Restricted bind to my domain only
Luis Felipe Dominguez Vega
luis.dominguez at mtz.desoft.cu
Mon Jan 16 15:17:08 UTC 2017
Hello, I searched Google for my problem, but I think it is better to write to the list. I am using BIND with Samba 4 (with BIND_DLZ) serving the domain mtz.example.com, but I need to resolve queries for the domain example.com and its other subdomains (like grm.example.com, vcl.example.com) through another server, and I do not want to resolve anything else (to prevent DNS tunnelling). So I need to enable recursion and permit it for my network; the problem is that it always resolves google.com, facebook.com, etc., and I want it to resolve only the names in Samba (BIND_DLZ) and have everything else forwarded to my other server. Files:
Note: 192.168.44.2 is my forwarding DNS server, which only accepts queries for example.com and its subdomains.
named.conf:
===========================================================================
// Global options (ACLs, DNSSEC, logging, statistics channel).
include "/etc/bind/named.conf.options";
// Forward zone for example.com plus the localhost / RFC 1912 zones.
include "/etc/bind/named.conf.default-zones";
// Samba-generated configuration that loads the BIND_DLZ module; included
// last so the locally served zones are defined after the global options.
include "/var/lib/samba/private/named.conf";
===========================================================================
named.conf.options:
===========================================================================
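options {
// Working directory; relative file names below are resolved against it.
directory "/var/cache/bind";
dump-file "/var/cache/bind/data/cache_dump.db";
statistics-file "/var/cache/bind/data/named_stats.txt";
// NOTE(review): example.com is reached only through the 192.168.44.2
// forwarder (see named.conf.default-zones), so validation of those answers
// depends on what that forwarder returns -- confirm it works as expected.
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
datasize default;
empty-zones-enable no;
// GSS-TSIG keytab, presumably used for Samba (BIND_DLZ) dynamic updates.
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// Recursion stays enabled for the networks in allow-recursion below.
// NOTE(review): both zone "." definitions in named.conf.default-zones are
// commented out, so named presumably falls back to its built-in root hints,
// which matches the report that external names still resolve -- confirm.
#recursion no;
// Client ACLs. Prefixes are written with a zero host part: the original
// 127.0.0.1/8 and 10.11.0.1/24 carried non-zero host bits, and
// allow-recursion now names the same 10.11.0.0/24 network as allow-query.
allow-query { 192.168.0.0/24; 10.11.0.0/24; 127.0.0.0/8; };
allow-recursion { 127.0.0.0/8; 192.168.0.0/24; 10.11.0.0/24; };
// Applies to the master zones in named.conf.default-zones; the Samba-served
// zones are presumably updated through the DLZ module and the keytab above.
allow-update { 127.0.0.1; };
// NOTE(review): every host on 192.168.0.0/24 may pull a full copy of the
// zones; narrow this to the secondaries that actually need AXFR/IXFR.
allow-transfer { 192.168.0.0/24; };
// Do not disclose version, hostname or server id to CHAOS-class queries.
version none;
hostname none;
server-id none;
listen-on-v6 { none; };
};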
logging {
// Single file channel at "info" severity, tagged with category and severity
// so transfer and notify events can be told apart in the one file.
channel xfer-log {
file "/var/log/named.log";
print-category yes;
print-severity yes;
severity info;
};
// Only zone-transfer and notify traffic is routed to the channel; other
// categories (queries, security, lame servers) keep the default handling.
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
statistics-channels {
// Statistics HTTP listener bound to loopback only and reachable only from
// 127.0.0.1, so it is not exposed to the LAN.
inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};
===========================================================================
named.conf.default-zones
===========================================================================
// prime the server with knowledge of the root servers
#zone "." {
# type hint;
# file "/etc/bind/db.empty";
#};
#zone "." {
# type forward;
# forward only;
# forwarders { 192.168.44.2; };
#};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
// Forward-only zone: queries for example.com and the names below it
// (grm.example.com, vcl.example.com, ...) are sent to 192.168.44.2 and are
// never resolved directly -- "forward only" means no fallback to recursion
// if the forwarder does not answer. The Samba-served mtz.example.com zone is
// presumably matched first as the more specific zone -- confirm.
zone "example.com" {
type forward;
forward only;
forwarders { 192.168.44.2; };
};
// Local authoritative zones for localhost and its reverse mapping, plus the
// 0/8 and 255/8 reverse zones; the global allow-update { 127.0.0.1; } and
// allow-transfer ACLs in named.conf.options apply to these.
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
===========================================================================