BIND – How to Resolve One IP Address Differently in Internal DNS

bindinternal-dns

I have an internal DNS (it is completely internal, ie. the network is not connected to Internet) for a group of networks. They are set up as follows:

Each network has a different address range of 10.x.0.0/16 and its own domain domainx (it is a top-level domain) – for example network 10.1.0.0/16 has domain1 (all hosts in this network have DNS names somehost.domain1)
For each network/domain, host ns.domainx (10.x.1.1) is a DNS server that handles both forward zone domainx and reverse zone x.10.in-addr.arpa
These networks are not interconnected, except of a special multi-homed server that has connectivity to all these networks (and my question is about that server in fact) – but it does not route packets between those networks, it only can communicate with each of them. It is by design, each network is designed to be operated separately and standalone.
Therefore, the DNS server in each network knows only about its domain; it doesn't know (and should not know) anything about domains from other networks.
However, the multi-homed server I mentioned earlier needs to have working DNS resolution for addresses in all these networks. By requirement, I can't touch anything in any of the networks, in particular their DNS servers. I can only modify configuration of the multi-homed server.

So I set up BIND on the multi-homed server that just defines zone . as "master", and the zone file contains the following records:

1.10.in-addr.arpa.    IN    NS    ns.domain1.
domain1.              IN    NS    ns.domain1.
ns.domain1.           IN    A     10.1.1.1

2.10.in-addr.arpa.    IN    NS    ns.domain2.
domain2.              IN    NS    ns.domain2.
ns.domain2.           IN    A     10.2.1.1

3.10.in-addr.arpa.    IN    NS    ns.domain3.
domain3.              IN    NS    ns.domain3.
ns.domain3.           IN    A     10.3.1.1

and so on for all networks.

Everything works OK, but there is one small issue.

Sometimes the DNS server for a particular network is down. In these networks, the DNS server being down is not considered a failure – it is just a normal operating state that can happen. It is expected and normal that there will be no DNS resolution for that particular network at that time.

But there is one particular IP address in network 1 (say, 10.1.10.10) that I want always to resolve to a domain name – even when the DNS for network 1 is down. So it must be resolved by the local server, not delegated to the server for network 1. Actually, it is also acceptable that NXDOMAIN will be returned as a response to the query for this address (if this is easier to configure), but the response must be returned immediately, without trying to contact the DNS server for network 1 – the delay when that server is down is exactly what we want to avoid.

And I don't know how to do this.

Adding a PTR record for 10.10.1.10.in-addr.arpa. to the . zone file does not work – it seems to be simply ignored, and when the DNS for network 1 is not working, 10.1.10.10 is not resolved.

How to make this address resolve locally?

Best Answer

I found a solution. It was actually simple. It was sufficient to add 10.10.1.10.in-addr.arpa as another "master" zone to my named.conf file, with the zone file being named.empty ie. the default file included in BIND configuration to serve zone 0.in-addr.arpa.

Now the query for 10.1.10.10 gives the answer that the address has no PTR record, regardless whether the DNS server for 10.1.0.0/16 is up or down. That eliminates the delay when resolving the address, which is sufficient for me. Of course I could define a separate zone file for this zone instead of named.empty and add in this zone file a PTR record for @ to make the IP address actually resolve to some domain name, but I have no need for this right now.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Linux – BIND/Named DNS zone file: Cannot access website without using www

You forget a dot at the end of the name ourcompany.com. In fact, here, you create an address ourcompany.com.ourcompany.com, with the ORIGIN tag

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

Linux – BIND/Named DNS zone file: Cannot access website without using www

Related Topic