Re: Answer for a specific host, but recurse for all others within a zone
Rich, you and Barry both touched on my original tactic. I can define ³something.xyz.com² as a master zone with a single entry. The problem, as you pointed out, is that this doesn¹t catch ³www.something.xyz.com². Unfortunately, the ³www² section will have any number of random hosts, so putting manually entries will be impractical. I¹m intrigued by the RPZ option. I¹m not familiar with it. I realize that it¹s only available in 9.8.1 and above (which will require me to upgrade; I¹m using 9.7.3). I¹ve been scouring the Net for examples, but they¹re typically targeted to one of RPZ¹s main purposes (spam blacklisting, etc.). IF I¹m following the config right, let¹s say that the local server in my example is 10.1.2.3: named.conf options { response-policy { ³something.xyz.com²; }; }; zone ³something.xyz.com² { type master; file ³something.xyz.com.db²; }; something.xyz.com.db $TTL 900 @IN SOA soa.xyz.com. hostmaster.xyz.com. 0001 900 900 604800 30 IN NS localhost. @IN A 10.1.2.3 *IN CNAME . end Is this right? I guess the trick I¹m trying to sort out is how to tell the zone file to ³recurse, if not explicitly Œsomething.xyz.com¹.² What else am I leaving out? - Jon On 5/8/14, 10:05 PM, Rich Goodson rgood...@gronkulator.com wrote: On your resolver, create a zone called something.xyz.com and only have one entry, an A record for the zone itself. something like this:---begin something.xyz.com zonefile--- something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. ( 2014050901 3H 300 2W 3600 ) something.xyz.com. in ns ns1.abc.com. something.xyz.com. in ns ns2.abc.com. something.xyz.com. in a 192.168.100.15 ---end something.xyz.com zonefile--- This will still allow www.xyz.com and mail.xyz.com to resolve, but will NOT recurse for www.something.xyz.com. If you want that to resolve, you'll have to add that to the zone as well, as you're claiming authority for something.xyz.com and everything to the left of that as well. It just occurred to me that you could also provide a local answer for a single name with RPZ, which would give the benefit of continuing to recurse for www.something.xyz.com. -Rich On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote: Does anyone know how I might configure bind to answer for a specific host within the zone, but perform a recursive lookup for the rest of the zone? For example, given the domain xyz.com, how might I configure a local DNS server to reslove something.xyz.com to, maybe, a local server, but still allow Wwww.xyz.com, mail.xyz.com and www.something.xyz.com to still recursively resolve? Is there a way? - Jon ___ Please visit https://urldefense.proofpoint.com/v1/url?u=https://lists.isc.org/mailman/ listinfo/bind-usersk=wlPCrglRP6kzT4RbABWMaw%3D%3D%0Ar=Ba5TSsfIG%2FGaAmY ncsVzcofx4V7vYqn9mL8OSu2ZU3A%3D%0Am=uVzLIfZgMUTetuqtnP9GK6Ddz3XeGsxjEeZZ TlkIicI%3D%0As=639cc9d4a7f3a72cde94ea93443c8a9f748a5b3f0323cb447ecb57163 a95980c to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://urldefense.proofpoint.com/v1/url?u=https://lists.isc.org/mailman/ listinfo/bind-usersk=wlPCrglRP6kzT4RbABWMaw%3D%3D%0Ar=Ba5TSsfIG%2FGaAmY ncsVzcofx4V7vYqn9mL8OSu2ZU3A%3D%0Am=uVzLIfZgMUTetuqtnP9GK6Ddz3XeGsxjEeZZ TlkIicI%3D%0As=639cc9d4a7f3a72cde94ea93443c8a9f748a5b3f0323cb447ecb57163 a95980c NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Answer for a specific host, but recurse for all others within a zone
(Sorry, let's try that again WITHOUT smart quotes:) Rich, you and Barry both touched on my original tactic. I can define something.xyz.com as a master zone with a single entry. The problem, as you pointed out, is that this doesn't catch www.something.xyz.com. Unfortunately, the www section will have any number of random hosts, so putting manually entries will be impractical. I'm intrigued by the RPZ option. I'm not familiar with it. I realize that it's only available in 9.8.1 and above (which will require me to upgrade; I'm using 9.7.3). I've been scouring the Net for examples, but they're typically targeted to one of RPZ's main purposes (spam blacklisting, etc.). IF I易m following the config right, let易s say that the local server in my example is 10.1.2.3: named.conf options { response-policy { something.xyz.com; }; }; zone something.xyz.com { type master; file something.xyz.com.db; }; something.xyz.com.db $TTL 900 @IN SOA soa.xyz.com. hostmaster.xyz.com. 0001 900 900 604800 30 IN NS localhost. @IN A 10.1.2.3 *IN CNAME . end Is this right? I guess the trick I'm trying to sort out is how to tell the zone file to recurse, if not explicitly 'something.xyz.com'. What else am I leaving out? - Jon On 5/8/14, 10:05 PM, Rich Goodson rgood...@gronkulator.com wrote: On your resolver, create a zone called something.xyz.com and only have one entry, an A record for the zone itself. something like this:---begin something.xyz.com zonefile--- something.xyz.com. in soa ns1.abc.com. hostmaster.abc.com. ( 2014050901 3H 300 2W 3600 ) something.xyz.com. in ns ns1.abc.com. something.xyz.com. in ns ns2.abc.com. something.xyz.com. in a 192.168.100.15 ---end something.xyz.com zonefile--- This will still allow www.xyz.com and mail.xyz.com to resolve, but will NOT recurse for www.something.xyz.com. If you want that to resolve, you'll have to add that to the zone as well, as you're claiming authority for something.xyz.com and everything to the left of that as well. It just occurred to me that you could also provide a local answer for a single name with RPZ, which would give the benefit of continuing to recurse for www.something.xyz.com. -Rich On May 9, 2014, at 1:15 AM, fullme...@ldschurch.org wrote: Does anyone know how I might configure bind to answer for a specific host within the zone, but perform a recursive lookup for the rest of the zone? For example, given the domain xyz.com, how might I configure a local DNS server to reslove something.xyz.com to, maybe, a local server, but still allow Wwww.xyz.com, mail.xyz.com and www.something.xyz.com to still recursively resolve? Is there a way? - Jon ___ Please visit https://urldefense.proofpoint.com/v1/url?u=https://lists.isc.org/mailman/ listinfo/bind-usersk=wlPCrglRP6kzT4RbABWMaw%3D%3D%0Ar=Ba5TSsfIG%2FGaAmY ncsVzcofx4V7vYqn9mL8OSu2ZU3A%3D%0Am=uVzLIfZgMUTetuqtnP9GK6Ddz3XeGsxjEeZZ TlkIicI%3D%0As=639cc9d4a7f3a72cde94ea93443c8a9f748a5b3f0323cb447ecb57163 a95980c to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://urldefense.proofpoint.com/v1/url?u=https://lists.isc.org/mailman/ listinfo/bind-usersk=wlPCrglRP6kzT4RbABWMaw%3D%3D%0Ar=Ba5TSsfIG%2FGaAmY ncsVzcofx4V7vYqn9mL8OSu2ZU3A%3D%0Am=uVzLIfZgMUTetuqtnP9GK6Ddz3XeGsxjEeZZ TlkIicI%3D%0As=639cc9d4a7f3a72cde94ea93443c8a9f748a5b3f0323cb447ecb57163 a95980c NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users