Hi all! I'm really despairing over a configuration, and am starting to wonder if it is possible at all.

Running Bind 9.5.5, I want to serve IP addresses for my internal network only, and none from the internet, except for a few domains. The idea is I don't want any intranet client to be able to resolve Internet addresses, except for a few domains like Microsoft.com and others. My named.config looks like this (shortened, copied together from multiple files including others):

    acl intranet_nets { 192.168.94.0/24; 192.168.1.0/24; 192.168.5.0/24; };

    options {
        directory "/var/cache/bind";
        allow-query { localhost; intranet_nets; };
        allow-query-cache { localhost; intranet_nets; };
        recursion no;  # switching this on would resolve ANY Internet address, which I don't want
        dnssec-validation auto;
        auth-nxdomain no;  # conform to RFC1035
        listen-on-v6 { any; };
    };

    zone "corp.intranet.de" {
        type master;
        file "/etc/bind/db.corp.intranet.de";
        allow-transfer { 192.168.94.242; };
        allow-update { none; };
    };

    zone "94.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.94.168.192";
        allow-transfer { 192.168.94.242; };
        allow-update { none; };
    };

    zone "microsoft.com" IN {
        type forward;
        forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
    };

Running this configuration, my local addresses are correctly resolved, external addresses are not (good), but DNS requests for the domain Microsoft.com are not resolved either (bad!). I actually wonder if "forward" is the right keyword (is forward = answer to the client: "don't ask me, ask one of the forwarders" ???), or if I'm on the wrong track entirely.

Any support on how to implement this setup is highly appreciated,
Sig
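The pattern that usually gets this setup working, as an added example and not part of the original post: forwarding in BIND is a recursive operation, so a forward zone is never consulted while recursion is off; instead recursion stays on but is restricted to the intranet ACL, and an authoritative empty root zone answers NXDOMAIN for everything that is not explicitly listed. Assumed here: the file name /etc/bind/db.empty-root and its contents, and that dnssec-validation is turned off because the server no longer sees the real root and cannot build a validation chain.

```conf
acl intranet_nets { 192.168.94.0/24; 192.168.1.0/24; 192.168.5.0/24; };

options {
    directory "/var/cache/bind";
    allow-query       { localhost; intranet_nets; };
    allow-query-cache { localhost; intranet_nets; };
    // Forwarding needs recursion; enable it, but only for the intranet ACL.
    recursion yes;
    allow-recursion   { localhost; intranet_nets; };
    // Assumption: validation off, since this server serves its own "."
    // and cannot fetch the real root keys to build a trust chain.
    dnssec-validation no;
    auth-nxdomain no;
    listen-on-v6 { any; };
};

// Empty authoritative root zone: any name not covered by a more specific
// zone below gets NXDOMAIN locally and is never sent to the internet.
// Assumed file /etc/bind/db.empty-root, containing only:
//   @ 3600 IN SOA ns.corp.intranet.de. hostmaster.corp.intranet.de. 1 3600 900 604800 3600
//   @ 3600 IN NS  ns.corp.intranet.de.
zone "." {
    type master;
    file "/etc/bind/db.empty-root";
    allow-transfer { none; };
};

zone "corp.intranet.de" {
    type master;
    file "/etc/bind/db.corp.intranet.de";
    allow-transfer { 192.168.94.242; };
    allow-update { none; };
};

zone "94.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.94.168.192";
    allow-transfer { 192.168.94.242; };
    allow-update { none; };
};

// More specific than ".", so queries under microsoft.com are forwarded.
// "forward only" prevents a fallback to iterative resolution if the
// forwarders fail to answer.
zone "microsoft.com" IN {
    type forward;
    forward only;
    forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
};
```

Check the result with `named-checkconf` and `named-checkzone . /etc/bind/db.empty-root` before reloading, then confirm from an intranet client that a name under microsoft.com resolves while an unlisted external name returns NXDOMAIN.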
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users