Restricted bind to my domain only
Darcy Kevin (FCA)
kevin.darcy at fcagroup.com
Tue Jan 17 22:54:33 UTC 2017
Seems like your requirements call for the classic, old-school "internal root" setup. Define your own root zone that *only* has delegations for example.com and whatever parts of the in-addr.arpa namespace you want to resolve. That way, everything outside the example.com namespace and the in-addr.arpa namespace(s) will get an NXDOMAIN response.
After doing that, you may find that you don't even need the "type forward" definition for example.com. If you happen to run across a subzone that isn't delegated properly, you can probably work around that "broken" subzone with a "stub" zone definition, until it can be fixed. Forwarding is usually to be considered as a last resort, if you really *cannot* talk directly to any of the authoritative nameservers for a given zone (e.g. in a DMZ scenario).
- Kevin
-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Luis Felipe Dominguez Vega
Sent: Monday, January 16, 2017 10:17 AM
To: bind-users at lists.isc.org
Subject: Restricted bind to my domain only
Hello, i was searching into google to find my problem, but i think that is better write to the list. I am using Bind with Samba 4 (with BIND_DLZ) serving the domain mtz.example.com, but i need resolv throw another server the querys to domain example.com and anothers subdomains (like grm.example.com, vcl.example.com), but i dont want resolve any other (to prevent DNS Tunnel).
So i need enable the recursion and permit to my network that recursion, the problem is that always resolve the google.com, facebook.com, etc... and i want only resolve the names into Samba (BIND_DLZ) and all others be forwarded by my another server, files.
Note: 192.168.44.2 is my forward DNS server that only accept example.com domains and subdomains
named.conf:
===========================================================================
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
===========================================================================
named.conf.options:
===========================================================================
options {
directory "/var/cache/bind";
dump-file "/var/cache/bind/data/cache_dump.db";
statistics-file "/var/cache/bind/data/named_stats.txt";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
datasize default;
empty-zones-enable no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
#recursion no;
allow-query { 192.168.0.0/24; 10.11.0.0/24; 127.0.0.1/8; };
allow-recursion { 127.0.0.1/8; 192.168.0.0/24; 10.11.0.1/24; };
allow-update { 127.0.0.1; };
allow-transfer { 192.168.0.0/24; };
version none;
hostname none;
server-id none;
listen-on-v6 { none; };
};
logging {
channel xfer-log {
file "/var/log/named.log";
print-category yes;
print-severity yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
statistics-channels {
inet 127.0.0.1 port 8653 allow { 127.0.0.1; }; }; ===========================================================================
named.conf.default-zones
===========================================================================
// prime the server with knowledge of the root servers #zone "." { # type hint; # file "/etc/bind/db.empty"; #}; #zone "." {
# type forward;
# forward only;
# forwarders { 192.168.44.2; };
#};
// be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912
zone "example.com" {
type forward;
forward only;
forwarders { 192.168.44.2; };
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
===========================================================================
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list