Windows server dns for root domain

domain-name-systemwindows-server-2003

I have a windows Server 2003 machine serving as a DNS server which I am using to override a number of DNS entries to route them to local IP addresses rather than public addresses. I can create a DNS entry (HOST / A) for www.foo.com, but I have been unable to figure out how to override the DNS entry for foo.com itself.

Here's what I have:

on public DNS servers foo.com and *.foo.com point to 1.2.3.4
1.2.3.4 is a NAT device that is mapping 1.2.3.4 to a machine in the local network 10.1.1.1

I'm trying to create a DNS entry inside of my network so that clients performing a lookup on foo.com that are using the local DNS server will resolve to 10.1.1.1 instead of the public address (because I can't go "out and back" through the NAT device).

I have created a new zone in the DNS management snapin called "foo.com" and added a host entry for "www" with the correct IP address (10.1.1.1). This seems to work correctly. However, when I try to add an entry for "" (no name) everything seems to work in the configuration UI and I get an entry with the name displayed as "(same as parent folder)" but the clients don't resolve this name.

Is there a way to accomplish what I'm trying to do?

Best Answer

I don't know the windows way to do this, but the BIND way to do it is:

[root@dhdx421 internal]# head -n 20 example.com
$ORIGIN .
$TTL 21600      ; 6 hours
example.com              IN SOA  ns3.example.com. hostmaster.example.com. (
                                2009111201 ; serial
                                10800      ; refresh (3 hours)
                                3601       ; retry (1 hour 1 second)
                                259200     ; expire (3 days)
                                21600      ; minimum (6 hours)
                                )
                        NS      ns2.example.com.
                        NS      ns3.example.com.
                        A       172.18.1.100
$ORIGIN example.com.

The A record above is the example.com record. Specifying *.example.com means "anything".example.com, but "anything" can't be null as you've specified a "." and periods have special meaning in DNS.

Additionally, keep in mind that if you're overriding someone else's DNS, unless you setup forwarding properly, you will only be able to resolve the addresses that you've overridden (i.e., made your server authoritative for).

Related Solutions

DNS Best Practices – Top Level Domain/Domain Suffix for Private Network

Since the previous answers to this question were written, there have been a couple of RFCs that alter the guidance somewhat. RFC 6761 discusses special-use domain names without providing specific guidance for private networks. RFC 6762 still recommends not using unregistered TLDs, but also acknowledges that there are cases where it will be done anyway. Since the commonly used .local conflicts with Multicast DNS (the main topic of the RFC), Appendix G. Private DNS Namespaces recommends the following TLDs:

intranet
internal
private
corp
home
lan

IANA appears to recognize both RFCs but does not (currently) incorporate the names listed in Appendix G.

In other words: you shouldn't do it. But when you decide to do it anyway, use one of the above names.

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Best Answer

Related Solutions

DNS Best Practices – Top Level Domain/Domain Suffix for Private Network

BIND – Overriding DNS Entries in BIND for Internal Networks

Related Topic