Bind: recursive lookups for only certain domains

Status
Not open for further replies.

mikedudeha

Technical User
May 13, 2009
4
US
Howdy all,

I was wondering if there is a way to configure Bind to provide non-authoritative/recursive lookups for a limited number of specified domains but not just any domain that exists.

For example: provide clients a non-authoritative answer for but don't provide one for
Thanks much!!

Mike
 
sounds like you need a proxy server or just a nice web filter.

But in DNS, you can point forwarders to the sites like to their outside NS servers and then change the All Other DNS Domains to point to an internal DNS IP which would then time out because it won't be able to resolve the unlisted domain. This is very tedious, and I am sure not a recommended practice.

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
 
Thanks.. I have recommended multiple other solutions including OpenDNS, a proxy server, a filtering solution through one of our ISPs, and even some simple web browser level filtering; but our security manager wants it done with Bind. I have been working with Bind for about 10 years and this one has me beat, I am starting to question if this is even possible at all, but I don't have any proof to show him that so he told me to keep working on it!! Ah!!

How exactly would I configure your suggestion below? I tried pointing "." to a bogus forwarder and then "mysampledomainthatiwanttoresolve.com" to its auth DNS servers as a forwarder, but it still doesn't work.

Thanks again!

 
For the domains/zones you want to block, can you point them to one zone file that resolves to 127.0.0.1 and therefore goes nowhere? Otherwise, tell your security person to show you documentation on how... or actually listen to their IT guru and shove a proper filter down their throat.... hahah, can you tell I have had many days dealing with "IT Security"?

The BIND way will be tedious and you should be focusing on better aspects of your infrastructure... IMHO

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
 
Thanks for the input everyone..

I spent 3 good solid workdays on this, and think I had a couple of birthdays in the process. I did go the direction that TechyMcSe2k advised and finally got this working. Here is how I did it in case anyone else is interested.

I still think this will be a constant maintenance nightmare and there are other ways that are better, like proxies, filters, etc. But at least this gets the project off my plate!

//BEGIN named.conf ----------------------------------------
//AA.AA.AA.AA/24 = network with limited recursive lookup ability
//192.168.168.168 = bogus forwarder that doesn't even exist
//GG.GG.GG.GG = good resolver I have that will answer anything
//MM.MM.MM.MM = master to my authoritative zone, unrelated to this

options {
    directory "/var/cache/bind";
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    transfers-in 30;
    serial-queries 15;
    version "version id withheld";
    notify yes;
    datasize 512m;
    allow-transfer { XX.XX.XX.XX; };
};


//LIMITED RECURSIVE VIEW-------------------------
//
// Clients in AA.AA.AA.AA/24 get recursion, but the view forwards every
// query ("forward only") to the bogus address, so unlisted domains time
// out. Only names under the forward zones listed inside the view are sent
// to the real resolver GG.GG.GG.GG. Add one "type forward" zone per
// domain that should resolve.

view "limitedrecursiveview" {
    match-clients { AA.AA.AA.AA/24; };
    allow-recursion { AA.AA.AA.AA/24; };
    recursion yes;
    forward only;
    forwarders { 192.168.168.168; };

    zone "tek-tips.com" in {
        type forward;
        forwarders { GG.GG.GG.GG; };
    };

};
//End of view--------------------------------------------


//Internet/everyoneelse VIEW------------------------------
//
//The authoritative stuff for most query makers (no recursion at all)

view "everyoneelse" {
    recursion no;
    match-clients { any; };

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    zone "myauthoritivezoneihappentohave.com" IN {
        type slave;
        file "myauthoritivezoneihappentohave.db";
        masters { MM.MM.MM.MM; };
    };

};

//End of view--------------------------------------------
//End of named.conf--------------------------------------
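As an added example (not code from this thread or from the poster), the script below models the allow-list behaviour of the final named.conf and generates the per-domain "type forward" zone stanzas from a plain list, which takes some of the sting out of the maintenance problem mentioned above. The network, resolver addresses and allowed domains are constructed placeholders with the same roles as in the posted config. The matching is done label by label, the way BIND selects the closest enclosing forward zone, so a name that merely ends in the same characters (faketek-tips.com) is not treated as being inside tek-tips.com; a naive string suffix check would get that wrong.

```python
"""Model of the "limited recursive view" allow-list and a generator for
the forward-zone stanzas. Added example; not the poster's code.
"""
from typing import List, Optional

# Constructed placeholder values (same roles as in the posted named.conf).
LIMITED_NET = "AA.AA.AA.AA/24"       # clients that get limited recursion
GOOD_RESOLVER = "GG.GG.GG.GG"        # resolver that will answer anything
BOGUS_FORWARDER = "192.168.168.168"  # unreachable: everything else times out
ALLOWED_ZONES = ["tek-tips.com", "example.net"]  # constructed allow-list


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def closest_enclosing_zone(qname: str, zones: List[str]) -> Optional[str]:
    """Return the longest zone that encloses qname, compared label by label.

    BIND picks a forward zone only when the zone is an ancestor of the
    query name in the DNS tree; "faketek-tips.com" is not under
    "tek-tips.com" even though it ends with the same characters.
    """
    q = _labels(qname)
    best: Optional[str] = None
    for zone in zones:
        z = _labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z:
            if best is None or len(z) > len(_labels(best)):
                best = zone
    return best


def classify_query(qname: str, zones: List[str] = ALLOWED_ZONES) -> str:
    """Which forwarder a query from LIMITED_NET would be sent to."""
    return GOOD_RESOLVER if closest_enclosing_zone(qname, zones) else BOGUS_FORWARDER


def render_limited_view(zones: List[str] = ALLOWED_ZONES) -> str:
    """Render the view stanza; regenerate it whenever the allow-list changes."""
    lines = [
        'view "limitedrecursiveview" {',
        f"    match-clients {{ {LIMITED_NET}; }};",
        f"    allow-recursion {{ {LIMITED_NET}; }};",
        "    recursion yes;",
        "    forward only;",
        f"    forwarders {{ {BOGUS_FORWARDER}; }};",
        "",
    ]
    # Deduplicate and normalise so the same domain never appears twice.
    for zone in sorted({z.lower().rstrip(".") for z in zones}):
        lines += [
            f'    zone "{zone}" IN {{',
            "        type forward;",
            "        forward only;",
            f"        forwarders {{ {GOOD_RESOLVER}; }};",
            "    };",
            "",
        ]
    lines.append("};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ["www.tek-tips.com", "tek-tips.com.", "faketek-tips.com"]:
        print(f"{name:30} -> {classify_query(name)}")
    print(render_limited_view())
```

Paste the rendered view into named.conf in place of the hand-written one, then run named-checkconf before reloading; a query from inside AA.AA.AA.AA/24 for a listed domain should answer normally while an unlisted one should end in SERVFAIL after the forwarder timeout.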


 