<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div id="yui_3_16_0_1_1442612731152_3637"><span id="yui_3_16_0_1_1442612731152_3713">Hello DNS gurus,</span></div><div id="yui_3_16_0_1_1442612731152_3637"><span><br></span></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr"><span id="yui_3_16_0_1_1442612731152_3714">I'm mastering a sinkhole DNS for a quarantine VLAN. My </span>sinkhole DNS resolves any request to the same host - so that the quarantined clients get redirected to my server. I have following DNS configuration (running bind-9.8.2-0.17.rc1 on RHEL 6.4):</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr"><br></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">options {</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> listen-on port 53 { 10.10.0.1;};</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> // listen-on-v6 port 53 { ::1; };</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> directory "/var/named";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> dump-file "/var/named/data/cache_dump.db";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> statistics-file "/var/named/data/named_stats.txt";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> memstatistics-file "/var/named/data/named_mem_stats.txt";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> allow-query { 10.10.0.0/24; };</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> allow-transfer {"none";};</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> recursion no;</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br id="yui_3_16_0_1_1442612731152_3852" class=""></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> dnssec-enable yes;</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> dnssec-validation yes;</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> dnssec-lookaside auto;</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br id="yui_3_16_0_1_1442612731152_3858" class=""></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> /* Path to ISC DLV key */</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> bindkeys-file "/etc/named.iscdlv.key";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br id="yui_3_16_0_1_1442612731152_3863" class=""></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> managed-keys-directory "/var/named/dynamic";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">};</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br id="yui_3_16_0_1_1442612731152_3868" class=""></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">logging {</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> channel default_debug {</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> file "data/named.run";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> severity dynamic;</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> };</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">};</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br id="yui_3_16_0_1_1442612731152_3877" class=""></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">zone "." IN {</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> type master;</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> file "/var/named/named.sinkhole";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">};</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br id="yui_3_16_0_1_1442612731152_3884" class=""></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">// include "/etc/named.rfc1912.zones";<br></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">include "/etc/named.root.key";</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">The file /var/named/named.sinkhole has following content:</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""><br></div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">$TTL 600</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">@ IN SOA localhost root.localhost. (</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> 11 ; serial</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> 3H ; refresh</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> 15M ; retry</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> 1W ; expire</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> 1D ) ; minimum</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> IN NS @</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class=""> IN A 10.10.0.1</div><div id="yui_3_16_0_1_1442612731152_3637" dir="ltr" class="">* IN A 10.10.0.1</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><br id="yui_3_16_0_1_1442612731152_3943" class=""></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">So far this is working perfect.</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">I have a new requirement now - the quarantined client should have an access to an external host. I haved added following configuration to /etc/named.conf:</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">zone "test.com" IN {</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> type master;</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> file "/var/named/named.test";</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">};</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">/var/named/named.test:<br></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">$TTL 600</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">@ IN SOA ns.test.com. root.localhost. (</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> 22 ; serial</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> 3H ; refresh</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> 15M ; retry</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> 1W ; expire</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> 1D ) ; minimum</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""> IN NS ns.test.com.</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">ns IN A 10.10.0.1</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">www IN A X.X.X.X ;; X is replaced to an actual IP address</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">Unfortunately my naive approach did not work. "www.test.com" is still resolved to 10.10.0.1 and I see that the global zone "." is always hit unless I comment out the global zone definition.</div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1442612731152_3941" class="">I'm a bit new in DNS. Any help is appreciated. Ideally my DNS should delegate the "www.test.com" request and do not store its IP locally.</div></div></div><div></div><div id="yui_3_16_0_1_1442612731152_3636"> </div><div class="signature" id="yui_3_16_0_1_1442612731152_3633"><div id="yui_3_16_0_1_1442612731152_3635">Many Thanks,</div><div id="yui_3_16_0_1_1442612731152_3634">Sergey Emantayev</div><div id="yui_3_16_0_1_1442612731152_3632"><br></div></div></div></body></html>