Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Manuel Ramírez
Thank you very much for both answers.

Regards


On 11 Apr 2017 19:17, "Chris Buxton" <cli...@buxtonfamily.us> wrote:

On Apr 11, 2017, at 2:19 AM, Manuel Ramírez <manuel.rami...@grupoica.com>
wrote:

Hi,

I would like to allow queries for specific blogspot.com subdomains and
block the rest of the queries.
I have a file with several zones configured; one of those zones is the
specific subdomain, of type "forward":

    zone "w.blogspot.com" IN {
        type forward;
        forwarders { 213.0.184.85; 213.0.184.88; };
    };

and below I have the zone blogspot.com as master, resolving an internal IP:

    zone "blogspot.com" IN {
        type master;
        file "/var/named/data/db.sinkhole";
    };

But it is not working; it always resolves the internal IP address. I thought it
evaluates the zones in order and should first forward the query for
w.blogspot.com, but it is always matching the other zone.
Any idea how I can achieve my goal?


No, order is not considered. Rather, there are two separate searches:

- Is there an authoritative answer available from local data? In this case,
yes, because you have a sinkhole zone named "blogspot.com", from which an
authoritative negative answer can be derived.
- If the first search does not return an answer, then use the recursion
algorithm, including checking the cache and checking for the most specific
forwarding configuration (if any) that would apply.

Doing what you want is better solved using RPZ, as Tony Finch mentioned. To
do this, do not define these two zone statements. Instead, define a
response policy zone that says that *.blogspot.com should be blocked, but
that specific names (e.g. w.blogspot.com) should be whitelisted. Read the
BIND v9 ARM for details on how to accomplish this.

Regards,
Chris Buxton
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
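
The RPZ layout Chris Buxton describes in the reply above, written out as an added example; it is not from the thread or from ISC. The policy zone name rpz.local, the file path, the SOA values and the 192.0.2.10 sinkhole address are assumptions chosen for illustration.

```bind
// ---- named.conf fragment (added example; names and paths are assumptions) ----
// Remove the "w.blogspot.com" forward zone and the "blogspot.com" master zone,
// then attach one policy zone. If views are in use, response-policy and the
// zone statement go inside the view that serves the clients.
options {
    // ... existing options ...
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/var/named/data/db.rpz.local";   // hypothetical path
    allow-query { localhost; };            // clients need not query the policy itself
    allow-transfer { none; };
};

; ---- /var/named/data/db.rpz.local (constructed zone file) ----
$TTL 300
@   IN SOA localhost. hostmaster.localhost. (
        2017041101 ; serial (constructed)
        1h 15m 30d 2h )
    IN NS  localhost.

; Owner names are relative to the policy zone, so they carry no trailing dot.
; Allow-list: the exact owner name is matched before the wildcard below, and
; rpz-passthru tells named to answer this name by normal recursion.
w.blogspot.com      IN CNAME rpz-passthru.

; Block everything else under blogspot.com. "CNAME ." rewrites to NXDOMAIN.
; The wildcard does not match the apex, so the apex gets its own record.
blogspot.com        IN CNAME .
*.blogspot.com      IN CNAME .

; Alternative to NXDOMAIN: send blocked names to a sinkhole host, as the
; db.sinkhole zone did. 192.0.2.10 is a placeholder address.
; blogspot.com      IN A 192.0.2.10
; *.blogspot.com    IN A 192.0.2.10
```

Both files can be checked with named-checkconf and named-checkzone before named is reloaded.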

Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Manuel Ramírez
Hi,

I would like to allow queries for specific blogspot.com subdomains and
block the rest of the queries.
I have a file with several zones configured; one of those zones is the
specific subdomain, of type "forward":

    zone "w.blogspot.com" IN {
        type forward;
        forwarders { 213.0.184.85; 213.0.184.88; };
    };

and below I have the zone blogspot.com as master, resolving an internal IP:

    zone "blogspot.com" IN {
        type master;
        file "/var/named/data/db.sinkhole";
    };

But it is not working; it always resolves the internal IP address. I thought it
evaluates the zones in order and should first forward the query for
w.blogspot.com, but it is always matching the other zone.
Any idea how I can achieve my goal?

Regards

Manuel

Re: doubt about queries.log format

2016-07-18 Thread Manuel Ramírez
Thanks, Tony, for your answer.
Is there any possibility of using another category and/or debug level to
obtain the record and the IP resolved in the same log entry?

Regards

Manuel

2016-07-18 12:50 GMT+02:00 Tony Finch <d...@dotat.at>:

> Manuel Ramírez <manuel.rami...@grupoica.com> wrote:
> >
> > I would like to know if it is possible to see in the queries.log output the IP
> > address resolved
>
> No, it only logs the query not the answers.
>
> Have a look at passive DNS or dnstap if you want more detailed telemetry.
>
> Tony.
> --
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h
> punycode
> Irish Sea, Shannon: South 4 or 5, becoming variable 3 or 4. Smooth or
> slight
> in Irish Sea, moderate in Shannon. Fog patches. Moderate or good,
> occasionally
> very poor.

doubt about queries.log format

2016-07-18 Thread Manuel Ramírez
Hi,

First of all, sorry for my poor English.

I would like to know if it is possible to see in the queries.log output the IP
address resolved. For example, this is one line from the queries.log:

    18-Jul-2016 10:54:15.226 queries: info: client 10.1.116.27#10760 (update.microsoft.com): view localhost_resolver: query: update.microsoft.com IN A + (10.1.0.244)

I would like to see the IP resolved for update.microsoft.com. Is this possible?

Thanks in advance

Regards

Manuel

ipv6 AAAA register and ipv4 NS register with the same name

2014-12-15 Thread Manuel Ramírez
Hello,

We have BIND 9.8.4. P2 with many registers delegated to a link load
balancer (we have two public IP ranges and LinkProof acts as a DNS
balancer).
Now we need to add the IPv6 AAAA register for all those registers that
are in IPv4 delegated to the link balancer, but this balancer doesn't
support IPv6.

So we have the IPv4 register as NS and the same register in IPv6 as
AAAA. I thought that when I ask for the IPv4 register the link balancer
should show the two public IPs, and when I ask for the AAAA register,
the DNS shows the IPv6 IP, but it is not like this. It doesn't matter
whether I ask for IPv4 (NS) or IPv6 (AAAA), I always obtain the IPv4 IP
delegated to the link balancer.

Is there any way to achieve that the IPv6 register, despite the same
register being created in IPv4 and delegated to the load balancer, resolves
the AAAA record type?

Please excuse my limited English.

Regards