Bind9 – Forward to Another External IP

bind, domain-name-system

I have set up a DNS server using bind9 and will forward any DNS request to 1.1.1.1. It is working fine with resolving the DNS requests from users. Note that my DNS resolver is residing in a VPS and not locally in my network.

The issue is that if I would want to redirect a domain 'blocksite.com' to another external IP 100.100.100.200, how can I configure it?

It will be something like an ISP censoring a prohibited website and redirecting it to another IP (a blocked warning page) when a user tries to access the website.

Please help. Many thanks in advance.

Best Answer

It's possible to add a zone for the domain, but the feature you are probably looking for is called Response Policy Zones (RPZ). With an RPZ, you can add a single zone that can lie about the domains / hostnames you would like to block.

Response Policy Zone (RPZ) Rewriting

BIND 9 includes a limited mechanism to modify DNS responses for requests analogous to email anti-spam DNS blacklists. Responses can be changed to deny the existence of domains (NXDOMAIN), deny the existence of IP addresses for domains (NODATA), or contain other IP addresses or data.

Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. Response policy zones are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query { localhost; };. Note that zones using masterfile-format map cannot be used as policy zones.

options {
    // . . .
    response-policy { zone "rpz"; };
};

zone "rpz" {
    type master;
    file "rpz.db";
    allow-query { 127.0.0.1; };
};

Then you can add the domain to the rpz.db file with an A record to your warning page server:

$ORIGIN rpz.
$TTL 3600
@ IN SOA localhost. root.localhost. ( 2 3H 1H 1W 1H )
@ IN NS localhost.
; Owner names are relative to the policy zone's origin, so this record is
; blocked.example.com.rpz. An absolute name ending in "." would be rejected
; by named as out-of-zone data.
blocked.example.com IN A 192.0.2.1
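Maintaining the rpz.db file by hand gets error-prone once there are more than a few entries (forgotten wildcards, trailing dots that make a record out-of-zone, a serial that was not bumped so secondaries never reload). The following generator is an added example, not code from the original answer or from the BIND project. It assumes the policy zone is named "rpz" as in the named.conf above, uses 192.0.2.1 (documentation address space) as the constructed warning-page address, and encodes the standard RPZ actions the BIND documentation describes: an A record to redirect, `CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, and `CNAME rpz-passthru.` to exempt a name.

```python
"""Build a BIND 9 Response Policy Zone (RPZ) file from a small blocklist.

Added example (not part of the original answer). Assumes the policy zone
is named "rpz" and that 192.0.2.1 is the warning-page address.
"""
import ipaddress
import re
from datetime import date

# RPZ policy actions expressed as the rdata BIND expects in the policy zone.
SPECIAL_TARGETS = {
    "nxdomain": ".",              # CNAME .             -> deny the domain exists
    "nodata": "*.",               # CNAME *.            -> domain exists, no records
    "passthru": "rpz-passthru.",  # CNAME rpz-passthru. -> exempt from blocking
}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_domain(name):
    """Return name lowercased, or raise ValueError.

    A trailing dot is rejected on purpose: every owner name in an RPZ file
    must be relative to the zone origin (blocked.example.com.rpz.), so an
    absolute name such as "blocked.example.com." would be out-of-zone data.
    """
    if name.endswith("."):
        raise ValueError(f"{name!r}: RPZ owner names must be relative (no trailing dot)")
    labels = name.lower().split(".")
    if len(name) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"{name!r}: not a valid hostname")
    return ".".join(labels)


def rpz_records(domain, action, target=None, include_subdomains=True):
    """Return the (owner, rdata) pairs that implement one policy entry."""
    domain = validate_domain(domain)
    if action == "redirect":
        addr = ipaddress.ip_address(target)
        rrtype = "A" if addr.version == 4 else "AAAA"
        rdata = f"IN {rrtype} {addr}"
    elif action in SPECIAL_TARGETS:
        rdata = f"IN CNAME {SPECIAL_TARGETS[action]}"
    else:
        raise ValueError(f"unknown action {action!r}")
    owners = [domain]
    if include_subdomains:
        owners.append(f"*.{domain}")  # wildcard also catches www.blocksite.com etc.
    return [(owner, rdata) for owner in owners]


def next_serial(previous, today_yyyymmdd=None):
    """Return a YYYYMMDDnn serial that is strictly greater than the previous one."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    return max(today_yyyymmdd * 100, previous + 1)


def build_rpz_zone(policies, serial, origin="rpz"):
    """Render a complete policy zone file as text."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 3600",
        f"@ IN SOA localhost. root.localhost. ( {serial} 3H 1H 1W 1H )",
        "@ IN NS localhost.",
    ]
    for entry in policies:
        for owner, rdata in rpz_records(**entry):
            lines.append(f"{owner} {rdata}")
    return "\n".join(lines) + "\n"


# Constructed sample policy list (hypothetical names, documentation addresses).
SAMPLE_POLICIES = [
    {"domain": "blocksite.com", "action": "redirect", "target": "192.0.2.1"},
    {"domain": "tracker.example", "action": "nxdomain"},
    {"domain": "allowed.blocksite.com", "action": "passthru",
     "include_subdomains": False},
]

if __name__ == "__main__":
    # Write the result to rpz.db and run `named-checkzone rpz rpz.db` before reload.
    print(build_rpz_zone(SAMPLE_POLICIES, next_serial(2)))
```

Running the script prints the zone; redirect the output to rpz.db, check it with `named-checkzone rpz rpz.db`, and reload named. The serial helper guarantees a monotonically increasing serial even when the file is regenerated several times a day, and the validator refuses absolute owner names so the out-of-zone mistake from the original zone file cannot reappear.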