recursive and private class
requests.
Now, I would like to define a static zone and allow everyone (public)
to query *only* this zone, without allowing recursion.
Is it possible?
Thank you
F
Hi,
> Hi all,
> I have defined access control for a specific class of IPs and
> everything is working fine, both for recursive and private class
> requests.
> Now, I would like to define a static zone and allow everyone (public)
> to query *only* this zone, without allowing recursion.

Yes, there are two access-control types for that from the access-control
statement. The deny_non_local allows requests to local-zones (and
auth-zones with for-downstream: yes) and drops recursion requests. The
refuse_non_local sends an rcode REFUSED message instead of dropping
disallowed requests.

Just set everyone with an access-control statement. Access-control
statements are applied with the most-specific; so that if you give a /8
deny_non_local and another /24 allow, then the /24 is allowed everything
and everyone else only the local-zone and for-downstream auth-zone
information. Or give a /0. You would need a 0.0.0.0/0 for IPv4 and a
::0/0 for IPv6 to cover everyone. You can also carve out more specific
subnets and disallow with access-control type 'deny' that drops messages
from them.

Note that this would allow access to all the local-zones and auth-zones
for-downstream, and not just that specific zone. Something that you can
fix, in this case, if you want to, by putting the local-zone in a view
for everyone and putting local-zones for the specific group in another
view. And then use the access-control-view statement. Or tag the
local-zone and use the access-control-tag statement.

Best regards, Wouter
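
Added example, not part of the original thread: an unbound.conf sketch of the view-based setup described in the reply above. The netblock 192.0.2.0/24, the view names and the zone names and records are constructed placeholders, not values from the posts.

```conf
server:
    # Everyone: local data only, recursion answered with REFUSED.
    # Use deny_non_local instead to drop such queries silently.
    access-control: 0.0.0.0/0 refuse_non_local
    access-control: ::0/0 refuse_non_local

    # Most-specific match wins: the trusted range (constructed
    # placeholder) keeps full recursive service.
    access-control: 192.0.2.0/24 allow

    # Bind each netblock to a view so that each client group only
    # sees the local-zones defined in its own view.
    access-control-view: 0.0.0.0/0 "public"
    access-control-view: ::0/0 "public"
    access-control-view: 192.0.2.0/24 "internal"

view:
    name: "public"
    # The one zone the public may query (placeholder name and data).
    local-zone: "public.example." static
    local-data: "www.public.example. IN A 203.0.113.10"

view:
    name: "internal"
    # Zones reserved for the trusted range (placeholder name and data).
    local-zone: "corp.example." static
    local-data: "intranet.corp.example. IN A 192.0.2.50"
```

Run unbound-checkconf on the file before reloading, then query from an address outside the trusted range to confirm that www.public.example resolves and that any other name is refused.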