Resolve DNS Queries Based on Source IPs in BIND (NEED ADVICE)

Md. abdullah Al naser mail.naserbd at
Tue Nov 19 08:24:30 UTC 2019

Hi everyone, I hope you all are fine. I am new to the mailing list and looking for advice. If this mailing list is not suitable for my query below, then please pardon me.
I am stuck in a situation and looking for a solution. My scenario is as below.
I want to block some websites for all my users.
I did it using Response Policy Zone (RPZ) in BIND.

    response-policy { zone "rpz"; };
    rrset-order { order cyclic; };
    zone "rpz" {
        type master;
        allow-query { any; };
        file "/etc/bin/rpz.db";
    };

In my RPZ zone file I created CNAME entries for the above mentioned FQDNs, which have been pointed to

    IN CNAME;
    IN CNAME;

And later on, in the zone file (which is another fake zone) I created an A record for which has been pointed to (a fake IP).

    discard   IN  A;

In this way all the DNS requests from all my users for the above mentioned sites are resolved to and the real websites are unreachable.
(N.B. I am not worried about the situation when users change their DNS IP to any open resolver and can access the websites.)
Everything was going fine. By this time another requirement came into the picture. Now I need to block the mentioned websites for some specific users (based on source IP).
So in my RPZ configuration I specified the users' source IP block like below.

    zone "rpz" {
        type master;
        allow-query {; };
        file "/etc/bind/rpz.db";
    };

At this point the DNS queries from the specified block are resolved to my fake IP and all other requests from the rest of the IP blocks are dropped (as expected as per the configuration).
But I want to do it like this: the DNS queries from the blocks will be matched with the RPZ zone, and other requests from the rest of the IPs will bypass the RPZ configuration and will match my general "allow-query {any;}" statement mentioned in the named.conf file.
Will the logic work as I stated above? Any comments from the experts will be great for me.
(N.B. I came to know that resolving different IPs based on different sources can be possible in Knot DNS, but I would be happy to do it in BIND (if possible).)

Thanks & Regards,
Md. Abdullah Al Naser
Dhaka, Bangladesh
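In BIND, applying an RPZ to only some client ranges is normally done with views: each view has its own match-clients list and its own response-policy statement. The following named.conf fragment is an added example, not configuration from the post above; the 192.0.2.0/24 range, the file paths and the "sinkhole.example" zone name are placeholders.

```conf
// Added example: apply RPZ only to clients from a chosen source range.
// Placeholders: the 192.0.2.0/24 range, file paths, "sinkhole.example".

acl "filtered-clients" { 192.0.2.0/24; };

// Views are tried in order; the first view whose match-clients matches the
// query's source address handles it, so the filtered view is listed first.
view "filtered" {
    match-clients { filtered-clients; };
    recursion yes;
    allow-query { filtered-clients; };

    // response-policy is set per view, so only these clients get rewritten answers.
    response-policy { zone "rpz"; };

    zone "rpz" {
        type master;
        file "/etc/bind/rpz.db";
        // RPZ data is consulted internally; it need not be queryable by clients.
        allow-query { localhost; };
    };

    // Zone holding the A record that the RPZ CNAME entries point at (the sinkhole IP).
    zone "sinkhole.example" {
        type master;
        file "/etc/bind/sinkhole.example.db";
    };

    zone "." { type hint; file "/etc/bind/db.root"; };
};

// Everyone else: plain recursion with no response-policy, so RPZ is bypassed.
view "default" {
    match-clients { any; };
    recursion yes;
    allow-query { any; };

    zone "." { type hint; file "/etc/bind/db.root"; };
};
```

Once views are used, every zone (including the root hints) must be declared inside a view; named-checkconf validates the file before a reload.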

More information about the bind-users mailing list