BIND 9 – How to enter a DNS record for the main domain

binddomain-name-systeminternal-dns

Let's say I have a domain named example.com.
The subdomains on that work, however I cannot attach example.com to an IP Address of its own.

wifi    IN    A   1.1.1.1     ; -Works (wifi.example.com)
router  IN    A   1.1.1.2     ; -Works (router.example.com)
@       IN    A   1.1.1.3     ; - Doesn't Work (example.com)

named-checkconf and named-checkzone both return nothing. I am rather new at BIND so instead of trouble shooting my zone file. Can you simply provide the instructions for achieving my above question?

Best Answer

To add an address record (A/AAAA) like in your example, regardless if it's at the zone apex or at some other level, you simply need to specify the desired owner name.

An example that doesn't rely on any "tricks":

example.com. IN A 192.0.2.7

What you did is also a potentially working way of doing it but the value of @ is very much context sensitive.
@ expands to the the current origin (can be changed using the $ORIGIN directive).

At a point in the zone file where there have been no $ORIGIN directives the origin is the zone name (example.com. in your example).
If there are $ORIGIN directives you'll have to keep track of what the current origin is to know what @ actually means. (Where you add your line will affect its meaning.)

The same also applies for relative names (which you used for the other records in your example), these are also relative to the current origin.

wifi.example.com. IN A 192.0.2.8

is using an absolute name and is not context sensitive

while

wifi IN A 192.0.2.8

is context sensitive and will expand to wifi with whatever the current origin is appended to it, with pretty much identical implications as the use of @.

You having different success with eg wifi and @ could be explained by you adding these lines in different positions in a zone file that has $ORIGIN directives.

named-checkconf -zj/named-checkzone not showing any errors supports this theory as it's not an actual error, it's just that you have added the record in a different place than you intended, eg at foo.example.com. instead of at example.com..

To see the actual zone data fully spelled out for you, you may want to format it into its fully expanded form, you can easily get this using eg dig @localhost example.com AXFR (if you allow yourself to AXFR) or named-compilezone -f text -F text -s full -j -o - example.com db.example.com (if you have the file available).

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

DNS Records – How to List All DNS Records in a Domain Using Dig

Answer

The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).

That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:

dig +noall +answer +multiline yourdomain.yourtld any

These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page ).

Example

$ dig +noall +answer +multiline bad.horse any

Returns:

bad.horse.              7200 IN A 162.252.205.157
bad.horse.              7200 IN CAA 0 issue "letsencrypt.org"
bad.horse.              7200 IN CAA 0 iodef "mailto:abuse@sandwich.net"
bad.horse.              7200 IN MX 10 mx.sandwich.net.
bad.horse.              7200 IN NS a.sn1.us.
bad.horse.              7200 IN NS b.sn1.us.
bad.horse.              7200 IN SOA a.sn1.us. n.sn1.us. (
                                2017032202 ; serial
                                1200       ; refresh (20 minutes)
                                180        ; retry (3 minutes)
                                1209600    ; expire (2 weeks)
                                60         ; minimum (1 minute)
                                )

Caveats (RFC8482)

Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/

If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.