Answer for a specific host, but recurse for all others within a zone

Jon Fullmer FullmerJF at familysearch.org
Fri May 9 17:39:28 UTC 2014


Rich, you and Barry both touched on my original tactic. I can define
"something.xyz.com" as a master zone with a single entry. The problem, as
you pointed out, is that this doesn't catch "www.something.xyz.com".
Unfortunately, the "www" section will have any number of random hosts, so
manually putting in entries will be impractical.

I'm intrigued by the RPZ option. I'm not familiar with it. I realize that
it's only available in 9.8.1 and above (which will require me to upgrade;
I'm using 9.7.3). I've been scouring the Net for examples, but they're
typically targeted to one of RPZ's main purposes (spam blacklisting,
etc.).

If I'm following the config right, let's say that the local server in my
example is 10.1.2.3:

---- named.conf ----

options {
   response-policy { "something.xyz.com"; };
};

zone "something.xyz.com" {
  type master;
  file "something.xyz.com.db";
};

---- something.xyz.com.db ----

$TTL 900

@    IN SOA  soa.xyz.com.  hostmaster.xyz.com.   0001 900 900 604800 30
     IN NS localhost.

@    IN A 10.1.2.3
*    IN CNAME .

---- end ----

Is this right? I guess the trick I'm trying to sort out is how to tell the
zone file to "recurse, if not explicitly 'something.xyz.com'." What else
am I leaving out?


 - Jon
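
A working RPZ version of what Rich describes, as an added example that is not from this thread: the policy zone is a separate locally served zone (the name "rpz.local" is an assumption) rather than "something.xyz.com" itself, the override is expressed as a record whose owner name is the query name to rewrite, and every other name, including "www.something.xyz.com", falls through to normal recursion. 10.1.2.3 is the address from the example above; named.conf fragment and zone file are shown in one block, each in its own comment syntax.

```conf
// ---- named.conf (fragment) ----
options {
    recursion yes;
    // RPZ needs BIND 9.8.1 or later; the "zone" keyword is required here
    response-policy { zone "rpz.local"; };
};

// The policy zone is a separate zone served only to the resolver itself.
// Its name ("rpz.local") is an assumption; it must not be a name that
// clients need to resolve normally.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };   // clients never query the policy zone directly
};

; ---- rpz.local.db ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 300 604800 300 )
    IN NS   localhost.

; QNAME trigger: the owner name, relative to the policy zone origin, is
; the query name to override (something.xyz.com.rpz.local. in full).
; Only an exact match on "something.xyz.com" is rewritten; www.xyz.com,
; mail.xyz.com and www.something.xyz.com do not match this trigger and
; are resolved recursively as before.
something.xyz.com   IN A   10.1.2.3

; Do NOT add "*.something.xyz.com" here: that wildcard trigger would
; capture every name under something.xyz.com as well.
```

The local data replaces the whole answer for that name, so a query for any other record type at something.xyz.com (MX, TXT, ...) is also answered from this zone rather than recursed; add those records to the policy zone if they are needed.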


On 5/8/14, 10:05 PM, "Rich Goodson" <rgoodson at gronkulator.com> wrote:

>On your resolver, create a zone called
>something.xyz.com
>and only have one entry, an A record for the zone itself.  Something like
>this:
>---begin something.xyz.com zonefile---
>something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
>        2014050901
>        3H
>        300
>        2W
>        3600 )
>something.xyz.com.      in ns ns1.abc.com.
>something.xyz.com.      in ns ns2.abc.com.
>something.xyz.com.      in a  192.168.100.15
>---end something.xyz.com zonefile---
>
>This will still allow www.xyz.com and mail.xyz.com to resolve, but will
>NOT recurse for www.something.xyz.com.  If you want that to resolve, you'll
>have to add that to the zone as well, as you're claiming authority for
>something.xyz.com and everything "to the left" of that as well.
>
>It just occurred to me that you could also provide a local answer for a
>single name with RPZ, which would give the benefit of continuing to recurse
>for www.something.xyz.com.
>
>-Rich
>
>
>
>On May 9, 2014, at 1:15 AM, fullmerjf at ldschurch.org wrote:
>
>> Does anyone know how I might configure bind to answer for a specific
>> host within the zone, but perform a recursive lookup for the rest of the
>> zone?
>> 
>> For example, given the domain "xyz.com", how might I configure a local
>> DNS server to resolve "something.xyz.com" to, maybe, a local server, but
>> still allow "www.xyz.com", "mail.xyz.com" and "www.something.xyz.com"
>> to still recursively resolve?
>> 
>> Is there a way?
>> 
>> - Jon
>




