"sinkhole" DNS with external hosts

Chuck Anderson cra at WPI.EDU
Sat Sep 19 14:13:22 UTC 2015


I'm not sure keeping "dnssec-enable yes" is a good idea, because you
are creating a fake root zone and you won't have the real root keys to
sign answers with.

The best way I've found to allow some DNS queries to resolve to their
regular answers is to create a forward-only zone.  That way you don't
have to keep a copy of the real RDATA up to date in your own zone
file.  You also need to add fake NS delegation entries for the zones
you are overriding.  Here is how I did it for apple.com:

named.conf:

        zone "." in {
                type master;
                file "/var/named/fakeroot.zone";
        };

        zone "." in {
                type hint;
                file "/var/named/named.root";
        };

// Allow clients to resolve real addresses of Apple services for new device registration
// You also need matching fake NS records in the fake root zone to allow the forward-only
// zones to work.
        zone "apple.com" {
                type forward;
                forward only;
                forwarders { ip1.of.real.recursive.dns.server; ip2.of.real.recursive.dns.server; };
        };

named.root:

.       3600    IN NS fakens.
fakens. 3600    A       ip.of.captive.portal.server


fakeroot.zone:

$ORIGIN .
$TTL 2
. IN SOA localhost. root.localhost. ( 2015082010   ; serial
                                        3600    ; refresh
                                        1       ; retry
                                        604800  ; expire
                                        86499   ; minimum
                                        )
                                NS fakens.
fakens.                         IN A            ip.of.captive.portal.server

; Allow clients to resolve real addresses of Apple services for new device registration
; These NS records are fake/unused but they allow the matching forward-only
; zones in named.conf to work with the fake root zone.
apple.com.                      IN NS           fakens.

; Any zones referenced above must have an explicit wildcard entry
; for ALL the parent zones here for them to be able to resolve to
; the captive portal server.  Otherwise you will get NXDOMAIN
; for those names, which is probably not what you want.
*.com.                          IN A            ip.of.captive.portal.server
*.                              IN A            ip.of.captive.portal.server
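
The wildcard point above is the one that trips people up, so here is a small added illustration that is not part of the post or of BIND: a toy lookup over the fake root zone implementing just enough of the RFC 4592 wildcard rules (closest encloser, empty non-terminals, delegation cut) to show why an "apple.com." NS record makes "*.com." necessary in addition to "*.". The record set and the 192.0.2.1 address are constructed placeholders standing in for ip.of.captive.portal.server; the lookup function is a simplification and not BIND's own resolver.

```python
"""Toy authoritative lookup for a sinkhole "fake root" zone (added example).

Shows why, once 'apple.com. NS' exists, 'com' becomes an empty non-terminal
and '*.' no longer covers names under com: a separate '*.com.' is needed.
"""

CAPTIVE = "192.0.2.1"  # placeholder for ip.of.captive.portal.server


def labels(name):
    """'www.apple.com.' -> ['com', 'apple', 'www'] (root label omitted)."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]


def build_zone(records):
    """Return (rrsets, nodes).

    rrsets: {(owner, type): [rdata, ...]}
    nodes:  every owner name plus the empty non-terminals implied by them,
            e.g. 'apple.com.' also creates the node 'com.'.
    """
    rrsets = {}
    nodes = {"."}
    for owner, rtype, rdata in records:
        rrsets.setdefault((owner, rtype), []).append(rdata)
        labs = labels(owner)
        for i in range(1, len(labs) + 1):
            nodes.add(".".join(reversed(labs[:i])) + ".")
    return rrsets, nodes


def lookup(zone, qname, qtype="A"):
    """Walk the tree label by label, as an authoritative server would.

    Returns (status, rdata_list) with status one of
    ANSWER, WILDCARD, DELEGATION, NXDOMAIN.
    """
    rrsets, nodes = zone
    labs = labels(qname)
    current = "."
    for i in range(len(labs)):
        nxt = ".".join(reversed(labs[:i + 1])) + "."
        if nxt not in nodes:
            # Name does not exist; 'current' is the closest encloser.
            # Only a wildcard directly under the closest encloser can match.
            wild = "*." if current == "." else "*." + current
            if wild in nodes:
                return "WILDCARD", rrsets.get((wild, qtype), [])
            return "NXDOMAIN", []
        current = nxt
        # An NS RRset below the apex is a delegation cut: the fake root does
        # not answer for names under it (BIND hands them to the forward zone).
        if current != "." and (current, "NS") in rrsets:
            return "DELEGATION", rrsets[(current, "NS")]
    return "ANSWER", rrsets.get((current, qtype), [])


# Constructed sample zone mirroring the structure of fakeroot.zone above.
BASE_RECORDS = [
    (".", "NS", "fakens."),
    ("fakens.", "A", CAPTIVE),
    ("apple.com.", "NS", "fakens."),
    ("*.", "A", CAPTIVE),
]


def compare():
    """Same queries against the zone with and without the '*.com.' wildcard."""
    without_com = build_zone(BASE_RECORDS)
    with_com = build_zone(BASE_RECORDS + [("*.com.", "A", CAPTIVE)])
    return {
        "google without *.com": lookup(without_com, "www.google.com."),
        "google with *.com": lookup(with_com, "www.google.com."),
        "apple (delegated)": lookup(with_com, "www.apple.com."),
        "org (covered by *.)": lookup(with_com, "example.org."),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:22} -> {result}")
```

Running it shows www.google.com returning NXDOMAIN until "*.com." is added, www.apple.com falling under the delegation cut (so the forward-only zone gets to answer it), and example.org still being caught by the top-level "*." because "org" never became an empty non-terminal.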


On Sat, Sep 19, 2015 at 01:37:31PM +0000, Sergey Emantayev wrote:
> Hello DNS gurus,
> 
> I'm mastering a sinkhole DNS for a quarantine VLAN. My sinkhole DNS resolves any request to the same host - so that the quarantined clients get redirected to my server. I have following DNS configuration (running bind-9.8.2-0.17.rc1 on RHEL 6.4):
> 
> options {
>         listen-on port 53 { 10.10.0.1;};
>         // listen-on-v6 port 53 { ::1; };
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query     { 10.10.0.0/24; };
>         allow-transfer {"none";};
>         recursion no;
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside auto;
> 
>         /* Path to ISC DLV key */
>         bindkeys-file "/etc/named.iscdlv.key";
> 
>         managed-keys-directory "/var/named/dynamic";
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> zone "." IN {
>         type master;
>         file "/var/named/named.sinkhole";
> };
> 
> // include "/etc/named.rfc1912.zones";
> 
> include "/etc/named.root.key";
> 
> The file /var/named/named.sinkhole has following content:
> 
> $TTL 600
> @       IN SOA  localhost root.localhost. (
>                                         11      ; serial
>                                         3H      ; refresh
>                                         15M     ; retry
>                                         1W      ; expire
>                                         1D )    ; minimum
>         IN NS   @
>         IN A    10.10.0.1
> *       IN A    10.10.0.1
> 
> So far this is working perfectly.
> I have a new requirement now - the quarantined client should have access to an external host. I have added the following configuration to /etc/named.conf:
> 
> zone "test.com" IN {
>         type master;
>         file "/var/named/named.test";
> };
> 
> /var/named/named.test:
> 
> 
> $TTL 600
> @       IN SOA  ns.test.com. root.localhost. (
>                                         22      ; serial
>                                         3H      ; refresh
>                                         15M     ; retry
>                                         1W      ; expire
>                                         1D )    ; minimum
>         IN NS   ns.test.com.
> ns      IN A    10.10.0.1
> www     IN A    X.X.X.X ;; X is replaced to an actual IP address
> 
> Unfortunately my naive approach did not work. "www.test.com" is still resolved to 10.10.0.1 and I see that the global zone "." is always hit unless I comment out the global zone definition.
> 
> I'm a bit new to DNS. Any help is appreciated. Ideally my DNS should delegate the "www.test.com" request and not store its IP locally.
>  
> Many Thanks,
> 
> Sergey Emantayev
