[SOLUTION] Re: Request assistance configuring RPZ

David Bank dbank at ncdot.gov
Tue Jun 11 20:05:07 UTC 2019


    About a week-and-a-half ago, I wrote into the list, looking for some 
help configuring RPZ. I wanted to have a name server (zurg) in a special 
network that, when queried for two specific hosts (andy and sid) in a 
zone, would give replies from its own information, while forwarding on all 
other requests to the "real" DNS servers (buzz, woody) for the zone and 
returning whatever they said.

    Thanks to Carl Byington for replying.

    The solution came from Grant Taylor, after some off-list discussion, but 
the idea was one he mentioned on-list - instead of using RPZ, configure 
the special name server with "Apex" zones for the two host names I needed 
to handle differently.

    So zurg regards himself as master of zones "andy.internal.local" and 
"sid.internal.local", and has a Zone file that returns specific 192.168/16 
addresses for them.

    For all other requests, zurg forwards to buzz and woody (which will 
return 10/8 addresses for everything).

    On zurg, the relevant parts of /etc/named.conf look like:

 	// These three statements live inside the options { } block.
 	options {
 		recursion yes;
 		// Restrict this to the special network's prefix in practice;
 		// "any" makes zurg an open resolver if it is reachable from elsewhere.
 		allow-recursion { any; };
 		//             (buzz)     (woody)
 		forwarders { 10.1.2.10; 10.1.2.20; };
 		// Without "forward only" named falls back to iterating from the
 		// root servers when the forwarders do not answer.
 		forward only;
 	};

 	// Each overridden host is the apex of its own tiny authoritative zone,
 	// so answers for exactly these names come from zurg's own files.
 	zone "andy.internal.local" in {
 		type master;
 		file "andy.internal.local.zone";
 	};

 	zone "sid.internal.local" in {
 		type master;
 		file "sid.internal.local.zone";
 	};

    Also, the Zone files look like:

 	$TTL 1D

 	; $ORIGIN must match the zone name in named.conf (trailing dot included),
 	; otherwise named refuses the SOA as "not at top of zone".
 	; andy.internal.local.zone is identical apart from the name and address.
 	$ORIGIN sid.internal.local.
 		@	IN SOA  @   ns (
 				201906030	; Serial #
 				2H		; refresh
 				4M		; retry
 				1W		; expiry (1M as originally posted; must exceed
 						;   refresh + retry for any secondary)
 				1H )		; minimum (negative-cache TTL)

 	; Apex record for the Zone - this is the answer clients get for sid.internal.local
 	@		IN	A	192.168.1.11
 	; Name server info for zone, with in-zone glue for ns
 	@		IN	NS	ns
 	ns		IN	A       192.168.1.10

    That does exactly what I was looking for, so thank you Grant.


More information about the bind-users mailing list