Restricted bind to my domain only

Darcy Kevin (FCA) kevin.darcy at
Tue Jan 17 22:54:33 UTC 2017

Seems like your requirements call for the classic, old-school "internal root" setup. Define your own root zone that *only* has delegations for and whatever parts of the namespace you want to resolve. That way, everything outside the namespace and the namespace(s) will get an NXDOMAIN response.

After doing that, you may find that you don't even need the "type forward" definition for If you happen to run across a subzone that isn't delegated properly, you can probably work around that "broken" subzone with a "stub" zone definition, until it can be fixed. Forwarding is usually to be considered as a last resort, if you really *cannot* talk directly to any of the authoritative nameservers for a given zone (e.g. in a DMZ scenario).

											- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at] On Behalf Of Luis Felipe Dominguez Vega
Sent: Monday, January 16, 2017 10:17 AM
To: bind-users at
Subject: Restricted bind to my domain only

Hello, I was searching in Google to find my problem, but I think it is better to write to the list. I am using BIND with Samba 4 (with BIND_DLZ) serving the domain, but I need to resolve through another server the queries to the domain and other subdomains (like,, but I don't want to resolve any other (to prevent DNS tunnelling).
So I need to enable recursion and permit that recursion to my network; the problem is that it always resolves,, etc., and I only want to resolve the names in Samba (BIND_DLZ) and have all the others forwarded by my other server, files.

Note: is my forward DNS server that only accepts domains and subdomains

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

options {
        directory "/var/cache/bind";
        dump-file "/var/cache/bind/data/cache_dump.db";
        statistics-file "/var/cache/bind/data/named_stats.txt";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        datasize default;
        empty-zones-enable no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        #recursion no;

        allow-query     {;;; };
        allow-recursion {;;; };
        allow-update    {; };
        allow-transfer  {; };

        version none;
        hostname none;
        server-id none;

        listen-on-v6 { none; };
};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                severity info;
        };

        category xfer-in        { xfer-log; };
        category xfer-out       { xfer-log; };
        category notify         { xfer-log; };
};

statistics-channels {
        inet port 8653 allow {; };
};
===========================================================================

// prime the server with knowledge of the root servers
#zone "." {
#        type hint;
#        file "/etc/bind/db.empty";
#};
#zone "." {
#        type forward;
#        forward only;
#        forwarders {; };
#};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "" {
        type forward;
        forward only;
        forwarders {; };
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "" {
        type master;
        file "/etc/bind/db.127";
};

zone "" {
        type master;
        file "/etc/bind/db.0";
};

zone "" {
        type master;
        file "/etc/bind/db.255";
};
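
The "internal root" setup Kevin recommends above, written out as an added example (not configuration from either post) in place of the forwarding `zone "."` in the config above: this server is master for "." and the root file delegates only the namespaces that should resolve, so every other name is answered NXDOMAIN locally instead of being forwarded. The domain names, addresses and file paths (corp.example, partner.example, 10.0.0.0/8, /etc/bind/db.internal-root) are placeholders, not values from the thread.

```conf
// ---- named.conf.local (placeholder path) -----------------------------
// Internal root instead of a forwarding "." zone: this server is
// authoritative for "." and the root file below delegates only the
// wanted namespaces, so every other name gets NXDOMAIN from this
// server and nothing is sent to the Internet roots or a forwarder.
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query     { 10.0.0.0/8; localhost; };   // placeholder network
        allow-recursion { 10.0.0.0/8; localhost; };
        empty-zones-enable no;
        // Caveat: "dnssec-validation auto" trusts the IANA root key, which
        // cannot validate an unsigned internal root; turn validation off
        // (or configure your own trust anchor) or validation fails.
        dnssec-validation no;
};

// No "type hint" root and no forwarders: the root is served from disk.
zone "." {
        type master;
        file "/etc/bind/db.internal-root";
};

// Kevin's workaround for a badly delegated subzone: a stub zone pulls
// just the NS/glue records from that subzone's own server.
zone "broken.corp.example" {
        type stub;
        masters { 10.0.2.53; };            // placeholder address
        file "stub.broken.corp.example";
};

; ---- /etc/bind/db.internal-root (placeholder path) -------------------
$TTL 3600
.                    IN SOA  ns1.corp.example. hostmaster.corp.example. (
                               2017011701 3600 900 604800 3600 )
.                    IN NS   ns1.corp.example.
ns1.corp.example.    IN A    10.0.0.53          ; this server (glue)

; Only these delegations exist; anything else under "." is NXDOMAIN.
corp.example.        IN NS   ns1.corp.example.  ; Samba/BIND_DLZ zone on this host
partner.example.     IN NS   ns.partner.example.
ns.partner.example.  IN A    10.0.1.53          ; glue for the delegation
```

Check both files with `named-checkconf` and `named-checkzone . /etc/bind/db.internal-root` before reloading.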

bind-users mailing list
bind-users at
