Tell BIND to not forward for domains used by DNS block list services

binddomain-name-system

How can I tell BIND to stop forwarding queries to my provider's DNS servers for a specific list of domains, but to forward for everything else?

I'm using BIND as an authorative nameserver for my domain. It also provides DNS resolution for other queries on the host, by forwarding them to my provider's DNS servers:

forward first;
forwarders {
    1.2.3.4;
    5.6.7.8;
};

However I am running SpamAssassin and my queries to various DNS blocklists are being rejected, since they are going through my provider's nameservers (along with many of my fellow customers) and reaching the limit for free queries originating from their IP addresses. Since I only have a small number of queries myself (maybe 5-10 a day) I would like to configure BIND so that it does NOT forward DNSBL queries to my provider's servers, but it DOES forward everything else.

This should allow me to continue to use DNS blocklists to spam check the small amount of e-mail I get, without having to turn off the forwarding/caching entirely.

How can I tell BIND not to forward just a handful of domains, but keep it forwarding everything else?

Best Answer

Try configuring zones for your blacklists, and configure them not to forward. Something like this should work. You will need one of these for each blacklist zone.

zone "blacklist.example.com" {
    type static-stub;
    recursion yes;
};

You will also need to setup the root zone so recursion will work. You likely already have done this.

Related Solutions

How to set up multiple DNS servers on an intranet

Internet-facing DNS servers that host zones should have recursion disabled and should be used only for hosting zones.

If a DNS server has a zone on it, it considers itself authoritative for that zone so when a request is sent to it for a record in a zone it hosts, it answers definitively (including saying 'no such record' if doesn't exist locally - it won't forward that request). You don't want to have the same zone on multiple servers for this reason. Of course you could have the zone on multiple servers if one was a primary and the other a secondary that receives zone transfers from the primary but the way you worded your question it sounds like you either have or are thinking about having more than one server configured as primary for the same zone which you don't want.
Yes you would list OpenDNS as the last forwarder. You don't actually have to delete the root servers - as long as the forward is in place your DNS server will honor that config.
Kinda hard to answer this one because you have a DNS config that sounds slightly more complex than necessary. I guess I'd suggest simplifying things a bit and have the AD servers forward to OpenDNS directly and then you can put in other forwarders for locally-hosted zones if it is necessary. I'm not sure you're gaining anything with all that forwarding.

In general, you really should separate out servers that host internet facing zones (and disable recursion on those servers) from servers that provide internal recursion. It would make things much simpler.

BIND – Forward DNS Query for Specific Domain to Specific Nameserver

Have a look at this page. You can use the forward and forwarders statements inside your zone block.

forward ( only | first )
forwarders { ipv4_addr }

Related Topic