I have a DNS server (BIND 9.10.3-P4-Ubuntu) on an Ubuntu 16.04 machine. I have a domain with two A records (IP1, IP2) which point to two separate web servers (Wserver1, Wserver2). I want the DNS server to answer queries from country A with IP1 and all others with IP2. I have created a file named GeoIP.acl and included it in the BIND configuration, and I also added my A records to the related files of the BIND service.

named.conf:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/GeoIP-AA.acl";

named.conf.options:

    options {
        recursion no;
        // Put files that named is allowed to write in the data/ directory:
        directory                "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        allow-query     { any; };
    };
    logging {
            channel default_log {
                    file "/var/log/named/named.log" versions 5 size 128M;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
                    severity warning;
            };
            channel query_log {
                    file "/var/log/named/query.log";
                    severity debug 3;
                    print-severity yes;
                    print-time yes;
            };
            category queries { query_log; };
            category default { default_log; };
            category general { default_log; };
    };

named.conf.default-zones:

    view "Country A" {
      match-clients { AA; };
      recursion no;
      additional-from-cache no;

      zone "test.com" IN {
        type master;
        file "/var/cache/bind/test-AA.com.db";
        allow-update { none; };
        allow-query { any; };
        notify yes;
      };
    };

    view "Other" {
      match-clients { any; };
      recursion no;
      additional-from-cache no;

      zone "test.com" IN {
        type master;
        file "/var/cache/bind/test.com.db";
        allow-update { none; };
        allow-query { any; };
        notify yes;
      };
    };

GeoIP-AA.acl:

    acl "AA" {
            x1.x2.0.0/16;
            y1.y2.0.0/22;
            z1.z2.0.0/22;
            w1.w2.0.0/8;
    };

test-AA.com.db has IP1 as its A record and test.com.db has IP2 as its A record. With these configurations I hope all clients from country A receive IP1 and other clients receive IP2 as the site IP address. It seems everything is working OK, except that I saw some IP addresses in the logs which are redirected from the wrong clients! I mean, when I check the web server logs of Wserver2 I can see some IPs which are in the GeoIP-AA.acl IP address ranges and received IP2 as the web site IP address. The file GeoIP-AA.acl has 6000 records. I wonder whether there are any limitations on using GeoIP ACLs with BIND 9? I think not all IP address ranges are checked in BIND, or something else happens, such as a limit on the number of ACL records. Any help is appreciated.

Sinai
  • Your setup will horribly fail (in the sense of not providing the feature you seek) when people (from whatever country) use public DNS resolvers, like `8.8.8.8` or `9.9.9.9` or `1.1.1.1`. You may get a little help if they (and you) support the EDNS Client Subnet option. – Patrick Mevzek Jul 07 '18 at 21:57
  • Yeah, I know. But the visitors of my web site are mainly ordinary people who use the default DNS resolvers of their ISPs. With this little trick, I want to create a very simple CDN (GeoDNS) – Sinai Jul 09 '18 at 06:59
  • I think people not using ISP nameservers are as normal as others... and you may find more and more DNS over TLS or DNS over HTTPS to public resolvers, especially for those that want to make sure their ISP does not see their queries. You still need to remember that the clients of your authoritative nameservers are the recursive ones and hence their IP, which is not the IP that your webserver will see later on. Also you have other nameservers with specific features for GeoDNS. – Patrick Mevzek Jul 09 '18 at 13:34
  • Yes, you are right. I was a little wrong about the IP addresses reaching the DNS server and web servers. But after @Esa Jokinen's explanation I learned much and it seems the system is working fine right now. What nameservers can I use for GeoDNS? – Sinai Jul 10 '18 at 07:15
  • For GeoDNS you have these solutions at least: https://github.com/abh/geodns/ and https://doc.powerdns.com/authoritative/backends/geoip.html – Patrick Mevzek Jul 11 '18 at 02:57
  • Thank you @Patrick. I will check out your suggested solutions more deeply. But I use Bind9+GeoIP just for simplicity :D. The new solutions seem to be a little sophisticated. But it's worth a try. – Sinai Jul 11 '18 at 06:43

1 Answer

For me it seems your configuration is OK and follows exactly e.g. the view clause example from Zytrax DNS BIND view Clause.

Don't focus on web server logs and stop comparing them to your ACL:

  • The clients won't be using your authoritative name servers directly, but through their recursive name servers.
  • Results for the queries are always cached for TTL seconds, so don't expect immediate results.

Instead, debug by adding more verbose logging to your BIND, namely for category queries.

    logging {
        channel queries_file {
            file "/var/log/named/queries.log" versions 3 size 5m;
            severity debug 6;
            print-time yes;
            print-severity yes;
        };
        category queries { queries_file; };
    };

If you see any of the queries falling into your ACL view, it's probably working. You could ensure this by randomly checking that queries matched to view "Other" don't have IP addresses matching your ACL, and vice versa. There are no documented limits for ACL size and no reason to believe there are any.

Currently (from comments) around 25% of your DNS queries fall into view "Country A", which seems very reasonable. You shouldn't think that statistics at DNS level have anything to do with the amount of actual web service clients, as the results are, again, cached for TTL. It's only natural that you get more DNS queries from countries where you have fewer clients, because the clients are divided among several ISPs, while a single country has fewer recursive DNS servers. Once a recursive DNS server has cached the record, many clients can be requesting it during the TTL without additional requests to your authoritative servers.

Esa Jokinen
  • I have activated logging already. I updated my question and added the logging section. The visitors of my website are mainly from country A. I also checked the query.log, but the number of view "Other" queries is much higher than that of "Country A". I did a grep on the query.log and the results are disappointing: 803789 queries for view "Other" and 277726 for view "Country A" within the last four days. At first there were 1600 IP address ranges in GeoIP-AA.acl. But after I added about 5000 more ranges, it is working badly! – Sinai Jul 04 '18 at 06:38
  • I want to know whether there are any limitations on the number of IP addresses in the acl file from the Bind9 side? e.g. it can load a certain number of IPs and if I want to use more IP addresses I have to modify a parameter or something else. – Sinai Jul 04 '18 at 06:42
  • AFAIK there's no documented limitations in ACL size. Is it possible that there's a syntax error in your massive ACL list? On the other hand, 803789 queries for the view shows it must be working. Keep in mind that not all queries are for www traffic! – Esa Jokinen Jul 04 '18 at 06:54
  • I checked the ACL file line by line, it is OK, and if there is a syntax error the bind service will not start either. 803789 queries for the view "Other" is not OK! I want this number for view "Country A", because as I said all visits are from Country A and only some bots and a few users view the site from outside country A. I have also changed the A record IP addresses for the high traffic subdomains too. I am really confused why it is not working as I expect! – Sinai Jul 04 '18 at 07:56
  • I tried to explain why 25% of DNS queries actually proves that your country ACL is working correctly and why you can't and shouldn't try to make it 75%. – Esa Jokinen Jul 04 '18 at 15:52
  • Thank you. You are right @Esa Jokinen. I checked the IP addresses of queries in query.log in DNS server. The ACL is working correctly. The huge number for view "Other" is correct and all IPs are from outside of Country A. I think a lot of visitors are using VPN or some sort of proxies! – Sinai Jul 06 '18 at 15:47
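The check the answer suggests (queries logged under the ACL view must come from an address inside the acl, queries logged under "Other" must not) can be scripted instead of done by random grepping. The following is an added example, not code from the question, the answer or BIND itself. It assumes the acl file uses the `acl "AA" { prefix; ... };` syntax shown in the question and that query-log lines have the layout BIND 9.10 writes for category `queries` with `print-time` and `print-severity` on (`client IP#port (name): view NAME: query: ...`); both the acl and the log lines below are constructed from documentation address ranges, not taken from the poster's server. As the thread points out, the logged client address is the recursive resolver that asked, so it is the resolver, not the end user, that is matched against the acl.

```python
"""Cross-check BIND view assignments in a query log against an acl file.

Added example (not from the question or answer). It implements the check the
answer suggests: every query logged under the ACL view should come from an
address inside the acl, and no query logged under "Other" should.
Assumptions: acl syntax as in GeoIP-AA.acl (one prefix per entry, ';'
terminated) and the BIND 9.10 query-log line layout shown in SAMPLE_LOG.
"""
import ipaddress
import re
from collections import Counter

# Constructed acl in the syntax of the question's GeoIP-AA.acl; the real file
# has thousands of prefixes, these are documentation ranges (RFC 5737 / 3849).
SAMPLE_ACL = """\
acl "AA" {
        198.51.100.0/24;
        203.0.113.0/26;   // comment, stripped by the parser
        2001:db8:aa::/48;
};
"""

# Constructed query-log lines in the layout BIND 9.10 writes for category
# "queries" with print-time and print-severity on (view names may have spaces).
# The "client" address is the recursive resolver asking, not the end user.
SAMPLE_LOG = """\
07-Jul-2018 10:00:01.123 info: client 198.51.100.7#41234 (test.com): view Country A: query: test.com IN A +E (192.0.2.53)
07-Jul-2018 10:00:02.456 info: client 192.0.2.200#53000 (test.com): view Other: query: test.com IN A + (192.0.2.53)
07-Jul-2018 10:00:03.789 info: client 203.0.113.9#40000 (www.test.com): view Other: query: www.test.com IN A + (192.0.2.53)
07-Jul-2018 10:00:04.000 info: client 203.0.113.99#40001 (test.com): view Other: query: test.com IN A + (192.0.2.53)
07-Jul-2018 10:00:05.000 info: client 2001:db8:aa::1#5353 (test.com): view Country A: query: test.com IN AAAA + (2001:db8::53)
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): view (?P<view>[^:]+): query:"
)


def parse_acl(text, name):
    """Return the networks listed in acl "name" { ... }; as ip_network objects."""
    m = re.search(r'acl\s+"?%s"?\s*\{(.*?)\};' % re.escape(name), text, re.S)
    if m is None:
        raise ValueError("acl %r not found" % name)
    body = re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)  # C-style comments
    body = re.sub(r"(//|#).*", "", body)                        # line comments
    nets = []
    for token in body.split(";"):
        token = token.strip()
        if token:
            # strict=False tolerates host bits set in a prefix such as 10.1.2.3/16
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def in_acl(ip, nets):
    """True if the address falls inside any network of the acl."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def audit(log_text, nets, acl_view="Country A", other_view="Other"):
    """Count queries per view and list lines whose view contradicts the acl.

    Each mismatch is (client_ip, logged_view, expected_view).
    """
    counts = Counter()
    mismatches = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a query line (startup messages, etc.)
        ip, view = m.group("ip"), m.group("view")
        counts[view] += 1
        expected = acl_view if in_acl(ip, nets) else other_view
        if view != expected:
            mismatches.append((ip, view, expected))
    return {"counts": dict(counts), "mismatches": mismatches}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, parse_acl(SAMPLE_ACL, "AA"))
    print("queries per view:", result["counts"])
    for ip, view, expected in result["mismatches"]:
        print("MISMATCH client %s logged in view %r, acl says %r" % (ip, view, expected))
```

On a live server, read `/var/log/named/query.log` and `/etc/bind/GeoIP-AA.acl` into `audit` and `parse_acl` instead of the constructed samples; an empty mismatch list means the views are doing what the acl says, whatever the per-view ratio is. For the syntax-error worry raised in the comments, `named-checkconf /etc/bind/named.conf` validates the whole configuration including the included acl before a reload; BIND also allows no forward references to acl names, so the file defining the acl has to be included ahead of the views that use it.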