Old 12-14-2010, 09:20 AM   #1
qwerty.yp
LQ Newbie
 
Registered: Dec 2010
Posts: 7

Rep: Reputation: 0
Bind Config - Forwarded Zones not working as expected


Hi,

I am a bind noob & am attempting to setup a DNS server that will only respond to requests for certain domains.

For example, clients should be allowed to get to foo.org but NOT microsoft.com, pepsi.com, etc.

I assume the easiest way to get this done is to setup foo.org to be forwarded to its actual DNS server and then remove root hints and disable forwarders.

From everything I've read on BIND, it seems like this *should* be doable but perhaps I'm wrong.

My problem is that, in order for the server to actually forward the request, I have to have recursion on globally. This means that my server will also respond to pepsi.com.

If I have recursion turned off the query gets refused by my dns server...


Am I going about this all wrong? Is there any way to do this?




Here is my named.conf file

Code:
options {
  directory "/etc/namedb";                 // Working directory
  recursion no;                            // disables recursive lookups against our server
  pid-file "/var/run/named.pid";           // Put pid file in working dir
  statistics-file "/var/run/named.stats";
  version "Bind 10";
  dnssec-enable no;
  allow-query { any; };
};
controls {
  inet 127.0.0.1 port 953
    allow { 127.0.0.1; any; } keys { "rndc-key"; };   // "any" makes the 127.0.0.1 entry redundant; only the loopback bind limits exposure
};
// Root server hints (no hint zone declared)
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
  type master;
  file "db.127.0.0";
  notify no;
};

include "/etc/rndc.key";

zone "foo.org" {
  type forward;
  forwarders {
    xxx.xxx.xxx.xxx;
  };
};
 
Old 12-14-2010, 11:53 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
I assume the easiest way to get this done is to setup foo.org to be forwarded to its actual DNS server and then remove root hints and disable forwarders.
For the 1st you're right. You can forward the zones you want to their authoritative name servers.
For the second, you should know that some of the root-servers are compiled into bind code, so even without root.hints it still works, as it can resolve domains through those root-servers.
What you can do, is to use a dummy file (like /dev/null) as a zone file for the hint zone. Doing so, your dns will try to use it and it will give a SERVFAIL answer for the rest of the domains.

Regards
 
1 members found this post helpful.
Old 12-14-2010, 05:01 PM   #3
qwerty.yp
LQ Newbie
 
Registered: Dec 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
For the 1st you're right. You can forward the zones you want to their authoritative name servers.
For the second, you should know that some of the root-servers are compiled into bind code, so even without root.hints it still works, as it can resolve domains through those root-servers.
What you can do, is to use a dummy file (like /dev/null) as a zone file for the hint zone. Doing so, your dns will try to use it and it will give a SERVFAIL answer for the rest of the domains.

Regards
Thank you for the idea. I'll give that a try and report back
 
Old 12-14-2010, 10:09 PM   #4
qwerty.yp
LQ Newbie
 
Registered: Dec 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
For the second, you should know that some of the root-servers are compiled into bind code, so even without root.hints it still works, as it can resolve domains through those root-servers.
What you can do, is to use a dummy file (like /dev/null) as a zone file for the hint zone. Doing so, your dns will try to use it and it will give a SERVFAIL answer for the rest of the domains.

Regards
I tried using a dummy file as you suggested but it's giving me SERVFAIL for even my forwarded domain.
here is my updated named.conf:



Code:
options {
  directory "/etc/namedb";                 // Working directory
  recursion yes;                           // recursion must be on for forwarding to work
  pid-file "/var/run/named.pid";           // Put pid file in working dir
  statistics-file "/var/run/named.stats";
  version "Bind 10";
  dnssec-enable no;
  allow-query { any; };
};
controls {
  inet 127.0.0.1 port 953
    allow { 127.0.0.1; any; } keys { "rndc-key"; };   // "any" makes the 127.0.0.1 entry redundant; only the loopback bind limits exposure
};
// Root server hints: empty file so non-forwarded domains cannot be resolved
zone "." {
  type hint;
  file "/dev/null";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
  type master;
  file "db.127.0.0";
  notify no;
};

include "/etc/rndc.key";

zone "linuxquestions.org" {
  type forward;
  forwarders {
    204.13.248.76;
    204.13.249.76;
  };
};

I'm assuming I'm missing something dumb. any assistance will be greatly appreciated.
 
Old 12-15-2010, 12:24 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

You should add a "forward only", because the default is to forward first:
Code:
zone "linuxquestions.org" {
        type forward;
        forward only;
        forwarders { 204.13.248.76; 204.13.249.76; };
};
Regards
 
1 members found this post helpful.
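The two configuration problems worked through in this thread (a forward zone that cannot work while recursion is off, and a forward zone that silently falls back to normal recursion because "forward only" is missing), plus the hint-zone trick from post #2, can be checked mechanically before reloading named. The script below is an added example, not code from the thread or from ISC BIND: it carries its own minimal named.conf parser and an audit function that reports those conditions. The two embedded configs are constructed to mirror the first and the final configuration in the thread (192.0.2.x documentation addresses stand in for the real forwarder IPs); the finding codes, and the extra checks for an unrestricted allow-query with recursion on and for an rndc control channel that allows "any", are my additions.

```python
import re

# Constructed sample: the original poster's first named.conf reduced to what matters
# (recursion off, no hint zone, forward zone without "forward only", rndc allow "any").
CONF_BEFORE = """
options {
  directory "/etc/namedb"; // Working directory
  recursion no;
  allow-query { any; };
};
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; any; } keys { "rndc-key"; };
};
zone "foo.org" {
  type forward;
  forwarders { 192.0.2.53; }; // documentation address standing in for xxx.xxx.xxx.xxx
};
"""

# Constructed sample after the thread's fixes: recursion on, hint zone on /dev/null,
# "forward only" in the forward zone, rndc channel limited to loopback.
CONF_AFTER = """
options {
  directory "/etc/namedb";
  recursion yes;
  allow-query { any; };
};
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." { type hint; file "/dev/null"; };
zone "foo.org" {
  type forward;
  forward only;
  forwarders { 192.0.2.53; 192.0.2.54; };
};
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', ' ', text)

def parse(text):
    """Parse named.conf syntax into statements: (words, blocks), where words are the
    bare tokens of the statement and blocks the parsed { ... } bodies, in order."""
    tokens = TOKEN_RE.findall(strip_comments(text))
    pos = 0
    def parse_block():
        nonlocal pos
        stmts, words, blocks = [], [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '{':
                blocks.append(parse_block())       # recurse; consumes the matching '}'
            elif tok == '}':
                break
            elif tok == ';':
                if words or blocks:
                    stmts.append((words, blocks))
                words, blocks = [], []
            else:
                words.append(tok.strip('"'))
        if words or blocks:
            stmts.append((words, blocks))
        return stmts
    return parse_block()

def statement(stmts, name):
    """First statement whose keyword is `name`, as (args, blocks), else None."""
    for words, blocks in stmts:
        if words and words[0] == name:
            return words[1:], blocks
    return None

def first_block(stmt):
    return stmt[1][0] if stmt and stmt[1] else []

def audit(text):
    """Return (code, message) findings for a named.conf text."""
    conf, findings = parse(text), []
    opts = first_block(statement(conf, 'options'))
    rec = statement(opts, 'recursion')
    recursion_on = rec is None or rec[0][:1] == ['yes']   # BIND 9 defaults to recursion yes
    query_any = any(w == ['any'] for w, _ in first_block(statement(opts, 'allow-query')))
    if recursion_on and query_any and statement(opts, 'allow-recursion') is None:
        findings.append(('open-recursion', "recursion on, allow-query 'any' and no allow-recursion: "
                         "any client can query through your forwarders; restrict allow-recursion"))
    global_only = (statement(opts, 'forward') or ([], []))[0][:1] == ['only']
    hints = []
    for words, blocks in conf:
        if words[:1] != ['zone']:
            continue
        name, body = words[1], (blocks[0] if blocks else [])
        ztype = (statement(body, 'type') or ([], []))[0][:1]
        if ztype == ['hint']:
            hints.append((name, body))
        if ztype != ['forward']:
            continue
        if not recursion_on:
            findings.append(('forward-needs-recursion', f"zone {name}: forward zones are answered "
                             "recursively; with 'recursion no' the server refuses them"))
        if not first_block(statement(body, 'forwarders')):
            findings.append(('no-forwarders', f"zone {name}: forward zone lists no forwarders"))
        if (statement(body, 'forward') or ([], []))[0][:1] != ['only'] and not global_only:
            findings.append(('forward-first', f"zone {name}: no 'forward only', so the default "
                             "'forward first' falls back to normal recursion; add 'forward only;'"))
    if not hints:
        findings.append(('no-hint-zone', "no hint zone: BIND uses its compiled-in root server "
                         "addresses and can still resolve every domain"))
    for name, body in hints:
        if (statement(body, 'file') or ([], []))[0][:1] == ['/dev/null']:
            findings.append(('hints-disabled', "hint zone file is /dev/null: non-forwarded "
                             "domains will get SERVFAIL"))
    for words, blocks in first_block(statement(conf, 'controls')):
        if words[:1] == ['inet'] and any(w == ['any'] for b in blocks for w, _ in b):
            findings.append(('controls-any', "controls: rndc channel allows 'any' source; "
                             "allow only 127.0.0.1 or trusted hosts"))
    return findings

if __name__ == '__main__':
    for label, conf in (('before', CONF_BEFORE), ('after', CONF_AFTER)):
        print(f"== {label} ==")
        for code, msg in audit(conf):
            print(f"  [{code}] {msg}")
```

Run it as-is to see the "before" config flagged for the recursion and forward-first problems the thread hit, and the "after" config left with only the two informational notes (hints disabled, recursion reachable by anyone allowed to query). To audit a live file, feed `open('/etc/namedb/named.conf').read()` to `audit()`; the parser ignores `include` contents, so check included files separately.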
Old 12-15-2010, 07:15 AM   #6
qwerty.yp
LQ Newbie
 
Registered: Dec 2010
Posts: 7

Original Poster
Rep: Reputation: 0
That did it.

Thank you so much. I really appreciate your help.

I had asked this question on another forum a few days ago but no one would even venture a guess as to what my problem was.

Thanks again!
 