use bind 9.8 as caching server and authoritative nameserver
Steven Carr
sjcarr at gmail.com
Mon Oct 28 13:54:01 UTC 2013
You're seriously over-complicating the admin for yourselves by
creating dummy zones. Look at RPZ as this will achieve what you want
in a much simpler and easier to manage way.
Steve
On 28 October 2013 13:10, <bind-check at telenet.be> wrote:
> Hi all,
>
> I installed a new bind caching server called nameserver.hiddendomain.be by
> using Ubuntu server 12.04.3 LTS with the included bind version :
> 9.8.1.dfsg.P1-4 for testing.
>
> We are a tiny ISP for some regional customers so we don't use forwarders, we
> host the caching servers for them.
>
> Recently our government obligated all ISPs to block access to child-porn,
> illegal betting sites, illegal file share sites etc...
> I have been asked now to implement this on our caching DNS servers (serve a
> custom zone to all of our customers that points to an IP from the government
> that hosts a block-page)
>
> It's the first time I try to use this mixed bind setup. (still act as
> caching server for our customers, but be authoritative for all domains we
> need to block)
>
> When I query a to-be-blocked zone with for example: dig @localhost stop.com,
> I get the response I want from within our local zone file (see zone file
> below; /etc/bind/stop.com.zone).
> If I use another Ubuntu host in the same network and query with dig
> @nameserver stop.com, I get the response from the Internet and not from the
> master zone file located on our 'nameserver'. (our test caching server seems
> to ignore its master for the zone stop.com)
>
> Below you will find our config files, I don't see the problem, thanks for
> your help!
>
> Regards,
> Olivier
>
> (the name of my test server and the name of the zone we need to block have
> been replaced by fake ones for privacy reasons. Except for those names and
> its IP, all other info is from my test server-setup)
>
> ---cat /etc/hosts -->
>
> 127.0.0.1 localhost
> IP.IP.IP.IP nameserver.hiddendomain.be nameserver
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> ---cat /etc/bind/named.conf -->
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> // /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> ---cat /etc/bind/named.conf.options -->
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };
>
>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See
> // https://www.isc.org/bind-keys
>
> //========================================================================
> dnssec-enable yes;
> dnssec-validation auto;
>
> auth-nxdomain no; # conform to RFC1035
> listen-on-v6 { any; };
>
> ---cat /etc/bind/named.conf.local -->
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> zone "stop.com"
> {
> type master;
> file "/etc/bind/stop.com.zone";
> };
>
> ---cat /etc/bind/stop.com.zone -->
>
> $TTL 86400
> $ORIGIN stop.com.
>
> @ IN SOA nameserver.hiddendomain.be. hostmaster.hiddendomain.be. (
>         2013101601 ; serial number YYMMDDNN
>         28800      ; Refresh
>         7200       ; Retry
>         864000     ; Expire
>         86400      ; Min TTL
>         )
>
>     NS ns3.hiddendomain.be.
>     NS ns4.hiddendomain.be.
>
>     IN A 193.191.245.56
> www IN A 193.191.245.56
>
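As an added example (not code from the thread), this script builds the Response Policy Zone that Steve's reply points to: one BIND 9.8 RPZ file in which each listed domain and everything beneath it is rewritten to the block-page address, so no per-domain dummy master zones are needed. The named.conf stanza in the docstring, the zone name rpz.hiddendomain.be and the file path are assumptions; 193.191.245.56 and stop.com are the values from Olivier's zone file.

```python
"""Generate a BIND 9.8 Response Policy Zone (RPZ) that redirects blocked
domains (and every name beneath them) to a block-page address.

Assumed named.conf configuration that loads the generated file (not from
the original thread; the RPZ zone name and path are placeholders):

    options { response-policy { zone "rpz.hiddendomain.be"; }; };
    zone "rpz.hiddendomain.be" { type master; file "/etc/bind/rpz.zone"; };
"""
import re

# One DNS hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case, strip the trailing dot, and reject malformed names so a bad
    entry in the block list cannot produce a zone that named refuses to load."""
    n = name.strip().lower().rstrip(".")
    labels = n.split(".")
    if len(n) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"invalid domain name: {name!r}")
    return n


def rpz_zone(blocked, block_ip, rpz_origin, soa_ns, soa_mail, serial):
    """Return the RPZ zone text. Names are relative to the RPZ origin, so
    'stop.com' becomes the QNAME trigger stop.com.rpz.hiddendomain.be.;
    the '*.' entry catches www, mail and any other subdomain."""
    names = sorted({normalize(d) for d in blocked})  # dedupe and sort
    lines = [
        "$TTL 300",
        f"$ORIGIN {rpz_origin}.",
        f"@ IN SOA {soa_ns}. {soa_mail}. ({serial} 3600 600 864000 300)",
        f"@ IN NS {soa_ns}.",
    ]
    for n in names:
        lines.append(f"{n} IN A {block_ip}")      # exact name
        lines.append(f"*.{n} IN A {block_ip}")    # all subdomains
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample block list; stop.com is the placeholder from the thread.
    print(rpz_zone(["stop.com", "WWW.Example.NET."], "193.191.245.56",
                   "rpz.hiddendomain.be", "nameserver.hiddendomain.be",
                   "hostmaster.hiddendomain.be", 2013102801))  # serial YYYYMMDDNN
```

Because RPZ rewrites only answers whose query name matches a trigger, the cache keeps resolving every other name normally and the server never claims authority for the blocked domains themselves.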