Hi all!

I’m really despairing over a configuration and am starting to wonder if it is possible at all.

Running BIND 9.5.5, I want to serve IP addresses for my internal network only, and none from the Internet, except for a few domains. The idea is that I don’t want any intranet client to be able to resolve Internet addresses, except for a few domains like Microsoft.com and others.

My named.conf looks like this (shortened, copied together from multiple files that include others):

 
acl intranet_nets {
     192.168.94.0/24;
     192.168.1.0/24;
     192.168.5.0/24;
};

options {
     directory "/var/cache/bind";

     allow-query { localhost; intranet_nets; };
     allow-query-cache { localhost; intranet_nets; };

     recursion no;   # switching this on would resolve ANY Internet address, which I don’t want

     dnssec-validation auto;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { any; };
};

zone "corp.intranet.de" {
     type master;
     file "/etc/bind/db.corp.intranet.de";
     allow-transfer { 192.168.94.242; };
     allow-update { none; };
};

zone "94.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/db.94.168.192";
     allow-transfer { 192.168.94.242; };
     allow-update { none; };
};

zone "microsoft.com" IN {
     type forward;
     forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
};


Running this configuration, my local addresses are correctly resolved and external addresses are not (good), but DNS requests for the domain Microsoft.com aren’t resolved either (bad!).

I actually wonder whether “forward” is the right keyword (does forward mean answering the client with “don’t ask me, ask one of the forwarders”???), or whether I’m totally on the wrong track.

Any support on how to implement this setup is highly appreciated,

   Sig

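One way to get the selective forwarding the post asks for, as an added example that is not the poster's own configuration: BIND only consults forward zones for recursive queries, so recursion has to be on (restricted to the intranet), and an empty local root zone then answers NXDOMAIN for every name that is not explicitly forwarded. The file name db.empty-root and the dnssec-validation setting are assumptions of this example.

```conf
acl intranet_nets {
    192.168.94.0/24;
    192.168.1.0/24;
    192.168.5.0/24;
};

options {
    directory "/var/cache/bind";
    listen-on-v6 { any; };
    auth-nxdomain no;

    # Forwarding only happens for recursive queries, so recursion must be on.
    # Limiting it to the intranet keeps the server from being an open resolver.
    recursion yes;
    allow-query       { localhost; intranet_nets; };
    allow-query-cache { localhost; intranet_nets; };
    allow-recursion   { localhost; intranet_nets; };

    # Assumption of this example: with "." served locally (below) the validator
    # can no longer chain to the real root, so validation is switched off.
    dnssec-validation no;
};

# Serving an empty root zone locally means every name not covered by a more
# specific zone gets NXDOMAIN instead of being resolved via the Internet.
# db.empty-root is a hypothetical file holding just an SOA and an NS record:
#   $TTL 3600
#   @  IN SOA localhost. root.localhost. ( 1 3600 900 604800 3600 )
#   @  IN NS  localhost.
zone "." {
    type master;
    file "/etc/bind/db.empty-root";
};

# The corp.intranet.de and 94.168.192.in-addr.arpa master zones stay as posted.

# The more specific forward zone wins over the local "." zone, so only these
# names leave the network. "forward only" stops BIND from falling back to its
# own (now empty) root lookup if the forwarders do not answer.
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
};
```

After reloading, a query from an intranet host for a name under microsoft.com should get an answer from the forwarders, while a query for any other external name should come back NXDOMAIN from the local root zone.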
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users