Ubuntu – use BIND to provide DNS resolution for two isolated networks via a dual-homed DNS server

binddomain-name-systemisolated-networkmulti-homedUbuntu

I am setting up two small isolated networks. Neither of these networks will have an Internet connection. I am trying to provide DNS and DHCP to both networks via a single Ubuntu server I have available, and while DHCP is working file, I have never set up BIND before.

Following the DNS Howto guide, I edited named.conf.local and told it to look for the configurations to my two domains (network1.local and network2.local) in /etc/bind/db.network1.local and db.network2.local. Btw, network1.local is on eth0, network2.local is on eth1.

I then went ahead and copied db.local to each of those two files and edited them to provide an A record for the nameserver itself, ns.network1.local.

However, I see nothing in the configuration that would prevent hosts on network1 from receiving DNS resolution for names on network2.local. What can I do to prevent this from occurring? Is there any way to bind BIND (ugh) to a single domain for each interface?

Perhaps a better question would be, should I do this? Or is there a better way of hosting two zones via each NIC? Should I use something other than BIND?

Best Answer

I'm winging this off of something I set up for myself a few years ago, but you could use views to separate the domains you server. I used this so I could provide my RFC1918 addrs to my local clients and my public addresses to public clients, but I think it would work for what you want to do.

Something like this (assuming clients on network1.local are using 192.168.0.0/24 and clients on network2.local are using 192.168.1.0/24):

view "network1" {
  match-clients { 192.168.0.0/24; };
  zone "." { type hint; file "hints/named.root"; };
  zone "0.0.127.in-addr.arpa" { type master; file "zones/localhost.rev"; };
  zone "0.168.192.in-addr.arpa" { type master; file "zones/0.168.192.rev";
                       allow-transfer { 192.168.0.0/24; }; };
  zone "network1.local" { type master; file "zones/network1.local";
                       allow-transfer { 192.168.0.0/24; }; };
};


view "network2" {
  match-clients { 192.168.1.0/24; };
  zone "." { type hint; file "hints/named.root"; };
  zone "0.0.127.in-addr.arpa" { type master; file "zones/localhost.rev"; };
  zone "1.168.192.in-addr.arpa" { type master; file "zones/1.168.192.rev";
                       allow-transfer { 192.168.1.0/24; }; };
  zone "network2.local" { type master; file "zones/network2.local";
                       allow-transfer { 192.168.1.0/24; }; };
};

I can't remember if there's more to it than that but that should give you a toehold on it. Good luck.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Related Topic