Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Jon Fullmer
Rich, you and Barry both touched on my original tactic. I can define
"something.xyz.com" as a master zone with a single entry. The problem, as
you pointed out, is that this doesn't catch "www.something.xyz.com".
Unfortunately, the "www" section will have any number of random hosts, so
putting entries in manually will be impractical.

I'm intrigued by the RPZ option. I'm not familiar with it. I realize that
it's only available in 9.8.1 and above (which will require me to upgrade;
I'm using 9.7.3). I've been scouring the Net for examples, but they're
typically targeted to one of RPZ's main purposes (spam blacklisting,
etc.).

IF I'm following the config right, let's say that the local server in my
example is 10.1.2.3:

--- named.conf ---

options {
   // the "zone" keyword is required inside response-policy
   response-policy { zone "something.xyz.com"; };
};

zone "something.xyz.com" {
  type master;
  file "something.xyz.com.db";
};

--- something.xyz.com.db ---

$TTL 900

@  IN SOA   soa.xyz.com.  hostmaster.xyz.com.  0001 900 900 604800 30
   IN NS    localhost.

@  IN A     10.1.2.3
*  IN CNAME .     ; in RPZ, "CNAME ." is the NXDOMAIN action, not a pass-through

--- end ---

Is this right? I guess the trick I'm trying to sort out is how to tell the
zone file to "recurse, if not explicitly 'something.xyz.com'." What else
am I leaving out?


 - Jon


On 5/8/14, 10:05 PM, Rich Goodson rgood...@gronkulator.com wrote:

On your resolver, create a zone called something.xyz.com and only have one
entry, an A record for the zone itself.  Something like this:

---begin something.xyz.com zonefile---
something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. (
2014050901
3H
300
2W
3600 )
something.xyz.com.  in ns ns1.abc.com.
something.xyz.com.  in ns ns2.abc.com.
something.xyz.com.  in a  192.168.100.15
---end something.xyz.com zonefile---

This will still allow www.xyz.com and mail.xyz.com to resolve, but will NOT
recurse for www.something.xyz.com.  If you want that to resolve, you'll have to
add that to the zone as well, as you're claiming authority for
something.xyz.com and everything to the left of that as well.

It just occurred to me that you could also provide a local answer for a single
name with RPZ, which would give the benefit of continuing to recurse for
www.something.xyz.com.

-Rich



On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote:

 Does anyone know how I might configure bind to answer for a specific
host within the zone, but perform a recursive lookup for the rest of the
zone?
 
 For example, given the domain xyz.com, how might I configure a local
DNS server to resolve something.xyz.com to, maybe, a local server, but
still allow www.xyz.com, mail.xyz.com and www.something.xyz.com
to resolve recursively?
 
 Is there a way?
 
 - Jon

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
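The RPZ layout Rich suggests, written out as an added example (this is not configuration from the thread): the policy zone gets its own private name, the override for something.xyz.com is a trigger record beneath that name, and there is no wildcard rule, so every other name passes through to normal recursion. The zone name "rpz.local" and the file name are assumptions.

```text
// --- named.conf (added example; "rpz.local" and the file path are assumed) ---
options {
    recursion yes;
    // Apply the policy zone to the answers this resolver hands out.
    response-policy { zone "rpz.local"; };
};

// The policy zone is a private, local-only zone. Its name is NOT the
// domain being overridden; the names to act on are written beneath it.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query    { none; };   // policy data is never served to clients directly
    allow-transfer { none; };
};

; --- rpz.local.db ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2014050901 3600 300 604800 300 )
    IN NS   localhost.

; "Local Data" rule: a query for exactly something.xyz.com is answered from
; this record instead of being recursed.
something.xyz.com   IN A    10.1.2.3

; No wildcard rule. Names with no matching trigger (www.xyz.com, mail.xyz.com,
; www.something.xyz.com) are left untouched and recurse normally.
; A "*.something.xyz.com IN CNAME ." rule would instead return NXDOMAIN for
; every host under something.xyz.com, the opposite of what is wanted here.
```

Check it against the resolver with `dig something.xyz.com A` (expect 10.1.2.3) and `dig www.something.xyz.com A` (expect the upstream answer); as noted above, RPZ needs BIND 9.8.1 or later.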


Re: Answer for a specific host, but recurse for all others within a zone

2014-05-09 Thread Jon Fullmer
(Sorry, let's try that again WITHOUT smart quotes:)

Rich, you and Barry both touched on my original tactic. I can define
something.xyz.com as a master zone with a single entry. The problem, as
you pointed out, is that this doesn't catch www.something.xyz.com.
Unfortunately, the www section will have any number of random hosts, so
putting entries in manually will be impractical.

I'm intrigued by the RPZ option. I'm not familiar with it. I realize that
it's only available in 9.8.1 and above (which will require me to upgrade;
I'm using 9.7.3). I've been scouring the Net for examples, but they're
typically targeted to one of RPZ's main purposes (spam blacklisting,
etc.). 

IF I'm following the config right, let's say that the local server in my
example is 10.1.2.3:

--- named.conf ---

options {
   // the "zone" keyword is required inside response-policy
   response-policy { zone "something.xyz.com"; };
};

zone "something.xyz.com" {
  type master;
  file "something.xyz.com.db";
};

--- something.xyz.com.db ---

$TTL 900

@  IN SOA   soa.xyz.com.  hostmaster.xyz.com.  0001 900 900 604800 30
   IN NS    localhost.

@  IN A     10.1.2.3
*  IN CNAME .     ; in RPZ, "CNAME ." is the NXDOMAIN action, not a pass-through

--- end ---

Is this right? I guess the trick I'm trying to sort out is how to tell the
zone file to recurse, if not explicitly 'something.xyz.com'. What else
am I leaving out?


 - Jon