selective forwarding resolver that isn't being selective
Mike
debian at good-with-numbers.com
Wed Aug 20 18:53:55 UTC 2025
Doug Freed wrote:
> It would be helpful if we could see your actual BIND configuration
Thanks for replying. Attached.
-------------- next part --------------
// named.conf: only pulls in the two files below (the options file first,
// then the local views/zones). Everything set in options applies to both
// views unless a view or zone statement overrides it.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
-------------- next part --------------
// Clients treated as internal. Used by allow-recursion (options) and as the
// match-clients / allow-query list of view "internal". The redacted entry
// stands for the internal address ranges; as pasted it is an empty list
// element, so the real prefixes have to be restored before this loads.
acl internals { localhost; /* internal CIDRs */; }; // internal systems
options {
    // Hide the software version from CH TXT version.bind queries.
    version " ";
    // Only internal clients may recurse; view "external" additionally
    // sets recursion no.
    allow-recursion { internals; };
    // Global default; the zones in view "external" override it with notify yes.
    notify no;
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // No IPv4 listen-on is given here, so named uses its default for IPv4.
    listen-on-v6 { any; };
    /* From http://www.sput.nl/internet/dns-morons.html to address
     * DNS rebinding attacks. */
    // Drops A/AAAA records in answers that point into these ranges unless
    // the query name is under "internal". NOTE(review): as far as I can
    // tell this is also applied to answers that come back through the
    // forward zones in view "internal", and the in-addr.arpa / ip6.arpa
    // names are not covered by except-from; when a forwarded lookup fails
    // unexpectedly, query-errors.log is the place to look for a filtered
    // answer. Confirm against the ARM for the BIND version in use.
    deny-answer-addresses {
        0.0.0.0; // unconfigured
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; // RFC 1918
        169.254.0.0/16; // RFC 3927
        ::/80;
        64:ff9b::/96; // RFC 6052
        2001:db8::/32; // reserved for documentation
        fc00::/7; // ULA
        fe80::/10; // link local
        fec0::/10; // site local
    } except-from { "internal"; };
    // Rejects CNAME/DNAME answers whose target is under "internal". There is
    // no except-from on this one, so it applies whatever the query name is.
    deny-answer-aliases { "internal"; };
    // Set at options level, so the policy is consulted in every view; each
    // view therefore carries its own copy of the "rpz.internal" zone.
    response-policy {
        zone "rpz.internal";
    };
};
logging {
    // All four channels: file logging with an unlimited number of rotated
    // files (only the 20m size cap bounds each file), debug severity and
    // ISO 8601 UTC timestamps. With severity debug the files grow quickly;
    // "versions unlimited" never removes old ones.
    channel "info_channel" {
        file "/var/log/info.log" versions unlimited size 20m;
        severity debug;
        print-time iso8601-utc;
        print-category yes;
        print-severity yes;
    };
    // NOTE(review): the "queries" category only receives entries while
    // query logging is switched on (querylog yes; in options, or rndc
    // querylog at runtime); nothing in the pasted options enables it, so
    // an empty queries.log does not mean no queries arrived.
    channel "queries_channel" {
        file "/var/log/queries.log" versions unlimited size 20m;
        severity debug;
        print-time iso8601-utc;
        print-severity yes;
    };
    // Answers rejected by the deny-answer-* filters and other per-query
    // failures land here; useful when a forwarded lookup silently fails.
    channel "query_errors_channel" {
        file "/var/log/query-errors.log" versions unlimited size 20m;
        severity debug;
        print-time iso8601-utc;
        print-severity yes;
    };
    channel "xfer_channel" {
        file "/var/log/xfer.log" versions unlimited size 20m;
        severity debug;
        print-time iso8601-utc;
        print-category yes;
        print-severity yes;
    };
    // Operational and security events share one file; queries and
    // query errors are split out; notify and zone transfers in both
    // directions go to the transfer log.
    category "config" { "info_channel"; };
    category "default" { "info_channel"; };
    category "general" { "info_channel"; };
    category "unmatched" { "info_channel"; };
    category "security" { "info_channel"; };
    category "queries" { "queries_channel"; };
    category "query-errors" { "query_errors_channel"; };
    category "notify" { "xfer_channel"; };
    category "xfer-in" { "xfer_channel"; };
    category "xfer-out" { "xfer_channel"; };
};
// TSIG key used to authenticate rndc to the control channel below.
// The secret is redacted in this paste.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "...";
};
// Control channel: loopback only, and the source ACL and the key
// requirement both have to be satisfied.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
-------------- next part --------------
//
// Do any local configuration here
//
// Recursive view for internal clients. View selection is by source address
// only (the "internals" acl from named.conf.options); any client not in
// that acl falls through to view "external" below.
view "internal" {
    match-clients { internals; };
    allow-query { internals; };
    // Empty list: no view-wide forwarding. Names that have no forward zone
    // below are resolved by iteration starting from the root hints.
    forwarders {};
    recursion yes;
    // RPZ for internal overrides
    // Policy zone is query-restricted to localhost and never transferred,
    // so its contents are not exposed to ordinary clients.
    zone "rpz.internal" {
        type primary;
        file "/etc/bind/rpz.internal";
        allow-query { localhost; };
        allow-transfer { none; };
    };
    // prime the server with knowledge of the root servers
    zone "." { type hint; file "/etc/bind/db.root"; };
    // some public domains of mine
    // Same zone files as the external copies. No allow-transfer is set here
    // and none is set in options, so these copies fall back to named's
    // built-in default for transfers. NOTE(review): that default depends on
    // the BIND version; allow-query does not restrict AXFR/IXFR, so check
    // it, or add allow-transfer { none; } as the rpz zone above does.
    zone "example1.com" { type primary; file "/etc/bind/example1.com"; };
    zone "example2.com" { type primary; file "/etc/bind/example2.com"; };
    zone "example1.org" { type primary; file "/etc/bind/example1.org"; };
    // Kubernetes--use CoreDNS
    // "forward only" never falls back to iteration: if the CoreDNS service
    // IP does not answer, lookups under these names fail rather than go to
    // the roots. The four names are redacted identically here; the real
    // ones must each match the exact reverse label that CoreDNS serves.
    // NOTE(review): if any of these sits inside an RFC 1918 reverse range,
    // also look at the automatic empty zones (empty-zones-enable /
    // disable-empty-zone) and verify which zone named actually matches
    // for a failing query.
    zone "....in-addr.arpa" { type forward; forward only; forwarders { /* CoreDNS service IP */; }; };
    zone "....in-addr.arpa" { type forward; forward only; forwarders { /* CoreDNS service IP */; }; };
    zone "....ip6.arpa" { type forward; forward only; forwarders { /* CoreDNS service IP */; }; };
    zone "....ip6.arpa" { type forward; forward only; forwarders { /* CoreDNS service IP */; }; };
    // internal network zones
    // Authoritative reverse and forward zones for the internal network;
    // presumably these must not overlap the forward zones above.
    zone "....in-addr.arpa" { type primary; file "/etc/bind/db...."; };
    zone "....d.f.ip6.arpa" { type primary; file "/etc/bind/db.fd..."; };
    zone "internal" { type primary; file "/etc/bind/internal"; };
    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" { type primary; file "/etc/bind/db.local"; };
    zone "127.in-addr.arpa" { type primary; file "/etc/bind/db.127"; };
    zone "0.in-addr.arpa" { type primary; file "/etc/bind/db.0"; };
    zone "255.in-addr.arpa" { type primary; file "/etc/bind/db.255"; };
};
// Authoritative-only view. It has no match-clients, so it catches every
// client that view "internal" did not match.
view "external" {
    recursion no;
    // RPZ for internal overrides
    // NOTE(review): the policy zone is presumably loaded here because
    // response-policy in options names it for every view; with recursion
    // off this view only gives authoritative answers.
    zone "rpz.internal" {
        type primary;
        file "/etc/bind/rpz.internal";
        allow-query { localhost; };
        allow-transfer { none; };
    };
    // prime the server with knowledge of the root servers
    // Hints are only consulted for recursive resolution, which is disabled
    // in this view, so this zone appears to be inert here.
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    // Public zones: notify yes overrides the global notify no. Transfers
    // are gated by the secondary's address only; there is no TSIG key on
    // allow-transfer, so a spoofed source address is the only thing
    // standing between a third party and an AXFR of the zone.
    zone "example1.com" {
        type primary;
        file "/etc/bind/example1.com";
        notify yes;
        allow-transfer { /* secondary server IP */; };
        also-notify { /* secondary server IP */; };
    };
    zone "example2.com" {
        type primary;
        file "/etc/bind/example2.com";
        notify yes;
        allow-transfer { /* secondary server IP */; };
        also-notify { /* secondary server IP */; };
    };
    zone "example1.org" {
        type primary;
        file "/etc/bind/example1.org";
        notify yes;
        allow-transfer { /* secondary server IP */; };
        also-notify { /* secondary server IP */; };
    };
};