LinuxQuestions.org
Old 06-05-2015, 11:24 AM   #1
dr.x
Member
 
Registered: Jan 2013
Posts: 151

Rep: Reputation: Disabled
DNS BIND help to resolve some sites and block others using "View"


Hi all,
I have a basic BIND config.
I need some IPs to be able to access some sites like google.com, ccn.com

and block all other domains.

I know I need to use the views function, similar to:


view "officeB" {
    match-clients { 192.168.2.0/24; };

    include "/etc/named.conf.zones-rfc1912";
    include "/etc/named.conf.zones-common";
    include "/etc/named.conf.zones-officeB";
};


But I want help with how to allow only those 2 domains and block all other domains?

As an example, the IP 1.1.1.1 needs to only see google.com and cnn.com.

What do I need in the named.conf file?

Cheers
 
Old 06-05-2015, 11:31 AM   #2
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
Bind is actually two different services combined. There is a resolving DNS server for looking up information, and a Hosting DNS server for giving information being looked up. What you want to do is disable "Recursive Look Up" in the configuration:

HOWTO Close an Open DNS
http://www.zytrax.com/books/dns/ch9/close.html
 
1 members found this post helpful.
Old 06-05-2015, 11:39 AM   #3
dr.x
Member
 
Registered: Jan 2013
Posts: 151

Original Poster
Rep: Reputation: Disabled
Thank you.

I have:

==================================================
options {
    listen-on port 53 { 127.0.0.1; xxxx; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; xxxxx; };
    recursion yes;
    ////////////////Extend limits
    recursive-clients 50000;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /////// forwarders { 199.85.126.20; 199.85.127.20; };
    forwarders { 198.153.192.50; };
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Can you tell me what I need to modify in the file above, as I asked you?
Cheers
 
Old 06-05-2015, 11:47 AM   #4
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
recursion yes;

Change that to no
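
An added example, not part of any post in this thread: a small Python check that reads the options block of a named.conf like the one posted in #3 and reports which clients are allowed to recurse. It follows the fallback documented in the BIND 9 ARM (9.4 and later): allow-recursion, then allow-query-cache, then allow-query, then the default "localnets; localhost;". The function names and the sample addresses (documentation range 192.0.2.0/24) are constructed for illustration, and the parser assumes flat address-match lists with no nested or negated ACLs.

```python
import re

# Constructed sample modelled on the options block posted in #3
# (redacted addresses replaced with documentation-range values).
SAMPLE = '''
options {
    listen-on port 53 { 127.0.0.1; 192.0.2.53; };
    allow-query { localhost; 192.0.2.0/24; };
    recursion yes;
    // forwarders { 199.85.126.20; };
    forwarders { 198.153.192.50; };
};
'''

OPEN = {"any", "0.0.0.0/0", "::/0"}        # entries that admit every client
DEFAULT_ACL = ["localnets", "localhost"]   # BIND default when nothing is set

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /* ... */
    return re.sub(r"(//|#).*", "", text)               # // ... and # ...

def acl(text, name):
    """Return the flat address-match list for `name`, or None if unset."""
    m = re.search(r"(?<![\w-])%s\s*\{([^{}]*)\}" % re.escape(name), text)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def effective_recursion(conf):
    """Work out who may recurse and which statement decided it."""
    text = strip_comments(conf)
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    if m and m.group(1) == "no":
        return {"recursion": False, "source": None, "clients": [], "open": False}
    # First statement that is set wins, in the ARM's documented order.
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        clients = acl(text, name)
        if clients is not None:
            break
    else:
        name, clients = "default", DEFAULT_ACL
    return {"recursion": True, "source": name, "clients": clients,
            "open": any(c in OPEN for c in clients)}

if __name__ == "__main__":
    print(effective_recursion(SAMPLE))
```

For the sample, recursion is limited by allow-query, so the server is not an open resolver even with "recursion yes;". Setting "recursion no;" turns off recursion for every client, including the listed ones.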
 
Old 06-05-2015, 12:47 PM   #5
dr.x
Member
 
Registered: Jan 2013
Posts: 151

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by joec@home View Post
recursion yes;

Change that to no

OK, I will do that... but

Thank you. Asking about the below:

view "officeB" {
    match-clients { 192.168.2.0/24; };

    include "/etc/named.conf.zones-rfc1912";
    include "/etc/named.conf.zones-common";
    include "/etc/named.conf.zones-officeB";
};


What do I need to modify in the above so that only google/cnn works and other sites are blocked?

Do I need to include the

include "/etc/named.conf.zones-rfc1912";
include "/etc/named.conf.zones-common";
include "/etc/named.conf.zones-officeB";

lines?


Thanks
 
Old 06-05-2015, 01:27 PM   #6
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
My apologies, I think there might be a language barrier problem here. Are you trying to prevent people from using a hosting DNS server as a resolver? Or are you trying to control network traffic as the resolver for that network?
 
Old 06-05-2015, 04:05 PM   #7
dr.x
Member
 
Registered: Jan 2013
Posts: 151

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by joec@home View Post
My apologies, I think there might be a language barrier problem here. Are you trying to prevent people from using a hosting DNS server as a resolver? Or are you trying to control network traffic as the resolver for that network?

I want some IPs like
192.168.1.10-192.168.1.20 to only be able to access the google/cnn sites, and no other sites.


I feel that I need to use the View function that matches the source IP and matches the domains that are allowed and blocks the others.


That's what I need to do and that's why I am asking the question here.


Cheers
 
Old 06-05-2015, 04:18 PM   #8
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
While DNS is one possible method, I'm not certain it would be the best or easiest. Nor am I certain I could answer your question fully. However, that said, what about other functions? The system needs to contact its vendor (Microsoft? Redhat?) for updates. Any other services other than web, such as e-mail? Will it need to access those as well? I'm thinking perhaps Squid for controlling only the web traffic, since it specifically has that feature built into it, but I'm not certain how it would be configured. Though it would be far less painful than the customization Bind would need to control it from the DNS level. Hopefully, if nothing else, I am pointing you in the right direction.

Squid: Optimising Web Delivery
http://www.squid-cache.org/

DansGuardian
https://wiki.archlinux.org/index.php/DansGuardian

Last edited by joec@home; 06-05-2015 at 04:20 PM.
 
Old 06-05-2015, 04:39 PM   #9
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Rep: Reputation: 4
What if someone uses 8.8.8.8 as the DNS server? As mentioned, Squid is the best solution for that.
 
Old 06-05-2015, 05:38 PM   #10
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
Quote:
Originally Posted by paul2015 View Post
What if someone uses 8.8.8.8 as the DNS server? As mentioned, Squid is the best solution for that.

Now you are getting into a whole different issue of what the network users have access to. If the network users have the knowledge and access to the TCP settings on the systems, then you're fighting an endless uphill battle that you cannot win. You're better off with company policies that would allow a manager to fire an employee for wasting company resources.
 
Old 06-06-2015, 03:07 AM   #11
dr.x
Member
 
Registered: Jan 2013
Posts: 151

Original Poster
Rep: Reputation: Disabled
Guys, please don't make it a complex task.

I don't want Squid there...

All users will have my DNS IP and no one can change it.

I just need the solution as I mentioned above.

I need to allow some domains and block all other domains based on the source IP.

Please help me.

Cheers
 
Old 06-06-2015, 05:38 PM   #12
dr.x
Member
 
Registered: Jan 2013
Posts: 151

Original Poster
Rep: Reputation: Disabled
Guys, any help?


Awaiting your help.


Cheers
 
  

