use bind 9.8 as caching server and authoritative nameserver

Steven Carr sjcarr at gmail.com
Mon Oct 28 13:54:01 UTC 2013


You're seriously over-complicating the admin for yourselves by
creating dummy zones. Look at RPZ as this will achieve what you want
in a much simpler and easier to manage way.

Steve


On 28 October 2013 13:10,  <bind-check at telenet.be> wrote:
> Hi all,
>
> I installed a new bind caching server called nameserver.hiddendomain.be by
> using Ubuntu server 12.04.3 LTS with the included bind version:
> 9.8.1.dfsg.P1-4 for testing.
>
> We are a tiny ISP for some regional customers so we don't use forwarders, we
> host the caching servers for them.
>
> Recently our government obligated all ISPs to block access to child-porn,
> illegal betting sites, illegal file share sites etc.
> I have been asked now to implement this on our caching DNS servers (serve a
> custom zone to all of our customers that points to an IP from the government
> that hosts a block-page).
>
> It's the first time I try to use this mixed bind setup. (still act as
> caching server for our customers, but be authoritative for all domains we
> need to block)
>
> When I query a to-be-blocked zone with, for example, dig @localhost stop.com,
> I get the response I want from within our local zone file (see zone file
> below; /etc/bind/stop.com.zone).
> If I use another Ubuntu host in the same network and query with dig
> @nameserver stop.com, I get the response from the Internet and not from the
> master zone file located on our 'nameserver'. (Our test caching server seems
> to ignore its master for the zone stop.com.)
>
> Below you will find our config files, I don't see the problem, thanks for
> your help!
>
> Regards,
> Olivier
>
> (The name of my test server and the name of the zone we need to block have
> been replaced by fake ones for privacy reasons. Except for those names and
> its IP, all other info is from my test server-setup.)
>
> ---cat /etc/hosts -->
>
> 127.0.0.1       localhost
> IP.IP.IP.IP    nameserver.hiddendomain.be     nameserver
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> ---cat /etc/bind/named.conf -->
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> ---cat /etc/bind/named.conf.options -->
>
> options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
>         // forwarders {
>         //      0.0.0.0;
>         // };
>
>
> //========================================================================
>         // If BIND logs error messages about the root key being expired,
>         // you will need to update your keys.  See https://www.isc.org/bind-keys
>
> //========================================================================
>  dnssec-enable yes;
>  dnssec-validation auto;
>
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };
>
> ---cat /etc/bind/named.conf.local -->
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> zone "stop.com"
> {
> type master;
> file "/etc/bind/stop.com.zone";
> };
>
> ---cat /etc/bind/stop.com.zone -->
>
> $TTL 86400
> $ORIGIN stop.com.
>
> @       IN      SOA     nameserver.hiddendomain.be. hostmaster.hiddendomain.be. (
>                         2013101601      ; serial number YYYYMMDDNN
>                         28800           ; Refresh
>                         7200            ; Retry
>                         864000          ; Expire
>                         86400           ; Min TTL
>                         )
>
>                 NS      ns3.hiddendomain.be.
>                 NS      ns4.hiddendomain.be.
>
>         IN      A       193.191.245.56
> www     IN      A       193.191.245.56
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
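Steve's suggestion is a Response Policy Zone: one policy zone listing every name to rewrite, instead of one `type master` zone per blocked domain as in the posted config. The following is an added example written for this thread, not code from either poster or from ISC. It renders an RPZ master file plus the matching named.conf fragment from a blocklist, validates each entry before it goes into the zone (a stray space or semicolon in a blocklist line would otherwise change the meaning of the record), and includes an offline emulation of the QNAME-trigger match so the list can be checked without a running resolver. The zone name `rpz.local`, the file path and the second blocked domain are constructed placeholders; the block-page address is the one from the posted stop.com zone.

```python
"""Render a BIND Response Policy Zone (RPZ) from a blocklist and check it offline.

Added example for the bind-users thread above; not from ISC or the posters.
Zone name, file path and the second domain below are constructed placeholders.
"""
import re

# Constructed sample input: the block-page IP is the A record from the posted
# stop.com zone; "blocked-example.test" is a placeholder name.
BLOCK_PAGE_IP = "193.191.245.56"
BLOCKLIST = ["stop.com", "blocked-example.test"]

# One hostname label: 1..63 chars of [a-z0-9-], not starting or ending in '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """True for a lowercase, dot-separated hostname of at most 253 characters."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def rpz_zone(zone_name, domains, block_ip, serial, ttl=300):
    """Render an RPZ master file.

    Each blocked domain gets two QNAME triggers, written relative to $ORIGIN:
    the apex ("stop.com") and a wildcard ("*.stop.com") so www and any other
    subdomain are caught too. The A record is the RPZ 'local data' action: the
    resolver answers with the block page instead of the real address.
    """
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone_name}.",
        f"@\tIN\tSOA\tlocalhost. hostmaster.{zone_name}. ( {serial} 3600 900 2592000 {ttl} )",
        "\tIN\tNS\tlocalhost.",
    ]
    for domain in domains:
        domain = domain.lower().rstrip(".")
        if not valid_domain(domain):
            # Refuse rather than emit a record whose owner name is ambiguous.
            raise ValueError(f"refusing to emit malformed trigger: {domain!r}")
        lines.append(f"{domain}\tIN\tA\t{block_ip}")
        lines.append(f"*.{domain}\tIN\tA\t{block_ip}")
    return "\n".join(lines) + "\n"


def named_conf_snippet(zone_name, path):
    """named.conf fragments: enable the policy in options{} and define the zone.

    allow-query is restricted so the policy zone itself is not served to
    clients; it only steers the resolver's own answers.
    """
    return (
        "options {\n"
        f"\tresponse-policy {{ zone \"{zone_name}\"; }};\n"
        "};\n\n"
        f"zone \"{zone_name}\" {{\n"
        "\ttype master;\n"
        f"\tfile \"{path}\";\n"
        "\tallow-query { localhost; };\n"
        "};\n"
    )


def rpz_lookup(zone_text, qname):
    """Emulate the QNAME trigger match on a rendered zone (offline check).

    Returns the A record a client would get for qname, or None if the name is
    not covered. An exact owner wins; a '*.' owner matches proper subdomains
    only, so "xstop.com" is not caught by "*.stop.com".
    """
    qname = qname.lower().rstrip(".")
    exact, wildcards = {}, {}
    for line in zone_text.splitlines():
        parts = line.split()
        # Only the trigger records have the shape: owner IN A rdata
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            owner, rdata = parts[0], parts[3]
            if owner.startswith("*."):
                wildcards[owner[2:]] = rdata
            else:
                exact[owner] = rdata
    if qname in exact:
        return exact[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):  # parents of qname, nearest first
        if ".".join(labels[i:]) in wildcards:
            return wildcards[".".join(labels[i:])]
    return None


if __name__ == "__main__":
    zone = rpz_zone("rpz.local", BLOCKLIST, BLOCK_PAGE_IP, serial=2013102801)
    print(named_conf_snippet("rpz.local", "/etc/bind/rpz.local.zone"))
    print(zone)
    for name in ("www.stop.com", "stop.com", "xstop.com"):
        print(name, "->", rpz_lookup(zone, name))
```

Before reloading, run the rendered files through `named-checkconf` and `named-checkzone rpz.local /etc/bind/rpz.local.zone` on the server; the `rpz_lookup` emulation only checks the list itself, not how named has been configured to load it.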
