BIND - Query Control

ddaas · 01-27-2011, 12:04 PM

Hi there !
I am using BIND9 and I wand to deny some queries per domain basis.

Example: I don't want client1 to query the server for Ip address (A) for domain.com

The server should respond with an error, no such domain, nothing, etc.
It's not authoritative for domain.com. I don't want the server to resolve recursive or iterative that domain.

How can I do that?

Thanks

bathory · 01-27-2011, 01:18 PM

Hi,

You can create an acl like:

Code:

acl "queries" { 192.168.0.0/24; !192.168.0.1;};

and use it (in the options part of named.conf) like:

Code:

allow-query {127.0.0.1; queries;};

This way localhost and the whole 192.168.0.0/24 network, except the 192.168.0.1 host, can query the server. You can do the same for allow-recursion if you want.

Regards

ddaas · 01-28-2011, 05:09 AM

I want something else. I want for example that client 192.168.0.5 could not query for google.com, abc.com, 1234.de etc. All other queries are allowed.

bathory · 01-28-2011, 05:51 AM

In this case, the only thing that comes in mind, is to use 2 views:
One for that host and configure your name server as authoritative for the domains you don't want him to visit and another view for the rest of the hosts.
In the 1st view you can either use fake zonefile(s), or make zonefile(s) to point to /dev/null, so he gets a SERVFAIL response

You understand of course, that he can use a different name server, so it'll be able to resolve any domain