
Dynamic ACL


Ali Jawad

Apr 8, 2015, 8:07:24 AM
to bind-...@lists.isc.org
Hi
I am running BIND 9.10 and I have looked through various options including DLZ and RPZ but I am still not sure if they can do what I need or if I need to look at something different. Here is my scenario and I would appreciate it if you could advise me.

  • I do have 6 different Geo ACLs and a default ACL
  • Each ACL has its own zone file, users get served based on Geo location. If the users are not part of any geo location they are served the default ACL and zone files.
  • For a few hundred users I want to assign their IPs to specific Geo locations even if they do not belong to those locations. I want to do this on the fly without having to edit zone files and if possible without having to reload BIND. I want to keep it as dynamic as possible.

Any input, please?

Regards

Barry Margolin

Apr 8, 2015, 10:41:57 AM
to comp-protoc...@isc.org
In article <mailman.1908.1428494...@lists.isc.org>,
Ali Jawad <alij...@gmail.com> wrote:

> Hi
> I am running BIND 9.10 and I have looked through various options including
> DLZ and RPZ but I am still not sure if they can do what I need or if I need
> to look at something different. Here is my scenario and I would appreciate
> it if you could advise me.
>
> - I do have 6 different Geo ACLs and a default ACL
> - Each ACL has its own zone file, users get served based on Geo
>   location. If the users are not part of any geo location they are
>   served the default ACL and zone files.
> - For a few hundred users I want to assign their IPs to specific Geo
>   locations even if they do not belong to those locations. I want
>   to do this on the fly without having to edit zone files and if possible
>   without having to reload BIND. I want to keep it as dynamic as possible.
>
> Any input, please?
>
> Regards

Sounds like you should be able to do this all with views. When you
reassign an IP, you edit named.conf to change the "match-address"
clause, and use "rndc reconfig" to load the new named.conf file.

--
Barry Margolin
Arlington, MA
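As an added example (not part of the thread, and not ISC's own tooling), this is one way to script Barry's suggestion so the per-user overrides never need a hand edit of named.conf: the override addresses live in a small state file, an included ACL file is regenerated from it, the whole configuration is checked with named-checkconf, and the result is hot-loaded with rndc reconfig. The view layout in the header comment, the geo names, the file paths and the ACL names are all assumptions.

```shell
#!/bin/sh
# Maintain per-geo "override" ACLs for BIND views from a small state file,
# regenerate the include file, syntax-check it and hot-load it with
# "rndc reconfig". Everything below (paths, geo codes, ACL names) is assumed.
#
# Assumed named.conf layout (views are tried in order; first match wins):
#   include "/etc/named/geo-overrides.conf";        # generated by this script
#   acl "geo-eu" { 198.51.100.0/24; };              # from GeoIP data (assumed)
#   view "eu" {
#       match-clients { override-eu; !override-all; geo-eu; };
#       zone "example.com" { type master; file "eu/example.com.db"; };
#   };
#   ... one view per geo, each with "override-<geo>; !override-all; geo-<geo>;"
#   view "default" { match-clients { override-default; any; }; ... };
set -eu

STATE_DIR="${STATE_DIR:-/etc/named}"         # assumed location
STATE_FILE="$STATE_DIR/geo-overrides.db"     # "ip geo" per line, persistent
ACL_FILE="$STATE_DIR/geo-overrides.conf"     # generated; named.conf includes it
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"
GEOS="eu us asia default"                    # assumed geo codes, one view each

ensure_state() { mkdir -p "$STATE_DIR"; touch "$STATE_FILE"; }

# Only a plain IPv4 address or prefix may reach the ACL file: the user-supplied
# string is spliced into named's configuration, so ';', '}', newlines and the
# like would be a config injection, not just a typo.
valid_ip() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

valid_geo() {
    for g in $GEOS; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# add_override IP GEO: record (or move) an address; it is in exactly one geo.
add_override() {
    valid_ip "$1"  || { echo "bad address: $1" >&2; return 1; }
    valid_geo "$2" || { echo "unknown geo: $2" >&2; return 1; }
    ensure_state
    { awk -v ip="$1" '$1 != ip' "$STATE_FILE"; echo "$1 $2"; } > "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"       # atomic replace
}

# remove_override IP: the address falls back to its real geo location.
remove_override() {
    valid_ip "$1" || { echo "bad address: $1" >&2; return 1; }
    ensure_state
    awk -v ip="$1" '$1 != ip' "$STATE_FILE" > "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# render_acls: one acl per geo plus "override-all", which every view negates
# so that an address moved to another geo no longer matches its native view.
render_acls() {
    ensure_state
    all=""
    for g in $GEOS; do
        printf 'acl "override-%s" {' "$g"
        awk -v geo="$g" '$2 == geo { printf " %s;", $1; n++ }
                         END { if (!n) printf " none;" }' "$STATE_FILE"
        printf ' };\n'
        all="$all override-$g;"
    done
    printf 'acl "override-all" {%s };\n' "$all"
}

# apply: write the include file, check the full config, reload views in place.
apply() {
    [ -f "$ACL_FILE" ] && cp "$ACL_FILE" "$ACL_FILE.bak"
    render_acls > "$ACL_FILE.tmp"
    mv "$ACL_FILE.tmp" "$ACL_FILE"
    if named-checkconf "$NAMED_CONF"; then
        rndc reconfig                        # re-reads named.conf, no restart
    else
        echo "config check failed, restoring previous ACL file" >&2
        [ -f "$ACL_FILE.bak" ] && mv "$ACL_FILE.bak" "$ACL_FILE"
        return 1
    fi
}

usage() { echo "usage: $0 add IP GEO | remove IP | apply" >&2; return 1; }

main() {
    case "${1:-}" in
        add)    add_override "$2" "$3" && apply ;;
        remove) remove_override "$2" && apply ;;
        apply)  apply ;;
        *)      usage ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
[ $# -gt 0 ] && main "$@"
```

The temp-file-plus-rename keeps a reader from ever seeing a half-written state file, but it does not serialise two writers; if users will change their own view concurrently, as Ali describes, wrap the add/remove/apply sequence in a lock (flock or a lock directory) so two runs cannot interleave. The strict address check is the important part from a security standpoint: this script turns user input into named.conf content, and rndc reconfig will happily load whatever ends up there.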

Ali Jawad

Apr 8, 2015, 1:41:27 PM
to Barry Margolin, comp-protoc...@isc.org

Hi Barry
I would rather not do that through editing text files unless it is the last option. I want this dynamic and scalable. Down the road users will have the option to change their view, as such simultaneous read/write might happen.
Regards

On Apr 8, 2015 4:42 PM, "Barry Margolin" <bar...@alum.mit.edu> wrote:
In article <mailman.1908.1428494...@lists.isc.org>,
Ali Jawad <alij...@gmail.com> wrote:

> Hi
> I am running BIND 9.10 and I have looked through various options including
> DLZ and RPZ but I am still not sure if they can do what I need or if I need
> to look at something different. Here is my scenario and I would appreciate
> it if you could advise me.
>
> - I do have 6 different Geo ACLs and a default ACL
> - Each ACL has its own zone file, users get served based on Geo
>   location. If the users are not part of any geo location they are
>   served the default ACL and zone files.
> - For a few hundred users I want to assign their IPs to specific Geo
>   locations even if they do not belong to those locations. I want
>   to do this on the fly without having to edit zone files and if possible
>   without having to reload BIND. I want to keep it as dynamic as possible.
>
> Any input, please?
>
> Regards

Sounds like you should be able to do this all with views. When you
reassign an IP, you edit named.conf to change the "match-address"
clause, and use "rndc reconfig" to load the new named.conf file.

--
Barry Margolin
Arlington, MA
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Barry Margolin

Apr 8, 2015, 2:14:32 PM
to comp-protoc...@isc.org
In article <mailman.1920.1428514...@lists.isc.org>,
Ali Jawad <alij...@gmail.com> wrote:

> Hi Barry
> I would rather not do that through editing text files unless it is the last
> option. I want this dynamic and scalable. Down the road users will have the
> option to change their view, as such simultaneous read/write might happen.

I don't think BIND has a dynamic method for modifying ACLs or views.

Grant Taylor

Apr 9, 2015, 10:37:15 PM
to Ali Jawad, bind-...@lists.isc.org
On 04/08/2015 07:06 AM, Ali Jawad wrote:
> I am running BIND 9.10 and I have looked through various options
> including DLZ and RPZ but I am still not sure if they can do what I need
> or if I need to look at something different. Here is my scenario and I
> would appreciate it if you could advise me.

I'm not aware of any way to do this in BIND. (That doesn't mean that
there isn't, just that I don't know it.)

I would be tempted to have multiple BIND listeners and serve up the
different GEOs on each. Then I'd leverage something like IPTables to
dynamically alter which BIND listener traffic goes to based on the
source IP belonging to different IP sets.

The BIND config would be mostly static and the IPSets are in kernel and
can easily be updated via a script that users interface with. Obviously
you will want to save the lists to a file for persistence across reboots.
--
Grant. . . .
unix || die
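Grant's design, as an added example rather than anything posted in the thread: each geo's BIND instance listens on its own port on the same host, ipset holds one source-address set per geo, and nat-table REDIRECT rules send port-53 queries to the matching listener, while addresses in no set fall through to the default instance on port 53. Set names, ports and the save path are assumptions; with DRY_RUN=1 the functions print the commands they would run instead of executing them, which is also how the block can be exercised without root.

```shell
#!/bin/sh
# Steer DNS queries to one of several BIND listeners by source-address set.
# Assumed layout: the "eu", "us" and "asia" instances listen on ports
# 5301-5303 (listen-on port 5301 { any; }; etc.), the default instance on 53.
set -eu

GEOS="eu us asia"
IPSET_SAVE="${IPSET_SAVE:-/etc/ipset.conf}"     # assumed persistence file

port_for() {
    case "$1" in eu) echo 5301 ;; us) echo 5302 ;; asia) echo 5303 ;; *) return 1 ;; esac
}

# run CMD...: execute, or just print when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time setup (root): sets, redirect rules, and INPUT rules that stop a
# client from reaching a non-default listener directly and picking its own geo.
setup() {
    for g in $GEOS; do
        port=$(port_for "$g")
        run ipset create "geo-$g" hash:net -exist
        for proto in udp tcp; do
            run iptables -t nat -A PREROUTING -p "$proto" --dport 53 \
                -m set --match-set "geo-$g" src -j REDIRECT --to-ports "$port"
            run iptables -A INPUT -p "$proto" --dport "$port" \
                -m set ! --match-set "geo-$g" src -j DROP
        done
    done
}

# persist: dump all sets so "ipset restore < $IPSET_SAVE" can rebuild them at
# boot, before the iptables rules that reference them are loaded.
persist() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipset save > $IPSET_SAVE"
    else ipset save > "$IPSET_SAVE"; fi
}

# assign IP GEO: move an address (or prefix) so that it is in exactly one set.
# The kernel sets change immediately; BIND itself is not touched.
assign() {
    ip=$1; geo=$2
    case "$ip" in *[!0-9./]*|"") echo "bad address: $ip" >&2; return 1 ;; esac
    port_for "$geo" >/dev/null || { echo "unknown geo: $geo" >&2; return 1; }
    for g in $GEOS; do run ipset del "geo-$g" "$ip" -exist; done
    run ipset add "geo-$geo" "$ip" -exist
    persist
}

# unassign IP: the address goes back to the default listener.
unassign() {
    ip=$1
    case "$ip" in *[!0-9./]*|"") echo "bad address: $ip" >&2; return 1 ;; esac
    for g in $GEOS; do run ipset del "geo-$g" "$ip" -exist; done
    persist
}

main() {
    case "${1:-}" in
        setup)    setup ;;
        assign)   assign "$2" "$3" ;;
        unassign) unassign "$2" ;;
        *)        echo "usage: $0 setup | assign IP GEO | unassign IP" >&2; return 1 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
[ $# -gt 0 ] && main "$@"
```

Because assign() deletes the address from every set before adding it to one, rule order in PREROUTING never matters. The INPUT drop rules are the check a practitioner would want here: REDIRECT only changes the port inside the kernel, so without them anyone could query port 5301 directly and bypass the geo decision. Each extra instance also needs its own pid file and rndc control port, and the ipset restore must run before the firewall rules at boot or iptables will refuse rules that reference sets that do not yet exist.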