Stupid DNS tricks -- the "black hole" DNS

John Manly jwmanly at amherst.edu
Wed Apr 21 15:34:13 UTC 2004


Greetings.  Here at my institution, we are doing what many other
institutions are doing in terms of forcing users to register when they
first connect to the network.  A critical part of this is that we are
running a "black hole" DNS resolver configured such that no matter what
name is requested, the A record returned points to a particular IP
address.  There are several templates for doing this on the web, and our
configuration files for this are below.  On the whole, this all works
fine.

My question is, is there a straightforward way to exclude a particular
domain from this black hole effect?  That is, suppose I want name
queries for any DNS name to point to the common IP number EXCEPT those
for any address in the GOOGLE.COM domain.  Assuming that I don't want to
just enter in my own A records for all of Google's services, is there a
way that name resolution within the google.com namespace works properly
(querying either Google's name servers, or the root servers, or
whatever)?

Our current configuration is below.  The result is that any query
against this resolver of any DNS name other than "test", resolves to IP
172.20.1.1. A lookup of "test" resolves to "172.20.2.2".  What I want is
for this behavior to continue, EXCEPT for DNS names in the "google.com"
domain.  So that if a user queries for "www.google.com", for example,
they would get back the proper IP number(s).  (I realize in this case
that I would probably have to except both google.com and
google.akadns.net domains, since it appears that www.google.com is a
CNAME to a name in the akadns.net domain.  But what I'm looking for here
is the concept/principles involved.  I'm not necessarily looking to
support this functionality with the google domain in particular.)

In particular, can I just add in the NS records for the domains I care
about (which probably don't change very often and are easy to enumerate)
to get this to work, or is there a better/cleaner way to, for example,
force this resolver to forward requests to my regular resolvers for
particular names/domains?

Thanks for any help!

-- John W. Manly  <jwmanly at amherst.edu>
   Systems and Networking, Amherst College


-------- [The named.conf file] ---------

// named.conf for NetReg
// Belongs at /etc/named.conf
options {
        directory "/var/named/";
        recursion no;
#       fetch-glue no;
        listen-on { 172.20.1.1; };
};

zone "." in {
        type master;
        file "db.root";
};


-------- [The db.root file] ---------

; Bind 8 -- Zone file -- for NetReg
; Belongs at /etc/db.root
$TTL 3600

. IN SOA netreg.amherst.edu.  root.amherst.edu. (   ; RNAME is written with a dot, not "@"
                        1       ; serial
                        10800   ; refresh
                        3600    ; retry
                        604800  ; expire
                        86400   ; minimum (negative-caching TTL)
                        )

                        IN      NS      netreg.amherst.edu.

test                    86400   IN      A       172.20.2.2
netreg                  86400   IN      A       172.20.1.1
; Wildcard at the root: any name not matched above gets the NetReg address.
*.                      86400   IN      A       172.20.1.1
1.1.20.172.in-addr.arpa.        IN      PTR     netreg.amherst.edu.



$ nslookup -q=A www.google.com
Server:         148.85.1.3
Address:        148.85.1.3#53
Non-authoritative answer:
www.google.com  canonical name = www.google.akadns.net.
Name:   www.google.akadns.net
Address: 64.233.161.104
Name:   www.google.akadns.net
Address: 64.233.161.99

