Not sure if the title fits the question; please feel free to edit. Thanks.

I am using bind9 as an internal caching DNS server for my small office network. I have a single device which is allowed to resolve addresses (this is a proxy server running squid 3.1); all other devices get the IP 192.168.1.99 returned for any query. This is achieved with this named.conf.local file:

// Only the proxy and localhost may recurse; they also see the internal zone.
view "Allowed" {
    match-clients { 192.168.1.99; 127.0.0.1; };
    recursion yes;
    zone "webb.local" {
        type master;
        allow-query { any; };
        file "/etc/bind/master/webb.local";
    };
};

// Everyone else: no recursion, and a locally authoritative root zone
// whose records point every name at 192.168.1.99.
view "Blocked" {
    match-clients { any; };
    recursion no;
    zone "." {
        type master;
        file "/etc/bind/master/db.catchall";
    };
};

What I now want to do is allow the "Blocked" view to correctly resolve a select group of domain names, namely those ending "meraki.com", but for them to continue getting 192.168.1.99 for all other addresses (as defined in "/etc/bind/master/db.catchall"). My guess is this can be done with "match-destination" but I cannot find any documentation on how to use this feature.

Many thanks for all help in advance; it is greatly appreciated!

o.comp
  • `match-destination` matches the destination IP of a DNS packet and isn't what you're looking for. You can find the documentation in the [BIND ARM](http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#view_statement_grammar). – Andrew B Jun 06 '15 at 19:19

1 Answer

Your current DNS firewall strategy for BIND is a little behind the times as you are stealing authority for the root zone. Making a passthrough work in this situation is rather difficult; there is no "whitelisting" functionality that allows you to re-enable recursion for specific DNS records. The solution doesn't scale because you're stuck keeping information up to date manually in all cases:

  • You can set up a forwarder statement for each internal domain that you manage as there is reasonable confidence that your nameserver IPs will not be changing without warning. Using a forwarder for a domain that you don't manage is a bad idea because the nameservers can change at any time.
  • The other solution is to statically define any and all DNS records that you want to duplicate in the `.` zone. This doesn't scale due to the fact that the remote parties may change these DNS records at any time, or add content to their sites that require DNS records that you haven't replicated.

My recommendation is that you consider abandoning the approach and instead utilize RPZ. The following Q&A can help get you started: Set up BIND9 as DNS Firewall

If you go with RPZ, the whitelisting term you'll want to look for is rpz-passthru; remember to whitelist both the top of the domain (example.com) and all records below it with a wildcard (*.example.com).

Andrew B
  • Thank you for passing on your wisdom; this sounds like an eminently sensible answer. Many thanks for taking the time; it is greatly appreciated! – o.comp Jun 06 '15 at 19:38
  • Happy to help; RPZ hasn't been around for very long so it isn't in most of the tutorials that have been written. It's a vastly superior approach though. – Andrew B Jun 06 '15 at 19:41
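As an added example (not the thread's own code, and not BIND itself), the following Python generates the `rpz-passthru` entries for an allow-list the way the answer advises, with both the apex and the wildcard form for each domain, and then checks which query names those entries cover. The policy zone name `rpz.local`, the file path under `/etc/bind/master`, and the `localhost.` SOA/NS names are placeholders chosen here; only the QNAME trigger is modelled, and the catch-all for everything else is left to the RPZ setup the answer links to.

```python
"""
Generate rpz-passthru allow-list entries for a BIND response policy zone and
simulate which query names they match.

Assumed wiring in named.conf (constructed; adapt zone name and path):

    options { response-policy { zone "rpz.local"; }; };
    zone "rpz.local" { type master; file "/etc/bind/master/db.rpz.local"; };

Names that match no rule are reported as falling through to the rest of the
policy (the catch-all is not modelled here).
"""
import re

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def validate_domain(domain):
    """Return the normalized domain, or raise ValueError for an unusable entry
    (single labels, wildcards, or characters that are not valid in a label)."""
    d = normalize(domain)
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a usable allow-list domain: %r" % domain)
    return d


def passthru_records(domains):
    """Owner names (relative to the policy zone apex) that allow-list a domain.

    Each domain gets BOTH its apex and a wildcard for everything below it;
    emitting only the apex is the mistake the answer warns about.
    """
    records = []
    for d in sorted({validate_domain(x) for x in domains}):
        records.append((d, "CNAME", "rpz-passthru."))
        records.append(("*." + d, "CNAME", "rpz-passthru."))
    return records


def render_zone(domains, serial=1):
    """Render a complete zone file for the policy zone (SOA/NS names are placeholders)."""
    lines = [
        "$TTL 60",
        "@  IN SOA localhost. root.localhost. ( %d 3600 600 86400 60 )" % serial,
        "@  IN NS  localhost.",
        "; generated rpz-passthru entries: keep both the apex and the wildcard",
    ]
    for owner, rtype, target in passthru_records(domains):
        lines.append("%-24s IN %-5s %s" % (owner, rtype, target))
    return "\n".join(lines) + "\n"


def matching_rule(qname, records):
    """Simulate the QNAME trigger for a query name.

    An exact owner name wins; otherwise the wildcard under the closest
    allow-listed ancestor matches. Returns the matching owner name, or None
    when the name falls through to the rest of the policy.
    """
    q = normalize(qname)
    owners = {owner for owner, _, _ in records}
    if q in owners:
        return q
    labels = q.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in owners:
            return wildcard
    return None


if __name__ == "__main__":
    allow = ["meraki.com"]
    print(render_zone(allow))
    recs = passthru_records(allow)
    for q in ("meraki.com", "dashboard.meraki.com", "notmeraki.com"):
        hit = matching_rule(q, recs)
        print("%-24s -> %s" % (q, hit or "falls through to the rest of the policy"))
```

Running it shows why the wildcard entry matters: with only `meraki.com` in the zone, `dashboard.meraki.com` matches nothing and is rewritten like any other name, while `notmeraki.com` correctly stays outside the allow-list because matching is by label, not by substring.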