Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

Chris Buxton clists at buxtonfamily.us
Tue Apr 11 17:17:18 UTC 2017


> On Apr 11, 2017, at 2:19 AM, Manuel Ramírez <manuel.ramirez at grupoica.com> wrote:
> 
> Hi,
> 
> I would like to allow queries for specific blogspot.com subdomains and block the rest of the queries.
> I have a file with several zones configured; one of those zones is the specific subdomain, type "forward":
> 
> zone "w.blogspot.com" IN { type forward; forwarders { 213.0.184.85; 213.0.184.88; };};
> 
> and below I have the zone blogspot.com as master resolving to an internal IP:
> 
> zone "blogspot.com" IN { type master; file "/var/named/data/db.sinkhole"; };
> 
> 
> But it is not working; it always resolves the internal IP address. I thought it evaluated the zones in order and should first forward the query for w.blogspot.com, but it is always matching the other zone.
> Any idea about how I can achieve my goal?

No, order is not considered. Rather, there are two separate searches:

- Is there an authoritative answer available from local data? In this case, yes, because you have a sinkhole zone named "blogspot.com", from which an authoritative negative answer can be derived.
- If the first search does not return an answer, then use the recursion algorithm, including checking the cache and checking for the most specific forwarding configuration (if any) that would apply.

Doing what you want is better solved using RPZ, as Tony Finch mentioned. To do this, do not define these two zone statements. Instead, define a response policy zone that says that *.blogspot.com should be blocked, but that specific names (e.g. w.blogspot.com) should be whitelisted. Read the BIND v9 ARM for details on how to accomplish this.

Regards,
Chris Buxton
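An RPZ zone file that does what the reply describes, added here as an illustration and not taken from the thread or from the BIND documentation; the zone name rpz.local, its file path, the SOA names and the serial are assumptions. It is loaded with an ordinary `zone "rpz.local" { type master; file "..."; };` statement and activated by `response-policy { zone "rpz.local"; };` inside `options {}` in named.conf.

```bind
; Assumed file: /var/named/data/db.rpz.local (constructed example, not from the thread)
; named.conf:  options { response-policy { zone "rpz.local"; }; };
;              zone "rpz.local" { type master; file "/var/named/data/db.rpz.local"; };
$TTL 300
$ORIGIN rpz.local.
@               IN SOA  ns.rpz.local. hostmaster.rpz.local. (
                        2017041101 ; serial (constructed)
                        3600       ; refresh
                        900        ; retry
                        604800     ; expire
                        300 )      ; negative-cache TTL
                IN NS   ns.rpz.local.
ns              IN A    127.0.0.1  ; placeholder glue; the RPZ zone is consulted locally, never queried over the wire

; QNAME triggers. "CNAME ." is the NXDOMAIN action: it covers the apex and,
; via the wildcard, every subdomain that has no more specific trigger.
; To sinkhole to an internal address instead of returning NXDOMAIN, use a
; Local Data action, e.g. "IN A 192.0.2.10" (documentation address), in place of "CNAME .".
blogspot.com    IN CNAME .
*.blogspot.com  IN CNAME .

; Whitelist entry. An exact QNAME trigger takes precedence over the wildcard,
; and "rpz-passthru." tells named to answer the query normally, so w.blogspot.com
; is resolved by ordinary recursion (or by whatever forwarding applies to it).
w.blogspot.com  IN CNAME rpz-passthru.
```

Bump the serial and `rndc reload` after each change; the order of records in the file is irrelevant, only trigger specificity decides which policy applies.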