Restricted bind to my domain only

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Tue Jan 17 22:54:33 UTC 2017


Seems like your requirements call for the classic, old-school "internal root" setup. Define your own root zone that *only* has delegations for example.com and whatever parts of the in-addr.arpa namespace you want to resolve. That way, everything outside the example.com namespace and the in-addr.arpa namespace(s) will get an NXDOMAIN response.

After doing that, you may find that you don't even need the "type forward" definition for example.com. If you happen to run across a subzone that isn't delegated properly, you can probably work around that "broken" subzone with a "stub" zone definition until it can be fixed. Forwarding is usually to be considered a last resort, if you really *cannot* talk directly to any of the authoritative nameservers for a given zone (e.g. in a DMZ scenario).

											- Kevin


-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Luis Felipe Dominguez Vega
Sent: Monday, January 16, 2017 10:17 AM
To: bind-users at lists.isc.org
Subject: Restricted bind to my domain only

Hello, I was searching Google for my problem, but I think it is better to write to the list. I am using BIND with Samba 4 (with BIND_DLZ) serving the domain mtz.example.com, but I need to resolve, through another server, the queries for the domain example.com and other subdomains (like grm.example.com, vcl.example.com), and I don't want to resolve anything else (to prevent DNS tunnelling).
So I need to enable recursion and permit my network to use that recursion; the problem is that it always resolves google.com, facebook.com, etc., and I want to resolve only the names in Samba (BIND_DLZ) and have all others forwarded by my other server. Files:

Note: 192.168.44.2 is my forwarding DNS server, which only accepts the example.com domain and its subdomains.

named.conf:
===========================================================================
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
===========================================================================

named.conf.options:
===========================================================================
options {
        directory "/var/cache/bind";
        dump-file "/var/cache/bind/data/cache_dump.db";
        statistics-file "/var/cache/bind/data/named_stats.txt";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        datasize default;
        empty-zones-enable no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        #recursion no;

        allow-query     { 192.168.0.0/24; 10.11.0.0/24; 127.0.0.1/8; };
        allow-recursion { 127.0.0.1/8; 192.168.0.0/24; 10.11.0.1/24; };
        allow-update    { 127.0.0.1; };
        allow-transfer  { 192.168.0.0/24; };

        version none;
        hostname none;
        server-id none;

        listen-on-v6 { none; };
};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                severity info;
        };

        category xfer-in        { xfer-log; };
        category xfer-out       { xfer-log; };
        category notify         { xfer-log; };
};

statistics-channels {
        inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};
===========================================================================

named.conf.default-zones
===========================================================================
// prime the server with knowledge of the root servers
#zone "." {
#  type hint;
#  file "/etc/bind/db.empty";
#};
#zone "." {
#        type forward;
#        forward only;
#        forwarders { 192.168.44.2; };
#};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "example.com" {
        type forward;
        forward only;
        forwarders { 192.168.44.2; };
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
===========================================================================
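As an added example (not part of Kevin's reply or of Luis's posted configuration), here is the internal-root setup Kevin describes applied to the configuration quoted above: the private root zone carries only the delegations for example.com and the two reverse ranges from the post, so any name outside them is answered NXDOMAIN locally and never reaches a forwarder. The nameserver names, the address of ns1 and the stub zone choice are assumptions.

```bind
// --- named.conf.default-zones: internal root instead of hint/forward zones ---
// Serve a private root zone. Only names delegated in it can be resolved;
// everything else gets NXDOMAIN from this server, with no forwarding at all.
zone "." {
        type master;
        file "/etc/bind/db.internal-root";
};

// mtz.example.com stays on the Samba DLZ include: a zone this server is
// authoritative for is always answered locally, whatever the root delegates.

// A subzone that is not delegated correctly on 192.168.44.2 can be covered
// with a stub zone until it is fixed (grm.example.com from the original post).
zone "grm.example.com" {
        type stub;
        masters { 192.168.44.2; };
        file "stub.grm.example.com";
};

// Caveat: "dnssec-validation auto;" in named.conf.options installs the public
// root trust anchor, which a private root cannot satisfy, so validated answers
// below the delegation would SERVFAIL. Disable validation, or sign the internal
// root and configure its own trust anchor, before switching over.

; --- /etc/bind/db.internal-root (zone file; hostnames below are assumed) ---
$TTL 86400
$ORIGIN .
@                       IN SOA  ns1.mtz.example.com. hostmaster.mtz.example.com. (
                                2017011701 ; serial
                                3600       ; refresh
                                900        ; retry
                                604800     ; expire
                                300 )      ; negative-cache TTL for the NXDOMAINs
@                       IN NS   ns1.mtz.example.com.
ns1.mtz.example.com.    IN A    192.168.0.53   ; glue; assumed address of this server

; Delegate example.com to the server at 192.168.44.2 (assumed name dns.example.com).
example.com.            IN NS   dns.example.com.
dns.example.com.        IN A    192.168.44.2   ; glue

; Delegate only the reverse zones for the networks named in the original post.
168.192.in-addr.arpa.   IN NS   dns.example.com.
11.10.in-addr.arpa.     IN NS   dns.example.com.
```

Check the zone with `named-checkzone . /etc/bind/db.internal-root` and confirm the behaviour with `dig @127.0.0.1 www.google.com`, which should return NXDOMAIN without any outbound query.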