one-zone-only forwarding DNS
Sig Pam
spam at itserv.de
Tue Nov 13 11:00:25 UTC 2018
Hi all!
I’m really despairing over a configuration, and I am starting to wonder if it is possible at all.
Running Bind 9.5.5, I want to serve IP addresses for my internal network only, and none from the internet, except for a few domains. The idea is that I don’t want any intranet client to be able to resolve Internet addresses, except for a few domains like Microsoft.com and others.
My named.config looks like this (shortened, copied together from multiple files including others):
    acl intranet_nets {
        192.168.94.0/24;
        192.168.1.0/24;
        192.168.5.0/24;
    };

    options {
        directory "/var/cache/bind";
        allow-query { localhost; intranet_nets; };
        allow-query-cache { localhost; intranet_nets; };
        recursion no;   # switching this on would resolve ANY Internet address, which I don’t want
        dnssec-validation auto;
        auth-nxdomain no;   # conform to RFC1035
        listen-on-v6 { any; };
    };

    zone "corp.intranet.de" {
        type master;
        file "/etc/bind/db.corp.intranet.de";
        allow-transfer { 192.168.94.242; };
        allow-update { none; };
    };

    zone "94.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.94.168.192";
        allow-transfer { 192.168.94.242; };
        allow-update { none; };
    };

    zone "microsoft.com" IN {
        type forward;
        forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
    };
Running this configuration, my local addresses are correctly resolved and external addresses are not (good), but DNS requests for the domain Microsoft.com are not resolved either (bad!).
I actually wonder if “forward” is the right keyword (is forward = answer to the client: “don’t ask me, ask one of the forwarders” ???), or if I’m totally on the wrong track.
Any support on how to implement this setup is highly appreciated,
Sig
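A small lint for the situation in the post, added here as an example and not part of the original message or of BIND: named only consults forwarders (global or per-zone) while performing recursion, so a `type forward` zone under `recursion no;` is dead configuration. The script parses a minimal named.conf grammar (assumed sufficient for options/zone/acl blocks) and reports such zones over a constructed copy of the poster's configuration.

```python
"""Flag forward zones that named will never use because recursion is off."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Drop /* */, # and // comments, then split into words, strings and { } ;."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(#|//)[^\n]*', '', text)
    return TOKEN_RE.findall(text)

def parse(tokens, pos=0):
    """Return (statements, pos); a statement is (words, children-of-{ }-block-or-None)."""
    stmts, words, children = [], [], None
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == '{':
            children, pos = parse(tokens, pos)   # nested block
        elif tok == '}':
            break                                 # end of this block
        elif tok == ';':
            stmts.append((words, children))
            words, children = [], None
        else:
            words.append(tok.strip('"'))
    return stmts, pos

def lint(conf_text):
    """Return findings as strings; an empty list means nothing was detected."""
    stmts, _ = parse(tokenize(conf_text))
    recursion = 'yes'   # named's default when the option is absent
    for words, children in stmts:
        if words[:1] == ['options']:
            for w, _ in children or []:
                if w[:1] == ['recursion'] and len(w) > 1:
                    recursion = w[1].lower()
    findings = []
    for words, children in stmts:
        if words[:1] != ['zone'] or len(words) < 2:
            continue
        ztype, fwd = None, []
        for w, c in children or []:
            if w[:1] == ['type'] and len(w) > 1:
                ztype = w[1]
            elif w[:1] == ['forwarders']:
                fwd = [x[0] for x, _ in c or [] if x]
        if ztype != 'forward':
            continue
        if recursion == 'no':
            findings.append(f'zone {words[1]}: type forward is never used while recursion no')
        if not fwd:
            findings.append(f'zone {words[1]}: forward zone has no forwarders')
    return findings

# Constructed sample: the gist of the configuration quoted in the post.
SAMPLE_CONF = """
options {
    recursion no; # switching this on would resolve ANY Internet address
    dnssec-validation auto;
};
zone "corp.intranet.de" { type master; file "/etc/bind/db.corp.intranet.de"; };
zone "microsoft.com" IN {
    type forward;
    forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
};
"""

if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF):
        print(finding)
```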