bind9 – How to Configure as Local DNS Only with No Internet Access

binddomain-name-systeminternetlocal-area-networkreverse-dns

I want to configure bind9 to be a local DNS only with no internet access at all. So I have 5 PCs in my virtual domain xy.com. Within this domain there is no access to the internet.

The DNS server has entries like:

pc1.xy.com IN A 10.1.1.1
pc2.xy.com IN A 10.1.1.2
.
.
pc5.xy.com IN A 10.1.1.5

Bind is configured correctly but when I do a "dig @localhost pc1" on the DNS server it does not work because he gets stuck contacting the root servers. But I only want him to be local and to answer which IP pc1 has.

How can I achieve this?

Best Answer

To achieve this you need to create a fake root zone to replace the "root.hints" zone that's normally configured.

In named.conf put this:

zone "." IN {
        type master;
        file "fake.root";
};

and in fake.root put this:

$TTL    300
.               IN      SOA ns. hostmaster.xy.com. (
                        20120101 1800 900 604800 86400
                )
.               IN      NS      ns
ns              IN      A       127.0.0.1

This will prevent all attempts to access the internet to obtain the real root hints.

You can also put your pcN.xy.com entries directly into that root zone, too - there's no need for them to be in their own xy.com zone file, so you can just append the following to fake.root:

$ORIGIN xy.com.
pc1             IN      A       10.1.1.1
pc2             IN      A       10.1.1.2
pc3             IN      A       10.1.1.3
pc4             IN      A       10.1.1.4
pc5             IN      A       10.1.1.5

Apart from any options { } that you may need (ACLs?) that's it - nothing else required.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Active Directory DNS – Change Entry Only on One Site

I would recommend putting the zone back to non integrated and using forwarders to achieve what you want. In this scenario you can still keep 1 record of the zone that every site can use.

In the example.

SiteA
ourdomain.com - NS for the zone - AD replicated
entry.ourdomain.com - NS for the zone - no replication

SiteB
ourdomain - NS for the zone - AD replicated
entry.ourdomain.com - forwards to the internet DNS server
subdomain.entry.ourdomain.com - forwards to site A
ourdomain.com - forwards to site A
anyotherrecord.ourdomain.com - forwards to site A

Setting up forwards in DNS is very easy http://technet.microsoft.com/en-us/library/cc754941.aspx

Alternatively, you could use a secondary DNS server in site B that everyone used, but that sounds a bit silly for your purpose, or host files on local machines, but that might be a bit silly as well.

Also, it may be you do not want to have a single copy of the DNS records, in that case you could use a secondary DNS server in Site A or Site B that was also a nameserver for the domain, and you can configure 2 forwarder address for redundancy.

If you have trouble with the forwarders please comment so I can provide more info.

Hope this helps you.

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

Active Directory DNS – Change Entry Only on One Site

Related Topic